AppEsteem Blog

Happy Third Birthday, AppEsteem!

It's been three years since we started this company and its proposition to help software monetizers thrive by building a self-regulation system.

It's been quite the journey. We spent the first year working through our requirements and building trust with both the security companies and the monetizers. We spent the second year operationalizing our workflow, introducing our Deceptor list, scaling out our business.

This third year has been a solidifying year for AppEsteem. We experimented with new ways to encourage companies to work with us, and we came up with new and improved value propositions. We moved our non-profit alignment from CSA to CleanApps.org. We started certifying anti-malware products and designating them as Deceptor Fighters. We ran several campaigns to help drive needed change, including one that prevents system utilities from abusing free scans results, and another that cleans up badly-behaving affiliates. And we certified three more call centers.

We're very proud of the positive impact we've made for consumers. We know they're in a much better place as they download apps for their PCs. The hundreds of apps we've certified, and the hundreds of apps that have successfully cleaned up after being called out as Deceptors, have helped transform the software monetization world into a kinder and gentler place.

But we're not done. We still see consumer abuse in call centers, download sites, and through rogue affiliates. Sometimes our customers don't act in good faith. And while Windows downloads are now much cleaner, MacOS has gotten noticeably worse, browser extensions and Android apps need more help, and we haven't figured out how to keep Apple and Google paying attention. We need to work on all these problems in our fourth year.

And there's more we're working on. We will soon release Blur, our browser extension that will help consumers "look ahead" and be warned if an ad or a search result will take them to an unsafe site. And we're tinkering with a Most Valuable App program that goes beyond measuring compliance and starts to look at an app's value to consumers.

All of the progress we've made only works because of three things: software monetizers who are committed to building consumer-respecting apps, security partners dedicated to rewarding them while still punishing the unwanted, deceptive vendors, and dedicated employees and partners who work like crazy to make it all happen. Thank you so much for your support!

Policy Updates for Deceptive Affiliate and Download Websites

Since last October, we've been calling out affiliate websites as Deceptors when we observed them making unsubstantiated claims, or when they auto-downloaded apps without presenting the consumer a valid offer.

This has led to good changes on many affiliate sites. Consumers don't have to read untrue statements, and they now get a chance to accept an app before it shows up on their machine.

But although these changes have been helpful, we still observe the following unwanted behaviors on affiliate sites:

  1. Vague and non-specific claims that have the intent to deceive consumers. An example of these kinds of generic claims are found on "how to remove" affiliate sites that offer malware and spyware removal tools. We think that sites making generic claims know they are scaring consumers into downloading the offered apps.
  2. Download sites that purposely allow confusing "start" and "download" ads and offers to surround the actual download button. We think these ads and offers are masquerading as the button the consumer wants to click, and the download site knows they are tricking the consumer into getting an unwanted download.
  3. Download sites that offer an app, but when the consumer accepts the offer, they get a "download manager" that first makes more offers to them. We think the consumer must only get the app that they accepted; if the download site wants the consumer to run their download manager, they must offer it to the consumer, and the consumer must accept that offer, before it's downloaded.

When we find a deceptive affiliate or download site, we'll consider both the site and the affiliated apps as Deceptors. We spent the past two months aligning this policy change with our security partners, and we're looking forward to implementing them later this month.

Announcing the first set of Certified Deceptor Fighters

Dennis Batchelder and Hong Jia

We've completed the first two months of testing how well various antivirus products handle consumer-focused Unwanted Software (UwS) and Potentially Unwanted Applications (PUA), and we're pleased to announce that seven AV products are now Certified Deceptor Fighters:

  • Norton Security Standard
  • Avira Internet Security
  • K7 Total Security
  • Panda Dome
  • AVG Internet Security
  • Avast Internet Security
  • Kaspersky Internet Security
DeceptorFighter


Our test report can be found here
. We followed AMTSO's Testing Standard v1.1, and you can see our compliance information here. We invite you to read it and use its interactive capabilities to explore more about how AV performed. We'll be updating this report as we process each month's results.

