• by Ben Edelman , December 9, 2005

In Nov. 29's "Scanning for Fear," 180solutions CEO Keith Smith offers an odd tirade against those who detect and remove 180's software from users' PCs. Anti-spyware applications are wrongly encouraging users to remove software they consented to run, Smith argues. And they're giving users inaccurate information about the programs they find, Smith claims, leading users to remove software Smith thinks they actually want.

Smith's story of overstated detections may have a nugget of truth: Surely some anti-spyware programs, somewhere, make some overblown statements about some spyware they find. But for the users I talk to, and for the spyware and market-leading anti-spyware I test, overzealous program descriptions aren't a big problem. Far more serious are the spyware infections that sneak onto users' computers in the first place.

Smith's piece describes "legitimate companies" offering "clear explanations of how [their] program[s] work" and "easily understood opt-in and consent." Smith doesn't say what companies he has in mind, but his description certainly doesn't match the 180solutions practices I have observed. For 18 months, I and others have chronicled 180solutions software installing without consent. (Videos from my site: 1, 2, 3, 4.) Even where 180 claims to get consent, its explanations aren't consistently "clear" or "easily understood." Last year I pointed out a Kiwi Alpha installer that included 180, but mentioned 180 only if a user scrolled to page 16 of a 54-page EULA. This spring, Ezone.com installed 180 via promises of "remov[ing] all advertising" on a kids' site, never showing or even referencing a license agreement. 180's current installation stubs do show a license, but they don't clearly disclose 180's effects: The installers' on-screen text describes "targeted ads" without mentioning that these ads appear in much-hated popups. And 180's installers say 180 "never collects or shares personally identifiable information"--without disclosing that 180 tracks what Web sites users visit.

These poor installation procedures are not mere anomalies. Eric Howes recently posted a summary of 180's 2005 business practices--recalling scores of troubling episodes, like 180 installing in exploits at child porn sites, through botnets, and at sites featuring pirated software.

With so many nonconsensual and deceptive installations of its software, 180 would be well advised to improve its business practices. But instead of devoting all of its energy to cleaning house, 180 diverts resources by criticizing others--PR efforts as well as litigation, such as 180's recent suit against Zone Labs. Like most anti-spyware vendors, Zone Labs tells users that 180 threatens privacy--accurate, in my judgment, in that 180 specifically tracks what Web sites users visit, and (for many users) does so without consent. But 180 says these claims of privacy problems are "false" because the company doesn't collect personally identifiable information (complaint, paragraph 3.13). 180 also objects to ZL's claim that it's spyware, because the word "spyware" is sometimes used to refer to programs that collect passwords, credit card data, or other personally identifiable information. But that's not the only definition of spyware. Many people use the terms adware and spyware interchangeably; after all, ad-serving programs (including 180) do ultimately monitor the sites people browse, and serve ads based on which sites are visited.

180 would prefer that anti-spyware vendors stop detecting its software and offering to remove it. But reasonable users inevitably want 180 off their PCs when they're given a fair description of 180's effects. Suppose an anti-spyware vendor truthfully told its users: "180solutions software tracks what Web sites you visit, then shows you extra pop-up ads. 180's software may be on your computer even though you never agreed to install it." What users would agree to keep 180 installed?

So 180's loss of users doesn't result from anti-spyware vendors' descriptions of 180's practices. Rather, 180's unpopularity results from 180's own business practices. Users don't like the software 180solutions makes--don't like the pop-up ads, don't like the privacy consequences, don't like the sneaky installation practices. If 180 wants to maintain an installed base, its best strategy is to offer a product that's genuinely valuable --not pop-up ads users (supposedly) accept in order to get something else, but a product users actually want in its own right. Until then, users will always want 180 off their PCs, and the security industry will rightly come to users' assistance.