Ask Jeeves Disputes Anti-Spyware Flaggings

Vendors say their security apps highlight Ask Jeeves' programs because they install without full disclosure.

A dispute has erupted between the Ask Jeeves search engine and anti-spyware software companies that raises questions about the standards used to flag potentially unwanted programs on users' computers.

At least two anti-spyware companies—Sunbelt Software Inc. and Facetime Inc.—have been asked by Ask Jeeves Inc. to stop flagging or to change the way they categorize the company's Web browser search bar plug-in programs but have refused to do so, according to interviews with executives at those companies. At issue is Ask Jeeves' method of distributing its software, such as bundling arrangements that result in the programs being installed without users' consent.

Ask Jeeves recognizes that industry confusion exists around the distinction between user-friendly downloadable software products and adware and spyware. The company maintains that its products are not adware or spyware and takes the "erroneous flagging" by anti-spyware companies very seriously, according to an e-mail statement from Kirk Lawrence, director of Internet security and privacy at Ask Jeeves.

Sunbelt Software, which makes the CounterSpy anti-spyware program, flags a number of Ask Jeeves' software products on machines it scans. Products such as My Global Search, My Search Bar, Need2Find Toolbar, My Speedbar and MyWebSearch Toolbar are labeled "potentially unwanted programs," not "spyware" or "adware," and considered a "low risk," said Alex Eckelberry, president of Sunbelt, which is based in Clearwater, Fla.

In recent weeks, executives at Ask Jeeves asked Sunbelt to stop flagging its programs altogether, he said.

"They didn't feel they were adware and felt they shouldn't be listed," Eckelberry said.

The same was true at Facetime Inc., said Wayne Porter, vice president of greynet research at Facetime Communications, Inc. of Foster City, Calif. "They don't think that Ask Jeeves has a problem," Porter said.

But security researchers at both Facetime and Sunbelt felt otherwise after studying the way in which Ask Jeeves' software makes it onto users' computer desktops.

"We found poorly disclosed bundled installs and poor disclosure," Eckelberry said.

In one example, a special branded version of Ask Jeeves software called the iMesh Bar is bundled with the iMesh peer-to-peer file sharing program. Users who install iMesh must read a 5,500-word end-user license agreement (EULA). In that agreement, Ask Jeeves is described as a "Third Party Beneficiary," but the iMesh Bar isn't identified as an Ask Jeeves toolbar and the iMesh Bar is portrayed as an integral part of the iMesh software, according to a soon-to-be-released Sunbelt report.

Both Eckelberry and Porter acknowledge that the browser plug-ins do not display pop-up or banner advertisements, track user behavior or perform other actions that qualify other programs as adware or spyware.

"They're a legitimate search engine that's involved in a distribution channel that doesn't provide proper disclosure (to users)," Eckelberry said.

"Are they making it clear what consumers are getting? No," said Porter.

Other spyware experts have reached the same conclusions and found other faults with Ask Jeeves' distribution practices.

Ben Edelman, a Harvard University Law School student, spyware expert and advertising software industry gadfly, has taken the company to task for what he claims are misleading banner advertisements that target minors and install the company's software without receiving proper consent.

Edelman claims, on his Web site, to have documented instances of Ask Jeeves' MyWay and MySearch software being installed using security holes in Web browsers without any disclosure, including video of the surreptitious installation. However, eWEEK was not able to independently verify his claims.

But not all anti-spyware companies agree with the stand that Sunbelt, Facetime and some other companies are taking.

Anti-spyware programs by Microsoft and Lavasoft don't flag Ask Jeeves' search bar plug-ins, Eckelberry noted.

Webroot Software Inc.'s SpySweeper program doesn't flag any of Ask Jeeves' software either, said Richard Stiennon, vice president of threat research at Webroot.

"We take a tack based on the product. We don't look at the rest of business model," said Stiennon, adding that Ask Jeeves' programs don't qualify as spyware or adware.

"The toolbar doesn't spy on you, so we don't think it's spyware," he said.

Widening the spyware net to look at how the programs are distributed would require Webroot to flag a slew of other harmless programs, including Yahoo Inc.'s toolbars, in addition to Ask Jeeves, Stiennon said.

Besides, Ask Jeeves and Yahoo search bars are a small concern, given the explosion of true spyware and malicious code, Stiennon said.

"Right now, we're focused on getting to the point where we understand all the spyware that's out there doing super nasty stuff," he said.

For Eckelberry and Sunbelt, the question is one of user consent, more than what the program does once it's installed.

"Does a person know how (Ask Jeeves software) got on a machine and do they want it to be on their machine? We're uncertain of that, based on our research."

With reports of spyware infections on the rise, there have been concerted efforts in recent months to clear up confusion surrounding the definition of the term. The Anti-Spyware Coalition (ASC), a group of academics, consumer advocates and anti-spyware industry representatives, is working on a document of "definitions" for the industry.

A draft of that document, available on the ASC Web site, notes that "in some cases, unwanted software components can be bundled with programs users download, and can thereby be snuck onto their computers without adequate notice or consent."

Ask Jeeves recognizes that spyware is an industry-wide issue and supports industry efforts to create standards and practices to eliminate unauthorized installations of software, Lawrence wrote.

Ask Jeeves has created standards that its distribution partners have to adhere to. Companies that violated Ask Jeeves' guidelines on spyware, unauthorized distribution or disclosure will "be brought into compliance or terminated as an Ask Jeeves distribution partner," he wrote.

Advertising software companies have been on the defensive in recent months, as alarming reports of adware and spyware infections have attracted the attention of Capitol Hill lawmakers. In May, two anti-spyware bills passed in the U.S. House of Representatives.

In recent months, 180 Solutions Inc. announced lawsuits against Web site affiliates who distribute their software illegally. The company had been notorious for turning a blind eye to such practices.

On Sept. 7, 180 Solutions also announced new versions of its Zango Search Assistant and 180search Assistant clients with technology it calls Safe and Secure Search, or "S3," that can spot illegal installation and disclosure activity, the company said.

But spyware experts like Porter, Stiennon and Eckelberry said that such moves are just marketing ploys. They see little change in the practices of companies like 180 and Direct Revenue, and have plenty of evidence of affiliates using software holes and silent downloads to place advertising software on the computers of unwitting Web surfers.

Ultimately, the behaviors of a few unethical distributors, and companies that turn a blind eye, could erode the trust of Internet users and hurt even ethical companies, Porter said.

"There's so much trickery and flim flammery that people have lost trust in all these companies," he said.
