Last January, Microsoft posted a blog titled Protecting customers from being intimidated into making an unnecessary purchase. The blog announced that effective March 1, they would be tightening up what they considered to be coercive messaging. The two new areas they called out were:
- Reporting the results in an exaggerated or alarming manner
- Requiring the user to "pay" to fix free scan results
We welcomed these changes, as it demonstrated Microsoft's resolve to go after the app vendors who were taking advantage of consumers to push unnecessary system utilities. But we also recognized that this was a significant change for many system utilities, including those that we had already certified.
Facing this change, we decided that the first step was to see if the anti-malware ecosystem could align on our understanding of Microsoft's principles. We worked with our security partners to come up with wording for a new application certification requirement (ACR-004). We also worked with many affected app vendors, CleanApps.org, compliance partners, and consumer groups to clarify the wording and provide examples of apps that either passed or failed ACR-004.
This took a few months to work through. These kinds of discussions are not easy, especially when the affected parties also include anti-malware vendors. But after all the discussions, we ended up with a requirement that we believe will both help consumers and still allow vendors to continue to demonstrate and monetize the value of their apps.
We set our enforcement date to be December 13, 2018. This means that any apps that do not meet ACR-004 by December 13, including new versions of apps that we have previously certified, may be added to our active Deceptor list.
ACR-004 states: When showing free scan results with the intent to monetize, results are substantiated and avoid any exaggerated sense of urgency, and app provides free fixes for all free scan results shown when the fix is not anticipated to be permanent or the fix offered is an ongoing service.
So what does this mean? If you're using free system utility scan results to monetize your solution, keep the following points in mind:
- Make sure your free scan results are truthful, detailed, and can be substantiated.
- Don't map free scan results to graphs, gauges, meters, or other ways to "measure" how important they are
- Unless you're reporting on immediate threats to the system or consumer (a good example of this is active malware), don't use differentiating colors to highlight your free scan results
- Unless you're providing a one-time permanent fix that's not an ongoing subscription, let the consumer "try" your solution by fixing all the results you show for free.
- If you're fixing free scan results for free as part of a "trial", don't pre-collect payment details or ask the consumer to perform any other tasks beyond providing their email.
You can read more details and see both good and bad examples for ACR-004 on our requirements checklist. We're happy to help vendors understand ACR-004, and we offer both free and paid services to help companies comply.