AppEsteem Blog

Announcing the first set of Certified Deceptor Fighters

Dennis Batchelder and Hong Jia

We've completed the first two months of testing how well various antivirus products handle consumer-focused Unwanted Software (UwS) and Potentially Unwanted Applications (PUA), and we're pleased to announce that seven AV products are now Certified Deceptor Fighters:

  • Norton Security Standard
  • Avira Internet Security
  • K7 Total Security
  • Panda Dome
  • AVG Internet Security
  • Avast Internet Security
  • Kaspersky Internet Security

Our test report can be found here. We followed AMTSO's Testing Standard v1.1, and you can see our compliance information here. We invite you to read it and use its interactive capabilities to explore more about how AV performed. We'll be updating this report as we process each month's results.

We're proud that many AVs have embraced the urgency to address UwS and PUA, and are working with us to identify, call out, and block deceptive apps, as well as to define the requirements that clean apps must meet to run undetected. We believe that when AV vendors work together to tackle problems, it's bad news for deceptive apps, and great news for clean app vendors.

About working together: last November we gave a talk at AVAR with a provocative hypothesis: when AVs don't cooperate, cybercrime increases. Our presentation demonstrates what happens with and without a coordinated effort by AVs.

Congratulations to the AVs who got certified!

Deprecating our Deceptor notification program

Our active Deceptor list works; apps and services that get listed either clean up or stop distributing. That's great for consumers, but we've seen that this process can be painful for vendors.

Back in the fall of 2017 we got a few requests for a way to provide vendors with Deceptor notifications. The idea was that there were many vendors who didn't want to be our customers, but who were happy to register with us so we could notify them first if we found their apps or services were deceptive.

We thought this was a great idea. Our goal was to find the fastest path to keep consumers safe from deceptive behaviors, and if there were vendors who said an early "heads-up" would speed up their fixing the violations, we'd be happy to give it to them. So last October we announced our free Deceptor notification program.

Unfortunately, over the past year we found that when we notified vendors about their apps' and services' Deceptor-level violations, only vendors who were our certification customers worked quickly to get the issues resolved. Other vendors, if they fixed at all, did so at a significantly slower pace. We don't know why this happened, but we do know this outcome isn't good for consumers.

And because we've determined that it's not in the best interests of consumers, we're deprecating our Deceptor notification program as of December 31. We'll continue to work with our certification customers to clean up their apps and services, but starting in January next year, we will only pre-notify other vendors when we're pretty sure that doing so will protect consumers faster.

Please note that this doesn't change how we work with apps and services that are listed as active Deceptors; we'll continue to help vendors at no charge to get their apps and services off the active Deceptor list.

You can find more information about our notification policies, as well as how to clean up active Deceptors, on our Deceptor FAQ.

Our new pay-as-you-go pricing option

We're announcing today that we've added a new pay-as-you-go pricing option for apps that want to get reviewed and certified, but would rather not commit to our subscription model.

The pay-as-you-go pricing replaces our promotional free certification program, which we ran for a year with great success.

And while we're excited about this new pricing option, we believe that your best value remains our premium subscription, because it comes with unlimited compliance consulting for your app, a CleanApps.org membership, and access to our Insiders calls. But we recognize that some customers with more mature or less-frequently-changing apps would be better served if they could pay for reviews on an ad-hoc basis.

And even with our free certifications going away, we still evaluate and remove Deceptors for free, and we offer a free Deceptor notification service for apps and sites that want a heads-up if we find them violating our Deceptor-level requirements.

Thanks for all of your support for AppEsteem's certification program! Please let us know if you have any questions: just drop an email to [email protected]

Be ready for December 13: remove the urgency from free scans

Last January, Microsoft posted a blog titled Protecting customers from being intimidated into making an unnecessary purchase. The blog announced that effective March 1, they would be tightening up what they considered to be coercive messaging. The two new areas they called out were:

  1. Reporting the results in an exaggerated or alarming manner
  2. Requiring the user to "pay" to fix free scan results

We welcomed these changes, as it demonstrated Microsoft's resolve to go after the app vendors who were taking advantage of consumers to push unnecessary system utilities. But we also recognized that this was a significant change for many system utilities, including those that we had already certified.

Facing this change, we decided that the first step was to see if the anti-malware ecosystem could align on our understanding of Microsoft's principles. We worked with our security partners to come up with wording for a new application certification requirement (ACR-004). We also worked with many affected app vendors, CleanApps.org, compliance partners, and consumer groups to clarify the wording and provide examples of apps that either passed or failed ACR-004.

