SMB - Building trust in downloads no simple feat

Trust's program aims to certify consumer software programs in the name of preventing adware and malware

The Truste group's goal of creating an online ecosystem through which software makers are held accountable for the functions of their programs and end users are given the power to keep unwanted applications off their devices won't be achieved easily, according to security researchers and participants in the nonprofit's Trusted Downloads project.

Launched by Truste in mid-February 2007, the Trusted Download Program aims to certify downloadable consumer software programs in the name of diminishing the ability of schemers to rain adware and malware onto the machines of unwitting end users.

By forcing members of its applications' white list to disclose the entire functional impact of their programs on end users' machines, and requiring that software distributors obtain explicit permission from consumers before downloading any products onto their computers, Truste is hoping to become a virtual clearinghouse for trustworthy software distribution.

However, perhaps even more important than holding the software makers accountable for the content and delivery of their programs, Truste is also trying to force companies participating in the program to ensure that their distribution affiliates are held to the same rigorous disclosure and download standards.

That part of the process may be the hardest element of the program for the group to enforce, said at least one security researcher following the progress of the initiative, which is still in its beta phase.

Ben Edelman, an assistant professor at Harvard Business School and a longtime expert in the field of adware and spyware distribution, claims that of the 11 programs currently listed on the Trusted Download directory, at least one may still be finding its way onto end users' computers without their permission while another has serious questions looming about its intentions.

One of the programs he cites with the problem -- which he blames largely on affiliate sites that often use any means possible to generate downloads to drive up their revenues -- is Web marketing vendor ComScore's Relevant Knowledge 1.3 program.

Although ComScore, long criticized by some security researchers for its installation policies, has worked to improve its products to meet the types of standards set for by Trusted Download, the program is still being secretly installed in some cases, according to the researcher.

Recently, Edelman observed a pornographic executable file on the Web that downloaded a package of "junk software" without user permission that also included Relevant Knowledge.

In another instance, Edelman discovered what he labeled as a "spyware bundler" program that installed Relevant Knowledge without telling the user it was coming, showing or referencing an end user licensing agreement, or giving the user any opportunity to decline the program.

The other application approved by Trusted Download with which the researcher takes issue is the Vomba client, which offers end users access to online multimedia programs and interactive screen savers in exchange for the "occasional display of targeted advertisements," or pop-ups.

Page Break

In addition to evidence of unsolicited downloads carried out by affiliates, Edelman's concerns with Vomba relate to the company's close ties to Integrated Search Technologies, a sister company of the Montreal, Quebec-based firm. IST was the target of a complaint filed to the Federal Trade Commission (FTC) in 2005 for improper software downloads by the Center for Democracy & Technology, another online industry watchdog.

Edelman is also concerned with Vomba because the program will not run on VMware software, a tool frequently used by researchers to dig into the code of such programs to determine their implications. The researcher said there is "no good reason" for the program designers to block such access unless they have something to hide.

"The biggest problems with these types of programs today are typically the affiliate distribution systems, which encourage affiliates to go to great lengths in trying to generate downloads and income," Edelman said. "Even if these 'adware' makers have the right intentions in modifying their programs to meet the requirements of Trusted Download, they seem to continue some bad distribution relationships."

Edelman isn't convinced that the Trusted Download can't work, he just believes that based on the size of the problem, it will take a lot of time and effort for the initiative to have its desired impact across the ever-growing world of downloadable Web applications.

"It's a very difficult task, and the jury is still out as to whether they can actually monitor all the types of affiliate relationships that contribute to the spyware ecosystem," the researcher said. "I worry that it will be hard for them to monitor these relationships with the necessary accuracy."

Officials with Truste said they're disappointed by Edelman's observations but interested in hearing more about his research for the purpose of improving the program. However, the group does not believe that the ComScore and Vomba applications that have been certified are being installed inappropriately.

Truste also pointed out that the two applications in question have gained only "provisional" certification from Trusted Download, which means the vendors are still working to update their programs and get new versions into the hands of legacy users.

Older versions of the programs in question may still be abused by affiliates, lending confusion to the issue, according to Truste.

"We're definitely still learning and working on understanding all the complexities of monitoring distribution networks and models, and there may be certain models that we're unaware of, but we know that companies like ComScore and Vomba have limited their distribution networks as a result of our requirements," said Carolyn Hodge, director of marketing at San Francisco-based Truste.

"That's what we're hearing from a lot of companies coming to us, that they're trying to build credibility and get better control over distribution of their products," Hodge said.

Hodge said that Truste is aware of the relationship between Vomba and IST, but that it believes the company's claims that it is trying to create programs and use affiliate practices that comply with Trusted Download's goals. Truste also reserves the right to bar companies from the white list if any of their other applications are observed violating the initiative's policies.

Page Break

If the group does find that any application on the list is failing to meet its requirements, Truste has the option of removing the software from the list or putting the involved company on temporary probation until it remedies any problems.

"We definitely respect Ben's work, but our methodology is to try and get companies to improve their practices by offering guidelines and certifications. We think this will push many companies to do a better job with consumer notice and choice," Hodge said. "We don't expect the process to go on without any glitches, but we think we've gotten a good start. In the end we want more applications publishers to meet higher standards, even if it means moving forward one application at a time."

The applications makers themselves say that they are working in good faith to meet the requirements of Trusted Download and prevent their programs from being passed along to end users without permission.

Both ComScore and Vomba officials said they have changed the architecture of their programs so that affiliates no longer handle the applications downloads themselves, but instead pass interested users along to the software makers who handle the implementation and maintenance of the tools.

For instance, ComScore said that it only provides a so-called stub installer to third-party distributors of Relevant Knowledge 1.3. The installer's only function is to call the company's servers to verify that the download of the program has been rightfully approved by the end user.

If any requirements cannot be verified, the relevant Knowledge will never be downloaded on an individual's machine, the company said.

"We stopped doing business with people that we couldn't get to adapt fast enough to the Trusted Download requirements, as we wanted to make sure that the group of people we're working with can provide to the criteria Truste has set," said Christiana L. Lin, chief privacy officer at ComScore. "Our affiliates are contractually required to comply with the privacy requirements we've set forth, and we audit them before paying them for anything they might download onto a user's machine."

Lin said that she believes the technological steps the company has taken have eliminated the problem of unsolicited downloads, and that Relevant Knowledge is meeting Trusted Download's requirements.

Vomba said that it is taking similar measures to prevent abuse, and that it is working hard to build an image that differs from the reputation associated with IST, even though it disputes claims made against that division.

"After the 2005 complaint against IST, and even beforehand, we made a lot of technological changes to have better control of distribution through affiliates," said Karl Bernard, president of both Vomba and IST, which share the same offices.

Bernard said that Vomba and IST are being managed by a new team that is making a concerted effort to be more up front with consumers about its programs. The reason its software won't run in VMware is because the company believes outsiders will use the technology to create altered versions of its applications that bypass the Trusted Download-driven features.

"We learned from IST that when you start giving out executables to affiliates, they can be exposed to all kinds of fraud because someone can modify the code and we can't always know where the content is distributed," Bernard said. "We also learned that when you take a piece of software and bundle it with adware without any link between the programs, it's not an effective business model."