AppEsteem Blog

Be ready for December 13: remove the urgency from free scans

Last January, Microsoft posted a blog titled Protecting customers from being intimidated into making an unnecessary purchase. The blog announced that effective March 1, they would be tightening up what they considered to be coercive messaging. The two new areas they called out were:

  1. Reporting the results in an exaggerated or alarming manner
  2. Requiring the user to "pay" to fix free scan results

We welcomed these changes, as it demonstrated Microsoft's resolve to go after the app vendors who were taking advantage of consumers to push unnecessary system utilities. But we also recognized that this was a significant change for many system utilities, including those that we had already certified.

Facing this change, we decided that the first step was to see if the anti-malware ecosystem could align on our understanding of Microsoft's principles. We worked with our security partners to come up with wording for a new application certification requirement (ACR-004). We also worked with many affected app vendors, CleanApps.org, compliance partners, and consumer groups to clarify the wording and provide examples of apps that either passed or failed ACR-004.

This took a few months to work through. These kinds of discussions are not easy, especially when the affected parties also include anti-malware vendors. But after all the discussions, we ended up with a requirement that we believe will both help consumers and still allow vendors to continue to demonstrate and monetize the value of their apps.

We set our enforcement date to be December 13, 2018. This means that any apps that do not meet ACR-004 by December 13, including new versions of apps that we have previously certified, may be added to our active Deceptor list.

ACR-004 states: When showing free scan results with the intent to monetize, results are substantiated and avoid any exaggerated sense of urgency, and app provides free fixes for all free scan results shown when the fix is not anticipated to be permanent or the fix offered is an ongoing service.

So what does this mean? If you're using free system utility scan results to monetize your solution, keep the following points in mind:

  • Make sure your free scan results are truthful, detailed, and can be substantiated.
  • Don't map free scan results to graphs, gauges, meters, or other ways to "measure" how important they are.
  • Unless you're reporting on immediate threats to the system or consumer (a good example of this is active malware), don't use differentiating colors to highlight your free scan results.
  • Unless you're providing a one-time permanent fix that's not an ongoing subscription, let the consumer "try" your solution by fixing all the results you show for free.
  • If you're fixing free scan results for free as part of a "trial", don't pre-collect payment details or ask the consumer to perform any other tasks beyond providing their email.

You can read more details and see both good and bad examples for ACR-004 on our requirements checklist. We're happy to help vendors understand ACR-004, and we offer both free and paid services to help companies comply.


Supply Chain Accountability

We've been certifying apps for almost two years now, and we feel pretty good about the progress we've made: our security partners agree with our requirements and trust our certifications, and our customers (the app vendors) understand what they need to do to meet the requirements.

But we have found an issue that we need to address: bad supply chains can hurt consumers, and we need more help from app vendors to avoid using them as they build, advertise, distribute, and monetize their apps.

Here are just a few examples of where an app vendor can inadvertently hurt consumers by using a bad supply chain partner:

  • When an affiliate partner uses deceptive advertising and fear tactics to scare consumers into installing the app
  • When a call center over-sells their services to consumers during an activation or customer support call
  • When an ad network hijacks ad space or places misleading or inappropriate ads in the app, downgrading the consumers' online experience and exposing them to additional risks
  • When a bundler or download manager uses deceptive means to install additional apps on the consumer's machine
  • When the payment processor doesn't get consent to include additional apps and services into a consumer's online shopping cart

We don't want clean apps' supply chain partners to mistreat consumers. Starting in September, we're adjusting our policy to hold apps accountable for the misbehavior of their supply chain partners.

Here's the updated policy: If we find that a supply chain partner violates our Deceptor-level requirements in its business related to an app, we'll consider both the supply chain partner and the app as Deceptors, and we'll follow our existing policies for how we notify them or list them immediately on our active Deceptor page.

If you're an app vendor: we suggest that you use supply chain partners who are part of our Better World Network and encourage non-member partners to join. If you're a supply chain provider, consider joining the Better World Network or registering your service with us for Deceptor notifications.

We're hoping that by enlisting app vendors in this effort, together we'll be able to influence bad supply chain partners to clean up their acts and stop mistreating consumers.