This took a few months to work through. These kinds of discussions are not easy, especially when the affected parties also include anti-malware vendors. But after all the discussions, we ended up with a requirement that we believe will both help consumers and still allow vendors to continue to demonstrate and monetize the value of their apps.

We set our enforcement date to be December 13, 2018. This means that any apps that do not meet ACR-004 by December 13, including new versions of apps that we have previously certified, may be added to our active Deceptor list.

ACR-004 states: When showing free scan results with the intent to monetize, results are substantiated and avoid any exaggerated sense of urgency, and app provides free fixes for all free scan results shown when the fix is not anticipated to be permanent or the fix offered is an ongoing service.

So what does this mean? If you're using free system utility scan results to monetize your solution, keep the following points in mind:

  • Make sure your free scan results are truthful, detailed, and can be substantiated.
  • Don't map free scan results to graphs, gauges, meters, or other ways to "measure" how important they are.
  • Unless you're reporting on immediate threats to the system or consumer (a good example of this is active malware), don't use differentiating colors to highlight your free scan results.
  • Unless you're providing a one-time permanent fix that's not an ongoing subscription, let the consumer "try" your solution by fixing all the results you show for free.
  • If you're fixing free scan results for free as part of a "trial", don't pre-collect payment details or ask the consumer to perform any other tasks beyond providing their email.

You can read more details and see both good and bad examples for ACR-004 on our requirements checklist. We're happy to help vendors understand ACR-004, and we offer both free and paid services to help companies comply.

Adjusting our Ad Injector/Blocker Requirements

Over the past few months, new standards for ads have been released by both BetterAds.org and the IAB. We think that these are in response to the proliferation of more and more ad blockers; the ad industry has started taking responsibility for the quality of online ads.

And while we feel that this is great news for consumers, we also realized that it was time to update our own certification requirements for apps that inject or block ads. So we spent the past few months working with our customers, some of the larger ad injector vendors, compliance partners, various security and platform companies, and CleanApps.org.

This work drove significant changes: not only did we adjust the requirements, but some of the requirements were promoted to Deceptor-level. Starting in October, we'll be reviewing and calling out bad ad injectors and blockers and adding them to our active Deceptor list.

You can find a summary of the changes in the following ad injector requirement updates document. Please feel free to use this to understand the context behind the changes. Also, all the changes are live in our online requirements checklist.

Supply Chain Accountability

We've been certifying apps for almost two years now, and we feel pretty good about the progress we've made: our security partners agree with our requirements and trust our certifications, and our customers (the app vendors) understand what they need to do to meet the requirements.

But we have found an issue that we need to address: bad supply chains can hurt consumers, and we need more help from app vendors to avoid using them as they build, advertise, distribute, and monetize their apps.

Here are just a few examples of where an app vendor can inadvertently hurt consumers by using a bad supply chain partner:

  • When an affiliate partner uses deceptive advertising and fear tactics to scare consumers into installing the app
  • When a call center over-sells their services to consumers during an activation or customer support call
  • When an ad network hijacks ad space or places misleading or inappropriate ads in the app, downgrading the consumers' online experience and exposing them to additional risks
  • When a bundler or download manager uses deceptive means to install additional apps on the consumer's machine
  • When the payment processor doesn't get consent to include additional apps and services into a consumer's online shopping cart

We don't want clean apps' supply chain partners to mistreat consumers. Starting in September, we're adjusting our policy to hold apps accountable for the misbehavior of their supply chain partners.

Here's the updated policy: If we find that a supply chain partner violates our Deceptor-level requirements in its business related to an app, we'll consider both the supply chain partner and the app as Deceptors, and we'll follow our existing policies for how we notify them or list them immediately on our active Deceptor page.

If you're an app vendor: we suggest that you use supply chain partners who are part of our Better World Network and encourage non-member partners to join. If you're a supply chain provider, consider joining the Better World Network or registering your service with us for Deceptor notifications.

We're hoping that by enlisting app vendors in this effort, together we'll be able to influence bad supply chain partners to clean up their acts and stop mistreating consumers.

Build, Measure, Learn, Improve (our Deceptor Program)

(Dennis Batchelder and Hong Jia)

Today we were at Google’s Mountain View campus attending the Clean Software Summit, and Dennis presented the results of a study we conducted on our Deceptor program. By analyzing the data from the past year, we had four important findings:

  1. The AVs are doing a great job detecting the active Deceptors on our list, which in turn protects consumers.
  2. Merely informing apps when they violate Deceptor requirements is not effective at protecting consumers.
  3. A low percentage of active Deceptors (less than 8%) eventually become paying customers.
  4. We’ve identified additional ways we can make our operations transparent with the app vendor community.

