Yesterday in Las Vegas we had the opportunity to present an update to the members and guests of CleanApps.org. I've attached a PDF version of the deck here so you can see what we're proud of, what we've done, and what we're going to focus on for 2020.
Three items are worth calling out:
- Our UwS Handling Certification Test has really helped to streamline our certification business and increase AV usage of our feeds. You can check out the final results of last year's test in the deck, or play with a year's worth of data here.
- We have a short list of trends that we're keeping an eye on, as decisions made could affect both our and our customers' business. These are listed toward the end of the presentation (look for the slide with binoculars).
- One of the benefits of our streamlined certification service is that our customers have been able to focus more time on making their apps more valuable. We believe that true consumer value is the most important ingredient of a clean and compliant app. We are happy that our customers are proud of the apps that they offer consumers... this is a huge step forward in the maturity of the software monetization industry.
We also included a few slides on our browser safety extension: Blur.live. If you're not using it yet, please take a look and see if the way we blur deceptive search results and ads helps improve your own internet vision!
-- Janet Attar, Customer Success Manager
Last month we turned three, and it’s time to apply what we’ve learned from our customers to our offerings. This year we are eliminating some service plans, and we’re streamlining others. We believe these changes will be better for our customers as well as our security partners.
The first change is that we no longer offer “uncommitted” subscription pricing. The pricing is much better when customers commit, and although a few customers may have started uncommitted, they all quickly switched to committed. Our offerings have simplified to these three:
- Premium Subscription (6 month minimum).
- Basic Subscription (6 moth minimum).
- Individual Review (pay per review).
The second change is replacing our add-on App Jail services with a built-in streamlined Detection Advisories feature that’s now part of all three of our offerings. We believe that this will be a huge benefit to both our customers and our security partners.
We’ve worked hard over the past three years to build up a great understanding of what the security vendors need, and we work hard to maintain this understanding as they continue to change their own requirements. Detection Advisories are what we’ll provide as part of each app review when we notice any “beyond certification” requirements that we already know will cause security vendors to block it.
This new approach gives our customers valuable, proactive guidance. It also reduces the load on our security partners, as we will not request them to consider removing detections when we know that the app has outstanding Detection Advisories. In cases where a certified app is blocked after all Detection Advisories have been resolved, we will continue to work with our customers and our security partners to discover new actionable reasons.
Making Detection Advisories built into our three offerings makes it easier for us to provide reliable advice and get consistent answers back from the security vendors. We’ve adjusted our pricing to reflect this change for any new app submitted, and existing customer apps will be switched to the new pricing on July 1st.
This post gives some prescriptive guidance to our policy updates, and explains our Deceptor listing policy, for affiliates, download sites, and the affiliated apps.
If your affiliate site offers downloaded apps:
- Make it clear that you are an affiliate of the app you are promoting, and not the maker of the app.
If your affiliate site provides removal instructions for malware, spyware, adware, Deceptors, or other "threats", and also offers an app:
- Do not claim that the app will remove the threat, unless you back up that claim with evidence.
- Get specific in your descriptions of the threat. Screen shots from the threat, actions the threat takes on the consumer machine, references to landing pages and makers, are all great ways to get specific. Making only generic or only "maybe" statements that can be found on many pages are not good ways to be specific.
If your site is a download site:
- Make sure you have permission to store/download the apps. If you don't have permission, point the consumer to app's landing page.
- If you are going to install a download manager and not the app, be clear about this, and don't mislead the consumer into thinking they are getting just the app's official installer.
- Make sure the ads you display don't masquerade as your "download" button. Use ad policies and ad network settings to control the content (for example, AdSense policies can block sensitive ads), and monitor your site to keep it compliant. If you cannot control the ad content, do not place the ads close to your download buttons.
Our policy for Deceptor listing:
- If an affiliate or download site comes to us with questions and we find violations, and if they commit to work in good faith with us, we'll generally give them two weeks to make their changes.
- When we hunt and find a violating affiliate or download site, we will generally list the site as an active Deceptor. The site owner can work with us to clear it (see below).
- If the affiliate app or download manager has directed their affiliate network to require our approval, we will work with the affiliate network.
- If the affiliated app or download manager is working with us to get certified, we will warn them.
- If neither of the cases apply, we will list the affiliated app or download manager as an active Deceptor, following our supply chain accountability policy.
You can find all our requirements, more prescriptive guidance, and some examples of good and violating behavior at our checklist page.
Your affiliate network or affiliated app may require our approval before you're authorized to offer some apps. Just let us know, and we're happy to give you feedback. Please note, though, that we expect that you'll work in good faith with us to fix all your sites.
If we have called out your site or affiliated app/download manager as an active Deceptor, we'll work with you, for free, to answer your questions, and to re-evaluate it and hopefully get it off our active Deceptor list. Just read our faq, then email us at email@example.com when you're ready.
