It's been a fascinating couple of days. I've been too busy to post to my blog much recently, but I just couldn't help myself on this one.
A couple months ago, I wrote about "The Limitations of Socially Generated Knowledge", which dealt with the tendency of Internet communities to arrive at conclusions that, to speak colloquially, "just ain't so."
This last week, I've observed another highly inaccurate consensus developing in realtime – and again, while from a philosophical point of view it's fascinating, it's rather frustrating from a business (and accuracy, reality, and truth) perspective.
On January 2, security vendor Fortinet posted an advisory, warning users of a "Facebook Widget Installing Spyware". I will grant that the title of the advisory is at least 50% accurate: the advisory does indeed describe a Facebook widget. (Hint for those of you following along at home: the widget doesn't install anything, and Zango is no more spyware than the Google toolbar is.) If you ignore the title, and actually read the advisory, I have to believe that the bare facts described in the body were likely correct: after the "Secret Crush" Facebook widget was added to a profile, the next Web page in the process showed ads, one of which (for the reasons discussed in more detail below) could very well have been for a Zango application.
I should note that the security team at Zango, after much trying, wasn't actually able to reproduce the scenario Fortinet describes. Nor, best I can tell, has anyone else – including Fortinet. But that's not surprising. To understand why, I need to back up and explain more about how Internet advertising works.
If you visit a site (say, http://entrepeneur.com), you'll typically see a variety of different ads for a variety of different companies, goods, or services. Now, where do those ads come from? It would be horribly inefficient for a small website to maintain a sales force to sell its advertising inventory directly to advertisers – and it's just as inefficient for advertisers to directly place ad buys with thousands of small websites. People figured this out very early in the days of the Internet, and thus was born the idea of an "ad network" (e.g., DoubleClick, ValueClick, Right Media, DrivePM, and so forth). Webmasters who want to show ads on their sites sign up with ad networks, as do advertisers who want their ads to be shown. The ad network takes a cut and automatically places ads from advertisers on websites from publishers. They typically give advertisers some control over where and how they want their ads to be displayed, but it's limited, if only because the ad network ultimately has to trust the web publisher, e.g., not to put anything inappropriate on the page displaying the ad. And of course, it doesn't stop here, with just one intermediary: for many reasons, too complicated to go into right here, there are often lots of intermediaries between the advertiser and the final website.
So, this is how Internet advertising works. Zango, like nearly all companies that do their business online, purchases display advertising through some of these advertising networks, and our ads are displayed on thousands of different sites. And like other online companies, Zango can find it complicated to control exactly where those ads are shown. (Just ask any airline whose ad has shown up next to a news article on the latest airport disaster.) Don't get me wrong: we have standards, and it's against our code of conduct for any of our partners to display Zango ads on a social networking site that prohibits such ads. We do our best to enforce those standards, but our advertising networks have partners as well, and when it comes right down to it, they don't always know where the ad is being displayed. This isn't something nefarious about Zango: it's just how the Internet advertising industry works. Ask anybody.
The end result is that even though our security response team wasn't able to document it, it's not at all unlikely, a priori, that an ad for a Zango application may have been displayed by a Facebook widget. But of course, if a user clicked on the Zango ad, he or she would have been taken to our website, where we have sophisticated mechanisms for ensuring that every user receives appropriate notice and consent before installing the Zango software that provides free access to the Zango application. No user installed Zango who didn't have the opportunity to be very well informed about what he or she was installing. Period.
So these are the bare facts: some individual creates a "Secret Crush" widget that, like many Facebook widgets, is better at getting people to install it than at doing anything interesting or useful. Since this widget happens to displays ads, he hooks up with an advertising network to select those ads for him, and one of the ads randomly displayed was for a Zango application. Unless you have a blanket objection to all advertising in principle (an objection I can at least understand), or have an aesthetic distaste for silly Facebook widgets (a distaste I fully share), it's hard to see anything particularly scandalous in this. It's the way Internet advertising works, and there's absolutely nothing newsworthy about it.