You can find more details in our presentation – we hope you find the data and findings as fascinating as we did!

Note that in the deck, we also announced we’re taking four immediate actions:

  • Formalize AV Relationship: To showcase AV effectiveness even more, we’re going to align with the AV-driven initiative to formally ratify our Deceptor and Certification requirements. We believe this will make the Deceptor program even more effective at protecting consumers, and at the same time reduce the false positive detections of certified apps
  • Require Registration: Because of the proven ineffectiveness of merely informing apps of their violations, we will provide notifications to apps that violate our Deceptor requirements only if those apps have previously registered for notifications with us
  • Increase Transparency: To give app vendors assurance that we operate fairly, we’re providing insight and input to CleanApps.org, an app vendor-based non-profit organization
  • Provide Opportunities: We’re actively seeking monetization opportunities that certified apps can benefit from. A great example is BlackSwan’s EverCore program, which manages its risk by requiring all offers, carriers, and call centers to be certified by us

Finally, we gave a heads-up about a big upcoming Deceptor campaign; if you're an app vendor, it's worth checking this out.

Just a reminder: it’s free to register with us, and free to get your app certified. You can sign up at https://appesteem.com, or email us at [email protected]

Here's a pic from my presentation...

Deceptors wish we’d stop calling them out

Today CSA released a document containing a collection of vendor opinions about our Deceptor program. It seems several vendors took the time to add their thoughts, and we believe their views will be helpful as we keep improving our efforts to prevent consumers from getting infected by deceptive, harmful, and unwanted software.

Our take: we’re encouraged by the apparent effectiveness of our Deceptor program. The document is a great example of how the software monetization industry has been impacted by our work, and that there is now a strong sense of urgency in the industry to clean up. We understand that the process is disruptive, but we believe this approach results in better-protected and better-respected consumers.

Reading CSA’s document got us reflecting on those who have hijacked the software monetization industry and messed it up for the honest vendors. Just like we don’t want them to succeed, it seems these organizations want our Deceptor program to fail. We think this would be a real shame for consumers.

Running this Deceptor program is tough. It’s not easy to strike a balance between disrupting bad actors and encouraging honest vendors. We’ll scour the vendor comments in CSA’s document for new ideas we can use to get it right. We’ll continue to engage with and take input from our security partners, vendors, and consumer representatives. We’ll find ways to get regular input from vendors committed to doing it right. And we’ll try to make every decision based on what is best for consumers, even when these decisions are unpopular with the monetization industry.

While we’re happy that CSA’s document confirms that the Deceptor program works, we do understand that there are vendors out there who do want to treat consumers with respect, and who are shocked, offended, and even ashamed when they discover their app has landed on our Deceptor list.

If you’re a vendor who’s gotten entangled in an industry that spent the past decade telling you that your primary focus should be performance marketing instead of bringing your unique value to consumers, we want to get you back on track with as little fuss and as much help as possible. We have some great (and mostly free) services for you to consider:

  1. FREE: We’ll answer your questions and help you get your app off our Deceptor list.
  2. FREE: We’ll let you know (with up to 30 days’ notice) about Deceptor violations if you register your app to our Deceptor notification service.
  3. FREE: We’ll certify your app so you can show the world your app is safe and it respects consumers.
  4. PAID: We offer value-added subscription services like unlimited compliance consulting for your app, “insiders” access to requirements changes and industry trends, embedded electronic seals for your certified app, and assistance figuring out what to do when our security partners flag your certified app.

But we also want to be clear: if you think it’s fine to treat consumers as exploitable targets for deceptive and aggressive software, we totally understand your desire for us to leave you alone. We strongly suggest you either get on board or find something else to do with your time, as we’re going to continue to tune our Deceptor program to find even more effective ways to disrupt your ability to hurt consumers.

Good guys and bad guys, but don't forget it's our birthday

Today is AppEsteem’s second birthday. To celebrate, I spent yesterday afternoon on the witness stand in a federal courtroom in Austin, Texas, advocating for one of our customers. I explained to the judge that we work so hard to punish bad guys and reward good guys because we’re convinced this is the only way consumers can be protected from unwanted software.

I told the judge that there are plenty of bad guys building unwanted software in the software monetization space. He could look at our Deceptor list and find many examples of apps and bundlers cheating, tricking, and unpleasantly surprising consumers in their quest to gain market share. 

