Privacy and security experts say advertisers and other bundled software distributors are exploiting people's mindless habit of clicking "I agree," and they worry that consumers are abandoning their rights with the click of a mouse. Much as the avalanche of spam in the 1990s prompted action from legislators and regulators, growing annoyance with this quietly bundled software has triggered a backlash that could help set ground rules for using consumers' computers. "The question is not whether people read and understand (terms-of-service agreements) -- of course they don't -- but whether they can be enforced," said Cern Kaner, an attorney specialising in software legislation who teaches computer science at the Florida Institute of Technology. "I don't think that companies should have the right to spy on you without your actual permission, but I think it will be hard...to prosecute companies who do engage in this type of practice if you have actually clicked on an agreement that gives them permission." Although people regularly click on such agreements, few scroll through the verbiage. In a survey last month of 155 adults by Richardson, Texas-based consulting firm Privacy Council, 76 percent of respondents said they were "concerned" about having their privacy violated on the Internet. Only 22 percent admitted to reading privacy policies. Among respondents ages 18 to 25 -- a core constituency for file-swapping software -- only 8 percent read the policy. "It preys upon a very vulnerable population -- namely teenagers and other people desperate to get free software," Privacy Council chief eExecutive Larry Ponemon said. "They never read any of that gobbledygook. They want to satisfy their need immediately, not make sure they have consent and protection." Moreover, reading the policies does not automatically translate to understanding them. Like software licence agreements for Microsoft Word or Windows, most privacy and terms-of-use statements that accompany bundled software are rife with impenetrable jargon and legalese. Mark Hochhauser, a psychologist and readability consultant, said clicking the "I agree" button at the end of consent forms reflects widespread trust on the part of consumers -- not necessarily ignorance or illiteracy. "Patients who are very sick can be given a 3,000-word consent form written by lawyers with the same level of complexity as these privacy notices," Hochhauser said. "The sick people usually just sign it without reading it because their doctor said it was OK. Same thing here: The reader thinks, 'The FTC would close them down if they were doing something really bad.' There may be a basic element of trust that people bring into this." Putting it in plain English
Stung by criticism in the media and on online bulletin boards, some adware companies are adopting "plain English" policies for their forms. Gator, a popular free application that is supported by advertising revenue from its own bundled program, requires a marketing person to draft its terms of service. That person then sends the document to the legal department, which edits and returns it to the marketing department for revisions. The result is a three-paragraph statement that chief marketing officer Scott Eagle calls a "kindergarten version" of the full policy. Gator includes simple directions for how to remove its software and discontinue the targeted advertising in the first privacy policy that its users receive. It also requires the person to click "I agree" long after downloading is complete -- part of a policy of "ongoing communication" with customers, Eagle said. "Does an uninvited guest keep knocking on your door saying, 'Hi! I'm here!'?" he asked rhetorically, describing Gator's multiple disclosures and the icon of alligator eyes that appears whenever the program is running. "No. We are invited guests on the desktop and even pop up a fourth modal screen saying, 'Your Gator software is here.' And since our e-wallet software helps users every day fill out forms, we constantly come back and have an ongoing relationship with our customers." Gator has more than 300 clients, including four of the top six automotive companies and businesses that sell everything from mortgages to diapers. It sends an average of two pop-up ads per week to more than 15 million people. Sharman Networks' Kazaa, which many consumers sharply criticised for bundling Brilliant's Altnet software earlier this month, has set up a special Web site explaining bundled software. Audiogalaxy, which bundles Gator with its software, includes a separate screen during installation that shows Gator's logo and then forces people to go through several screens describing Gator and consenting to the service. "Honestly, I don't know any other ways of harassing the user, other than making the screen flash," Audiogalaxy chief executive Michael Merhej said. Nevertheless, industry executives say a handful of companies -- which emerge and go out of business quickly and rarely publish physical addresses on their Web sites -- are tainting adware's image. Gator executives said they recently submitted a list of "best practices" to the Interactive Advertising Bureau, including recommended guidelines for consent and disclosure, but spyware remains below the radar of the Better Business Bureau. The Federal Trade Commission has received complaints about the software, though it won't say how many or for which programs. Internet industry groups are taking up the cause from a technological standpoint. On Tuesday, the World Wide Web Consortium endorsed standards for protecting consumers' privacy on Web sites. Blissful ignorance -- so far
Some consumer groups want to eliminate sweeping statements in contracts -- including clauses that allow companies to change an agreement without any notice. Brilliant includes such a clause in its terms of use, noting it "reserves the right to change or modify any of the terms and conditions of this agreement and any of the policies governing the services at any time in its sole discretion." Other policies make no mention of bundled software at all -- an omission that attorneys are quick to point out. "You can't say with any certainty that click-wrap agreements are always enforceable," said Doug Isenberg, an Atlanta-based attorney and publisher of the GigaLaw.com Web site. "Many judges will look for a way to find that a click-wrap agreement is unenforceable if the terms of the agreement are not conspicuous." The US Congress is examining bundled software and related issues. In 1999, and again in 2001, Sen. John Edwards, D-N.C., introduced legislation to force spyware distributors to get permission and notify people with a detailed description of the information they're collecting. No committee has picked up the bill, but broader consumer notice and privacy concerns are showing up in a compromise Internet privacy legislation soon to be introduced by Sen. Ernest "Fritz" Hollings, D-S.C. The FTC is urging consumers with complaints to contact the agency. Staff members are particularly concerned that children are among the most voracious consumers of free downloads and that software companies don't prevent children from agreeing to terms that affect their parents' computers. That was partly why the FTC took action recently against a company whose software disconnected surfers' computers from the Net and rerouted them through a 1-900 number. Congress has already enacted some consumer protection rules in other areas that could eventually apply to bundled software. For example, credit card companies must list the long-term interest rates for credit cards in a large font, and they can't hide even ordinary terms and conditions in small print. Market forces may also provide an antidote to bundled software abuses. German software company Lavasoft has distributed at least 4.5 million copies of Ad-Aware, a free program that scans a computer memory, registry and hard drives for known adware and spyware. "What we need is a private police force on the Internet to make sure the software you get has sufficient protections," said Privacy Council's Ponemon. "There's probably a really good business opportunity there."
Who's watching you? Get the latest on spy networks such as Echelon and Carnivore, as well as privacy issues for companies and individuals alike, at ZDNet UK's Privacy News Section.
Have your say instantly, and see what others have said. Go to the ZDNet news forum.
Let the editors know what you think in the Mailroom.
