Yesterday we found out that the Clean Software Alliance (we think they're being abused by Rise, a Deceptor bundler) has a PR agency sending out a press packet to various journalists. Here's their message:
From: Jill Burkes <[email protected]>
Sent: Tuesday, July 23, 2024 6:32 AM
To: xxx
Subject: Advanced Look: Antivirus Industry Shaken by Certification Scandal
Hi xxx,
A bombshell investigation by The Clean Software Alliance (CSA) has uncovered a shocking pay-to-play scheme at the heart of the antivirus certification process. The CEO of a leading certification company is implicated in a scheme that has compromised the security standards trusted by millions of users worldwide.
This report/story exposes how a key gatekeeper of cybersecurity has been systematically corrupted, potentially leaving consumers vulnerable to cyberattacks. The CSA has damning evidence and insights into the far-reaching implications of this scandal.
This story is set to ignite public interest and spark widespread discussion. Let me know if you want to learn more and speak with CSA experts.
Thanks,
Jill
That certainly sounds exciting, right? It made us want to hear more, especially when we knew it was an attack against us.
Here are the attached CSA reports so you can read them yourself:
WHAT WE THINK HAPPENED
Last April was the start of our enforcement of the new "bundler" ACRs. Since then, we have been calling out apps that monetize with the Rise offer network, as these apps' installers are using deceptive techniques to drive unintentional installs of bundled offers.
The new ACRs are meant to stop consumers from being unfairly interrupted during the install of an app with offers to silently install unrelated software. We know this leads to many unwanted and unintentional installs. We worked hard to drive consensus among the AVs. We even worked with CSA and Rise, although they weren't happy about it.
Rise is a spin-off of IronSource. It just so happens that Rise has been CSA's biggest supporter. In fact, Rise's chief legal officer is CSA's CEO.
We think that we got Rise's attention with the updated bundler ACRs, and they're abusing their relationship with CSA to attack us in this sham "investigation".
OUR RESPONSE
We're glad that we got Rise's attention. Now maybe they'll realize that it's time to clean up their act. That would help millions of consumers every year keep extra software off their PCs.
The last time CSA was abused by Deceptors to attack us, we wrote a blog response, we got a couple great news stories, and more app vendors chose to build clean, sustainable apps that keep consumers safe. This was a great outcome, and we're hoping for the same here. Because this attack is just as silly as the last one: a cobbled-together set of out-of-context data points in a sad attempt to sound sensational.
But we should address what CSA is claiming. There are different claims in their "CSA Report" and their 4-page "One Pager", and we tried to include both. Here's a handy guide to help show what we think of their allegations:
"Issue" found: Dennis Batchelder, founder of for-profit certification company AppEsteem, also serves as the CEO of AMTSO, a non-profit testing standards organization for the antivirus (AV) industry. AppEsteem uses its "certified" and "deceptor" as additional testing criteria for AMTSO members, potentially boosting its own business while harming software developers.

Our response: AppEsteem runs a UwS Handling Certification test (it's not an AMTSO test) that follows the AMTSO standards (see our AMTSO compliance page here).
We suggest contacting Eddy Willems, the new COO of CSA, for more information. Eddy served on AMTSO's board of directors when the AMTSO test standards were established and when the first UwS Handling Certification tests were run.

"Issue" found: Several new ACRs prohibit commonly accepted industry practices utilized by many software vendors, including ones from the anti-malware community, streaming services such as YouTube and smart TVs. A good example is ACR-013 ‘deceptor’ requirement which requires an additional offer screen to be presented to the end user in addition to already existent and agreed upon user disclosures.
Moreover, it is the CSA’s opinion that several new ACRs lack actual applicability, such as ACR-060 ‘deceptor’ requirement which requires software developers to disclose to the end user the name of the network used, while in practice most software developers utilize their own installer and monetization without using any network.

Our response: If YouTube, in the middle of a video, popped up an interrupting offer to silently install software using its administrative privileges, and demanded an answer before the video continued, then we'd call it out as failing ACR-013. This is what the Rise bundlers do (during software installs), and that is why we call them out: the behavior is unfair to consumers.
ACR-060 only applies when an offer network is used. If a software monetizer has their own offers and doesn't use an offer network, ACR-060 does not apply.