But I also told him that the good guys aren't just the AVs; good guys are also building apps, and not everybody on our Deceptor list remains a bad guy. Some companies, when we point out their mistakes, fix their app’s issues and ask us to remove it from our list. Some of these companies take another courageous step and choose to certify their apps, showing the world that they are committed to building apps that respect consumers, and that they are good guys.

I explained that we love it when companies reach this level of commitment, and we work hard to help their certified apps thrive. Because this is our grand experiment: if we can identify the clean apps made by the good guys, our security partners can fight that much better against the bad guys, and we’ll end up in a better world where consumers don’t have to worry that the apps they install will hurt, trick, or cheat them.

We don’t yet know how the judge will rule. I hope he can find a way to help certified apps thrive without weakening the regulations that allow security companies to protect consumers.

Today I’m back in the office, and I’m reflecting on the last two years. We have over sixty apps that have made it through what can be a grueling certification process, and we have at least that many more in our certification pipeline. We’ve called out almost four hundred Deceptor apps and services, and we’ve been thrilled that this approach has been super-effective at driving change in both the vendors and the AVs. We’ve adjusted our business model, and last month we got the best second birthday present we could have imagined: our monthly billings exceeded our monthly expenses, and we reached break-even.

It hasn’t been easy, though. Getting the software monetization industry to try a new approach has sometimes felt impossible. Even two years later, we still are dealing with trust issues with a couple of the AVs. We haven’t figured out a productive relationship with the Clean Software Alliance. Some app companies remain on the sidelines, wondering if we’re going to survive. We’re still struggling to raise urgency with the browsers and search platforms so they’ll take action against Deceptor browser extensions, and we haven’t yet solved how we’re going to be able to drive change against Deceptor affiliate networks.

But now we’ve proven our business is viable, we know every challenge is surmountable. Our cause is righteous, and it’s also desperately needed. Consumer-hurting apps must disappear, and the bad guys who make and distribute them need to either change their ways or find a different line of work. 

If you’re still sitting on the sidelines, come and join us! It’s time to show the world that you’re committed to consumer protection and clean apps. Just like yesterday when we supported a good guy’s certified app in court, we’ll work as hard as we can to help certified apps thrive. We’ve proven that we won’t crumble under the pressure, and we promise that we won’t relent in our fight to protect consumers by stopping the bad guys and driving better behavior.

How we'll stop bad bundlers from tricking you

(see updates at the end)

You searched for an app, you downloaded it, and then you scrutinized the prompts to be sure that you installed only the app and the additional offers you wanted. And still you were unpleasantly surprised with what happened to your PC: your search engine changed to one that's filled with ads. You have new browser extensions, and apps that seem to bug you or scare you into upgrading to a paid version.

Bad news: you got tricked by an unethical software bundler. And you're not alone. We also get tricked.

We want this to stop, so we're going to do something about it. The antivirus companies too: we worked together to identify some of the worst bundler behaviors that we all think should be stopped so we can better protect you, the consumer. We agreed to start acting against the violating bundlers: we'll get them added to our Deceptor list and feeds. Once the antivirus companies verify, they'll detect, block, and prevent these unethical bundlers from running on your PC.

Here are some examples of the kinds of bad bundler behaviors we're going to focus on fixing:

  1. Download managers that don't make it clear to you that they're not the app you were trying to get, but a wrapper that's going to offer you additional apps.
  2. Offers that don't make it clear to you that they're offers, or try to make you think that they're part of the app you wanted, or act like they're specifically recommended.
  3. Unclear and inconsistent ways for you to accept, skip, or decline offers and each component in the offers.
  4. Bundlers and download managers that don't stop when you ask them to, leave remnants on your desktop, or don't uninstall their offers when you cancel installing the app you wanted.
  5. Bundlers that ignore you when you say "no".

The complete list of Deceptor behaviors, as well as examples and prescriptive guidance on how to avoid violating them, can be found on our Requirements Page.

Over the past few weeks we've been notifying as many bundlers as we can to prepare them for this change and to answer the questions they have. We have free programs available: bundlers can register with us for notification of Deceptor violations, and they can also get free certification from us.

We're encouraged with the changes that some bundlers and download managers are already making, and we're hoping that come April, there won't be many bad actors for us to call out, because they've already decided that cleaning up and not tricking you is the right thing to do.

(updates follow)

1 March 2018: This is the press release regarding our program.

8 March 2018: This is the deck we presented in our open industry call.