AppEsteem Blog

Learn more about what's happening at AppEsteem

Not yours! Consumer-linkable information belongs to the consumer.

Imagine you walk into my bookshop. As you peruse my books, I take note of where you pause and what you pick up. I ask you questions about what you're looking for, and I make suggestions. I'm hoping that the more I get to know you, the better I can serve you, and the better chance that you'll become a regular.

My imaginary bookshop is small, and my landlord offered me a free security system. It uses video cameras focused on my aisles, and it sends the video feed to the cloud, alerting me when it thinks somebody steals a book.

Now imagine that once you leave my bookshop, I take what I learn about you and turn that into extra money for me: I sell your wish list to others, and I get advertisers to pay me to target you based on your book interests. Also, that free security system lets my landlord do the same, based on what else it learned about you while analyzing the security tapes.

My imaginary bookshop sounds both big brother-ish and unfair to my customers. Fortunately, it would be hard for me to run this kind of bookshop, because I'd have to put a big notice on my door that says something like this, "Attention: your entry into this bookshop is your consent to being tracked and targeted for future advertising, both by me and by my landlord, who in return has provided us a free security system. Scan here to see the full privacy policy."

My guess is that if I put that kind of disclosure on my imaginary bookshop, I wouldn't get many customers coming through my door. My bookshop would be rather empty, because although customers are happy if I use data linked to them to give them a better shopping experience, they would not be happy if I was using their information to monetize or trade or sell. The reason? Because any consumer-linkable information I collect belongs to the consumer, not to me.

This makes sense in the physical world, but somehow the Internet doesn't work this way. It should, but we're not there yet.

Somehow the Internet has convinced us that the price of better searches and entertainment only comes when others are allowed to trade, sell, or monetize the information that can be linked back to us. That's not fair, because your non-public information belongs to you, and, except for well-regulated and limited scenarios, nobody else should have the right to sell it, or use it to make money, or permit others to gather it from you.

In what kinds of scenarios can making a business out of consumer-linkable information be acceptable? Two examples come to mind: medical information and credit scores. Unlike the Internet, both medical information and credit scores involve well-regulated industries that have been built up around controlling how this information is protected, limited in its usage, and used appropriately. Strong consumer-focused laws make it clear that you own your data, and they provide protection against misuse. Your consent must be obtained, and only for specific use cases. We think these examples provide good models for how consumer-linkable information collected on the Internet should be handled.

Just because a company knows something personal about you doesn't mean it has the right to sell that information, use it to make money from others, or trade it to somebody else. Nor does it have the right to let others collect more linkable information about you. If a company does any of this, especially online while you visit its websites or use its apps, that company is a polluter, and it should be stopped.

Here are just a few examples of how a website or app can pollute your internet experience and take advantage of your linkable information:

  • Google and Bing give you free searches in exchange for learning what you search for and click on, then use your information to charge advertisers to target you while you search.
  • Taboola and Outbrain pay more ad revenue to news websites that let them track and target you based on what they learn about your interests.
  • Google gives tens of millions of websites free analytics in exchange for collecting data on what you do on those websites.
  • Meta, Google, Microsoft, Yahoo, and so many other ad networks have huge businesses based on them selling advertisers access to your information so you can be better targeted.

All of the above examples are unacceptable, because they're all trading in something that doesn't belong to them: information linkable back to you. Only polluters aggregate other people's linkable information and try to turn it into money. Only polluters claim that you gave them consent to resell and repackage and build businesses around your linkable information.

Meanwhile, the privacy debate swirling around various governments seems to be focused on how consumers can request to see what linkable information companies are exploiting, and whether they can request to be forgotten. There is talk about "do not sell" flags in browsers that websites and ad networks can voluntarily consume, but without any teeth behind them. We think these initiatives are missing the basic point: no company should consider consumer-linkable information theirs to resell, to trade, or to monetize outside of providing better and relevant first-party experiences directly back to the consumer.

The BigTech companies who grow their businesses by exploiting consumer-linkable information have been successful in fending off regulation of how they purchase, aggregate, use, and monetize this information. This needs to change.

This is why we've added two new polluter indicators, focused on consumer-linkable information, to our list. AP-10 says companies can collect and use consumer-linkable information to improve their direct services, but they can't use it to sell, monetize, or improve third-party services. AP-11 says you can't let others collect consumer-linkable information on your site or in your apps.

It's time to call out this exploitative behavior for what it is: internet pollution. It's time for it to stop.

 

Why Should You Have an Ad-Blocker?

Unfortunately, browsing the web can be dangerous due to the many potential threats lurking in cyberspace. Hackers and scammers steal personal information like passwords and bank accounts, and they infect your devices with malware and unwanted software. Many websites contain inappropriate content that can be accessed by minors, exposing them to explicit material that may lead them to interact with online predators.