But take a quick look at how this bare set of facts has been repeated and distorted, first in the original Fortinet posting and thereafter throughout the web and blogosphere. Here are just a few examples culled from literally dozens and dozens of posts, articles and conversations, nearly all reiterating (and some exacerbating) the same mistakes:
- 'Installs Spyware.' As I've already mentioned, the original Fortinet posting claims that the widget "installs spyware". It should be clear that the widget didn't install anything – the user did, if and only if he or she wanted to do so. Nor does it make the slightest sense to call Zango "spyware". If Zango is spyware, the term has no meaning. There is such a thing as spyware. But Zango isn't. I should also note that this one advisory aside, Fortinet acknowledges as much: their own security applications classify Zango as adware, not spyware.
'Adware Distribution Scheme.' Matt Hines, of
InfoWorld, calls it an "adware distribution scheme", and later lumps Zango in with "badware". Throughout the article, he implies that the makers of the widget were specifically out to install Zango, which, so far as I can tell, is absolutely incorrect. (It certainly seems like the widget maker just wanted to show some ads and arranged to do so via an ad network; one of those ads happened to be for a Zango application.) Hines also goes on to confuse the Facebook widget with the Zango download, by saying:
"The Secret Crush program also tries to lure people who download the file to pass it along to other Facebook members they know, according to Fortinet's research."
That's not true, nor even what Fortinet's research said.
- 'Spyware' with weak notice and consent. Thomas Claburn, of Information Week, repeats the "spyware" charge and implies that Zango has weak notice and consent policies. (If he'd perhaps bothered to install Zango's software, he would have been made aware of his mistake – he doesn't appear to have ever done so.)
- 'Notorious' malware. InternetNews follows the original (spurious) Fortinet claims, adding that Zango is a "notorious adware distributor" and calls the application itself "malware". Like the original posting, this one fails to recognize that what's being described is nothing more than a widget showing ads; and it fails to acknowledge that any install of Zango software promoted in any rotating ad shown by the widget absolutely followed our strict and thorough notice and consent policies.
And more silliness.
- ITbusiness.ca calls the episode a "hack", an "attack", and a "threat".
- The Malware Adviser blog calls it a "backdoor".
- TechnoSocial calls it a "worm".
- The Happy Geek calls it a "security threat" and a "worm".
- AppScout calls Zango "an undercover malicious spyware program" and a "virus", and implies that 4% of all Facebook users had installed it.
And I could go on, but it gets boring. All this effort, all this indignation and pontification for . . . an ad? Wow.
It would be amusing how quickly the Internet arrives at a consensus if that alacrity wasn't so scary. This is admittedly a pretty minor issue in the big scheme of things – but take a few moments and ponder how the same dynamic is at work for much more important questions.
I have to add, as a postscript if nothing else, that PaperGhost alone seems to have recognized the insanity generated by Fortinet for what it is:
They [Fortinet] also posted up a screenshot that seems to show the application merely showing randomly selected adverts - not just an advert for Zango.
If that's the case, then this whole thing just puzzles me because it immediately looks more like
Install application > application opens popup advert > popup advert calls adspace purchased by companies to display random advert and less like:
Install application > GET JACKED BY ZANGO, LOL
...so, once and for all, can anyone who played with this thing - because I haven't - set the record straight?
In it's original incarnation, did this application
A) open a box for Zango and only Zango every single time it was tested, or
B) did it just happen to randomly show a Zango advert (out of a big pile of other things it could have displayed)?
Chris: Because nobody (at Zango or elsewhere) has been able to replicate the scenario Fortinet describes, I can't say definitively how the widget functioned when Fortinet did its testing. But, internally here at Zango, we can tell that the URL referred to in the Fortinet posting was for an ad network, not for a publisher, so the answer is almost certainly "B". In other words, Zango had no relationship with the Secret Crush widget maker, and he or she had no incentive to see Zango software installed.