August 03, 2005
FTC Says No Undisclosed Adware? In the Matter of Advertising.com
In the Matter of Advertising.com, Inc., and John Ferber, Federal Trade Commission File No. 042-3196 (consent order announced Aug. 3, 2005).
The FTC is signaling that it is sending a "message" with this case. The only problem? I'm not sure what message the FTC is trying to send!
Advertising.com distributed the SpyBlast software, which claimed to be security software that would protect users from hackers. SpyBlast included adware in a download bundle. The adware was not prominently announced in the advertising, but it was disclosed in the EULA and (inconspicuously) on the SpyBlast home page. The FTC brought the enforcement action against Advertising.com (and its principal) for deceptive trade practices for failing to adequately disclose the adware component of the download bundle.
On first blush, this action makes sense. SpyBlast promised security and privacy, and many users would think that undisclosed adware is exactly the kind of thing that security software would prevent--not contain. So it would be easy to connect the dots and say that if you're a security software vendor, undisclosed adware contravenes user expectations so greatly that they deserve to be unambiguously aware of the adware in the bundle.
However, the FTC went out of its way to make sure that we got some greater message from this enforcement action. In a separate analysis of the proposed consent order, the FTC says:
"However, the limitation in the proposed order to respondents’ software programs whose principal function is to enhance security or privacy should not be read more broadly to suggest that the requirement for clear and prominent disclosure is necessarily limited to those situations."
Huh? There's an implicit double-negative in this sentence (the limit...should not be read...to suggest a limitation), so (as usual) the FTC is trying to say something without saying it.
Helpfully, the paragraph continues:
"Moreover, the problem here was not the security software that Advertising.com disseminated with its adware. Instead, it was the
respondents’ practice of downloading software onto users’ computers, without adequate notice and consent, that generated repeated pop-up ads as the computer users surfed the Web."
Putting this paragraph together, the FTC seems to be saying that if you distribute adware in a bundle, you have to give users adequate notice and consent of the adware.
What Did Advertising.com Do Wrong?
So the question is--why wasn't Advertising.com's disclosure adequate? They made the disclosures in the EULA and on their website. The problem was that users had no reason to read either.
So although the document was styled as a EULA, it was presented more like a browsewrap than a clickthrough. Many Cyberlaw lawyers would think that it wasn't a binding contract at all.
Similarly, there was no call-to-action that would have encouraged the user to visit the SpyBlast web page to be exposed to a significant disclosure--and even if the user did, the disclosure was pretty hard to see.
The "Message" Redux
Based on this, I can read the FTC enforcement action one of two ways:
(1) Every software bundle containing adware must clearly and conspicuously disclose the presence of the adware as an integral part of the ad copy, or
(2) If a vendor wants to distribute adware as part of a bundle, then the disclosures don't need to be in the ad copy but do need to be integrated into some legally binding EULA or otherwise preceded by a sufficiently strong call-to-action.
The only thing the FTC does to tip its hand further is to say that the behavior did not comport with its Dot Com Disclosures document. Unfortunately, the Dot Com Disclosure document is far from clear--it rarely tells the reader yes or no, but instead it casts most behaviors as shades of grey. So pointing to the Dot Com Disclosures document without a little more guidance still leaves me scratching my head.
Sending a Message via a Defendant Who Couldn't Care Less
One other thing about sending a message through this enforcement action really bothers me. The FTC is going after a group of defendants who presumably are incredibly unmotivated to care about their requests. Advertising.com has already sold to AOL, who has no interest in messing with the FTC...plus, they have no reason, as AOL is not bound by the agreement. Further, the settlement does not involve any cash, and Advertising.com claims to be long out of the SpyBlast business, so the agreement's restrictions will be particularly easy to comply with (i.e., they don't have to change their behavior at all). So Advertising.com has virtually zero skin in the game, and they have absolutely ZERO incentive to push back on any FTC request. It's a little hard to fully get the message in an enforcement where the defendants are going to instantly roll over and play dead.
This is not to say that hard negotiations didn't proceed this announcement. Maybe the FTC initially demanded cash and Advertising.com/AOL avoided that only through skillful negotiation. But as the consent agreement now reads, there's no meaningful consequence to Advertising.com to signing the document, so why wouldn't they happily do so?
In its analysis memo, the FTC seems to be going out of its way to solicit comments on this enforcement action. I might take it up on that request. If I do, my principal comment will be simple--tell us if you meant reading #1 or #2! More specifically, if the FTC is trying to take position #1--that every download bundle containing adware must prominently annouce the presence of adware in the ad copy--I think we deserve a clear pronouncement to that effect and perhaps even some explanation for why the presence of adware must be elevated above many other product attributes that consumers might care about.
Without further clarification from the FTC, I think many lawyers will cautiously interpret this enforcement as a signal that disclosures about adware need to be an integral part of the marketing. My hunch is that the FTC would be happy with that outcome even if they are unwilling to issue an edict directly.
UPDATE: Suzi weighs in with her assessment: "The FTC is now on the record that companies must specifically disclose adware functionality in a clear and conspicuous manner OUTSIDE OF THE EULA."
UODATE 2: Cracker of an Issue weighs in with a thoughtful analysis. I agree that companies generally should consider the FTC's standards as minimum baselines that they frequently exceed, but I'm not sure that the FTC has picked the right standard here or has even made the standard clear.
In the end, we can't tell consumers EVERYTHING about the software on the hopes that some of it might be useful to some of the consumers. Overdisclosure is costly to producers, but more importantly, it's costly to consumers to wade through lots of disclosures that they do not consider relevant.
It might be that virtually all consumers consider a prominent notification of "adware-inside" to be relevant, so on that basis, this issue may be worth elevating. But if the FTC is trying to say that disclosure in the EULA isn't enough, the FTC ought to articulate its reasons why this topic is elevated over the dozens or hundreds of other disclosures that a company must make or wants to make in its EULA.