Last January, Microsoft posted a blog titled "Protecting customers from being intimidated into making an unnecessary purchase." The blog announced that effective March 1, they would be tightening up what they considered to be coercive messaging. The two new areas they called out were:
- Reporting the results in an exaggerated or alarming manner
- Requiring the user to "pay" to fix free scan results
We welcomed these changes, as they demonstrated Microsoft's resolve to go after the app vendors who were taking advantage of consumers to push unnecessary system utilities. But we also recognized that this was a significant change for many system utilities, including those that we had already certified.
Facing this change, we decided that the first step was to see if the anti-malware ecosystem could align on our understanding of Microsoft's principles. We worked with our security partners to come up with wording for a new application certification requirement (ACR-004). We also worked with many affected app vendors, CleanApps.org, compliance partners, and consumer groups to clarify the wording and provide examples of apps that either passed or failed ACR-004.
This took a few months to work through. These kinds of discussions are not easy, especially when the affected parties also include anti-malware vendors. But after all the discussions, we ended up with a requirement that we believe will both help consumers and still allow vendors to continue to demonstrate and monetize the value of their apps.
We set our enforcement date to be December 13, 2018. This means that any apps that do not meet ACR-004 by December 13, including new versions of apps that we have previously certified, may be added to our active Deceptor list.
ACR-004 states: When showing free scan results with the intent to monetize, results are substantiated and avoid any exaggerated sense of urgency, and app provides free fixes for all free scan results shown when the fix is not anticipated to be permanent or the fix offered is an ongoing service.
So what does this mean? If you're using free system utility scan results to monetize your solution, keep the following points in mind:
- Make sure your free scan results are truthful, detailed, and can be substantiated.
- Don't map free scan results to graphs, gauges, meters, or other ways to "measure" how important they are.
- Unless you're reporting on immediate threats to the system or consumer (a good example of this is active malware), don't use differentiating colors to highlight your free scan results.
- Unless you're providing a one-time permanent fix that's not an ongoing subscription, let the consumer "try" your solution by fixing all the results you show for free.
- If you're fixing free scan results for free as part of a "trial", don't pre-collect payment details or ask the consumer to perform any other tasks beyond providing their email.
You can read more details and see both good and bad examples for ACR-004 on our requirements checklist. We're happy to help vendors understand ACR-004, and we offer both free and paid services to help companies comply.
Over the past few months, new standards for ads have been released by both BetterAds.org and the IAB. We think that these are in response to the proliferation of more and more ad blockers; the ad industry has started taking responsibility for the quality of online ads.
And while we felt that this was great news for consumers, we also realized that it was time to update our own certification requirements for apps that inject or block ads. So we spent the past few months working with our customers, some of the larger ad injector vendors, compliance partners, various security and platform companies, and CleanApps.org.
This work drove significant changes: not only did we adjust the requirements, but some of the requirements were promoted to Deceptor-level. Starting in October, we'll be reviewing and calling out bad ad injectors and blockers and adding them to our active Deceptor list.
You can find a summary of the changes in the following ad injector requirement updates document. Please feel free to use this to understand the context behind the changes. Also, all the changes are live in our online requirements checklist.
We've been certifying apps for almost two years now, and we feel pretty good about the progress we've made: our security partners agree with our requirements and trust our certifications, and our customers (the app vendors) understand what they need to do to meet the requirements.
But we have found an issue that we need to address: bad supply chains can hurt consumers, and we need more help from app vendors to avoid using them as they build, advertise, distribute, and monetize their apps.
Here are just a few examples of where an app vendor can inadvertently hurt consumers by using a bad supply chain partner:
- When an affiliate partner uses deceptive advertising and fear tactics to scare consumers into installing the app
- When a call center over-sells their services to consumers during an activation or customer support call
- When an ad network hijacks ad space or places misleading or inappropriate ads in the app, downgrading the consumers' online experience and exposing them to additional risks
- When a bundler or download manager uses deceptive means to install additional apps on the consumer's machine
- When the payment processor doesn't get consent to include additional apps and services into a consumer's online shopping cart
We don't want clean apps' supply chain partners to mistreat consumers. Starting in September, we're adjusting our policy to hold apps accountable for the misbehavior of their supply chain partners.
Here's the updated policy: If we find that a supply chain partner violates our Deceptor-level requirements in its business related to an app, we'll consider both the supply chain partner and the app as Deceptors, and we'll follow our existing policies for how we notify them or list them immediately on our active Deceptor page.
If you're an app vendor, we suggest that you use supply chain partners who are part of our Better World Network and encourage non-member partners to join. If you're a supply chain provider, consider joining the Better World Network or registering your service with us for Deceptor notifications.
We're hoping that by enlisting app vendors in this effort, together we'll be able to influence bad supply chain partners to clean up their acts and stop mistreating consumers.