But outside of the obvious threats that you may already be aware of, new threats have emerged from the countless advertisements we face online.

What is Ad-Pollution?

Ad pollution is how we refer to the unfair digital advertisements that bombard us while we're online. This occurs on websites, social media platforms, and other digital outlets. 

In best-case scenarios, ad pollution disrupts your overall media consumption experience with slower loading times and clogged-up feeds.

In worst-case scenarios, ad pollution delivers you into the hands of opportunistic cybercriminals by impersonating brands and directing users to malicious sites that host ransomware or steal your login credentials and other sensitive financial information. This technique is referred to as malvertising.

The Rise of Malvertising on Major Search Engines 

Malvertising attackers buy ads on legitimate search engines and advertising networks on popular websites, including video streaming sites, news sites, blogs, and more. The ads lure you to download unwanted software, or to run malicious code.

Malvertising campaigns are designed to be hard to detect and often use the latest technology in order to stay ahead of security measures. By reaching web pages through native ads and tricking you into believing that they’re just other content on the page that is safe to click, criminals can steal your personal information such as credit card details or login credentials. They may also redirect users to phishing websites or install malicious software onto a user's computer without the user realizing.

For this reason, it's important for you to be aware of the risks associated with malvertising and take steps to protect yourself. The easiest way to protect yourself from the dangers associated with malvertising and the annoyances associated with ad pollution is to install a reputable ad-blocking app. 

What is an Ad-Blocker? 

Ad-blocking software is designed to block ads, especially ad pollution, from appearing on websites. It works by detecting and preventing the loading of online advertisements, including those in pop-up windows, banner ads, streaming audio or video ads, auto play video ads, and more.

Ad-blocking technology can be found as an add-on or extension for popular web browsers like Chrome, Edge, and Firefox. It also exists as a standalone application that works with any browser. By blocking these intrusive advertisements, users are able to browse the internet without being inundated with unwanted content. 

Additionally, ad-blocking technology can help protect user privacy while browsing online by blocking third party cookies or tracking scripts used by advertisers to track user activity across different sites. Overall, ad-blocking software is a great way for users to reclaim control over their online experience.

The FBI Recommends the use of Ad-Blocking Software 

For most of the same reasons listed above, last fall the FBI formally recommended the use of Ad Blocking software to protect internet users from malicious online advertisements, particularly the kind which can be used to spread malware and viruses that can damage your computer or steal personal information.

The FBI's public service announcement, titled “Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users,” recommended that individuals, “Use an ad blocking extension when performing internet searches. Most internet browsers allow a user to add extensions, including extensions that block advertisements. These ad blockers can be turned on and off within a browser to permit advertisements on certain websites while blocking advertisements on others.”

By blocking ads, users are also protecting themselves from data mining practices by companies who use online ads to track user behavior in order to target advertising more effectively. Earlier this year, social media giant Meta (Facebook, WhatsApp, Instagram, Messenger) was fined 390 million Euro for violating the General Data Protection Regulation (GDPR).

In that case, the courts said that Meta failed to protect user privacy and collected large amounts of personal data without obtaining permission from their customers. This allowed them to gain access to sensitive information such as age, gender, and political views that would be difficult for any other company to acquire through traditional methods. And it made it easier for attackers to trick you with their malvertising.

Ad-Blocking software provides a layer of protection against these threats and helps you maintain your privacy while browsing the internet. With online scams netting cybercriminals billions of dollars yearly, it is important for you to take steps towards safeguarding your information when surfing the web, and Ad Blocking software is one of the easiest and most effective ways to do this.

 

Why Certified apps sometimes get detected

Antimalware products detect vendor-developed applications for a variety of reasons, usually revolving around their belief that the app is cheating, scaring, or tricking the consumer.

We offer vendor-developed apps a certification service so that a vendor can develop a consumer-respecting app, knowing they won’t be surprised by a detection. Our certification service verifies the app’s behavior, as well as the behavior of its ads, how it distributes, and its purchase, support, and call center methods. We offer a comprehensive, evolving checklist of Application Certification Requirements to help our customers stay compliant. These requirements have been thoroughly vetted over the past six years with many security companies.

Each security company releasing antimalware products maintains its own criteria for detecting vendor-developed applications. Usually these criteria align with our requirements, but sometimes we have differences. We strive to understand these differences by working with the security companies, so we can tell vendors how to ensure their apps remain consumer-respecting and not detected.

One way we try to keep in sync with the security companies is by running tests. Every month we produce an Unwanted Software Handling Certification Test (we call it the DeceptorFighters Test for short) Report. In this test, we measure how well various antimalware products can block and allow vendor-developed applications.