We're proud that many AVs have embraced the urgency to address UwS and PUA, and are working with us to identify, call out, and block deceptive apps, as well as to define the requirements needed to allow them to run undetected. We believe that when AV vendors work together to tackle problems, it's bad news for deceptive apps, and great news for clean app vendors.

About working together: last November we gave a talk at AVAR with a provocative hypothesis: when AV's don't cooperate, cybercrime increasesOur presentation demonstrates what happens with and without a coordinated effort by AVs.

Congratulations to the AVs who got certified!

Deprecating our Deceptor notification program

Our active Deceptor list works; apps and services that get listed either clean up or stop distributing. That's great for consumers, but we've seen that this process can be painful for vendors.

Back in the fall of 2017 we got a few requests for a way to provide vendors with Deceptor notifications. The idea was that there were many vendors who didn't want to be our customers, but who were happy to register with us so we could notify them first if we found their apps or services were deceptive.

We thought this was a great idea. Our goal was to find the fastest path to keep consumers safe from deceptive behaviors, and if there were vendors who said an early "heads-up" would speed up their fixing the violations, we'd be happy to give it to them. So last October we announced our free Deceptor notification program.

Unfortunately, over past year we found that when we notified vendors about their apps' and services' Deceptor-level violations, only vendors who were our certification customers worked quickly to get the issues resolved. Other vendors, if they fixed at all, did so at a significantly slower pace. We don't know why this happened, but we do know this outcome isn't good for consumers.

And because we've determined that it's not in the best interests of consumers, we're deprecating our Deceptor notification program as of December 31. We'll continue to work with our certification customers to clean up their apps and services, but starting in January next year, we will only pre-notify other vendors when we're pretty sure that by doing so it will protect consumers faster.

Please note that this doesn't change how we work with apps and services that are listed as active Deceptors; we'll continue to help vendors at no charge to get their apps and services off the active Deceptor list.

You can find more information about our notification policies, as well as how to clean up active Deceptors, on our Deceptor FAQ.

 

Our new pay-as-you-go pricing option

We're announcing today that we've added a new pay-as-you-go pricing option for apps that want to get reviewed and certified, but would rather not commit to our subscription model.

The pay-as-you-go pricing replaces our promotional free certification program, which we ran for a year with great success.

And while we're excited about this new pricing option, we believe that your best value remains our premium subscription, because it comes with unlimited compliance consulting for your app, a CleanApps.org membership, and access to our Insiders calls. But we recognize that some customers with more mature or less-frequently-changing apps would be better served if they could pay for reviews on an ad-hoc basis.

And even with our free certifications going away, we still evaluate and remove Deceptors for free, and we offer a free Deceptor notification service for apps and sites who wish a heads-up if we find them violating our Deceptor-level requirements.

Thanks for all of your support for AppEsteem's certification program! Please let us know if you have any questions: just drop an email to sales@appesteem.com

 

 

Be ready for December 13: remove the urgency from free scans

Last January, Microsoft posted a blog titled Protecting customers from being intimidated into making an unnecessary purchase. The blog announced that effective March 1, they would be tightening up what they considered to be coercive messaging. The two new areas they called out were:

  1. Reporting the results in an exaggerated or alarming manner
  2. Requiring the user to "pay" to fix free scan results

We welcomed these changes, as it demonstrated Microsoft's resolve to go after the app vendors who were taking advantage of consumers to push unnecessary system utilities. But we also recognized that this was a significant change for many system utilities, including those that we had already certified.

Facing this change, we decided that the first step was to see if the anti-malware ecosystem could align on our understanding of Microsoft's principles. We worked with our security partners to come up with wording for a new application certification requirement (ACR-004). We also worked with many affected app vendors, CleanApps.org, compliance partners, and consumer groups to clarify the wording and provide examples of apps that either passed or failed ACR-004.

This took a few months to work through. These kinds of discussions are not easy, especially when the affected parties also include anti-malware vendors. But after all the discussions, we ended up with a requirement that we believe will both help consumers and still allow vendors to continue to demonstrate and monetize the value of their apps.

We set our enforcement date to be December 13, 2018. This means that any apps that do not meet ACR-004 by December 13, including new versions of apps that we have previously certified, may be added to our active Deceptor list.

