Watch Out for Bundled Third-Party Software

Update (September 7, 2014): Today, I updated a computer to Java 8 Update 20. This time, I know for a fact that the boxes that lead to installation of an Ask program and change my home page settings were checked by default. Here’s what the installer for Java 8 Update 20 pops up:

Updated screenshot

Guess what? They changed the word “Toolbar” to “Search App”. Is that supposed to make the program more palatable? Giving the program a different name doesn’t change its nature. Nor does it change the fact that it’s an opt out, rather than an opt in third-party program.

My original post (July 26, 2014):

Screenshot

Last week, I was updating Java on a computer when I got the following pop-up. Although I’m not 100% certain, I believe the box next to “Install the Ask Toolbar in Internet Explorer” was checked, thus installing a toolbar into the browser of any unwary user. This situation is not news; Oracle has been doing this for over a year already. Nevertheless, I thought I’d take a moment to remind everyone not to click those “next” buttons in program installers without reading what you’re agreeing to.

Many companies, including large and well-known ones, bundle third-party programs into the installers for their own software. When you’re updating a program, how often do you read through every prompt to check if potentially undesirable software is being foisted upon you? How often do you read the license agreements that accompany the third-party software? The boxes leading to the installation of such third-party software are often checked by default. If you don’t want the programs, you have to actually do the work of unchecking the pertinent boxes.

Out of curiosity, I checked the privacy policy of Ask, and here‘s the information they collect from users who choose to install their toolbar (I’m quoting them):

(1)       IP address of your computer

(2)        Unique mobile device identifier

(3)        Technical information about your computer or mobile device such as type of device, mobile device ID number, web browser (Internet Explorer 8, etc.), other browser information (e.g. size, connection speed and connection type), and operating system or platform (Mac, Windows XP, etc.)

(4)        Your preferences and settings (time zone, language, etc.)

(5)        Internet provider or mobile carrier name

(6)        The URL of the last webpage you visited before visiting the Website

(7)        Information about your activity on the Services (e.g., your search queries, mis-formatted DNS entries, search results selected, clicks, pages viewed, search history, comments);

(8)    If you are using a mobile device, your mobile device’s geographic location (specific geographic location if you’ve enabled collection of that information, or general geographic location automatically).  Please see the section “Mobile Device Location Information” below for further information.

(9)    If you installed a Search Application, we may also collect information about that Search Application (e.g. the specific release date and distribution source of your Search Application, a unique Search Application ID, Search Application partner ID, the ads you click on, and information contained in error log files or cookies, aggregate query or click data and erroneous domain name system requests).

From the perspective of privacy, the situation is obviously far worse for mobile users; it’s not only your search terms that are being recorded, but also your device’s unique identifier.

Malware often installs itself onto user computers without their consent, but in some cases, the third-party companies involved exhibit a veneer of legitimacy by embedding convoluted legal agreements, privacy policies that grant the company broad permissions, and force the user to uncheck boxes that are checked by default. As the above article indicates, many such third-party programs and toolbars have gained a reputation for being adware/spyware.

Before you install such third-party programs, ask yourself whether you really want information such as your search terms being sent back to a company that wants to profit from the information. Consider, for example, the future then-Google CEO Eric Schmidt envisioned:

“With your permission you give us more information about you, about your friends, and we can improve the quality of our searches,” he said. “We don’t need you to type at all. We know where you are. We know where you’ve been. We can more or less now what you’re thinking about.”

If you would like to grant this type of permission, feel free to click “next”. Otherwise, pause for a moment whenever you’re updating or installing new software.

Leave a Reply

Your email address will not be published. Required fields are marked *