May 01, 2008
Adware is Dead. Long Live Adware!
By Eric Goldman
In late January, I attended the Anti-Spyware Coalition's Public Workshop entitled Spyware: What's Worked, What's Left, and What's Coming. I was on a panel entitled "Is Adware Dead?" with Alissa Cooper from CDT and Colin O'Malley from TRUSTe. This is a timely topic because I've been pondering this question myself for a while now. This blog post recaps some of my thoughts.
Adware Is Dead
At the workshop, everyone agreed that adware is dead, although we may have been using different definitions of adware. (Commissioner Leibowitz declared adware "mostly dead," invoking the phrase from the Princess Bride). I was a little surprised to see such broad consensus on this topic. Let's explore what happened.
Looking back, it's clear that the 2003-06 period was a wild time for the adware industry. Several new entrants sought to build "legitimate" businesses on client-side software that displayed advertising, and others were seeking technical exploits for more nefarious purposes.
Collectively, these efforts sparked the Great Adware Wars of the 2000s. This was a time of mania, with everyone scrambling for the largest network of installs. In turn, vendors attempted lots of aggressive practices, such as bundled installs with obscure notice/consent, difficult uninstalls, loosely controlled/uncontrolled third party distribution chains, and overgrazing of user attention once a desktop install was achieved.
I'm declaring that the Great Adware Wars of the 2000s are over, and the anti-adware forces won. The signs of a decline in the adware industry are everywhere. Most obviously, most of the entrants are out of the business. Of the players trying to run legit adware companies, arguably only Zango persists in its client-side software business model circa 2004.
Why Did Adware Die?
It's hard to tell exactly what ended the Great Adware Wars. Some possible contributing factors:
* enforcement actions by the FTC, state AGs and private litigants (including class action lawsuits)
* new laws, including the laws passed by Utah and Alaska
* technological responses, including enhanced filtering/labeling by anti-spyware vendors
* changes in the economics. In particular, paying third party distributors for installs spurred a lot of unprofitable behavior, so installation economics improved. At the same time, due to the enforcement actions and negative publicity, advertisers have become increasingly gun-shy about advertising via adware. There is some anecdotal evidence that advertisers are now including anti-adware policies in their agency agreements. It's not clear that such policies are actually being enforced, but collectively they send a signal that suppresses the demand for advertising inventory in adware.
* changes in user behavior, due to user education and press attention to adware. Adware has become a dirty/tainted word, and that taint suppresses demand up and down the chain.
Ultimately, I think the single biggest contributing factor to the demise of adware is that it often provides a lousy consumer experience. Even when adware doesn't carpetbomb users with ads, it is still largely based on interruption marketing (a term from Seth Godin's excellent book Permission Marketing [Amazon affiliate link]), i.e., getting the user to stop what they are doing to focus on the ad being presented. Telemarketing is a great example of interruption marketing, and it's universally reviled. Interruption marketing might work if the ads are routinely sufficiently relevant, but I believe that even the "best" adware rarely fulfills that potential.
In the end, I believe lousy consumer experiences always fail in the marketplace. The adware being deployed during the Great Adware Wars didn't prove otherwise.
What Consequences from the Death of Adware?
The Great Adware Wars are over. Now what?
Even though the war is over, regulators haven’t gotten the message. In fact, I predict that we will see continued efforts to regulate 2005-era adware. Why? If the threat has been neutralized, shouldn't regulators focus their attention elsewhere?
This is a classic public choice problem. Everyone hates pop-up ads and scary adware, so regulators can pander to their constituencies' fears. At the same time, no one is opposing these efforts--the adware companies have largely vanished (not that they were ever a potent lobbying force in the first place), and no one else will stand up in their stead. As a result, regulators seeking some publicity bounce for being “tough on Internet threats” can easily enact ineffectual laws to combat past problems. (As an example of this, see the continued unopposed efforts of the Humane Society to ban Internet hunting).
Long Live Adware!
Adware circa 2003-06 may be dead, but adware in the broad sense--client-side software that displays advertising--will never die. Instead, as I argue here, adware is an inevitable part of our future for several reasons.
First, client-side software can interact with the user whenever they are using their computer. As a result, the vendor doesn’t have to worry about Internet connectivity. Plus, each vendor wants to be able to reach the consumer 100% of the time, not just when the user is visiting its servers.
Second, client-side software has access to the very best data about a user. Server-side applications generally only see the data made available when users are communicating with it. This partially explains the Facebook Beacon offering; it's an attempt by Facebook to aggregate data about user behavior that's captured by third party servers (i.e., data that Facebook ordinarily wouldn't see). But even compared with Beacon, client-side software will see more--and better--data.
At the conference, it was pointed out that behavioral targeting doesn't necessarily improve with deeper datasets. While this is true, it also remains true that a website never knows if the user has transacted with its competitor (i.e., when I searched for flights at both American and United's websites, the losing company has no idea if I transacted with its competitor or not). Client-side applications can see all of this valuable information.
As a result, vendors will always want to get onto users' hard drives and watch the users' communication flows from there. Thus, the race for client-side installations will remain an omnipresent fixture of our technological environment.
At the same time, the residual legislative and regulatory efforts--made in a vacuum without a direct threat and without any counterbalancing lobbying--has a serious risk of inhibiting the development of beneficial client-side applications. Simply put, in the legislative grandstanding to put the "nail in the coffin" of adware, regulators might in fact distort the innovation cycles of software developers who can improve users' lives. It's this risk of collateral fallout that drives my objection to most types of anti-adware regulation, and when I see stupid and regressive state laws (like the Utah Spyware Control Act, or Alaska's anti-adware law, or the screwed up Utah Trademark Protection Act), the potential harm on innovation is palpable.
So here's my proposal. Let's take a moment to pause and celebrate the end of the Great Adware Wars of the 2000s, and congratulate the many people who worked very hard to contribute to its demise. Then, let's all collectively vow to move on and focus our energies on looking forward to the next round of bona fide and serious threats, instead of looking backwards at perceived threats already vanquished.
Posted by Eric at May 1, 2008 08:10 AM | Adware/Spyware
TrackBack URL for this entry: