Anti-Spyware Coalition Workshop

On February 8 and 9, I had the opportunity to participate in the Anti-Spyware Coalition Public Workshop. The event brought together representatives from the software industry and government, including the Federal Trade Commission and the Center for Democracy and Technology. In the past year the FTC has filed suit against several of the worst spyware offenders including Enternet Media, and the CDT recently filed an FTC complaint against 180Solutions for its practices. The Anti-Spyware Coalition has been working to craft clear definitions of acceptable software installation behavior.

Ben Edelman and and I participated in the final panel of the day, intended to be a look ahead at how the problem and solutions might evolve. Ben and I put together screen shots to illustrate a few of the antics that happen every day on the Internet. You can see Ben’s screen shots here and I’ll show you mine below. The main theme of both presentations was that major ad networks–including Google and Yahoo–are allowing their systems to be exploited by the purveyors of unwanted software, and actually providing a channel to make it profitable.

Hey Adults, Play Kids Games!

In late January, I sat down and did a little browsing experiment. I Googled for the search term play kids games and visited the first page or two of search results. The first site that showed up was (no surprise) playkidsgames.com; despite the “for all ages” tag, its selection of games and use of a cartoon frog character clearly seems to be aimed at a younger audience.

If you click on the Google ad that says “Free Unlimited Games”, as a small child might do, you’re taken to the TotallyFunFreeStuff.com site and given the opportunity to play Bubble Burst, another game that seems aimed at a younger audience.

But wait, what’s that at the bottom of the screen? They’ve helpfully checked a box that says you’re 18 or older and agree to their license, although it’s so far down the screen it’s unlikey to be seen at all. If you click the Play Now button you will download and install not only the game, but invasive Zango adware from 180Solutions. If that name seems familiar, it may be because the Center for Democracy and Technology has filed a complaint against 180Solutions for its long history of questionable practices.

Ask Jeeves to Leave My Kids Alone

Here’s another example from billybear4kids.com, whose design certainly seems to be aimed at young children. The ads at the top of the page are delivered by Casale Media, and are for the MyFunCards.com site run by Ask Jeeves.

Just click on the ad with the cute bears and puppies–as many kids would be tempted to do–and you’ll find an even more adorable display:

The picture of the bears is a cute animation with the two baby bears greeting daddy as he returns home from work. Hey kids, click the big red button to get cute, fun, free greeting cards! Junior’s parents may be unhappy that the software has significantly reconfigured their system by adding several new applications and toolbars and changing the browser’s search engine choices. It may also modify any outgoing emails so that they spread the word about this great software that is now installed. Some of those details are described on this screen and the end user license agreement mentioned there, which also says you must be 18 or you cannot click on Mister Big Red Button. So why was an ad like this on a child-oriented site at all? As of mid-February, I am still seeing these and several other questionably-targeted ads.

Government’s Role?

The “adware” industry has tried self-regulation for years and has come up short. Inadequate disclosure of the purpose of this software is bad enough for adults, but the targeting of children as “mules” to install this software is inexcusable. This is where Federal Trade Commission oversight could come into play.

The FTC’s 900-number rule offers a framework that was able to solve a very similar problem. (I have mentioned this rule before.) The 900-number rule applies specific requirements for advertising 900-number services in situations where the audience is under the age of 18, and generally prohibits ads targeted to children under age 12. What we need, then, are tools to identify child-oriented sites so that advertisers can easily avoid them–and be held responsible when they don’t.

Here is my proposal:

  1. Ad networks should ask each site in their network to fill out a profile indicating the age demographic of their visitors. If no hard data is available, as is often the case, the site operator should give reasonable estimates of the target audience. The site’s content, for example, often provides a clue about the target audience. (In the two sites above, is there any doubt that most visitors are under 18 and many are under 12?)
  2. Advertisers should indicate whether their ads should be displayed on sites in the ad network that have a majority audience under the age of 18. Immediate software downloads that require acceptance of a license agreement should not be advertised on such sites, since minors cannot enter into such agreements.
  3. The steps above only create a framework for compliance. Given that framework, the FTC can create specific 900-number-like rules that clarify what is acceptable and what is not. That will allow them to judge whether ad networks, web site operators, and advertisers are adequately protecting children and the computers they use.

Adware companies often talk about how the user agreed to install their software. Yet ads like the ones showed here demonstrate at least one aspect of the true reality. Children are being tricked into installing this stuff. Adware companies are filled with shrewd businessmen that measure every aspect of their business; the fact that they continue to advertise on these sites says that it’s a profitable way to spread their software. That needs to stop, now.

I have mixed feelings about these events. Is there any doubt that some companies deceive consumers into installing unwanted software that reconfigures and/or breaks their computer? Spyware fighters expose these situations month after month, even as new antispyware organizations appear. Although I don’t have a lot of hope events like this anti-spyware conference will change things in the near term, I attend them to stay in touch with others who are as dedicated to fighting spyware as PC Pitstop has been. This time it included Bill Pytlovany, Suzy Turner, Alex Eckelberry, Chris Boyd, Ben Edelman, and Eric Howes (now at Sunbelt). Maybe, just maybe, someone was listening this time.

Comments? Questions? Please make a post in the Site Feedback section of our forums.

Stop Responding to Threats.
Prevent Them.

Want to get monthly tips & tricks?

Subscribe to our newsletter to get cybersecurity tips & tricks and stay up to date with the constantly evolving world of cybersecurity.

Related Articles