By S. Housley
Nearly every company makes mistakes. In my opinion, once a mistake is discovered,
how the company handles that mistake is more telling than the mistake itself.
In this world there are big mistakes and there are little mistakes. Digital River
recently collected information related to usage and installation of its SoftwarePassport
application, without disclosing the tracking to its customers. The actual tracking
was done by including a UserAx.dll in the recent versions of SoftwarePassport and
Armadillo.
Developers obviously have a number of concerns related to the new DLL. I'm hoping
this article will separate fact from fiction, and get to the heart of the matter.
The concerns expressed by many of the developers were valid and not the result of
paranoia. Many industry professionals initially felt that the developer fears were
overblown and a result of the adware scandal that plagued the industry a few years
ago. After witnessing the fall-out from the adware problems, when adware companies
failed to disclose to developers they were tracking surfing habits of end-users,
I think the alarm that was sounded in the industry regarding Digital River's inclusion
of the UserAx.dll was appropriate. Many developers bore the brunt of the adware
scandal with tarnished reputations and their livelihoods significantly damaged.
Realizing it is important to learn from history, Digital River appears to have taken
developer concerns seriously.
I contacted Brant Pallazza, a VP within Digital River and requested an interview.
Brant was able to coordinate answers to my questions from the Silicon Realms support
staff. I felt it best to clarify some of the issues that have been raised. I also
felt that it was important that developers understand the issue and that all views
be represented. For simplification in the questions that I asked the Silicon Realms
support staff, I referred to UserAx.dll as the "marketing module".
For clarity I've bolded the questions and italicized the responses from Digital River.
Brant started off by clarifying the term "marketing module" that
I used to describe UserAx.dll below.
To clarify, UserAx.dll is not actually a 'marketing module'. It was never intended
to be used for any means of sales or marketing. It would be more appropriately labeled
as a 'technical support component'. Given that many of Digital River's clients were
having difficulty utilizing the functions within Software Passport, Digital River's
intent was to use the Relevant Reach technology to help troubleshoot the problems
clients were having during the download/installation process.
1.) In what versions of Armadillo and SoftwarePassport does the marketing module
exist?
Only Armadillo v4.01 and v4.01a (SoftwarePassport v2.0.1 uses Armadillo v4.01a) still
search for the UserAx.DLL file, but will load it ONLY if it is found in the same
directory as your protected program. However, even if it is found there, data will
only be collected and sent to the Relevant Reach servers if the author has an account
with Relevant Reach and the appropriate information on the user's machine. In Armadillo
v4.00 beta-1 and v4.00 final (SoftwarePassport v2.0 uses Armadillo v4.00) you have
the option to enable tracking of your protected program (if you have an account
with Relevant Reach) by distributing the UserAx.DLL file with your program. If you
do not use Relevant Reach, your protected programs will not be affected -- no data
is collected. In the rare case that the UserAx.DLL is found on your machine without
you explicitly installing it there, your program still won't phone home unless you
have an account with Relevant Reach and the appropriate information on the user's
machine. (This could occur because Armadillo v4.00 Beta-1 and v4.00 final simply
used LoadLibrary to search for that DLL, meaning it will be found if it is anywhere
in the path.) This issue was addressed in the v4.01/v4.01a release, which attempts
to load it only from the directory where the protected program resides. Armadillo
v3.78 or earlier, and SoftwarePassport v1.2.0 or earlier were not affected in any
way, as they didn't include this integration at all.
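The difference between the two lookup behaviours described in the answer above, as an added example that is not from the article, Digital River or Silicon Realms: a Python audit that reports where UserAx.dll would be picked up for a given program directory. The search-path model is a simplification (application directory first, then the directories you pass in, such as PATH entries), and the function names are hypothetical.

```python
import os
from pathlib import Path

DLL_NAME = "UserAx.dll"  # file name taken from the article


def find_in_dir(directory, name=DLL_NAME):
    """Return the path of `name` in `directory` (case-insensitive, as on Windows), or None."""
    try:
        with os.scandir(directory) as entries:
            for entry in entries:
                if entry.is_file() and entry.name.lower() == name.lower():
                    return Path(entry.path)
    except OSError:
        pass  # missing or unreadable directory: nothing can load from it
    return None


def resolve_app_dir_only(app_dir):
    """v4.01/v4.01a behaviour as described: look only beside the protected program."""
    return find_in_dir(app_dir)


def resolve_search_path(app_dir, search_dirs):
    """v4.00 behaviour as described: a bare-name load that walks a search path.
    Simplified model (assumption): application directory first, then search_dirs in order."""
    for directory in [app_dir, *search_dirs]:
        hit = find_in_dir(directory)
        if hit:
            return hit
    return None


def audit(app_dir, search_dirs):
    """Summarise which lookup behaviour would pick up the DLL, and from where."""
    strict = resolve_app_dir_only(app_dir)
    loose = resolve_search_path(app_dir, search_dirs)
    return {
        "app_dir_only": strict,
        "search_path": loose,
        # True when the DLL is found only through a directory the developer
        # did not ship it in, the "rare case" mentioned in the answer above.
        "stray_load": loose is not None and strict is None,
    }


if __name__ == "__main__":
    path_dirs = [p for p in os.environ.get("PATH", "").split(os.pathsep) if p]
    print(audit(os.getcwd(), path_dirs))
```

A `stray_load` of `True` means only the search-path lookup would find the DLL, which is the gap the v4.01/v4.01a change closed.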
2.) Was the inclusion of a marketing module in Armadillo or SoftwarePassport disclosed
to software developers in a EULA or documentation?
No. We apologize that the installation of UserAx.dll was silent. That was a mistake
and we apologize for not confirming it was there.
3.) Is any information related to a developer's installation and usage of SoftwarePassport
or Armadillo passed to Digital River via Digital River's Relevant Reach account?
Yes, only in the versions mentioned earlier. SoftwarePassport information relating
to the completed download, the installation start and complete, and the number of
times the program started was collected anonymously. Information was collected about
the SoftwarePassport usage only. Information regarding the usage of the Armadillo
Classic interface was not collected.
4.) If an application is wrapped with SoftwarePassport or Armadillo, is any information
related to the developer's end user's usage passed to Digital River?
No. The ONLY way information could have been collected from your protected applications
is if you, the developer, chose to collect that information, set up your own account
with Relevant Reach, and distributed the UserAx.DLL file with your protected program.
Regardless, DR would not have access to the information.
5.) Can the information be passed to anyone other than Relevant Reach?
No.
7.) The Relevant Reach website references a number of items that can be tracked.
What specific information does the Digital River marketing module track?
We collected the following information, anonymously:
- Download start attempts
- Download completes
- Installation of SoftwarePassport starts
- Installation of SoftwarePassport completes
- The number of times SoftwarePassport was started
Again, for clarification, we did not collect any information that could in any way
connect a user to the program.
Our data was aggregated to show trends, total numbers only for the purpose of troubleshooting
SoftwarePassport.
8.) Some developers have expressed a concern that the marketing module's DLL in question
will eventually be tagged as spyware, whether or not it actually sends data. If
that occurs then every Armadillo 4.x protected application will be marked as spyware.
Is that correct?
No. Relevant Reach has expended time and energy to cooperate with, and ensure white
listing of their program within the spyware definition market. In addition, as clarified
in question 1 above, Armadillo v4.00 beta-1, v4.00 final, Armadillo v4.01 and v4.01a
are the only versions that have integrations with UserAx.dll of any sort. Armadillo
v4.05 beta-2 and Armadillo v4.05 final and future versions will never look for UserAx.dll
no matter what. Customers with Relevant Reach accounts can contact us for a version
of SoftwarePassport that includes the integration.
10.) What assurances can you provide developers that the new marketing module
will not be tagged as spyware?
Relevant Reach is a component that collects anonymous data. How the publisher chooses
to integrate this product, and how the publisher chooses to communicate this to
the end user will determine whether or not third parties would consider the program
spyware. For Digital River, it was clear that the usage of this technical support
component without full disclosure to our customers was a mistake. This is the reason
why we've completely removed the program going forward.
11.) Developers worry that it is possible for an existing Relevant Reach activated
application to "enable" the marketing module that is on the same system in another
application. Is it possible?
In other words an Armadillo or SoftwarePassport wrapped application includes a
DLL in the directory of another program that appears to be protected with Armadillo
or SoftwarePassport, thus passing that application's information back to Relevant
Reach. Is it possible for this to occur?
No, it is not possible. Again, only SoftwarePassport included the Relevant Reach
component. The Armadillo Classic Interface did not include or capture any data.
That being said, the developer (or software publisher) would need to have an active
account with Relevant Reach in order for any data regarding their program to be
collected. This would be a conscious decision and a full integration with the Relevant
Reach library.
12.) Will a final version of Armadillo and SoftwarePassport be made available
that does not include the marketing module, not just the option to turn it off?
If so when?
Yes. As posted in the Silicon Realms public forum, Armadillo v4.05 Beta-2 is now
available via the Silicon Realms website. This new beta version NEVER looks for
the UserAx.dll, no matter what.
13.) What efforts will be made to contact existing Armadillo and SoftwarePassport
customers to disclose the usage of tracking information available in SoftwarePassport
and Armadillo?
An email will be sent to users who have purchased Armadillo and SoftwarePassport
versions that integrated with Relevant Reach and the information contained from
the website will be presented to them for review, along with links to download versions
of Armadillo which do not include the Relevant Reach library.
14.) What assurances can be provided to developers that full disclosure will occur
in the future?
Going forward, any inclusion of a library or component in which data can be collected
will be completely optional. In fact, users will need to explicitly and consciously
opt in to have this component included with their download. All information will
be available to the end user to understand and accept/reject the inclusion of the
library within the install of SoftwarePassport.
Commentary from SMR
Let's take a look at Digital River's response to their error. The initial response
to concern expressed by developers was posted to: http://siliconrealms.com/relevantreach.shtml . The post
was in response to posts in the Silicon Realms forum, and a private forum frequented
by developers. Because many of the developers' concerns were posted in a private
forum, Digital River had to be very careful that their response was public. Being
a publicly held company, any private responses had to be carefully worded so
that they could not be misconstrued as insider information.
One of the paragraphs in the public post included a statement that did nothing
more than anger and frustrate developers.
In my opinion the Aluria certification of Relevant Reach is a bit of a red herring,
because it clearly relates to the Relevant Reach website, not their tracking application.
Also, many developers felt that paying for certification created an illusion that
was nothing more than a false sense of security. Aluria does not have any global
influence with anti-spyware applications that would prevent the UserAx.dll from
being marked spyware.
That being said, I think that even within the constraints of a large company Digital
River has ultimately handled the situation professionally.
I think Brant Palazza, VP of Shareware Division accurately summarized the situation
in his final comments:
At the end of the day, it was a poor decision to include the Relevant Reach code
into SoftwarePassport especially without the express consent of the users. I hope
that DR's quick reaction in releasing a "clean" version is a demonstration to all
that the inclusion of the code was not done with any intention other than to improve
the usability of Software Passport, as the attached responses indicate.
As an owner of a small business who has made mistakes, I appreciate Brant's candor.
Ultimately the developers who have voiced their concerns the loudest represent
a very small portion of Digital River's business, yet Digital River listened and
quickly removed the offensive DLL. While I don't feel what Digital River did was
right, and their response was a little slow for my taste, I understand how corporate
bureaucracy works and realize their intent was not to harm developers but to collect
information to increase their conversions, something all developers try to do every
day.
About the Author:
Sharon Housley manages marketing for FeedForAll, software for creating, editing and
publishing RSS feeds, and NotePage, Inc., a wireless messaging software company.
