Permission to Spy
By Ed Foster, Section Columns Posted on Thu May 27, 2004 at 08:22:55 AM PDT
How deep in the sneakwrap can spyware purveyors bury the truth about what they're loading on your system while claiming they had your consent? It's a question the software industry is finding hard to answer.
Perhaps we could help them out by examining a few facts that have been revealed recently in comments filed with the Federal Trade Commission's Spyware Workshop. Benjamin Edelman, a PhD candidate in economics at Harvard, in March filed comments with the FTC about some of the things he's learned in his research into spyware. One observation was that his analysis of data transmitted by WhenU.com's Save and SaveNow "adware" software indicated WhenU was violating its own privacy policy.
Edelman's research, detailed here, demonstrated that the transmissions back to WhenU's servers include the web site URL being visited when a WhenU ad was displayed on the user's system as well as other data. This seemed to contradict the then-current WhenU privacy policy statement that as "the user surfs the Internet, URLS visited by the user (i.e., the user's 'clickstream data') are NOT transmitted to WhenU.com or any third party server." And it unquestionably contradicts privacy promises WhenU makes in places where there is at least some chance "customers" will see them before they are inflicted with the company's software.
"WhenU claims that if you look at the installation process, they tell you what they are going to do," says Edelman. "But if you look at the installation screens that come up on their sites or those of their partners, they don't just say they won't collect the clickstream data. They promise they do not collect any of your browsing activity."
WhenU.com had not returned my calls by press time, but fortunately they did respond to Edelman by filing a rebuttal with the FTC last week. Although charging Edelman with bias since he's served as a paid expert witness in a number of lawsuits brought against them (as well as in cases against WhenU rival Claria, the former Gator), WhenU didn't dispute his facts. The company acknowledged that such data as the visited URL, search terms, etc. associated with each ad their software displays is transmitted back to their servers.
Instead, WhenU argued that Edelman's interpretation of what their privacy policy was really promising was mistaken. Oddly, they base this assertion on their privacy policy allowing them to report "impressions and clickthroughs" for each ad back to WhenU. Does that mean the URL the user is visiting counted as an impression in addition to the ad display? I would think WhenU advertisers might want to have that clarified.
WhenU has now changed the privacy policy on its website to jibe a little more closely with what Edelman discovered they were doing. But as he pointed out, and as I confirmed for myself by visiting some of their "partner" sites, the promises users are likely to see are quite different. For example, on one website where you might think that you're just downloading a free media player, you have to look pretty hard to discover any information about the WhenU program you'll be getting with it. If you do find it, though, it says straight out that "WhenU.com does NOT transmit URLS visited by the user to WhenU.com or any third-party server." And, in over 800 reassuring words about it not being spyware, the only mention made of the software contacting WhenU's servers states that "it does so in order to retrieve content from them and store that content on your computer."
But what about WhenU's license agreement? Isn't that where, as WhenU told the FTC, its software's functionality is explicitly described? Well, it's explicit enough that anyone who goes through it will at least get an inkling how this intrusive "adware" takes over your computer, which is why it makes sense for WhenU to make it hard to find and hard to read the license. Edelman has an example of one site where the tiny text window displaying the EULA requires 44 page-downs to see it in its entirety. More typical is the example of the free media player that I followed, where the hidden WhenU EULA can only be seen after downloading the software by scrolling through the license agreement of the free software product you actually wanted. Had I not known where to look, I could have easily completed the download and installation (at least up to the point of clicking "I agree", which is where I stopped) without even seeing WhenU's name or the name of its product, much less that I had given informed consent to their pop-up generator taking over my system.
And that's what's going to cause a problem for the software industry. Spyware is a plague for everybody, so there's little sympathy to be found for WhenU.com and its ilk. But, as we know all too well, many software companies like to hide the true nature of their offerings deep in the fine print of their sneakwrap licenses. And, as we will soon need to discuss, events on the near horizon mean that the industry is about to have to choose.
--------------------
Post your comments about this column below or write me directly at Foster@gripe2ed.com. To receive this column every week in my free e-mail newsletter, please go to my subscription page and follow the instructions to opt-in for the EdFoster mailing list.