A few days ago, at StopBadware.org, we released a report on AOL 9.0, the free software on offer from one of the giants of the Internet industry.
The back-story on this matter is that we wrestled hard with the right way to release this report. We followed our research process rigorously, following tips and leads from dozens of users who submitted reports to us via StopBadware.org about AOL 9.0, and found that the application didn’t meet our guidelines on multiple fronts. (And yes, we have tested the apps of other big, mainstream tech companies; we are not just “picking on” AOL.) We tested AOL 9.0 many, many times; we shared the draft with a number of trusted advisors and with AOL itself; and we are confident that the results of our testing are accurate. But we also didn’t want to mislead users into thinking that AOL is malicious, when we plainly think they are not.
As I’ve said in every interview I’ve done on this topic, AOL does not belong in the company of the most malicious of spyware and malware providers. No question about it, AOL has been a leader for the past several years in working to fight spyware, whether through its involvement in the Anti-Spyware Coalition that Ari Schwartz of CDT runs or any number of other initiatives overseen by Jules Polonetsky. On his blog, AOL Vice-Chairman Ted Leonsis, the senior executive who has been with the company the longest, wrote, “No company on the Internet has done more to protect users from the dangers of spyware and adware.” That strong statement may or may not be true, but it is certainly the case that AOL has been on the side of the angels in this matter in many ways and on many occasions. It’s important that the nuance is captured, by putting this report in a newly-created category of “open inquiries” on our reports page, rather than issuing a final statement, especially while the company is working to improve the application and says it intends to meet the standards set in the guidelines we’ve published. I admire many people who work at AOL, including one of my oldest friends, from high school. And it’s essential that we make clear that AOL has stepped up to the plate to make changes, many of which they say are already in the works, destined for a new release next month.
Even good companies can release bad applications. Our concern related to AOL 9.0 is primarily about disclosure. The report lists our specific concerns, which I won’t repeat here.
Set aside AOL and our “open inquiry” for a moment, and consider the problem in a broader, abstract construct. If an ordinary computer user goes to a website and decides to accept the offer of a free software download:
1) Does the user have a good chance of knowing — more or less — what will happen to their computer when she clicks “I agree”?
2) Will the user know what’s running in the background after that download, and where she got it from?
3) And once the user decides she no longer wishes to have these services running on their computer, will she be able to get them completely off the computer?
What I wanted to recount here is not our process before issuing the report, but rather just my personal experience trying this application at home — just one user’s view, setting aside all the guidelines and formality of StopBadware. If you doubt our findings, I urge you to try it.
The day before we issued our report, (to be clear, the real testing was in a pristine testing lab environment, many times over), I went home and turned on an ordinary computer. It’s a few years old, a Dell, quite nice when I bought it and generally in great shape, but not exactly humming along on the latest dual-core processors. It is on a fast broadband connection, wired, from Comcast, in the Boston area. I get a good throughput on it.
I set to downloading the application. It took a while, despite the speed of the connection and the relative power of the computer — perhaps a sure sign that lots was going on. During this time, my screen filled with various statements about security software and so forth that I was getting, and noting that for-pay upgrades would be available to make the services better. At no point did I have the chance to see a full list of what was arriving onto my computer, nor a chance to “uncheck” the boxes so as to say that, no, I didn’t actually need more than one new media player, for instance. The process took maybe 15 minutes or so. After a reboot, I checked out what had happened.
AOL gave me a lot of stuff. This would not come as a surprise to anyone who has downloaded an application suite from AOL before, I suppose. And no doubt other leading Internet firms do the same thing. Several icons appeared on my desktop and in the tray along the bottom of my Windows 98 (yeah, I know, I said it was old) screen. A new search bar appeared in a second layer of the tray along the bottom, branded clearly as AOL. As soon as I tried to go online, I found myself back in 1998 — in AOL’s garden. The experience wasn’t terrible, to be sure — nothing malicious that I could find, to be sure — but not for me. I admit: I’m not likely AOL’s target customer anymore, even if I was in the 1990s. I decide I want to uninstall the whole thing.
I go to add/remove programs, because I know to do that. I suppose most users at this point do, thanks to the computing industry’s standardization around this method, at least in the Windows environment. The process of getting rid of the applications, even the ones that do uninstall, was for me exactly as described here. Let’s just say it took forever. A much longer time than it took to get it installed, by a wide margin.
All in all, let’s assume AOL fixed the pop-up that didn’t have an “x” to close it (floating for days on our test machine, vaguely offering some form of upgrade related to connectivity services) and the .exes that didn’t fully uninstall (seems to have been done, and AOL says it has, and that they were never doing anything bad while they were there) and so forth, as we outline in our report. Let’s assume also that the disclosure is improved.
