While our office remains empty and we're confined to our homes, our spirits are high, because we made it all the way to our fifth birthday!
The big idea we had when we started was that software monetizers could actually thrive in a cleaner, consumer-respecting world. The formula was simple: they'd promise to be good, we'd certify their apps, and we'd work to educate the anti-malware ecosystem about the differences between the good and the bad players.
We were so naïve.
But in spite of our inability to look at the world through anything but rose-colored-lenses, we all worked together and accomplished something big. The Windows and MacOS apps are in such a better place now. Unwanted software is mostly gone: the good apps thrive, the bad apps get whacked, and the industry has found a way to work together to protect consumers.
We made an impact that we only dreamed of achieving.
We're not done, though. Browser extensions and mobile apps still have large numbers of unscrupulous vendors taking advantage of consumers. We think this is because the platform stores are still more focused on growth than they are on protecting consumers, and they've found effective ways to keep both the AVs and companies like AppEsteem at bay. (Shame on them.) We're still trying to crack this nut.
But we feel great at what's been accomplished. And we owe a huge debt to the AVs and our customers for not only taking a chance on us, but also for continually working to make this software space cleaner every year. Thank you!
We've learned so much in the process, too. Some of the learnings were painful lessons. Here's six of our critical success factors:
- Many of the early "supporters" (both vendors and AVs) weren't interested in solving the problem. They wanted to give lip service while they prolonged their cheating ways. Thankfully these bad vendors have shut down or moved out of this space, and the insincere AVs have mostly become irrelevant, but we had to learn how to stop wasting time on insincere supporters.
- Few vendors wanted our certification service (even when we offered it for free) until we had a robust method of reporting Deceptors. We had to balance our carrots and sticks.
- The AVs were very happy with our Deceptor feed, but our big breakthrough on stopping their flags on certified apps came when we started testing them. We had to find how to leverage the existing momentum of our partners.
- It took us time to realize that AVs are also software monetizers, and many times their sales, marketing, and product managers break the ACRs (and their own policies) they enforce on others. Keeping everybody aligned and the hypocrisy at bay was a difficult task to master.
- Staying in sync with a robust vendor association like CleanApps.org helped keep us focused on what matters to software vendors (and not just to their supply chain). We learned how to operationalize how we figured out what our customers really needed.
- Having our own app (check out Blur.live!) has taught our entire team so much about what our customers go through as they build and distribute their apps. We should have done this earlier.
We've abandoned our office and fled to our homes. We're washing our hands, searching for online delivery services, and wiping down the incoming packages. We're figuring out how to spend all day on Teams and Zoom and Skype and Hangouts without getting massive backaches. And with all this chaos, we're taking a moment to celebrate our fourth birthday.
Back in 2016, who ever thought a tiny self-funded startup would be able to drive such a big impact in the quality of consumer apps? But we figured it out, and consumers everywhere are safer, thanks to the combined efforts of the vendors who make the certified apps and the AVs who protect consumers from unwanted software. Thank you so much for working with us to improve the computing experience of billions of consumers around the world.
Over the past year we also rolled out our very own browser extension. Blur.live automatically blurs ads as well as deceptive search results. Please check it out here -- we hope you'll fall in love with it.
Like the rest of the world, we've been thinking a lot about how this crazy coronavirus will impact our company's future. If you had asked us two months ago, we would have said that we thought we were almost done with the fight against Windows-based Deceptors. But then this virus went global, and many people went from their workplaces and schools to spend time at home... in front of their computers... without getting computer support from their nephews, neighbors, and the local computer store. The bad guys woke up; Deceptors that once had gone away rose up like zombies; and many apps and services were offered by emboldened and unscrupulous affiliates. Suddenly consumers were getting tricked and cheated and scared like it was early 2016. We realized that the best way we could help the world cope with its biological virus was to double down on our Deceptor hunting and increase our monitoring of the apps that we certify. We've made these priority adjustments, and we think that together with the vendors and the AVs, we'll quickly get this industry back on track.
