Java scam: How Oracle and Ask profit from sneaky add-ons

Oracle's Java security updates come loaded with foistware

Who doesn't love free stuff? I, for one, don't, and neither do millions of users burdened with unwanted software when they install a new update of Java, Adobe Reader, or Skype. Foistware, as it's called, is irritating to users, particularly nontechnical folks who don't know how to get rid of it. Foistware can also plague IT when it has to support naïve users who allow the apps to roost on their PCs.

To be fair, Adobe and Skype (now owned by Microsoft) have backed off from some of their more annoying foistware habits -- but Oracle has not. Here's why: Every time a user is tricked into installing the useless Ask toolbar or McAfee antivirus scanner, Larry Ellison makes a bit of money. And because Java is insecure (the feds have even warned users to disable it), Oracle keeps pumping out patches that give users yet another opportunity to inadvertently install the foistware. You'd almost think the endless patches exist as excuses to deliver foistware.

Read more about Java security: Why it's time to stop the FUD about Java and deprecate the Java Plug-in

As you'll see, this nasty little scam has a link to America's former first daughter: Chelsea Clinton.

I welcomed Oracle's acquisition of Sun in 2008 -- someone needed to save what was left of Sun. I still believe there was no alternative, but the naysayers who warned that Ellison and company would be a lousy steward of the once-indispensible Java software have certainly been proven correct.

How Java tricks you

Harvard professor Ben Edelman, who studies deceptive software practices, and ZDnet's Ed Bott have done an excellent job digging into the foistware scam, giving us a detailed look at how it really works. Earlier this week, Edelman published an extensive analysis of Java, saying, "It is troubling to see Oracle profit from this security flaw by using a security update as an opportunity to push users to install extra advertising software. ... A security update should never serve as an opportunity to push additional software." (Oracle hasn't responded to my request for comments on Edelman's analysis.)

You've probably noticed that every time you install a Java security update, the Ask toolbar and McAfee scanner are included. The updater suggests that you use the standard installation, and if you do, these programs are loaded by default. If you don't want them, you have to opt out by unchecking a couple of boxes.

That requirement to opt out during a security update is troubling enough, but Edelman found that the install box has another clever trap: Pressing either the space bar or the Enter key has the same effect as clicking Next. Before the user knows it, the unwanted software is being installed.

It's easy enough to fall into that trap or simply click your way through the installation without thinking about it. When you do, you'll see a message telling you that the Ask toolbar or McAfee scanner has been installed along with the Java update.

Of course, when a relatively experienced user sees that message, he or she would probably go straight to the Windows Control Panel to uninstall it. That'll work for McAfee, but not for Ask. That's because Oracle and its partner, Web advertising giant IAC, have done something really sneaky to get around that user action: The toolbar doesn't install itself for about 10 minutes, which means it doesn't show up in the list of programs you can uninstall.

As a result, many users assume they can't uninstall the Ask toolbar at all, because they'd already tried. How confusing. That's hardly accidental, and Edelman notes that the delayed-install trick was a standard practice for companies in the business of installing deceptive software some years ago.

What's more, the Oracle/IAC installation solicitation for Ask seeks permission to install an add-on for IE, Chrome, and Firefox, but nowhere does it mention changing address bar search or, in the case of Chrome, the default search provider. Yet the installer makes all these changes without ever seeking or receiving user consent. Conversely, if you figure out how to uninstall the Ask toolbar, the Oracle/IAC uninstaller inexplicably fails to restore the original Chrome settings, which violates Google's software principles' requirement that an "easy" uninstall must disable "all functions of the application," says Edelman. Users need to go through as many as 16 steps to dump some Ask toolbars installed by Oracle/IAC. Yikes!

Even Google profits from this scam

Oracle gets a small commission every time someone installs the Ask toolbar. Because millions of users have installed it, we're talking real money, though there's no way to quantify the amount. IAC, the Web advertising company, makes even more money in this sleazy operation: Every time someone clicks on a sponsored ad on one of its search pages, IAC gets a commission.

To be sure that happens as frequently as possible, the company misleads users into clicking those ads. According to Edelman, IAC omits any distinctive background color to help users distinguish sponsored search results, which are really ads, from legitimate search results. Those sponsored ads sometimes fill up several screens, which a user accustomed to a Google search wouldn't expect and is so even more likely to click on one.

Someone else makes money on this scam, too. Surprisingly, it's Google, which you'd assume is a competitor to Ask. That's because IAC partners with Google by showing its ads in exchange for a share of the revenue, says Edelman. Indeed, a report in the respected Search Engine Land blog says IAC is Google's biggest single advertising customer. So much for Google's software principles.

Then there's the Chelsea Clinton connection

One final tidbit noted by Edelman: In September 2011, Chelsea Clinton, daughter of the former U.S. president and the current Secretary of State, joined the board of IAC. Given that Clinton (who has worked as a management consultant, charity executive, and TV features reporter) has no known expertise in the world of Web advertising, it's not much of a stretch to believe she was brought on to bolster the company's political connections.

Wow. Who would have thought that a simple Java update had tentacles that extended all the way to Washington, D.C.?

I welcome your comments, tips, and suggestions. Post them here (Add a comment) so that all our readers can share them, or reach me at bill@billsnyder.biz. Follow me on Twitter at BSnyderSF.

This article, "Java scam: How Oracle and Ask profit from sneaky add-ons," was originally published by InfoWorld.com. Read more of Bill Snyder's Tech's Bottom Line blog and follow the latest technology business developments at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

This story, "Java scam: How Oracle and Ask profit from sneaky add-ons" was originally published by InfoWorld.

Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.