Why is the opt-in toolbar scam still acceptable?
33 points by 1dundundun on Feb 3, 2014 | 54 comments
Aside from when I need Photoshop, I've been using my Chromebook 80% of the time & loving it but over the last year, I've had 3-4 family members and friends ask me to help them remove toolbars/search helpers and other shit they downloaded by mistake while installing a legit piece of software on a Windows box.

The industry should have evolved beyond this practice by now. I'm sure there's a less invasive profit center.

This practice specifically preys on the less tech savvy. Not cool... It seems like reputable companies would distance themselves from the practice but some of the most popular software still tries to get you to opt-in via strategically placed checkboxes or a misleading question. It's time for us to stop accepting this. Our parents, kids and friends deserve better.

Thoughts?




Strictly speaking, it's usually opt-out, i.e. the "install toolbar" option is selected by default, usually in fine print at the bottom of the installation screen, and you have to notice it and un-check it.


Yup, sorry. That's what I meant. If you aren't tech savvy or very careful, you breeze right by it because it's often preceded by questions that have to remain checked.


IMO the problem is that Windows does not have a proper built-in package manager. People rely on binaries installed from possibly shady websites to install their software.

This would be a non issue with a proper package manager (that or a well curated "app store").

Installers should be a thing of the past, they hardly serve any purpose in this day and age.

You can't expect people to stop doing that if it makes them money. I'm pretty sure the vast majority here doesn't accept this kind of behaviour (whatever that means), but so what? We're not the target anyway.


Package managers would do nothing to stop vendors from bundling toolbars. They bundle toolbars because it makes them money, not because they have to ship their own installers...


If you bundle crapware in your package it gets rejected. Problem solved.

Look at Steam. Look at the various un*x package managers. They don't have this problem. When I install/update a game through Steam I don't have to worry about crapware (besides Steam itself, but that's another issue).


You want Microsoft to get to decide what software people can and cannot install on their PCs? Seriously?


No, I want Microsoft (or a third party) to propose a curated App Store for common applications on Windows. You would still have the option to install software through other means.

It would be a huge win for Microsoft IMO, better user experience, software updated automatically for better security, less chance to spread a virus etc...

I'm not advocating a walled garden, I'm advocating a fenced garden you can leave at any moment if you need to and you know what you're doing. Best of both worlds IMO.

It would also simplify the work of the devs, because right now most Windows applications feature a custom and non-standard way to check and download updates. Or worse, they don't check, making sure that virtually nobody updates them ever.


Given that their current walled/fenced garden is overrun with weeds [0], I wouldn't expect much of Microsoft.

As for 3rd party curated stores, we don't need to look beyond Adblock whitelisting Google ads to see where that's headed. Once any 3rd party store reaches critical mass, dollar signs start showing up and it won't be long before "official" weeds begin to creep into the 3rd party garden.

It might be possible for the EFF or a related body to step in and mandate that before installing a toolbar/extension browsers run a check against a Web Of Trust (WOT)-like decentralized system gathering ratings from actual users for all toolbars and extensions. This is a long-term play, one that is unlikely to come to fruition given the massive amount of co-ordination necessary for relatively little payoff.

Realistically, it's up to the users to get savvy. People get ripped off all the time in the real world and no one has managed to put a stop to that, so why expect anything different from the virtual world?

Edit: I just had an epiphany in the shower that leads me to believe I closed off the discussion too soon. My initial thinking was that since this was a social engineering issue a technological solution was impossible. It took a hot shower to remind me that we have solved a similar issue with technology before; we know this as "Parental Controls".

Adopting a similar system for naive users has huge benefits — the control remains in userland instead of in the hands of a 3rd party, which means it's scalable (new users can begin using it right away instead of waiting/hoping a 3rd party would approve) and specific (opt-in/opt-out remains a choice of the user, so savvy users remain unaffected by the needs of the naive).

It works via a browser setting that a savvy relative can turn ON for the user. Once turned ON, all extensions and plugins including toolbars are blocked. Savvy user can whitelist some extensions etc during setup. Problem solved.

We can call this system "Special Controls", which I think is the best name that describes the purpose of the feature without offending the sensibilities of the user.

[0] https://news.ycombinator.com/item?id=7161609


Steam has been letting vendors bundle DRM rootkits for ages, and they don't do verification/certification on game releases at all. If a vendor wanted to they could bundle a browser toolbar with a major game on Steam and it would install on the machines of anyone who played it. (Valve would probably hear about the backlash and intervene eventually, but it's not as if it would be stopped systemically.)