And while we're cleaning up the software monetization space, we'll also increase distribution of Blur.live so we can help keep more consumers safe. By the time we turn five, we'll have an Android version available. We'll work hard to keep you, and all the other consumers around the world, safe from unwanted and deceptive software.
And maybe, just maybe, we'll get to see our offices again. Can't wait for that day!
Yesterday in Las Vegas we had the opportunity to present an update to the members and guests of CleanApps.org. I've attached a PDF version of the deck here so you can see what we're proud of, what we've done, and what we're going to focus on for 2020.
Three items are worth calling out:
- Our UwS Handling Certification Test has really helped to streamline our certification business and increase AV usage of our feeds. You can check out the final results of last year's test in the deck, or play with a year's worth of data here.
- We have a short list of trends that we're keeping an eye on, as decisions made could affect both our and our customers' business. These are listed toward the end of the presentation (look for the slide with binoculars).
- One of the benefits of our streamlined certification service is that our customers have been able to focus more time on making their apps more valuable. We believe that true consumer value is the most important ingredient of a clean and compliant app. We are happy that our customers are proud of the apps that they offer consumers... this is a huge step forward in the maturity of the software monetization industry.
We also included a few slides on our browser safety extension: Blur.live. If you're not using it yet, please take a look and see if the way we blur deceptive search results and ads helps improve your own internet vision!
-- Janet Attar, Customer Success Manager
Last month we turned three, and it’s time to apply what we’ve learned from our customers to our offerings. This year we are eliminating some service plans, and we’re streamlining others. We believe these changes will be better for our customers as well as our security partners.
The first change is that we no longer offer “uncommitted” subscription pricing. The pricing is much better when customers commit, and although a few customers may have started uncommitted, they all quickly switched to committed. Our offerings have simplified to these three:
- Premium Subscription (6 month minimum).
- Basic Subscription (6 moth minimum).
- Individual Review (pay per review).
The second change is replacing our add-on App Jail services with a built-in streamlined Detection Advisories feature that’s now part of all three of our offerings. We believe that this will be a huge benefit to both our customers and our security partners.
We’ve worked hard over the past three years to build up a great understanding of what the security vendors need, and we work hard to maintain this understanding as they continue to change their own requirements. Detection Advisories are what we’ll provide as part of each app review when we notice any “beyond certification” requirements that we already know will cause security vendors to block it.
This new approach gives our customers valuable, proactive guidance. It also reduces the load on our security partners, as we will not request them to consider removing detections when we know that the app has outstanding Detection Advisories. In cases where a certified app is blocked after all Detection Advisories have been resolved, we will continue to work with our customers and our security partners to discover new actionable reasons.
Making Detection Advisories built into our three offerings makes it easier for us to provide reliable advice and get consistent answers back from the security vendors. We’ve adjusted our pricing to reflect this change for any new app submitted, and existing customer apps will be switched to the new pricing on July 1st.
This post gives some prescriptive guidance to our policy updates, and explains our Deceptor listing policy, for affiliates, download sites, and the affiliated apps.
If your affiliate site offers downloaded apps:
- Make it clear that you are an affiliate of the app you are promoting, and not the maker of the app.
If your affiliate site provides removal instructions for malware, spyware, adware, Deceptors, or other "threats", and also offers an app:
- Do not claim that the app will remove the threat, unless you back up that claim with evidence.
- Get specific in your descriptions of the threat. Screen shots from the threat, actions the threat takes on the consumer machine, references to landing pages and makers, are all great ways to get specific. Making only generic or only "maybe" statements that can be found on many pages are not good ways to be specific.
If your site is a download site:
- Make sure you have permission to store/download the apps. If you don't have permission, point the consumer to app's landing page.
- If you are going to install a download manager and not the app, be clear about this, and don't mislead the consumer into thinking they are getting just the app's official installer.