It's been three years since we started this company and its proposition to help software monetizers thrive by building a self-regulation system.
It's been quite the journey. We spent the first year working through our requirements and building trust with both the security companies and the monetizers. We spent the second year operationalizing our workflow, introducing our Deceptor list, scaling out our business.
This third year has been a solidifying year for AppEsteem. We experimented with new ways to encourage companies to work with us, and we came up with new and improved value propositions. We moved our non-profit alignment from CSA to CleanApps.org. We started certifying anti-malware products and designating them as Deceptor Fighters. We ran several campaigns to help drive needed change, including one that prevents system utilities from abusing free scans results, and another that cleans up badly-behaving affiliates. And we certified three more call centers.
We're very proud of the positive impact we've made for consumers. We know they're in a much better place as they download apps for their PCs. The hundreds of apps we've certified, and the hundreds of apps that have successfully cleaned up after being called out as Deceptors, have helped transform the software monetization world into a kinder and gentler place.
But we're not done. We still see consumer abuse in call centers, download sites, and through rogue affiliates. Sometimes our customers don't act in good faith. And while Windows downloads are now much cleaner, MacOS has gotten noticeably worse, browser extensions and Android apps need more help, and we haven't figured out how to keep Apple and Google paying attention. We need to work on all these problems in our fourth year.
And there's more we're working on. We will soon release Blur, our browser extension that will help consumers "look ahead" and be warned if an ad or a search result will take them to an unsafe site. And we're tinkering with a Most Valuable App program that goes beyond measuring compliance and starts to look at an app's value to consumers.
All of the progress we've made only works because of three things: software monetizers who are committed to building consumer-respecting apps, security partners dedicated to rewarding them while still punishing the unwanted, deceptive vendors, and dedicated employees and partners who work like crazy to make it all happen. Thank you so much for your support!
Since last October, we've been calling out affiliate websites as Deceptors when we observed them making unsubstantiated claims, or when they auto-downloaded apps without presenting the consumer a valid offer.
This has led to good changes on many affiliate sites. Consumers don't have to read untrue statements, and they now get a chance to accept an app before it shows up on their machine.
But although these changes have been helpful, we still observe the following unwanted behaviors on affiliate sites:
- Vague and non-specific claims that have the intent to deceive consumers. An example of these kinds of generic claims are found on "how to remove" affiliate sites that offer malware and spyware removal tools. We think that sites making generic claims know they are scaring consumers into downloading the offered apps.
- Download sites that purposely allow confusing "start" and "download" ads and offers to surround the actual download button. We think these ads and offers are masquerading as the button the consumer wants to click, and the download site knows they are tricking the consumer into getting an unwanted download.
- Download sites that offer an app, but when the consumer accepts the offer, they get a "download manager" that first makes more offers to them. We think the consumer must only get the app that they accepted; if the download site wants the consumer to run their download manager, they must offer it to the consumer, and the consumer must accept that offer, before it's downloaded.
When we find a deceptive affiliate or download site, we'll consider both the site and the affiliated apps as Deceptors. We spent the past two months aligning this policy change with our security partners, and we're looking forward to implementing them later this month.
Dennis Batchelder and Hong Jia
We've completed the first two months of testing how well various antivirus products handle consumer-focused Unwanted Software (UwS) and Potentially Unwanted Applications (PUA), and we're pleased to announce that seven AV products are now Certified Deceptor Fighters:
- Norton Security Standard
- Avira Internet Security
- K7 Total Security
- Panda Dome
- AVG Internet Security
- Avast Internet Security
- Kaspersky Internet Security
Our test report can be found here. We followed AMTSO's Testing Standard v1.1, and you can see our compliance information here. We invite you to read it and use its interactive capabilities to explore more about how AV performed. We'll be updating this report as we process each month's results.
We're proud that many AVs have embraced the urgency to address UwS and PUA, and are working with us to identify, call out, and block deceptive apps, as well as to define the requirements needed to allow them to run undetected. We believe that when AV vendors work together to tackle problems, it's bad news for deceptive apps, and great news for clean app vendors.
About working together: last November we gave a talk at AVAR with a provocative hypothesis: when AV's don't cooperate, cybercrime increases. Our presentation demonstrates what happens with and without a coordinated effort by AVs.
Congratulations to the AVs who got certified!
Our active Deceptor list works; apps and services that get listed either clean up or stop distributing. That's great for consumers, but we've seen that this process can be painful for vendors.
Back in the fall of 2017 we got a few requests for a way to provide vendors with Deceptor notifications. The idea was that there were many vendors who didn't want to be our customers, but who were happy to register with us so we could notify them first if we found their apps or services were deceptive.
We thought this was a great idea. Our goal was to find the fastest path to keep consumers safe from deceptive behaviors, and if there were vendors who said an early "heads-up" would speed up their fixing the violations, we'd be happy to give it to them. So last October we announced our free Deceptor notification program.