"Issue" found: AppEsteem certified app that violates ACR-152, one of many certified applications found to be in violation of AppEsteem ACRs.

Our response: ACR-152 applies to bundlers. The app shown doesn't make offers to silently install other software, so this ACR does not apply. This example, as well as the other "evidence" examples, shows a misunderstanding by CSA of how our ACRs apply.
However, ACR-048 does apply: this app should have stated that the install cannot be cancelled. We missed it in our review, and we're sorry. We'll have them fix it ASAP.
Calling this evidence of a "Pay to Play Scheme" is just silly. We review apps as we certify them, we hope to catch everything, and sometimes we miss. You can talk to our customers and ask them if they think they could pay us to *not* follow the ACRs.

"Issue" found: AppEsteem Deceptor Test Plan performed through AMTSO includes a “Conflict of Interests Disclosure” section, indicating that test results and scores seem to be dependent on the degree to which the anti-malware companies implement AppEsteem’s ‘certified’ and ‘deceptor’ lists.

Our response: Yes, this is correct. We also include a "Disputes" section that explains how AVs can dispute if their UwS/PUA policies differ from our ACRs (see the "Dispute" sections of our current test here, or in any of the previous 5 years' tests).

"Issue" found: AppEsteem Fee Schedule shows how AppEsteem’s paid Premium Services include a membership in CleanApps, suggesting that AppEsteem provides funding for CleanApps, which is allegedly an independent “Business Association for App Makers and Marketers.”

Our response: Not sure what the issue is here. We thought this was a great benefit for our Premium customers, and that it would help grow CleanApps.org -- a win/win for a safer consumer app ecosystem.

"Issue" found: The AppEsteem Certification requirements (ACRs) were initially mostly based on the CSA guidelines which cover the “common ground” violations agreed upon by most anti-malware companies. A good example is ACR-048 ‘deceptor’ requirement which is identical to the CSA’s guideline “Products must not hide and/or limit the user’s ability to close, delete, disable or uninstall the program”. Over time, AppEsteem’s new certification requirements moved from covering the mutual consensus, to include more requirements which are not in consensus. This is evident by the fact that not all anti-malware companies enforce all requirements.

Our response: Our goal with new Deceptor-level ACRs is to ensure that at least 60% of consumer PCs will be protected by an AV that will enforce the ACR. As part of our consensus-building process with the AVs, we hold regular meetings with them, gathering their feedback on precise wording for the ACRs that either they or we have proposed.
We think this is an oblique reference to the "bundling" ACRs (ACR-013 and ACR-060). It is true that several AVs do not enforce these (they use bundlers themselves to distribute), but these bundler-distributing AVs only protect a minority of the total consumer population.
OUR RESOLVE
We want to protect consumers from being deceived by unwanted apps. We believe that if we help clean apps thrive and we call out Deceptors, consumers will be better protected. We realize that our path to success in cleaning up the unwanted software space is to engage deeply with the AVs as they enforce their own policies against UwS.
OUR SUGGESTIONS
We humbly submit the following suggestions:
- CSA: stop being used by Deceptors. Do your job, as your name suggests, and focus on cleaning up the ecosystem instead of attacking those who should be your allies in the fight against unwanted software.
- Rise: start complying with ACR-013, and do your part to clean up the bundling mess you are making. It's silly that you are choosing to attack instead of learning better ways to respect consumers.
- AVs: thank you for the past eight years of support. Let's keep working together to fight against unwanted software! And if you're still using Rise to distribute, may we suggest that you find a better, cleaner alternative. Or get them to change to be better: your distribution spend on them makes up most of their income anyway... you have the power!
- Certified Apps: you guys set a great example of how clean software vendors can thrive. We'll keep calling out Deceptors who are cheating consumers and hurting your reputation.
- Reporters/Press: please check out the full story. We're happy to address other questions. And we have lots of data to share with you if you're interested in seeing how we drive consensus with the AVs and the software vendors, how bundlers like Rise are cheating consumers, the email chain we had with Rise/CSA regarding the bundler ACRs, and how we work with orgs like AMTSO and CleanApps.org.
- Publishers using the Rise offer network: Your use of a Deceptor bundler is telling your customers that you aren't respecting them. Please use your power to drive Rise to change, or find a better, more respectful offer network to monetize through.