Build, Measure, Learn, Improve (our Deceptor Program)

(Dennis Batchelder and Hong Jia)

Today we were at Google’s Mountain View campus attending the Clean Software Summit, and Dennis presented the results of a study we conducted on our Deceptor program. By analyzing the data from the past year, we had four important findings:

  1. The AVs are doing a great job detecting the active Deceptors on our list, which in turn protects consumers.
  2. Merely informing apps when they violate Deceptor requirements is not effective at protecting consumers.
  3. A low percentage of active Deceptors (less than 8%) eventually become paying customers.
  4. We’ve identified additional ways we can make our operations transparent with the app vendor community.

You can find more details in our presentation – we hope you find the data and findings as fascinating as we did!

Note that in the deck, we also announced we’re taking four immediate actions:

  • Formalize AV Relationship: To showcase AV effectiveness even more, we’re going to align with the AV-driven initiative to formally ratify our Deceptor and Certification requirements. We believe this will make the Deceptor program even more effective at protecting consumers, and at the same time reduce the false positive detections of certified apps
  • Require Registration: Because of the proven ineffectiveness of merely informing apps of their violations, we will provide notifications to apps that violate our Deceptor requirements only if those apps have previously registered for notifications with us
  • Increase Transparency: To give app vendors assurance that we operate fairly, we’re providing insight and input to CleanApps.org, an app vendor-based non-profit organization
  • Provide Opportunities: We’re actively seeking monetization opportunities that certified apps can benefit from. A great example is BlackSwan’s EverCore program, which manages its risk by requiring all offers, carriers, and call centers to be certified by us

Finally, we gave a heads-up about a big upcoming Deceptor campaign; if you're an app vendor, it's worth checking this out.

Just a reminder: it’s free to register with us, and free to get your app certified. You can sign up at https://appesteem.com, or email us at register@appesteem.com.

Here's a pic from my presentation... 


Deceptors wish we’d stop calling them out

Today CSA released a document containing a collection of vendor opinions about our Deceptor program. It seems several vendors took the time to add their thoughts, and we believe their views will be helpful as we keep improving our efforts to prevent consumers from getting infected by deceptive, harmful, and unwanted software.

Our take: we’re encouraged by the apparent effectiveness of our Deceptor program. The document is a great example of how the software monetization industry has been impacted by our work, and that there is now a strong sense of urgency in the industry to clean up. We understand that the process is disruptive, but we believe this approach results in better-protected and better-respected consumers.

Reading CSA’s document got us reflecting on those who have hijacked the software monetization industry and messed it up for the honest vendors. Just like we don’t want them to succeed, it seems these organizations want our Deceptor program to fail. We think this would be a real shame for consumers.

Running this Deceptor program is tough. It’s not easy to strike a balance between disrupting bad actors and encouraging honest vendors. We’ll scour the vendor comments in CSA’s document for new ideas we can use to get it right. We’ll continue to engage with and take input from our security partners, vendors, and consumer representatives. We’ll find ways to get regular input from vendors committed to doing it right. And we’ll try to make every decision based on what is best for consumers, even when these decisions are unpopular with the monetization industry.

While we’re happy that CSA’s document confirms that the Deceptor program works, we do understand that there are vendors out there who do want to treat consumers with respect, and who are shocked, offended, and even ashamed when they discover their app has landed on our Deceptor list.

If you’re a vendor who’s gotten entangled in an industry that spent the past decade telling you that your primary focus should be performance marketing instead of bringing your unique value to consumers, we want to get you back on track with as little fuss and as much help as possible. We have some great (and mostly free) services for you to consider:

  1. FREE: We’ll answer your questions and help you get your app off our Deceptor list.
  2. FREE: We’ll let you know (with up to 30 days’ notice) about Deceptor violations if you register your app to our Deceptor notification service.
  3. FREE: We’ll certify your app so you can show the world your app is safe and it respects consumers.
  4. PAID: We offer value-added subscription services like unlimited compliance consulting for your app, “insiders” access to requirements changes and industry trends, embedded electronic seals for your certified app, and assistance figuring out what to do when our security partners flag your certified app.

But we also want to be clear: if you think it’s fine to treat consumers as exploitable targets for deceptive and aggressive software, we totally understand your desire for us to leave you alone. We strongly suggest you either get on board or find something else to do with your time, as we’re going to continue to tune our Deceptor program to find even more effective ways to disrupt your ability to hurt consumers.

