A new version of the Netscape Web browser is being criticized by spyware experts for failing to notify Web surfers when theyre visiting Web sites that distribute the noxious monitoring programs.
Netscape 8s Trust Rating System, which warns users about insecure Web sites, gives a “green light” to Web sites that download spyware onto users machines, according to Ben Edelman, a student at Harvard University Law School and an expert on spyware software.
In a conversation Wednesday, AOL spokesman Andrew Weinstein acknowledged that some spyware sites received an “unknown” rating from the browser. The spokesman subsequently confirmed evidence viewed by eWEEK magazine suggesting that other spyware sites received a “trusted” rating. The company is working to correct the problem with the new browser.
The critiques are the latest bump in the road for Netscape 8, which was released this month. It was patched almost immediately to cover a host of known holes in its code, which is based on the popular Firefox browser, and to fix a conflict with Microsofts Internet Explorer browser.
America Online Inc. touted Netscapes advanced security features when it released the program May 19. The new browser was “designed for the millions of online users who are searching for a safer and better browser,” a company news release said.
The Trust Ratings feature is a key part of the browsers security story. According to AOL, if a user visits a Web site using Netscape 8.0, the browser automatically checks to see whether the site is on a blacklist of suspected virus, scam or spyware sites, or on a “white list” of 150,000 Web sites deemed acceptable by digital certificate authority VeriSign Inc. and by TRUSTe, a nonprofit online privacy monitoring organization.
Spyware and adware distribution sites do not get “trusted” certification if they are on a list of sites maintained by anti-spyware vendor Aluria Software LLC, according to Weinstein.
“If a company is on Alurias list, it will not get the green, trusted certification,” Weinstein said.
“That is false,” said Edelman, who provides screenshots of Netscape 8s “Trust Rating” System on his Web site.
The new browser gives a green “trusted” rating when it brings up www.hotbar.com, a Web site that distributes a program that adds graphical skins to Internet Explorer toolbars, in addition to a Hotbar toolbar and stealth monitoring software, Edelman claims.
A copy of the new browser downloaded and tested by eWEEK does confirm Edelmans claim: The green “trustworthy” symbol is displayed on the hotbar.com home page as well as on a page on the Hotbar site that attempts to download the software to users machines.
A green “trusted” sign is also displayed on the download page at www.ABetterInternet.com, another Web site that downloads and installs monitoring software.
Hotbar and ABetterInternet are also listed as spyware on Alurias Web site, casting doubt on AOLs claims that any companies on Alurias list are blocked, too.
In theory, sites on Alurias list should have a gray “unknown” or red “dangerous” sign, according to Weinstein.
Relying on Partners
Part of the problem with the rating system is its reliance on the work of partner organizations such as TRUSTe, whose assessments of trustworthiness are flawed, Edelman and others argue.
“If Netscapes list of trustworthy sites were perfect or even largely accurate, Netscapes new rating features could be of substantial assistance to users who dont otherwise know what sites to trust. But in fact Netscape has delegated its trust to partners whose trust endorsements are dubious at best,” Edelman wrote in an article posted on his Web site.
For one thing, TRUSTes list of trustworthy Web sites, which are allowed to display the TRUSTe seal, is a list of sites that adhere to that organizations strict information privacy practices. But the seal doesnt address the issue of software downloads, according to Fran Maier, executive director at TRUSTe.
“There are a lot of sites that download software. We cant say whether theyre all spyware. Its just not clear to us,” Maier said.
TRUSTe is aware of the concern about unauthorized downloads and spyware, Maier said, adding that there need to be clear industry standards about issues such as disclosure prior to installation and practices for installation and removal.
The organization is considering whether to develop a separate program to set guidelines about what constitutes “spyware-free” Web sites, but it hasnt yet committed to such a program.
“Its an obvious area of consumer concern,” Maier said.
TRUSTe also forbids sites to display the organizations seal on pages that download the software, though that policy appears to have been broken, at least by HotBar.com, which clearly displays the TRUSTe logo on the installation page.
AOL is reviewing a list of spyware sites that are on TRUSTes list of certified Web sites, Weinstein said.
TRUSTe is also open to feedback from Internet users and will pull certification for sites that violate its policies, Maier said.
Laws about what is and isnt acceptable practice for placing software on someone elses computer are murky at both the state and federal levels. A federal anti-spyware law is making its way through Congress.
Spyware-specific laws aside, however, Edelman said many of the practices used by spyware vendors probably violate established trespass and contract law and are clearly unethical.
“Spyware companies are putting software on your computer … to make money and without getting your consent. Its not about what the law requires; you can just look at it and feel like this isnt right,” he said. ´
Editors Note: This story was updated to clarify statements made by AOL spokesman Andrew Weinstein.