Note that most Ubisoft titles on Steam currently just install and launch UPlay instead of actually running the game through Steam. This is despite the fact that in the past having UPlay installed exposed you to remote code execution vulnerabilities.


That would be the job for the repository (app store) - not the package manager.


I agree that this is a tactic that preys on the less tech savvy folks, and share your continued astonishment that reputable companies would engage in these drive-by toolbars/extensions that are bundled in installers.

YC has invested[0] in a company called InstallMonetizer[1] that appears to help developers and advertisers connect in the pay-per-install marketplace.

[0] http://www.techdirt.com/articles/20130115/17343321692/why-ar...

[1] http://www.installmonetizer.com/

Sadly it doesn't seem like a practice that will go away any time soon. I'd like to do some digging around on developer forums and see if any folks have shared their experience and would be able to comment on the amount of extra revenue that they see from such programs.


Interesting.


The worst bit of social engineering of this kind that I recently encountered was contained in the OS X installer for μTorrent. Halfway during the installation process you get a large body of text along with the buttons AGREE and DECLINE. You immediately think you're looking at a license agreement and click AGREE. Then you realize what the buttons actually said was:

AGREE to this offer DECLINE this offer

And the offer obviously is to install some toolbar crap into your browser. Normally I'm very careful not to install any adware or toolbars, but this one caught me off guard.


Correct. I've noticed incredibly SEO optimized pages for popular free software (VLC I think). That is what people like my parents find if they google for such products. If you install from one of these pages you get a lot of crap- and adware. It wouldn't be a problem if they didn't score so high for names of free software...


There is even worse: my mom installed Kies the other day from a website which was better referenced than Samsung's (Kies being the synchronizing app for Samsung devices, for people wondering). It cost her € 10 through SMS payment. Well, maybe it was some sponsored link, but in the end it's just the same for "elder" people who don't have a minimum tech background (or common sense, you might add). Anyway, no other website than the official developer / distributor one should come first when doing such a straightforward search. This leads to a terrible customer experience for both Google and Samsung along with some easily earned money for someone who doesn't deserve it.


Meta question for browser designers... is there any possible reason or purpose for toolbar addons other than spamming users? No? Oh, then take out the entire functionality, please. It'll be a massive net gain to humanity.

Since they won't, makes you wonder how much they're being paid to leave it in.


On Firefox, toolbars are just one of the many functionalities that extensions have available, and that allow them to completely modify the UI. And yes, those capabilities are useful: see Firebug, Vimperator, etc.


I don't disagree with your assessment of usefulness, solely with the assumption that useful = net gain to humanity.

As a guy who uses Firebug, I'd much rather download a special built executable of Firebug for myself, once, than spend a lifetime cleaning up relatives' browser bars.

(edited to rephrase, what I'm asking for is a market bifurcation where stereotypical end users can't install toolbars and stuff to get owned, but devs are given the ability to screw their browsers up. Or we simply distribute dev tools separate from end user tools.)


What makes you think that spammers won't convince your relatives to download "special built executables" that add those toolbars? In the IE world, the way to create one of those toolbars is to develop an executable - a DLL -, but we all know that didn't stop them.

In the end, browsers can only do so much; you need full process isolation at the OS level to avoid these problems.


Taking out the toolbar functionality would do nothing because add-ons can modify the content of webpages so they can create fake toolbars on top of every page.



Just deliberately search in Google, Yahoo and Bing for "download <insert popular software or game here>", find the obviously pay-per-install-crap ads, report them. (Say they try to get the user to download malware, which adware is.)


'Download flash player' in Bing gives me a bunch of dubious sponsored links before the official installer. Google has taken the step of removing all of those and linking to the official installer first.


Last I checked, the legitimate Flash installer from Adobe tries to install McAfee.

And the Java updater for Windows tries to install the Ask toolbar on every update. I feel like these are programs I can't really avoid installing, either. Scum!


(The biggest of these unwanted craps being Chrome.)


Is Chrome being installed without your consent when installing some other piece of software? Could you give a specific example, that is new to me.


It's in the standard rotation of shovelware. You don't get it 100% of the time but I had a Flash update for Firefox try to install Chrome last week.


It is installed with the very same consent that you give when installing toolbars.

Simple example would be : Flash, Reader, Java, Avast, ...