Good guys and bad guys, but don't forget it's our birthday

Today is AppEsteem’s second birthday. To celebrate, I spent yesterday afternoon on the witness stand in a federal courtroom in Austin, Texas, advocating for one of our customers. I explained to the judge that we work so hard to punish bad guys and reward good guys because we’re convinced this is the only way consumers can be protected from unwanted software.

I told the judge that there are plenty of bad guys building unwanted software in the software monetization space. He could look at our Deceptor list and find many examples of apps and bundlers cheating, tricking, and unpleasantly surprising consumers in their quest to gain market share. 

But I also told him that the good guys aren't just the AVs; good guys are also building apps, and not everybody on our Deceptor list remains a bad guy. Some companies, when we point out their mistakes, fix their app’s issues and ask us to remove it from our list. Some of these companies take another courageous step and choose to certify their apps, showing the world that they are committed to building apps that respect consumers, and that they are good guys.

I explained that we love it when companies reach this level of commitment, and we work hard to help their certified apps thrive. Because this is our grand experiment: if we can identify the clean apps made by the good guys, our security partners can fight that much better against the bad guys, and we’ll end up in a better world where consumers don’t have to worry that the apps they install will hurt, trick, or cheat them.

We don’t yet know how the judge will rule. I hope he can find a way to help certified apps thrive without weakening the regulations that allow security companies to protect consumers.

Today I’m back in the office, and I’m reflecting on the last two years. We have over sixty apps that have made it through what can be a grueling certification process, and we have at least that many more in our certification pipeline. We’ve called out almost four hundred Deceptor apps and services, and we’ve been thrilled that this approach has been super-effective at driving change in both the vendors and the AVs. We’ve adjusted our business model, and last month we got the best second birthday present we could have imagined: our monthly billings exceeded our monthly expenses, and we reached break-even.

It hasn’t been easy, though. Getting the software monetization industry to try a new approach has sometimes felt impossible. Even two years later, we are still dealing with trust issues with a couple of the AVs. We haven’t figured out a productive relationship with the Clean Software Alliance. Some app companies remain on the sidelines, wondering if we’re going to survive. We’re still struggling to raise urgency with the browsers and search platforms so they’ll take action against Deceptor browser extensions, and we haven’t yet solved how we’re going to be able to drive change against Deceptor affiliate networks.

But now that we’ve proven our business is viable, we know every challenge is surmountable. Our cause is righteous, and it’s also desperately needed. Consumer-hurting apps must disappear, and the bad guys who make and distribute them need to either change their ways or find a different line of work.

If you’re still sitting on the sidelines, come and join us! It’s time to show the world that you’re committed to consumer protection and clean apps. Just like yesterday when we supported a good guy’s certified app in court, we’ll work as hard as we can to help certified apps thrive. We’ve proven that we won’t crumble under the pressure, and we promise that we won’t relent in our fight to protect consumers by stopping the bad guys and driving better behavior.

How we'll stop bad bundlers from tricking you

(see updates at the end)

You searched for an app, you downloaded it, and then you scrutinized the prompts to be sure that you installed only the app and the additional offers you wanted. And still you were unpleasantly surprised with what happened to your PC: your search engine changed to one that's filled with ads. You have new browser extensions, and apps that seem to bug you or scare you into upgrading to a paid version.

Bad news: you got tricked by an unethical software bundler. And you're not alone. We also get tricked.

We want this to stop, so we're going to do something about it. The antivirus companies too: we worked together to identify some of the worst bundler behaviors that we all think should be stopped so we can better protect you, the consumer. We agreed to start acting against the violating bundlers: we'll get them added to our Deceptor list and feeds. Once the antivirus companies verify, they'll detect, block, and prevent these unethical bundlers from running on your PC.

Here are some examples of the kinds of bad bundler behaviors we're going to focus on fixing:

  1. Download managers that don't make it clear to you that they're not the app you were trying to get, but a wrapper that's going to offer you additional apps.
  2. Offers that don't make it clear to you that they're offers, or try to make you think that they're part of the app you wanted, or act like they're specifically recommended.
  3. Unclear and inconsistent ways for you to accept, skip, or decline offers and each component in the offers.
  4. Bundlers and download managers that don't stop when you ask them to, leave remnants on your desktop, or don't uninstall their offers when you cancel installing the app you wanted.
  5. Bundlers that ignore you when you say "no".