Would it then add up to Badware, if all of these programs were disclosed and the user could go through and take them all off? Nah. But still pretty annoying? You bet. And is the average user likely to go all the way through this process of informing themselves and then uninstalling all these programs, loads of reboots, etc.? Honestly, I don’t think so. But let’s be clear: this is not just an AOL problem — it’s instead an industry issue, one related to bundling of applications. Do users really want this level of simplicity? Maybe. But maybe users deserve more credit: maybe users really do want to take the easy route OR to be able to install a subset of those applications. Maybe it’s possible within AOL 9.0, but I sure couldn’t find it.
What I’ve been so surprised at, both before and since releasing the report, is what other people have said to us. My e-mail box has filled up with reports of people saying, “I’ve been waiting for someone to say this” or telling stories about how they’ve had similar experiences and have felt powerless to do anything about it. It’s not hard to hear what users are saying about AOL 9.0. Read what people are saying in the comments fields, say, of the many blogs, Slashdot postings, etc. who have covered this story. One user: “What that org. says about AOL is true. AOL 9.0 puts so much extra crap on your computer, doesn’t tell you about it, then tries to say it’s a vital part of the AOL program.” Another user told us, before we released the application: “I re-installed the newest software for AOL and it just keeps coming on and on whether I want it to or not. … I’ll NEVER put AOL on again! Warn people, this is something new.” The user comments, submitted to us directly or to the web before and after this report, tell a pretty clear story: at least some meaningful subset of users are not happy with what they’re getting.
Eric von Hippel is here at the Berkman Center today. He’s amazing — a professor at MIT’s Sloan School and champion of Democratizing Innovation. For the past three decades, he’s been talking about user-centric innovation. The Internet community is packed with people seeking to tell their story back to companies that offer services online. Sometimes users are cranks, for sure. But sometimes they speak very clearly and loudly and with their feet — and much of the time, as von Hippel and others have proved, a subset of these users are in fact the innovators. (This is a big Dave Winer theme, too.) One argument goes: AOL users are not the innovators. But I don’t believe this, not for a second. There are almost 20 million users, and no doubt these users have had a lot to say to AOL over time that has made its way into the many fine applications AOL has developed and offered as part of its services. This is an era of user-centered innovation, not just in Web 2.0, but in many many fields, as von Hippel has shown. Users of AOL 9.0’s free version are doing a whole lot of free reviewing out there and telling a story of their experiences across the web, some of which we’ve echoed on StopBadware.org. Eric von Hippel’s insight strikes me as relevant not just to AOL, but to all those offering bundles of applications for free downloads. Users have a lot to say, and some of it might help get to innovation, if the conversation is kept open. Put another way, instead of trying to make it more and more simple but also more and more closed, could AOL and others similarly situated instead make its application more “hackable”?
[…] John Palfrey, Executive Director of the Berkman Center, has an engaging and illuminating post about the StopBadware project’s warning concerning AOL downloads (which I discussed here). It’s worth reading the whole post, which explores how, as his title says, “good companies sometimes release bad applications.” He goes through his own frustrating experience testing out the AOL software. Then he notes that, even if AOL fixed some of the most serious problems they documented, related to failure to disclose programs and difficulty uninstalling them, another problem would remain: Would it then add up to Badware, if all of these programs were disclosed and the user could go through and take them all off? Nah. But still pretty annoying? You bet. And is the average user likely to go all the way through this process of informing themselves and then uninstalling all these programs, loads of reboots, etc.? Honestly, I don’t think so. But let’s be clear: this is not just an AOL problem — it’s instead an industry issue, one related to bundling of applications. Do users really want this level of simplicity? Maybe. But maybe users deserve more credit: maybe users really do want to take the easy route OR to be able to install a subset of those applications. Maybe it’s possible within AOL 9.0, but I sure couldn’t find it. […]
A couple of quick comments:
1. You might want to use one of the virtual machine monitors (such as VMware’s free server) to create a pristine Windows environment that you can snapshot, use as a sandbox, and then restore to pristine state. I have found that to be a very useful method, and one that saves an amazing amount of time.
2. I don’t know if you consider it “badware” but I came across a “End User License Agreement” that did not license anything. Instead it made the user an employee of the company offering the service! I realized this when they sent a follow-up confirming e-mail that confirmed that I had not only become an employee but had waived several Federal employment protections, such as parts of COBRA end ERISA!! And all I thought I was doing was getting a password so that I could look at the benefits from my real employeer. (I’ll send you a copy of the click-through EULA if you are intererested.)