Monday, February 28, 2005
All Companies Make Mistakes
Nearly every company makes mistakes. In my opinion, once a mistake is discovered, how the company handles that mistake is more telling than the mistake itself.
In this world there are big mistakes and there are little mistakes. Digital River recently collected information related to usage and installation of its SoftwarePassport application, without disclosing the tracking to its customers. The actual tracking was done by including a UserAx.dll in the recent versions of SoftwarePassport and Armadillo.
Developers obviously have a number of concerns related to the new DLL. I'm hoping this article will separate fact from fiction, and get to the heart of the matter.
The concerns expressed by many of the developers were valid and not the result of paranoia. Many industry professionals initially felt that the developer fears were overblown and a result of the adware scandal that plagued the industry a few years ago. After witnessing the fall-out from the adware problems, when adware companies failed to disclose to developers they were tracking surfing habits of end-users, I think the alarm that was sounded in the industry regarding Digital River's inclusion of the UserAx.dll was appropriate. Many developers bore the brunt of the adware scandal with tarnished reputations and their livelihoods significantly damaged. Realizing it is important to learn from history, Digital River appears to have taken developer concerns seriously.
I contacted Brant Pallazza, a VP within Digital River and requested an interview. Brant was able to coordinate answers to my questions from the Silicon Realms support staff. I felt it best to clarify some of the issues that have been raised. I also felt that it was important that developers understand the issue and that all views be represented. For simplification in the questions that I asked the Silicon Realms support staff, I referred to UserAx.dll as the "marketing module".
For clarity I've bolded the questions and italicized the responses from Digital River. Brant started off by clarifying the term "marketing module" that I used to describe UserAx.dll below.
To clarify, UserAx.dll is not actually a 'marketing module'. It was never intended to be used for any means of sales or marketing. It would be more appropriately labeled as a 'technical support component'. Given that many of Digital River's clients were having difficulty utilizing the functions within Software Passport, Digital River's intent was to use the Relevant Reach technology to help troubleshoot the problems clients were having during the download/installation process.
1.) In what versions of Armadillo and SoftwarePassport does the marketing module exist?
Only Armadillo v4.01 and v4.01a (SoftwarePassport v2.0.1 uses Armadillo v4.01a) still search for the UserAx.DLL file, but will load it ONLY if it is found in the same directory as your protected program. However, even if it is found there, data will only be collected and sent to the Relevant Reach servers if the author has an account with Relevant Reach and the appropriate information on the user's machine. In Armadillo v4.00 beta-1 and v4.00 final (SoftwarePassport v2.0 uses Armadillo v4.00) you have the option to enable tracking of your protected program (if you have an account with Relevant Reach) by distributing the UserAx.DLL file with your program. If you do not use Relevant Reach, your protected programs will not be affected -- no data is collected. In the rare case that the UserAx.DLL is found on your machine without you explicitly installing it there, your program still won't phone home unless you have an account with Relevant Reach and the appropriate information on the user's machine. (This could occur because Armadillo v4.00 Beta-1 and v4.00 final simply used LoadLibrary to search for that DLL, meaning it will be found if it is anywhere in the path.) This issue was addressed in the v4.01/v4.01a release, which attempts to load it only from the directory where the protected program resides. Armadillo v3.78 or earlier, and SoftwarePassport v1.2.0 or earlier were not affected in any way, as they didn't include this integration at all.
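The difference between the two lookup behaviours described in this answer can be checked on a machine with a small audit script. The following is an added example, not part of the interview and not Digital River's or Silicon Realms' code: it models the v4.00 behaviour as a bare-name lookup over an ordered list of directories supplied by the caller, and the v4.01 behaviour as a lookup in the program's own directory only. The directory names in the sample tree are constructed.

```python
import os
import tempfile

DLL_NAME = "UserAx.dll"


def find_in_dir(directory, name=DLL_NAME):
    """Return the path of `name` inside `directory`, or None.

    Matching is case-insensitive, as Windows file names are.
    """
    try:
        entries = os.listdir(directory)
    except OSError:
        return None
    for entry in entries:
        full = os.path.join(directory, entry)
        if entry.lower() == name.lower() and os.path.isfile(full):
            return full
    return None


def resolve_search_path(app_dir, search_dirs):
    """Model of the v4.00 behaviour: a bare-name lookup that tries the
    program's directory first and then every directory on the search path.
    The caller supplies the ordered list (system directories, PATH entries)."""
    for directory in [app_dir, *search_dirs]:
        hit = find_in_dir(directory)
        if hit:
            return hit
    return None


def resolve_app_dir_only(app_dir):
    """Model of the v4.01/v4.01a behaviour: program directory only."""
    return find_in_dir(app_dir)


def audit(app_dir, search_dirs):
    """Report which copy each behaviour would pick up for one program."""
    wide = resolve_search_path(app_dir, search_dirs)
    narrow = resolve_app_dir_only(app_dir)
    return {
        "v4.00": wide,
        "v4.01": narrow,
        # True when only the path-wide lookup finds a copy, i.e. the DLL
        # was not shipped with this program but would still be found.
        "stray_copy": wide is not None and narrow is None,
    }


def demo():
    """Audit two hypothetical programs in a constructed directory tree."""
    with tempfile.TemporaryDirectory() as root:
        app_a = os.path.join(root, "AppA")     # ships no DLL
        app_b = os.path.join(root, "AppB")     # ships its own copy
        shared = os.path.join(root, "Shared")  # a directory on the search path
        for directory in (app_a, app_b, shared):
            os.makedirs(directory)
        for path in (os.path.join(shared, "USERAX.DLL"),
                     os.path.join(app_b, "UserAx.dll")):
            open(path, "wb").close()
        results = {}
        for name, app_dir in (("AppA", app_a), ("AppB", app_b)):
            report = audit(app_dir, [shared])
            results[name] = {
                key: os.path.relpath(val, root) if isinstance(val, str) else val
                for key, val in report.items()
            }
        return results


if __name__ == "__main__":
    for app, report in demo().items():
        print(app, report)
```

A `stray_copy` result of `True` marks a program that did not ship the DLL itself but would still find a copy elsewhere under the path-wide lookup.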
2.) Was the inclusion of a marketing module in Armadillo or SoftwarePassport disclosed to software developers in a EULA or documentation?
No. We apologize that the installation of UserAx.dll was silent. That was a mistake and we apologize for not confirming it was there.
3.) Is any information related to a developer's installation and usage of SoftwarePassport or Armadillo passed to Digital River via Digital River's Relevant Reach account?
Yes, only in the versions mentioned earlier. SoftwarePassport information relating to the completed download, the installation start and complete, and the number of times the program started was collected anonymously. Information was collected about the SoftwarePassport usage only. Information regarding the usage of the Armadillo Classic interface was not collected.
4.) If an application is wrapped with SoftwarePassport or Armadillo is any information related to the developer's end user's usage passed to Digital River?
No. The ONLY way information could have been collected from your protected applications is if you, the developer, chose to collect that information, set up your own account with Relevant Reach, and distributed the UserAx.DLL file with your protected program. Regardless, DR would not have access to the information.
5.) Can the information be passed to anyone other than Relevant Reach?
No.
7.) The Relevant Reach website references a number of items that can be tracked. What specific information does the Digital River marketing module track?
We collected the following information, anonymously:
- Download start attempts
- Download completes
- Installation of SoftwarePassport starts
- Installation of SoftwarePassport completes
- The number of times SoftwarePassport was started
Again, for clarification, we did not collect any information that could in any way connect a user to the program.
Our data was aggregated to show trends, total numbers only for the purpose of troubleshooting SoftwarePassport.
8.) Some developers have expressed a concern that the marketing module's DLL in question will eventually be tagged as spyware, whether or not it actually sends data. If that occurs then every Armadillo 4.x protected application will be marked as spyware. Is that correct?
No. Relevant Reach has expended time and energy to cooperate with, and ensure white listing of their program within the spyware definition market. In addition, as clarified in question 1 above, Armadillo v4.00 beta-1, v4.00 final, Armadillo v4.01 and v4.01a are the only versions that have integrations with UserAx.dll of any sort. Armadillo v4.05 beta-2 and Armadillo v4.05 final and future versions will never look for UserAx.dll no matter what. Customers with Relevant Reach accounts can contact us for a version of SoftwarePassport that includes the integration.
9.) What assurances can you provide developers that the new marketing module will not be tagged as spyware?
Relevant Reach is a component that collects anonymous data. How the publisher chooses to integrate this product, and how the publisher chooses to communicate this to the end user will determine whether or not third parties would consider the program spyware. For Digital River, it was clear that the usage of this technical support component without full disclosure to our customers was a mistake. This is the reason why we've completely removed the program going forward.
10.) Developers worry that it is possible for an existing Relevant Reach activated application to "enable" the marketing module that is on the same system in another application. Is it possible?
In other words, an Armadillo or SoftwarePassport wrapped application includes a DLL in the directory of another program that appears to be protected with Armadillo or SoftwarePassport, thus passing that application's information back to Relevant Reach. Is it possible for this to occur?
No, it is not possible. Again, only SoftwarePassport included the Relevant Reach component. The Armadillo Classic Interface did not include or capture any data. That being said, the developer (or software publisher) would need to have an active account with Relevant Reach in order for any data regarding their program to be collected. This would be a conscious decision and a full integration with the Relevant Reach library.
11.) Will a final version of Armadillo and SoftwarePassport be made available that does not include the marketing module, not just the option to turn it off? If so when?
Yes. As posted in the Silicon Realms public forum, Armadillo v4.05 Beta-2 is now available via the Silicon Realms website. This new beta version NEVER looks for the UserAx.dll, no matter what.
12.) What efforts will be made to contact existing Armadillo and SoftwarePassport customers to disclose the usage of tracking information available in SoftwarePassport and Armadillo?
An email will be sent to users who have purchased Armadillo and SoftwarePassport versions that integrated with Relevant Reach and the information contained from the website will be presented to them for review, along with links to download versions of Armadillo which do not include the Relevant Reach library.
13.) What assurances can be provided to developers that full disclosure will occur in the future?
Going forward, any inclusion of a library or component in which data can be collected will be completely optional. In fact, users will need to explicitly and consciously opt in to have this component included with their download. All information will be available to the end user to understand and accept/reject the inclusion of the library within the install of SoftwarePassport.
Commentary from SMR
Let's take a look at Digital River's response to their error. The initial response to concern expressed by developers was posted to: http://siliconrealms.com/relevantreach.shtml . The post was in response to posts in the Silicon Realms forum, and a private forum frequented by developers. Because many of the developers' concerns were posted in a private forum, Digital River had to be very careful that their response was public; being a publicly held company, any private responses had to be carefully worded, so that they could not be misconstrued as any insider information.
One of the paragraphs in the public post included a statement that did nothing more than anger and frustrate developers.
"In the meantime, please be assured that Relevant Reach has met the criteria of SAFE certification process and standards and has been certified as non-spyware by Aluria Software, a recognized leader in the anti-spyware industry."
In my opinion the Aluria certification of Relevant Reach is a bit of a red herring, because it clearly relates to the Relevant Reach website, not their tracking application. Also many developers felt that paying for certification created an illusion that was nothing more than a false sense of security. Aluria does not have any global influence with anti-spyware applications that would prevent the UserAx.dll from being marked spyware.
That being said, I think that even within the constraints of a large company Digital River has ultimately handled the situation professionally.
I think Brant Palazza, VP of Shareware Division, accurately summarized the situation in his final comments:
At the end of the day, it was a poor decision to include the Relevant Reach code into SoftwarePassport especially without the express consent of the users. I hope that DR's quick reaction in releasing a "clean" version is a demonstration to all that the inclusion of the code was not done with any intention other than to improve the usability of Software Passport, as the attached responses indicate.
As an owner of a small business who has made mistakes, I appreciate Brant's candor. Ultimately the developers who have voiced their concerns the loudest represent a very small portion of Digital River's business, yet Digital River listened and quickly removed the offensive DLL. While I don't feel what Digital River did was right, and their response was a little slow for my taste, I understand how corporate bureaucracy works and realize their intent was not to harm developers but to collect information to increase their conversions. Something all developers try to do every day.