The complete list of Deceptor behaviors, as well as examples and prescriptive guidance on how to avoid violating them, can be found on our Requirements Page.

Over the past few weeks we've been notifying as many bundlers as we can to prepare them for this change and to answer the questions they have. We have free programs available: bundlers can register with us for notification of Deceptor violations, and they can also get free certification from us.

We're encouraged by the changes that some bundlers and download managers are already making, and we're hoping that come April, there won't be many bad actors for us to call out, because they've already decided that cleaning up and not tricking you is the right thing to do.

(updates follow)

1 March 2018: This is the press release regarding our program.

8 March 2018: This is the deck we presented in our open industry call.

Busting the Barriers to Clean Behavior

(Dennis Batchelder)

(tl;dr: we removed a big barrier to getting certified or requiring certification: the fee. Read on for more...)

Buenos Dias from Madrid, Spain! David, Jaimee, and I attended the Clean Software Alliance Summit, and we spent two days hearing from software monetizers, most of the major AV vendors, Google, and Microsoft about the state of the software monetization industry.

I also gave an update on changes we're making to AppEsteem to help drive faster adoption of clean practices. I've attached the presentation so you can see them for yourselves... we're super excited about these changes, and we think it's going to give many more vendors the incentive they need to get off the sidelines and make a commitment to clean behavior.

Here's the presentation... and just as a teaser to get you to read it, here are some of the cool barrier-busters we announced:

  • Certifications are now free. If you're on a budget, or if you're happy with your compliance team, no worries: we'll evaluate your app at no cost. If it meets our requirements, we'll issue you a certification and inform the security companies that you're compliant. (wow wow wow!)
  • Software vendors who commit to following our requirements can register their apps with us, and we'll provide early notification if we happen to find violations that would land the app on our Deceptor page.
  • We've made it even easier to follow our application certification requirements with a new checklist page that provides prescriptive guidance and shows examples.


Helping China's software monetizers get it right

(Dennis)

As you may have seen on our Deceptor page, we've listed a number of China-based software monetizers who are distributing their apps globally.

We see an opportunity to help China's software monetizers figure out clean ways to distribute their software world-wide. Our goal is that when they want to take their products to a global market, part of their process is to get certified first. This would save them the hassle of going through a Deceptor set of detections and then cleaning up.

Therefore, we announced at the 5th China Cyber Security Conference this week that we'll be publishing our App Certification Requirements in Chinese. We'll also devote some publicity to letting China's software monetizers know that we can help them get their apps right before the launch. We're hoping that by doing this, we'll save consumers (and the software monetizers) a lot of headaches.

I've attached an excerpt of the presentation I gave at the conference. Check out the second to last slide for the Chinese vendor offer.

Here I am with Christine, my translator. Jesse Song, the conference's organizer, realized that we needed to translate Deceptor, so he worked with Hong to come up with something. I think it ended up being called "cheating software" in Chinese. We'll have to come up with another catchy logo...

AppEsteem Goes to Washington

(David Finn, COO)

Last month Jaimee King (AppEsteem’s General Counsel) and I traveled from Washington State to Washington, D.C. to meet with law enforcement officials, prosecutors, and Capitol Hill staffers. Our agenda: to collaborate on new ways to protect consumers from the deceptive and harmful apps that plague the software downloading industry.

We met with eight of the top cyber officials in the FBI and Department of Justice; more than a dozen division heads, attorneys, and investigators at the FTC; and staffers at the Senate Majority Committee on Aging. 

Our primary message was simple – through collaboration, the private sector and government can make tremendous strides in protecting consumers. This message rides on the 2005 industry workshop and report from the FTC that discussed malware, spyware and adware. The FTC made a series of recommendations in that report, including that 

  • “The public and private sectors should work separately and in concert” to reduce the harm this fraudulent software causes;
  • Industry should develop common standards to help the industry self-regulate and better protect consumers; and
  • Industry should refer cases to the government for civil and criminal prosecution.

Unfortunately, the private sector didn’t get it together right away – leaving the problem of fraud and malware from harmful apps to reach epidemic proportions over the next decade. As the industry failed to control itself, the race to the bottom in making and distributing deceptive apps intensified. And the losers turned out to be millions and millions of consumers. 