- Make sure the ads you display don't masquerade as your "download" button. Use ad policies and ad network settings to control the content (for example, AdSense policies can block sensitive ads), and monitor your site to keep it compliant. If you cannot control the ad content, do not place the ads close to your download buttons.
Our policy for Deceptor listing:
- If an affiliate or download site comes to us with questions and we find violations, and if they commit to work in good faith with us, we'll generally give them two weeks to make their changes.
- When we hunt and find a violating affiliate or download site, we will generally list the site as an active Deceptor. The site owner can work with us to clear it (see below).
- If the affiliate app or download manager has directed their affiliate network to require our approval, we will work with the affiliate network.
- If the affiliated app or download manager is working with us to get certified, we will warn them.
- If neither of the cases apply, we will list the affiliated app or download manager as an active Deceptor, following our supply chain accountability policy.
You can find all our requirements, more prescriptive guidance, and some examples of good and violating behavior at our checklist page.
Your affiliate network or affiliated app may require our approval before you're authorized to offer some apps. Just let us know, and we're happy to give you feedback. Please note, though, that we expect that you'll work in good faith with us to fix all your sites.
If we have called out your site or affiliated app/download manager as an active Deceptor, we'll work with you, for free, to answer your questions, and to re-evaluate it and hopefully get it off our active Deceptor list. Just read our faq, then email us at [email protected] when you're ready.
It's been three years since we started this company and its proposition to help software monetizers thrive by building a self-regulation system.
It's been quite the journey. We spent the first year working through our requirements and building trust with both the security companies and the monetizers. We spent the second year operationalizing our workflow, introducing our Deceptor list, scaling out our business.
This third year has been a solidifying year for AppEsteem. We experimented with new ways to encourage companies to work with us, and we came up with new and improved value propositions. We moved our non-profit alignment from CSA to CleanApps.org. We started certifying anti-malware products and designating them as Deceptor Fighters. We ran several campaigns to help drive needed change, including one that prevents system utilities from abusing free scans results, and another that cleans up badly-behaving affiliates. And we certified three more call centers.
We're very proud of the positive impact we've made for consumers. We know they're in a much better place as they download apps for their PCs. The hundreds of apps we've certified, and the hundreds of apps that have successfully cleaned up after being called out as Deceptors, have helped transform the software monetization world into a kinder and gentler place.
But we're not done. We still see consumer abuse in call centers, download sites, and through rogue affiliates. Sometimes our customers don't act in good faith. And while Windows downloads are now much cleaner, MacOS has gotten noticeably worse, browser extensions and Android apps need more help, and we haven't figured out how to keep Apple and Google paying attention. We need to work on all these problems in our fourth year.
And there's more we're working on. We will soon release Blur, our browser extension that will help consumers "look ahead" and be warned if an ad or a search result will take them to an unsafe site. And we're tinkering with a Most Valuable App program that goes beyond measuring compliance and starts to look at an app's value to consumers.
All of the progress we've made only works because of three things: software monetizers who are committed to building consumer-respecting apps, security partners dedicated to rewarding them while still punishing the unwanted, deceptive vendors, and dedicated employees and partners who work like crazy to make it all happen. Thank you so much for your support!
Since last October, we've been calling out affiliate websites as Deceptors when we observed them making unsubstantiated claims, or when they auto-downloaded apps without presenting the consumer a valid offer.
This has led to good changes on many affiliate sites. Consumers don't have to read untrue statements, and they now get a chance to accept an app before it shows up on their machine.
But although these changes have been helpful, we still observe the following unwanted behaviors on affiliate sites:
- Vague and non-specific claims that have the intent to deceive consumers. An example of these kinds of generic claims are found on "how to remove" affiliate sites that offer malware and spyware removal tools. We think that sites making generic claims know they are scaring consumers into downloading the offered apps.
- Download sites that purposely allow confusing "start" and "download" ads and offers to surround the actual download button. We think these ads and offers are masquerading as the button the consumer wants to click, and the download site knows they are tricking the consumer into getting an unwanted download.