Adobe bundle Chrome with their Windows Flash player installer.


What's wrong with Chrome? At least it's not adware...


Updating Flash shouldn't install another web browser as well as changing your default browser. Causes tech support issues all the time.


Adware, no. Spyware, yes depending on your definition.


Nothing, somebody always complains about products created by mega corporations.


When I visit my parents, I end up having to remove the Ask toolbar. It always returns due to the frequent Java updates having the Ask install box ticked by default.


Put Ninite on their boxen and set it to autoupdate Java, perhaps?


I didn't know this app. Thanks a lot!


I want to believe that 'boxen' is a Brian Regan reference and not just a typo :)


It's been in the jargon file for a while – http://www.catb.org/jargon/html/B/boxen.html – I guess it's an obvious analogy with ox/oxen.


Also VAX/VAXen.


Uninstall the JRE and install the full JDK which includes a JRE: http://www.oracle.com/technetwork/java/javase/downloads/inde...

Oracle doesn't bundle adware with the JDK.


How could any industry evolve beyond such easy money? As long as there are users who will put up with Google/MyCoolWebSearch/ALOT/Conduit/Baylon/etcetera messing around with their settings and information these firms will never move away from these tactics.

If I remember correctly, CCleaner was removed from Ninite due to the automatic refusal of big G's toolbar.


Yes, this practice should not be acceptable; if a company does it I actively avoid them and recommend friends do the same. I think the market for this sort of thing will ever be shrinking as more and more of the technology generation grow into adults. It's a shame that normal people out in the world are completely unaware this is even happening on their systems. I often speak to people who've fallen foul of this practice and they don't even know where it came from and don't seem worried that something appeared without them approving it. Most of the time they just assume that's how it's always been and they'd not noticed it before.


I tried installing something ostensibly legitimate from download.com. The "download.com installer" masked the opt-in of 3 separate craps with EULA acceptance prompts. If I was just slightly less paranoid about this stuff, I would have clicked through all of them.

And to be clear, they were not checkboxes, or "custom install" options. They were straight-up walls of text in tiny textareas, with only "accept" and "decline" buttons.

My instinct was to decline them, and they just kept coming. After I dismissed the final crap, the installer then downloaded the real installer for the app I was trying to install.


Having moved to OSX, but by no means a zealot, there are many things I miss about Windows.

This - download.com and others - is absolutely not one of them.


One software that I really appreciate, Freemake Video Converter, perpetrates this "scam." Personally, I prefer unchecking a box once to seeing ads on every use. But I agree it's a pretty shady tactic. I'm sure the problem will go away as tech literacy increases. Until then, so few people will be both aware and bothered by it that there will be no sudden change... just like issues in the non-tech world!


I 100% agree, but the problem is that people have adblockers everywhere now, so toolbars are pretty much the only place left to serve ads.


It's because a ton of ads are filled with malware, are overly annoying, are untargeted garbage trying to sell me garbage and use a ton of resources because non-tech site owners think it's a good idea to put 15 ads on a page that has 2 paragraphs of text.

I was on a computer the other day without adblock and I can't believe how horrible the standard internet viewing experience has become.


Really? I know some people use them, but my impression is that most people do not use ad blockers.


It's still low, but it IS likely on the rise; at least, I hope so, given how advertisers are not averse to poisoning the well by allowing ads that are distracting, or downright evil.

I know I avoided using adblockers (I want to support my favorite websites after all)...until I had one particularly pernicious ad served to me on comics.com that hadn't been vetted, and caused my browser window to minimize, and displayed a popup right over my (Windows) system tray, styled to look like a system alert, indicating my system wasn't secure and I needed to click here and download X. That was the final straw, and I haven't looked back.


Here (in Germany) almost everyone I know uses Adblock/Adblock plus, and Chrome/FF penetration rate is high, too.

Our local IT press also constantly advertises for adblockers and non-IE browsers, too, so it might be a "cultural" issue.


You are right; last time I read, the highest percentage of ad block users was seen on gaming-related websites, and that was 30%.

Gaming, Tech, Adult, Entertainment category websites see the highest adblock users ranging from 30-20%. Other websites go as low as 5%.


Ordinary users are starting to catch on too. My parents use one, for example.


He is just in a bubble.


If that were the problem then the toolbars would disable adblockers, but most of them are just changing the browser's search engine and default home page so the users will use their search and see their ads.