But that’s now changing. As we discussed with our government hosts in D.C., stakeholders across the private sector proudly came together last year to finally do what the FTC recommended: collaborating to develop the most comprehensive clean software standards ever, which are now publicly available under Creative Commons.

And with the launch of the AppEsteem Deceptor Program, AppEsteem is working with the security industry to call out the worst apps that trick and defraud people. We hope – and expect – that most Deceptors will clean up their act and stop harming consumers once we’ve named them. 

As for those who persist in preying on consumers, these Deceptors will be among the most appropriate targets for prosecution. Our meetings in D.C. were a big step in adding accountability for the makers and distributors of dirty apps.

Everybody we met in D.C. was engaged and responsive – it was wonderful to be reminded how mission-oriented and committed law enforcement and other government officials in this area are. They clearly recognize that when your average consumer pushes the install button for a free computer app, the experience remains far too risky. But that shouldn’t be – and it doesn’t have to be. 

A big thank you to everybody who met with us from the FBI, FTC, Department of Justice, and U.S. Senate, and to our new friends at the National Cyber Security Alliance and National Consumers League, too. Our trip further convinced us of the founding principle behind AppEsteem’s existence: that together, law enforcement, government agencies, security companies, consumer advocates, and software developers can make the internet safer for everybody.

No Deceptors allowed

(Hong Jia and Dennis Batchelder)

The more time we spend in the software monetization space, the better we understand how consumers are tricked and misled and taken advantage of by deceptive and harmful apps.

We need better ways to urge the software industry to avoid deceptive and harmful behavior. Vendors need to learn that releasing apps that take advantage of consumers will cause them all sorts of pain. And our certification customers need support against competitors who don't follow the same rules.

Guess what? We have a way to do this: our Deceptor program. And it's not only hurting the bad vendors and helping the good vendors, but it also makes the antivirus companies more efficient at eliminating the bad apps from their customers' machines.

We've been working with the AVs since December to agree on consumer-friendly requirements that apps must stick to if they don't want to get automatically flagged. That led to us identifying twenty-five of the most harmful and deceptive behaviors that bad apps are doing to hurt consumers (you can read all about them at this link). Here's the important part: if an app violates these requirements and we spot it, we'll call it out as a Deceptor, and we'll alert the AVs. Once they do their own review and agree, the AVs will detect, block, and remove that app.

If you want to see where we call out the Deceptors, check out this link. Click on each app name and you'll find all kinds of goodies underneath: what was violated with screenshots and videos, how we found the app, and the metadata about the app.

The AVs have been very supportive, which is great. But we just launched the program, and it still has a long way to go to be fully operational (we've only identified a few Deceptors so far).

And though it's just a start, we hope to call out several of these Deceptors every day. And we hope that we've made the program easy enough so that when a vendor finds their app on our site, it's easier for them to fix the issues than it is for them to evade, or even worse, fire up their lawyers. You can check out our FAQ to see how we try to guide vendors to do the right thing.

So why, you may ask, would AppEsteem offer a free service that seems to undercut their certification business? First of all, it helps our existing customers compete on a level playing field. But we also learned in our pilot that our best customers are those who treat consumers with respect. Hunting for Deceptors helps us find many great, consumer-respecting apps. We plan to offer our services to these vendors.

We'll be writing more about this in the future, once we see how effective the program is at driving the urgency to clean up. So far we've had some great responses from the app vendors, but we're waiting on the fixes. We're crossing our fingers and hoping that they choose the right path forward :-)

If you find a Deceptor, let us know by email: info@appesteem.com. If you're the vendor of an app that we've called out as a Deceptor, check out the FAQ and get in touch with us at dispute@appesteem.com. Our goal is to help you get your app in shape and respecting consumers.

For more information:

  1. Deceptors and how to spot them contains the requirements we worked out with the AVs 
  2. You called my app a Deceptor. What do I do now? is our FAQ for vendors
  3. This example email is a template that AVs can use when responding to a vendor inquiry about a Deceptor detection.
  4. Our latest Deceptor list shows the deceptive and harmful apps we're currently calling out and hopefully helping to clean up.


Copyright © 2018 - Design by FS