ACR-004 states: When showing free scan results with the intent to monetize, results are substantiated and avoid any exaggerated sense of urgency, and app provides free fixes for all free scan results shown when the fix is not anticipated to be permanent or the fix offered is an ongoing service.

So what does this mean? If you're using free system utility scan results to monetize your solution, keep the following points in mind:

  • Make sure your free scan results are truthful, detailed, and can be substantiated.
  • Don't map free scan results to graphs, gauges, meters, or other ways to "measure" how important they are
  • Unless you're reporting on immediate threats to the system or consumer (a good example of this is active malware), don't use differentiating colors to highlight your free scan results
  • Unless you're providing a one-time permanent fix that's not an ongoing subscription, let the consumer "try" your solution by fixing all the results you show for free.
  • If you're fixing free scan results for free as part of a "trial", don't pre-collect payment details or ask the consumer to perform any other tasks beyond providing their email.

You can read more details and see both good and bad examples for ACR-004 on our requirements checklist. We're happy to help vendors understand ACR-004, and we offer both free and paid services to help companies comply.

 

Adjusting our Ad Injector/Blocker Requirements

Over the past few months, new standards for ads have been released by both BetterAds.org and the IAB. We think that these are in response to the proliferation of more and more ad blockers; the ad industry has started taking responsibility for the quality of online ads.

And while we felt that this is great news for consumers, we also realized that it was time to update our own certification requirements for apps that inject or block ads. So we spent the past few months working with our customers, some of the larger ad injector vendors, compliance partners, various security and platform companies, and CleanApps.org.

This work drove significant changes: not only did we adjust the requirements, but some of the requirements were promoted to Deceptor-level. Starting in October, we'll be reviewing and calling out bad ad injectors and blockers and adding them to our active Deceptor list.

You can find a summary of the changes in the following ad injector requirement updates document. Please feel free to use this to understand the context behind the changes. Also, all the changes are live in our online requirements checklist.

Supply Chain Accountability

We've been certifying apps for almost two years now, and we feel pretty good at the progress we've made: our security partners agree with our requirements and trust our certifications, and our customers (the app vendors) understand what they need to do to meet the requirements.

But we have found an issue that we need to address: bad supply chains can hurt consumers, and we need more help from app vendors to avoid using them as they build, advertise, distribute, and monetize their apps.

Here are just a few examples of where an app vendor can inadvertently hurt consumers by using a bad supply chain partner:

  • When an affiliate partner uses deceptive advertising and fear tactics to scare consumers into installing the app
  • When a call center over-sells their services to consumers during an activation or customer support call
  • When an ad network hijacks ad space or places misleading or inappropriate ads in the app, downgrading the consumers' online experience and exposing them to additional risks
  • When a bundler or download manager uses deceptive means to install additional apps on the consumer's machine
  • When the payment processor doesn't get consent to include additional apps and services into a consumer's online shopping cart

We don't want clean apps' supply chain partners to mistreat consumers. Starting in September, we're adjusting our policy to hold apps accountable for the misbehavior of their supply chain partners.

Here's the updated policy: If we find that a supply chain partner violates our Deceptor-level requirements in its business related to an app, we'll consider both the supply chain partner and the app as Deceptors, and we'll follow our existing policies for how we notify them or list them immediately on our active Deceptor page.

If you're an app vendor: we suggest that you use supply chain partners who are part of our Better World Network and encouraging non-member partners to join. If you're a supply chain provider, consider joining the Better World Network or registering your service with us for Deceptor notifications.

We're hoping that by enlisting app vendors in this effort, together we'll be able to influence bad supply chain partners to clean up their acts and stop mistreating consumers.

 

Build, Measure, Learn, Improve (our Deceptor Program)

(Dennis Batchelder and Hong Jia)

Today we were at Google’s Mountain View campus attending the Clean Software Summit, and Dennis presented the results of a study we conducted on our Deceptor program. By analyzing the data from the past year, we had four important findings:

  1. The AVs are doing a great job detecting the active Deceptors on our list, which in turn protects consumers.
  2. Merely informing apps when they violate Deceptor requirements is not effective at protecting consumers
  3. A low percentage of active Deceptors (less than 8%) eventually become paying customers
  4. We’ve identified additional ways we can make our operations transparent with the app vendor community

You can find more details in our presentation – we hope you find the data and findings as fascinating as we did!