To pass the test, an antimalware product needs to get a 95% score on blocking Deceptors and allowing Certified apps. We provide free feeds of all the apps in the test, and we allow the antimalware products to dispute our scores by telling us why their policies led them to allow the Deceptor app to run, or to block the Certified app.

We’ve been running this test for over three years, and we’ve figured out that the security companies behind the antimalware products we test are at various maturity levels for how they handle Unwanted Software (UwS) and Potentially Unwanted Apps (PUA).

Below we’ve mapped these maturity levels, from most to least mature, into the reasons why an antimalware product may detect a certified app.

DeceptorFighter antimalware products: they generally provide vendors and us with the actionable reasons why they detect Certified apps. They usually have well-published and well-understood policies for vendor-developed apps. They have a large enough staff handling vendor-developed apps to keep up with incoming disputes.

Contender antimalware products: we’ve seen they are actively working to distinguish between wanted and unwanted software. They have researchers dedicated to analyzing vendor-developed applications, and they publish their criteria. They can usually explain why they detect a Certified app, and they generally respond to our queries. We believe the security companies behind them are working on getting more mature in this area, and their antimalware products will soon be DeceptorFighters.

Potentially Unfair Blocking antimalware products: we notice that they claim to be great at detecting UwS and PUA, but either they haven’t established public criteria for doing so, or they don’t have an efficient way for vendors to dispute these detections. Most of the security companies behind these products don’t communicate well with us, either, leaving vendors in the dark as to why they’re being detected. These security companies may be rewarded for their unfair detections by falsely claiming protection, driving up their own conversions to paid products.

Significant Effort Required antimalware products: we believe that the main reason these security companies detect Certified apps is because they don’t put any focus onto UwS or PUA. They may be great at detecting malware and ransomware, but their ability to focus on vendor-developed applications is either unfunded or immature.

To think about why a Certified app is detected by an antimalware company, just map the security company into its corresponding maturity category:

  • First, it may be that a DeceptorFighter level antimalware product has provided the app its actionable reasons for detection, and the app has decided to not implement the fixes. Note that vendors of Certified apps have committed to fix issues as they are reported by antimalware companies, so if an app is being detected for this reason, the detection usually only lasts a few days.
  • Second, it could be that a Contender level antimalware product is still evaluating the app, and it will take some time (up to a few weeks) for them to clear it before they stop detecting it.
  • Third, a Potentially Unfair Blocking level antimalware product may be monetizing its detection, or they may have made a conscious decision to ignore disputes from vendors. Note that most of these vendors are small, with limited consumer market share.
  • Fourth, a Significant Effort Required antimalware product might have automation-level detection, with nobody monitoring the results.

We suggest that our customers focus on ensuring their Certified apps have no detections by DeceptorFighters and Contenders, because these security companies are mature enough to not only have well-understood policies, but also to have the staff in place to handle vendor disputes. Fortunately, the antimalware companies in these two categories make up the vast majority of the consumer market share.

Here’s a list of antimalware products that remained either DeceptorFighters or Contenders for the entirety of last year (see the 2021 report here):

Meanwhile, we continue to try to work with all security companies. Our Deceptor and Certified feeds, as well as our ACRs, are available free of charge for security companies to use as they work to increase their own maturity levels in how they handle vendor-developed apps.

 

Deceptors wish we’d stop calling them out

Today CSA released a document containing a collection of vendor opinions about our Deceptor program. It seems several vendors took the time to add their thoughts, and we believe their views will be helpful as we keep improving our efforts to prevent consumers from getting infected by deceptive, harmful, and unwanted software.

Our take: we’re encouraged by the apparent effectiveness of our Deceptor program. The document is a great example of how the software monetization industry has been impacted by our work, and that there is now a strong sense of urgency in the industry to clean up. We understand that the process is disruptive, but we believe this approach results in better-protected and better-respected consumers.

Reading CSA’s document got us reflecting on those who have hijacked the software monetization industry and messed it up for the honest vendors. Just like we don’t want them to succeed, it seems these organizations want our Deceptor program to fail. We think this would be a real shame for consumers.

Running this Deceptor program is tough. It’s not easy to strike a balance between disrupting bad actors and encouraging honest vendors. We’ll scour the vendor comments in CSA’s document for new ideas we can use to get it right. We’ll continue to engage with and take input from our security partners, vendors, and consumer representatives. We’ll find ways to get regular input from vendors committed to doing it right. And we’ll try to make every decision based on what is best for consumers, even when these decisions are unpopular with the monetization industry.

While we’re happy that CSA’s document confirms that the Deceptor program works, we do understand that there are vendors out there who do want to treat consumers with respect, and who are shocked, offended, and even ashamed when they discover their app has landed on our Deceptor list.

