Zango defying FTC agreement, researchers say

This week in Security Blog Log: Two researchers accuse Zango of unsavory adware tactics, despite the company's pledge to clean up its act.


Zango Inc., formerly known as 180solutions, has been trying for some time to erase its public image as a shameless adware pusher.

The most recent example came earlier this month, when Zango agreed to settle Federal Trade Commission (FTC) charges that it used unfair and deceptive methods to download adware and obstruct consumers from removing it. The settlement bars future downloads of Zango's adware without consumers' consent, requires the company to let consumers remove the adware, and requires it to relinquish $3 million in ill-gotten gains.

But Ben Edelman, a well-known researcher on a mission to expose spyware and adware, has posted a detailed analysis in his blog of how Zango is failing to live up to the FTC settlement.

"We commend the proposed settlement's core terms," Edelman and fellow researcher Eric Howes wrote. "But despite these strong provisions, bad practices continue at Zango -- practices that, in our judgment, put Zango in violation of the key terms and requirements of the FTC settlement."

About Security Blog Log:
Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at [email protected].

First, the researchers noted the specifics of the FTC settlement, in which Zango is:

  • Prohibited from using "any legacy program to display any advertisement to, or otherwise communicate with, a consumer's computer."
  • Prohibited from (directly or via third parties) "exploiting a security vulnerability ... to download or install onto any computer any software code, program, or content."
  • Prohibited from installing software onto users' computers without "express consent." Obtaining "express consent" requires "clearly and prominently disclos[ing] the material terms of such software program or application prior to the display of, and separate from, any final end user license agreement."
  • Required to "provide a reasonable and effective means for consumers to uninstall the software or application," through a computer's Add/Remove utility.
  • Required to "clearly and prominently" label each advertisement it displays.

Despite Zango's claim that it has met those demands, Edelman and Howes said they continue to find ongoing installations of Zango's software "that fall far short of the proposed settlement's burdens, requirements, and standards."

For example, they wrote, Zango:

  • Often announces "material terms" only in its end user license agreement, not in the more prominent locations required by the proposed settlement.
  • Often omits "material terms" from its prominent installation disclosures -- failing to prominently disclose facts likely to affect consumers' decisions to install Zango's software.
  • Presents disclosures in a manner and format such that these disclosures fail to gain the required "express consent" of users because the disclosures are not "clearly and prominently" displayed.
  • Presents disclosures only after the installation and execution of Zango's software on the users' computers has already occurred, contrary to the terms of the proposed settlement.
  • Has software that continues to become installed with no disclosure whatsoever.
  • Allows older versions of Zango's software -- versions with installation, uninstallation, and/or disclosure inconsistent with the proposed settlement -- to keep being installed and to communicate with Zango servers.
  • Has installs that are still known to be promoted and performed in or through a variety of miscellaneous practices that can only be characterized as deceptive.
  • Distributes advertisements that lack the labeling required by the proposed settlement.

"These improper practices remain remarkably easy to find, and we have numerous additional recent examples on file," the researchers wrote. "Moreover, these problems are sufficiently serious that they cast doubt on the efficacy and viability of the FTC's proposed settlement as well as Zango's ability to meet the requirements of the settlement."

The blog entry continues with a series of very specific examples of the violations.

Zango defended its compliance efforts in its own blog.

"Several researchers released information this week pertaining to our settlement agreement announced earlier this month with the FTC," Zango said. "We are committed to meeting and exceeding our obligations, take concerns relating to the FTC consent order very seriously and welcome any and all input about our business practices and the protection of consumers."

The statement doesn't directly address the specific violations Edelman and Howes outlined, however.

A look around the blogosphere shows little surprise that Zango may be shirking its responsibilities.

The Security Garden blog called on the FTC to look at Zango's practices, not words, and "come down hard on them and other creators of advertising software."

The Techdirt blog called the researchers' findings a laundry list of what you'd expect from a company like Zango.

"It's bad news for Internet users and a major slap in the face to the FTC, which sees its agreements flouted so blatantly as it struggles to come up with a workable model of regulating online activity," Techdirt said.