 Note that in the deck, we also announced we’re taking four immediate actions:

  • Formalize AV Relationship: To showcase AV effectiveness even more, we’re going to align with the AV-driven initiative to formally ratify our Deceptor and Certification requirements. We believe this will make the Deceptor program even more effective at protecting consumers, and at the same time reduce the false positive detections of certified apps
  • Require Registration: Because of the proven ineffectiveness of merely informing apps of their violations, we will provide notifications to apps that violate our Deceptor requirements only if those apps have previously registered for notifications with us
  • Increase Transparency: To give app vendors assurance that we operate fairly, we’re providing insight and input to CleanApps.org, an app vendor-based non-profit organization
  • Provide Opportunities: We’re actively seeking monetization opportunities that certified apps can benefit from. A great example is BlackSwan’s EverCore program, which manages its risk by requiring all offers, carriers, and call centers to be certified by us

Finally, we gave a heads-up about a big upcoming Deceptor campaign; if you're an app vendor, it's worth checking this out.

Just a reminder: it’s free to register with us, and free to get your app certified. You can sign up at https://appesteem.com, or email us at register@appesteem.com

Here's a pic from my presentation... 

 

 

Deceptors wish we’d stop calling them out

Today CSA released a document containing a collection of vendor opinions about our Deceptor program. It seems several vendors took the time to add their thoughts, and we believe their views will be helpful as we keep improving our efforts to prevent consumers from getting infected by deceptive, harmful, and unwanted software.

Our take: we’re encouraged by the apparent effectiveness of our Deceptor program. The document is a great example of how the software monetization industry has been impacted by our work, and that there is now a strong sense of urgency in the industry to clean up. We understand that the process is disruptive, but we believe this approach results in better-protected and better-respected consumers.

Reading CSA’s document got us reflecting on those who have hijacked the software monetization industry and messed it up for the honest vendors. Just like we don’t want them to succeed, it seems these organizations want our Deceptor program to fail. We think this would be a real shame for consumers.

Running this Deceptor program is tough. It’s not easy to strike a balance between disrupting bad actors and encouraging honest vendors. We’ll scour the vendor comments in CSA’s document for new ideas we can use to get it right. We’ll continue to engage with and take input from our security partners, vendors, and consumer representatives. We’ll find ways to get regular input from vendors committed to doing it right. And we’ll try to make every decision based on what is best for consumers, even when these decisions are unpopular with the monetization industry.

While we’re happy that CSA’s document confirms that the Deceptor program works, we do understand that there are vendors out there who do want to treat consumers with respect, and who are shocked, offended, and even ashamed when they discover their app has landed on our Deceptor list.

If you’re a vendor who’s gotten entangled in an industry that spent the past decade telling you that your primary focus should be performance marketing instead of bringing your unique value to consumers, we want to get you back on track with as little fuss and as much help as possible. We have some great (and mostly free) services for you to consider:

  1. FREE: We’ll answer your questions and help you get your app off our Deceptor list.
  2. FREE: We’ll let you know (with up to 30 days’ notice) about Deceptor violations if you register your app to our Deceptor notification service.
  3. FREE: We’ll certify your app so you can show the world your app is safe and it respects consumers.
  4. PAID: We offer value-added subscription services like unlimited compliance consulting for your app, “insiders” access to requirements changes and industry trends, embedded electronic seals for your certified app, and assistance figuring out what to do when our security partners flag your certified app.

But we also want to be clear: if you think it’s fine to treat consumers as exploitable targets for deceptive and aggressive software, we totally understand your desire for us to leave you alone. We strongly suggest you either get on board or find something else to do with your time, as we’re going to continue to tune our Deceptor program to find even more effective ways to disrupt your ability to hurt consumers.

Copyright © 2019 - Design by FS