Why does crapware still exist? Follow the Silicon Valley money trail

If you followed security experts' advice and manually updated Java this week to fix a critical vulnerability, you might have gotten more than you asked for. Oracle probably makes tens of millions of dollars a year from crapware, and big venture capitalists see it as a growth business.
Written by Ed Bott, Senior Contributing Editor

Oracle this week released an update for its widely used Java software, fixing a zero-day vulnerability that was being actively exploited to install malware via drive-by downloads.

But before you begin patting Oracle on the back for its quick response, note two things about that update:

  • It might not actually fix the underlying security issues.
  • Along with the must-install security update, Oracle continues to include crapware.

Yes, adding insult to injury, Oracle is actually making money and cheapening your web browsing experience by automatically installing the Ask toolbar, which in turn tries to change your default search engine and home page.

I'm ready to move Oracle's Java to the top of my Foistware Hall of Shame, alongside Adobe, for crap like this.


Notice that the "FREE Browser Add-on from Ask" is selected by default. If you're like most people and you impatiently click through the installer screens, you'll end up with a new, unwanted, and downright ugly toolbar in your browser. And that's true no matter which browser you use.

And if you forget to clear that checkbox, you'll be dealing with the toolbar and its automatic updater for a while.

I have no idea how much money Ask pays and Oracle collects off this seamy, sleazy practice. I can only assume it's enough to justify selling out Java users.

The companies involved in the crapware business rarely talk about the economics of their business, but occasionally a bit of information emerges into the wild. Long Zheng today disclosed a glimpse into the economics of the crapware business. In a must-read post at his IStartedSomething blog, he includes the text of letters he received from a prominent software company that was willing to pay big bucks if Long and his partners would agree to include "something extra" with their free (and excellent) MetroTwit Twitter client.

Here's what the offer came down to after Long said no:

We launched similar cooperation with WinZip, Nero, TuneUp, Yahoo, and dozens of other reputable brands so this it’s a shame we can’t work together.

Personally I believe you can still present high quality product to your users and make good monetization out from it.

Based on our estimation this type of cooperation, will add a new revenue channel, estimated at $90,000 – $120,000 each year for your company.

All Long would have had to do is sell out his users by allowing his program's installer to include an offer for a browser toolbar. "We can even have it on opt in," the crapware distributor said, implying that the default offer is installed automatically unless users pay careful attention. Just like the big guys do.

And that's for a tiny software company with a niche product.

When you do the math, it's easy to see why Oracle and Adobe pull this crap. Java has 850 million desktop users worldwide. At 30 cents per successful toolbar install, they stand to collect tens of millions of dollars a year even if only a small fraction of their users accept this "recommended" crapware.

What's more alarming and depressing is that the crapware business seems to be growing. Long notes that a new company called InstallMonetizer is funded by a who's who of Silicon Valley venture capital outfits, including Andreesen Horowitz and Paul Graham's highly regarded Y Combinator. And they're perpetuating the bad behavior of bygone days:

Perhaps even worse, the company’s “solution” also includes “Post Install Conversion Tracking“. Alarmingly, it’s tracking software (some would call it spyware) that monitors and uploads user’s ongoing usage activity of the bundled crapware.

Although the company claims it is all “non-personally identifiable data”, according to its website this surprisingly includes not only IP but the globally unique MAC addresses.

Rafael Rivera did a quick analysis of the InstallMonetizer software and found appalling results, including a cavalier approach to privacy and laughable security precautions.

The rise of tablet-based apps that sell for 99 cents and compete with free apps has made it extraordinarily difficult for software developers to write good products and get properly compensated. But this sort of crap(ware) isn't the answer. Extra toolbars and unwanted add-ons cheapen and degrade the PC experience for everyone, and they hasten the decline of the PC platform.

A gushing profile of InstallMonetizer at TechCrunch yesterday offers depressing numbers:

The company says that it now works with more than 9,000 publishers. It’s profitable, and the number of installations that it’s driving doubles every two or three months.

The article continues, "InstallMonetizer actually launched two years ago, and it was part of the winter 2012 class at Y Combinator, but it hasn’t sought out any attention from the tech press until now." This shouldn't be surprising. The backers of this type of business have never been fond of having their practices scrutinized carefully. 

The biggest irony of all is that InstallMonetizer is being funded by people who I'm willing to bet never touch a Windows PC in their daily lives. In the Valley, of course, everyone uses Macs. Big-time VCs have no problem paying for fully loaded MacBook Pros for everyone in the offices. And guess what? Oracle's installer for OS X doesn't include any crapware. No money there, I guess.

So Andressen and Graham and other Valley bigwigs push their wares out into the world with no empathy and no awareness of how much grief they're causing for their unwitting and often unwilling users. It's a cynical business model: crapware for the rubes.

And the comments on Hacker News to Long's post reinforce what a sleazy, cynical business it is. One representative of VLC, the open source media player, notes:

They are liars, shady business, IP violators and are downright dangerous.

They have all those great offers for you, but they refuse to give any details as soon as you ask any question. More than half of them are "the biggest in the world" (sic). They lie about download numbers, about download size, about number of software actually installed and about their connexions. They even lie on the actual payback price.

Thanks for nothing, guys.

Update: There's a Microsoft connection in the InstallMonetizer story. The company's backers include an "advisor" who is currently employed by Microsoft, and the company got its start bundling MSN and Bing add-ons.

Meanwhile, spyware/adware expert Ben Edelman (who documented the role of big investors in supporting first-generation spyware a decade ago) notes via email that Google sells the ad inventory for Ask, which means that advertisers who deal with Google might find their ads being delivered via the Ask toolbar.

And let's not forget Facebook. The same group behind InstallMonetizer is also delivering ads for Facebook.

Editorial standards