Who doesn't love free stuff? I, for one, don't, and neither do millions of users burdened with unwanted software when they install a new update of Java, Adobe Reader, or Skype. Foistware, as it's called, is irritating to users, particularly nontechnical folks who don't know how to get rid of it. Foistware can also plague IT when it has to support naïve users who allow the apps to roost on their PCs.
To be fair, Adobe and Skype (now owned by Microsoft) have backed off from some of their more annoying foistware habits -- but Oracle has not. Here's why: Every time a user is tricked into installing the useless Ask toolbar or McAfee antivirus scanner, Larry Ellison makes a bit of money. And because Java is insecure (the feds have even warned users to disable it), Oracle keeps pumping out patches that give users yet another opportunity to inadvertently install the foistware. You'd almost think the endless patches exist as excuses to deliver foistware.
Read more about Java security: Why it's time to stop the FUD about Java and deprecate the Java Plug-in
As you'll see, this nasty little scam has a link to America's former first daughter: Chelsea Clinton.
I welcomed Oracle's acquisition of Sun in 2008 -- someone needed to save what was left of Sun. I still believe there was no alternative, but the naysayers who warned that Ellison and company would be a lousy steward of the once-indispensible Java software have certainly been proven correct.
How Java tricks you
You've probably noticed that every time you install a Java security update, the Ask toolbar and McAfee scanner are included. The updater suggests that you use the standard installation, and if you do, these programs are loaded by default. If you don't want them, you have to opt out by unchecking a couple of boxes.
That requirement to opt out during a security update is troubling enough, but Edelman found that the install box has another clever trap: Pressing either the space bar or the Enter key has the same effect as clicking Next. Before the user knows it, the unwanted software is being installed.
It's easy enough to fall into that trap or simply click your way through the installation without thinking about it. When you do, you'll see a message telling you that the Ask toolbar or McAfee scanner has been installed along with the Java update.
Of course, when a relatively experienced user sees that message, he or she would probably go straight to the Windows Control Panel to uninstall it. That'll work for McAfee, but not for Ask. That's because Oracle and its partner, Web advertising giant IAC, have done something really sneaky to get around that user action: The toolbar doesn't install itself for about 10 minutes, which means it doesn't show up in the list of programs you can uninstall.
As a result, many users assume they can't uninstall the Ask toolbar at all, because they'd already tried. How confusing. That's hardly accidental, and Edelman notes that the delayed-install trick was a standard practice for companies in the business of installing deceptive software some years ago.
What's more, the Oracle/IAC installation solicitation for Ask seeks permission to install an add-on for IE, Chrome, and Firefox, but nowhere does it mention changing address bar search or, in the case of Chrome, the default search provider. Yet the installer makes all these changes without ever seeking or receiving user consent. Conversely, if you figure out how to uninstall the Ask toolbar, the Oracle/IAC uninstaller inexplicably fails to restore the original Chrome settings, which violates Google's software principles' requirement that an "easy" uninstall must disable "all functions of the application," says Edelman. Users need to go through as many as 16 steps to dump some Ask toolbars installed by Oracle/IAC. Yikes!
Even Google profits from this scam
To be sure that happens as frequently as possible, the company misleads users into clicking those ads. According to Edelman, IAC omits any distinctive background color to help users distinguish sponsored search results, which are really ads, from legitimate search results. Those sponsored ads sometimes fill up several screens, which a user accustomed to a Google search wouldn't expect and is so even more likely to click on one.
Someone else makes money on this scam, too. Surprisingly, it's Google, which you'd assume is a competitor to Ask. That's because IAC partners with Google by showing its ads in exchange for a share of the revenue, says Edelman. Indeed, a report in the respected Search Engine Land blog says IAC is Google's biggest single advertising customer. So much for Google's software principles.
Then there's the Chelsea Clinton connection
Wow. Who would have thought that a simple Java update had tentacles that extended all the way to Washington, D.C.?
I welcome your comments, tips, and suggestions. Post them here (Add a comment) so that all our readers can share them, or reach me at bill@billsnyder.biz. Follow me on Twitter at BSnyderSF.
This article, "Java scam: How Oracle and Ask profit from sneaky add-ons," was originally published by InfoWorld.com. Read more of Bill Snyder's Tech's Bottom Line blog and follow the latest technology business developments at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.