My last entry, Security Hole Cinema, provoked some interesting discussion, including a thoughtful response from Scott Jangro, a respected industry insider.
Scott asks: If someone with sufficient access were to install Ebates on all of the computers at Harvard University, would Ebates be responsible for that?
I don’t see how eBates can be held responsible any more than any other merchant who has shady affiliates doing bad things.
I am not sure whether Ebates itself was responsible for exploiting this browser security hole or whether it was an affiliate. My personal belief is that it was probably a rogue affiliate. Scott suggests that merchants have the same problems with their affiliates and that due diligence is not always easy. I agree with this. In a network of tens of thousands of affiliates, how can anyone really perform quality control?
I would ask how hard it is for Ebates to audit installation URLs?
To vet their distribution partners?
To embed a tracking ID into their software to look for harmful installs?
To design the software so it cannot be installed without an EULA being shown and accepted?
That is of course their problem, but one they should take seriously. In October I penned some thoughts on what I felt adware makers should be doing if they ever wanted to develop real relationships with their users.
Perhaps this situation boils down to intent. For example, if I give someone a knife to cut their dinner, that is certainly within the realm of acceptable behavior: I want them to enjoy a nice steak. If I give someone a knife knowing full well that they plan to commit a crime, then I could be held liable. It boils down to intent and knowledge. Unfortunately there is no direct way of knowing intent. One way it could be ascertained is if a pattern of abuse could be proven. I believe methodologies to prove out patterns of abuse are emerging. (I for one am working on such a system.)
Either way, Ebates, the merchants who engage in such relationships, and the networks that facilitate the transactions all reap financial compensation from this illegal behavior, and therefore part of the problem lies on their doorstep.
As long as adware companies pay incentives for downloads, bundle with questionable partners, and fail to make their motives clear, they will continue to reap what they sow: public outrage. Merchants especially should be sensitive to this, because sooner or later it is going to catch up with their brand, the most valuable asset they have.
In Ben’s article, he (and Wayne here) points out the absurd “self defense” clause in Ebates’ EULA. Clearly these guys are battling it out on the desktop. Wouldn’t it be interesting if this was an Ebates competitor doing this to put up a smoke screen for their own installation? Ebates certainly has taken plenty of arrows while other less visible, worse behaving, publishers have safely watched the public stoning from the hills.
It is true that adware companies are “battling it out for the desktop,” and this digital warfare involves not only security companies but other adware firms, or loyaltyware firms in this case, who want to protect either their turf or consumers.
In terms of a competitor doing this, I certainly would not rule that out. There have been continual FUD (Fear, Uncertainty and Doubt) campaigns against legitimate security companies, including my own. I can point out recent examples where competitors have attached a Trojan to a legitimate .exe and tried to distribute it, or have made drive-by postings at well known security sites making false claims. This isn’t counting DoS attacks via zombie networks, general misinformation campaigns, and a host of other nightmares these rogues engage in. They know no boundaries when it comes to sleazy behavior.
Fortunately we have a reputation of never doing any of this, and it was quite easy to show our defense in every case. Do adware companies have this type of defense? No. Most of them have some sort of dirty laundry in terms of installations, either past or present, that makes it a hard pill to swallow. So with no proactive attempts to solve the problems, people start to deduce that this is standard operating procedure.
Scott says:
Ebates’ responsibility? To stop any financial incentives that this publisher has to do this and to take whatever steps are necessary to keep these guys, and guys like them, from doing this.
If I were Ebates I would go one step further. Assuming there is an ID attached to these installs, I think it would be a proactive, consumer-friendly move for Ebates to contact these users or to disable the software on desktops where it was installed without their knowledge. As long as these antics continue, consumers and security companies will continue escalating their response. Adware companies, as a whole, have been anything but proactive. And even if they were, that would not make up for the financial dynasties they have built without a foundation of trust.
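To make the audit questions above (installation URLs, vetted partners, a tracking ID in the build, a mandatory EULA) and the disable-on-abuse step concrete, here is an added example of the kind of check an adware or loyaltyware publisher could run over its own install telemetry. It is illustrative code written for this post, not Ebates’ or any network’s software; the record fields, the affiliate IDs, the hosts and the threshold are all constructed assumptions. It flags an affiliate on a pattern (unregistered download hosts, an unknown partner ID, or a high share of installs that never showed an accepted EULA) rather than on a single stray record, and then lists the installs that should be remotely disabled.

```python
"""Added example: auditing affiliate-attributed installs for a pattern of abuse.

Assumptions (not from the original post): each install reports the affiliate
ID baked into the installer build, the URL the installer came from, and
whether the EULA was actually shown and accepted. Sample data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class InstallRecord:
    install_id: str      # per-install identifier reported by the client
    affiliate_id: str    # partner ID embedded in the installer build
    install_url: str     # URL the installer was downloaded from (as reported)
    eula_accepted: bool  # True only if the user clicked through the EULA
    silent: bool         # True if no installer UI was ever shown


# Hosts each approved affiliate declared when it was vetted (constructed).
APPROVED_PARTNERS = {
    "aff-1001": {"deals.example-partner.com"},
    "aff-2002": {"downloads.example-toolbar.net"},
}

# Constructed telemetry: aff-1001 behaves normally (one user aborted the EULA),
# aff-2002 is pushing silent installs from a host it never registered, and
# aff-9999 is an ID nobody approved.
SAMPLE_RECORDS = [
    InstallRecord("i1", "aff-1001", "https://deals.example-partner.com/get", True, False),
    InstallRecord("i2", "aff-1001", "https://deals.example-partner.com/get", True, False),
    InstallRecord("i3", "aff-1001", "https://deals.example-partner.com/get", True, False),
    InstallRecord("i4", "aff-1001", "https://deals.example-partner.com/get", False, False),
    InstallRecord("i5", "aff-2002", "http://198.51.100.7/x.exe", False, True),
    InstallRecord("i6", "aff-2002", "http://198.51.100.7/x.exe", False, True),
    InstallRecord("i7", "aff-2002", "https://downloads.example-toolbar.net/setup", True, False),
    InstallRecord("i8", "aff-9999", "http://198.51.100.7/x.exe", False, True),
]


def consented(rec: InstallRecord) -> bool:
    """An install counts as consented only if a EULA was shown and accepted."""
    return rec.eula_accepted and not rec.silent


def url_is_registered(rec: InstallRecord, approved: dict) -> bool:
    host = urlsplit(rec.install_url).hostname or ""
    return host in approved.get(rec.affiliate_id, set())


def audit_installs(records, approved, max_unconsented_ratio=0.25):
    """Return {affiliate_id: [reasons]} for affiliates showing a pattern of abuse."""
    per_aff = defaultdict(list)
    for rec in records:
        per_aff[rec.affiliate_id].append(rec)

    findings = {}
    for aff, recs in per_aff.items():
        reasons = []
        if aff not in approved:
            reasons.append("affiliate ID not in approved partner list")
        else:
            bad_hosts = sorted({urlsplit(r.install_url).hostname or ""
                                for r in recs if not url_is_registered(r, approved)})
            if bad_hosts:
                reasons.append(f"installs served from unregistered hosts: {bad_hosts}")
        unconsented = sum(1 for r in recs if not consented(r))
        # A single aborted EULA is normal; a high share of them is a pattern.
        if unconsented / len(recs) > max_unconsented_ratio:
            reasons.append(f"{unconsented}/{len(recs)} installs without EULA consent")
        if reasons:
            findings[aff] = reasons
    return findings


def installs_to_disable(records, findings):
    """Installs to remotely disable: non-consented installs from flagged affiliates."""
    return sorted(r.install_id for r in records
                  if r.affiliate_id in findings and not consented(r))


if __name__ == "__main__":
    found = audit_installs(SAMPLE_RECORDS, APPROVED_PARTNERS)
    for aff, reasons in found.items():
        print(aff, "->", "; ".join(reasons))
    print("disable:", installs_to_disable(SAMPLE_RECORDS, found))
```

The obvious caveat: the embedded affiliate ID is only as trustworthy as the build pipeline that embeds it. If a partner can repackage the installer, it can just as easily stamp someone else’s ID on it, so the ID needs to be bound into a signed build the publisher controls, and the self-reported install URL should be treated as a lead for investigation rather than proof.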
If this is allowed to continue, or if ebates continually allows this sort of business partner (Jeff’s “Flunkies”) to operate this way (again, assuming the publisher doing the installations is getting paid), then that’s something to crack down on as a Network. If a merchant’s program is a chronic menace through the actions of its affiliates (not to be confused with being a menace affiliate themselves), something should be done. Force them onto manual review, make them actively approve each affiliate.
Scott is correct here. The best response is from the networks that control the relationships. They and the merchants have the ultimate power in a mouse click. There must be severe penalties for companies that engage in questionable behavior or benefit from it indirectly.
In the case above we are not even talking about the overwriting of affiliate links, a gray area, or the current copyright battles, another gray area, but the use of a browser security flaw to install software without the user’s consent. That is illegal. Strong measures must be taken to see that it is put down.
It’s too bad this whole model hasn’t just become more trouble than it’s worth. I guess it’s worth quite a bit.
It certainly is. Take software, add lots of money, and you have a recipe for confusion.
I certainly respect and like Scott very much, but this has no comparison to someone from Harvard doing it. And why would ebates want to police them? Every rogue install just means more money from them. They are in the same boat as the networks; they both love it.
I have been waiting since last week to get a call from Befree about the latest bunch of cookie overwriting ebates is doing on my site and others. Do I expect to talk to them this week? No way. Do I expect anyone to do anything about the latest round of cookie overwriting? Not one bit.
BTW, do the networks have a three strikes policy for software apps? We know it’s always an accident when ebates does it, right, and it just happens to be at Christmas time, imagine that. But I would like to know how many more times something like this will be allowed to happen.
This whole industry is a joke, with each hand trying to grab as much green as it can before the ax falls.
I just wish the merchants would realize that it’s going to be them who get stuck with the stigma, and their customers will vote with their mice and their feet.
>> I am not sure if eBates was responsible for using this browser security hole or if it was an affiliate. My personal belief is that it was probably a rogue affiliate. <<
Same thing, really. Ebates *is* a rogue affiliate. This year’s edition of How the Grinch Stole Christmas is playing at a cinema near you.
DVD will be out in February.
Guess who’s playing the Grinch?
>”Scott asks: If someone with sufficient access were to install Ebates on all of the computers at Harvard University, would Ebates be responsible for that?
I don’t see how eBates can be held responsible any more than any other merchant who has shady affiliates doing bad things. ”
Although Ebates is not responsible for the installation, it is certainly jointly liable for harm done once installed.
It’s reasonably foreseeable that Ebates on one machine will do plenty of harm. The laws it is breaking are well documented. It’s even more foreseeable that on more machines Ebates will do even more harm. This is not by accident; this is by design.
You might as well ask who is responsible when a firework is thrown into a crowded marketplace and by reflex people kick it one to another, until it blows up in someone’s face. Is it the last person in the chain, or is it the first?
It’s the first. Look it up.
In this case I’d say Ebates lit the firework and CJ threw it into the crowd. The affiliate committing the download is the little boy they’ve paid a penny to stand there taking fresh ones out of the box.
Monkey
In a court of law, would the merchant be held liable for damage done by illegal actions of an affiliate? Perhaps. That’s not what I’m talking about here. Plenty of people get rightly convicted of crimes they didn’t intend to commit.
Are they guilty of being careless about who distributes their software? If this is one of their affiliates, then yes. But is it easy to be careful? No way.
How many programs would you sign up for as an affiliate if you had to subject yourself to a background check and references? How about simply answering the phone and explaining your business model? I’ve had many affiliates tell me they won’t work with a merchant merely because they take several days to manually review an application.
But the main point I’m addressing is did they intend for their software to be distributed in this manner?
I really don’t think anybody who developed the software and an affiliate program to market it had intentions to do so by breaking the law. I also doubt they “love” the unintended promotional methods.
Evil plots to pay little boys to hurt people with firecrackers?
I understand the emotion here, believe me. But to villainize the parties involved as part of your point… I say leave out the FUD.