Unfortunately, over past year we found that when we notified vendors about their apps' and services' Deceptor-level violations, only vendors who were our certification customers worked quickly to get the issues resolved. Other vendors, if they fixed at all, did so at a significantly slower pace. We don't know why this happened, but we do know this outcome isn't good for consumers.
And because we've determined that it's not in the best interests of consumers, we're deprecating our Deceptor notification program as of December 31. We'll continue to work with our certification customers to clean up their apps and services, but starting in January next year, we will only pre-notify other vendors when we're pretty sure that by doing so it will protect consumers faster.
Please note that this doesn't change how we work with apps and services that are listed as active Deceptors; we'll continue to help vendors at no charge to get their apps and services off the active Deceptor list.
You can find more information about our notification policies, as well as how to clean up active Deceptors, on our Deceptor FAQ.
We're announcing today that we've added a new pay-as-you-go pricing option for apps that want to get reviewed and certified, but would rather not commit to our subscription model.
The pay-as-you-go pricing replaces our promotional free certification program, which we ran for a year with great success.
And while we're excited about this new pricing option, we believe that your best value remains our premium subscription, because it comes with unlimited compliance consulting for your app, a CleanApps.org membership, and access to our Insiders calls. But we recognize that some customers with more mature or less-frequently-changing apps would be better served if they could pay for reviews on an ad-hoc basis.
And even with our free certifications going away, we still evaluate and remove Deceptors for free, and we offer a free Deceptor notification service for apps and sites who wish a heads-up if we find them violating our Deceptor-level requirements.
Thanks for all of your support for AppEsteem's certification program! Please let us know if you have any questions: just drop an email to firstname.lastname@example.org
Last January, Microsoft posted a blog titled Protecting customers from being intimidated into making an unnecessary purchase. The blog announced that effective March 1, they would be tightening up what they considered to be coercive messaging. The two new areas they called out were:
- Reporting the results in an exaggerated or alarming manner
- Requiring the user to "pay" to fix free scan results
We welcomed these changes, as it demonstrated Microsoft's resolve to go after the app vendors who were taking advantage of consumers to push unnecessary system utilities. But we also recognized that this was a significant change for many system utilities, including those that we had already certified.
Facing this change, we decided that the first step was to see if the anti-malware ecosystem could align on our understanding of Microsoft's principles. We worked with our security partners to come up with wording for a new application certification requirement (ACR-004). We also worked with many affected app vendors, CleanApps.org, compliance partners, and consumer groups to clarify the wording and provide examples of apps that either passed or failed ACR-004.
This took a few months to work through. These kinds of discussions are not easy, especially when the affected parties also include anti-malware vendors. But after all the discussions, we ended up with a requirement that we believe will both help consumers and still allow vendors to continue to demonstrate and monetize the value of their apps.
We set our enforcement date to be December 13, 2018. This means that any apps that do not meet ACR-004 by December 13, including new versions of apps that we have previously certified, may be added to our active Deceptor list.
ACR-004 states: When showing free scan results with the intent to monetize, results are substantiated and avoid any exaggerated sense of urgency, and app provides free fixes for all free scan results shown when the fix is not anticipated to be permanent or the fix offered is an ongoing service.
So what does this mean? If you're using free system utility scan results to monetize your solution, keep the following points in mind:
- Make sure your free scan results are truthful, detailed, and can be substantiated.
- Don't map free scan results to graphs, gauges, meters, or other ways to "measure" how important they are
- Unless you're reporting on immediate threats to the system or consumer (a good example of this is active malware), don't use differentiating colors to highlight your free scan results
- Unless you're providing a one-time permanent fix that's not an ongoing subscription, let the consumer "try" your solution by fixing all the results you show for free.
- If you're fixing free scan results for free as part of a "trial", don't pre-collect payment details or ask the consumer to perform any other tasks beyond providing their email.
You can read more details and see both good and bad examples for ACR-004 on our requirements checklist. We're happy to help vendors understand ACR-004, and we offer both free and paid services to help companies comply.
Over the past few months, new standards for ads have been released by both BetterAds.org and the IAB. We think that these are in response to the proliferation of more and more ad blockers; the ad industry has started taking responsibility for the quality of online ads.
And while we felt that this is great news for consumers, we also realized that it was time to update our own certification requirements for apps that inject or block ads. So we spent the past few months working with our customers, some of the larger ad injector vendors, compliance partners, various security and platform companies, and CleanApps.org.
This work drove significant changes: not only did we adjust the requirements, but some of the requirements were promoted to Deceptor-level. Starting in October, we'll be reviewing and calling out bad ad injectors and blockers and adding them to our active Deceptor list.
You can find a summary of the changes in the following ad injector requirement updates document. Please feel free to use this to understand the context behind the changes. Also, all the changes are live in our online requirements checklist.