- Download sites that offer an app, but when the consumer accepts the offer, they get a "download manager" that first makes more offers to them. We think the consumer must only get the app that they accepted; if the download site wants the consumer to run their download manager, they must offer it to the consumer, and the consumer must accept that offer, before it's downloaded.
When we find a deceptive affiliate or download site, we'll consider both the site and the affiliated apps as Deceptors. We spent the past two months aligning this policy change with our security partners, and we're looking forward to implementing them later this month.
Dennis Batchelder and Hong Jia
We've completed the first two months of testing how well various antivirus products handle consumer-focused Unwanted Software (UwS) and Potentially Unwanted Applications (PUA), and we're pleased to announce that seven AV products are now Certified Deceptor Fighters:
- Norton Security Standard
- Avira Internet Security
- K7 Total Security
- Panda Dome
- AVG Internet Security
- Avast Internet Security
- Kaspersky Internet Security
Our test report can be found here. We followed AMTSO's Testing Standard v1.1, and you can see our compliance information here. We invite you to read it and use its interactive capabilities to explore more about how AV performed. We'll be updating this report as we process each month's results.
We're proud that many AVs have embraced the urgency to address UwS and PUA, and are working with us to identify, call out, and block deceptive apps, as well as to define the requirements needed to allow them to run undetected. We believe that when AV vendors work together to tackle problems, it's bad news for deceptive apps, and great news for clean app vendors.
About working together: last November we gave a talk at AVAR with a provocative hypothesis: when AV's don't cooperate, cybercrime increases. Our presentation demonstrates what happens with and without a coordinated effort by AVs.
Congratulations to the AVs who got certified!
Our active Deceptor list works; apps and services that get listed either clean up or stop distributing. That's great for consumers, but we've seen that this process can be painful for vendors.
Back in the fall of 2017 we got a few requests for a way to provide vendors with Deceptor notifications. The idea was that there were many vendors who didn't want to be our customers, but who were happy to register with us so we could notify them first if we found their apps or services were deceptive.
We thought this was a great idea. Our goal was to find the fastest path to keep consumers safe from deceptive behaviors, and if there were vendors who said an early "heads-up" would speed up their fixing the violations, we'd be happy to give it to them. So last October we announced our free Deceptor notification program.
Unfortunately, over past year we found that when we notified vendors about their apps' and services' Deceptor-level violations, only vendors who were our certification customers worked quickly to get the issues resolved. Other vendors, if they fixed at all, did so at a significantly slower pace. We don't know why this happened, but we do know this outcome isn't good for consumers.
And because we've determined that it's not in the best interests of consumers, we're deprecating our Deceptor notification program as of December 31. We'll continue to work with our certification customers to clean up their apps and services, but starting in January next year, we will only pre-notify other vendors when we're pretty sure that by doing so it will protect consumers faster.
Please note that this doesn't change how we work with apps and services that are listed as active Deceptors; we'll continue to help vendors at no charge to get their apps and services off the active Deceptor list.
You can find more information about our notification policies, as well as how to clean up active Deceptors, on our Deceptor FAQ.
We're announcing today that we've added a new pay-as-you-go pricing option for apps that want to get reviewed and certified, but would rather not commit to our subscription model.
The pay-as-you-go pricing replaces our promotional free certification program, which we ran for a year with great success.
And while we're excited about this new pricing option, we believe that your best value remains our premium subscription, because it comes with unlimited compliance consulting for your app, a CleanApps.org membership, and access to our Insiders calls. But we recognize that some customers with more mature or less-frequently-changing apps would be better served if they could pay for reviews on an ad-hoc basis.
And even with our free certifications going away, we still evaluate and remove Deceptors for free, and we offer a free Deceptor notification service for apps and sites who wish a heads-up if we find them violating our Deceptor-level requirements.
Thanks for all of your support for AppEsteem's certification program! Please let us know if you have any questions: just drop an email to [email protected]