If you’re a vendor who’s gotten entangled in an industry that spent the past decade telling you that your primary focus should be performance marketing instead of bringing your unique value to consumers, we want to get you back on track with as little fuss and as much help as possible. We have some great (and mostly free) services for you to consider:

  1. FREE: We’ll answer your questions and help you get your app off our Deceptor list.
  2. FREE: We’ll let you know (with up to 30 days’ notice) about Deceptor violations if you register your app to our Deceptor notification service.
  3. FREE: We’ll certify your app so you can show the world your app is safe and it respects consumers.
  4. PAID: We offer value-added subscription services like unlimited compliance consulting for your app, “insiders” access to requirements changes and industry trends, embedded electronic seals for your certified app, and assistance figuring out what to do when our security partners flag your certified app.

But we also want to be clear: if you think it’s fine to treat consumers as exploitable targets for deceptive and aggressive software, we totally understand your desire for us to leave you alone. We strongly suggest you either get on board or find something else to do with your time, as we’re going to continue to tune our Deceptor program to find even more effective ways to disrupt your ability to hurt consumers.

Good guys and bad guys, but don't forget it's our birthday

Today is AppEsteem’s second birthday. To celebrate, I spent yesterday afternoon on the witness stand in a federal courtroom in Austin, Texas, advocating for one of our customers. I explained to the judge that we work so hard to punish bad guys and reward good guys because we’re convinced this is the only way consumers can be protected from unwanted software.

I told the judge that there are plenty of bad guys building unwanted software in the software monetization space. He could look at our Deceptor list and find many examples of apps and bundlers cheating, tricking, and unpleasantly surprising consumers in their quest to gain market share. 

But I also told him that the good guys aren't just the AVs; good guys are also building apps, and not everybody on our Deceptor list remains a bad guy. Some companies, when we point out their mistakes, fix their app’s issues and ask us to remove it from our list. Some of these companies take another courageous step and choose to certify their apps, showing the world that they are committed to building apps that respect consumers, and that they are good guys.

I explained that we love it when companies reach this level of commitment, and we work hard to help their certified apps thrive. Because this is our grand experiment: if we can identify the clean apps made by the good guys, our security partners can fight that much better against the bad guys, and we’ll end up in a better world where consumers don’t have to worry that the apps they install will hurt, trick, or cheat them.

We don’t yet know how the judge will rule. I hope he can find a way to help certified apps thrive without weakening the regulations that allow security companies to protect consumers.

Today I’m back in the office, and I’m reflecting on the last two years. We have over sixty apps that have made it through what can be a grueling certification process, and we have at least that many more in our certification pipeline. We’ve called out almost four hundred Deceptor apps and services, and we’ve been thrilled that this approach has been super-effective at driving change in both the vendors and the AVs. We’ve adjusted our business model, and last month we got the best second birthday present we could have imagined: our monthly billings exceeded our monthly expenses, and we reached break-even.

It hasn’t been easy, though. Getting the software monetization industry to try a new approach has sometimes felt impossible. Even two years later, we still are dealing with trust issues with a couple of the AVs. We haven’t figured out a productive relationship with the Clean Software Alliance. Some app companies remain on the sidelines, wondering if we’re going to survive. We’re still struggling to raise urgency with the browsers and search platforms so they’ll take action against Deceptor browser extensions, and we haven’t yet solved how we’re going to be able to drive change against Deceptor affiliate networks.

But now we’ve proven our business is viable, we know every challenge is surmountable. Our cause is righteous, and it’s also desperately needed. Consumer-hurting apps must disappear, and the bad guys who make and distribute them need to either change their ways or find a different line of work. 

If you’re still sitting on the sidelines, come and join us! It’s time to show the world that you’re committed to consumer protection and clean apps. Just like yesterday when we supported a good guy’s certified app in court, we’ll work as hard as we can to help certified apps thrive. We’ve proven that we won’t crumble under the pressure, and we promise that we won’t relent in our fight to protect consumers by stopping the bad guys and driving better behavior.

Nice confirmation of our plans... thanks Fortune, Google, and NYU!

Fortune published an article last week titled This Software Is So Sleazy, Google Calls It Ooze.  It refers to this blog entry by Google, which summarizes the results of a study by Google and NYU researchers that lays out some of the worst parts of the software monetization industry.

The article tells how consumers end up being deceived and bamboozled into downloading software they don’t want or need. It describes how the current system of incentives is encouraging bad behavior, rewarding fraudsters, and harming consumers. And it notes the need for solutions.  “One of the primary outcomes of this research is, we hope, to raise awareness from the research community at large,” says a Google researcher, “and to focus more on techniques to help protect users.”

We at AppEsteem couldn’t agree more.  Our entire business is dedicated to offering a solution to all this “ooze” -- one that will help the industry get clean and thrive, so consumers can live in a world where they no longer need to fear installing or using apps.

Check out our plan to find out more!