Industry Compliance Updates 

 Issue by Microsoft of further Policies addressing Adware and Browser Modifications detections

As previously reported, on 1 July 2014, Microsoft implemented a new policy (the “July Policy”) according to which its security product would stop any “adware” detected by it, notify the user and offer recommended action to such user.
 
The July Policy followed Microsoft’s in April 2014 that it would define a program as "adware" if it "announcement runs on the user’s machine and produces notifications promoting goods or services in programs other than itself.”
 
According to the July Policy any program that does not comply with the following rules would be detected as adware by Windows: 

  • Advertisements that are opened by programs must:
    • include an obvious way to close the adand
    • include the name of the program that created the ad
  • Programs that create these advertisements must:
    • Provide a standard uninstall method for the program using the same name as shown in the ads produced by it.​

The new Guidelines  
 
On 19 October 2014, Microsoft published a further update regarding its policy changes (the “new Guidelines”). The company explained that since announcing the July Policy, it has noticed that advertising programs are trying to manipulate and circumvent its rules, which results in a negative Windows experience. Accordingly, the company has decided to add new rules and clarify its view on what is defined as clean advertising:

  • An obvious way to close the ad: according to the July Policy, advertisements need to “include an obvious way to close the ad”, which should be a method that is clear to the user, such as an “X” or the word “close”. In its new Guidelines, the company clarified, that such “close the ad” button may not be used as a trigger to open other advertisements, otherwise the program will be detected as adware.
  • Links must remain clear and unchanged: in its new Guidelines, Microsoft elaborated on the practice of manipulation and misrepresentation of links on a webpage which will qualify as a program to be detected as adware:
  • Modifying a current link - programs that are modifying or replacing hyperlinks with different URLs than those used by the website owner. This includes places where a hyperlink is directly misrepresented and sends users to a different webpage than the one they expected, and a hyperlink that directs a user to an advertisement before they can view the webpage intended by them. 
  • Not highlighting hyperlinks - if a program inserts a link, the user must be aware of the fact that it is a link and in this regard, the program should present a link in a method that is clear and obvious (e.g., the recognizable colored double underline style). The new Guidelines provide a couple of examples where obscuring hyperlinks were detected by Microsoft as adware. The first prohibited example is when a program is using the webpage background as a link (i.e., when the user clicks anywhere on a page that is not already a link and an advertisement is triggered). Another example of a prohibited practice is adding mouse-over events to an advertisement in order to mimic the user clicking the ad. The new Guidelines clarify that the user must click on the ad to follow it away from the page they are on, and any method of mimicking an ad click is not acceptable.

Browser Modifier Detections
 
At the same time, Microsoft has issued an additional policy announcementconcerningthe way the company’s security products detect browser modifiers(“Browser Modifier Policy”). Microsoft explained that according to its policy, two new browser modifier behaviors have been detected by it:

  • Bypassing consent dialogs from browsers - the common web browsers have a disabled-by-default model for newly-installed extensions. Some of the technical methods used to bypass such a model include Group Policy settingsregistry changes, and preferences file modification. Under the Browser Modifier Policy, when installing an extension into the browser (not just in Internet Explorer, but in all browsers running on Windows), the browser’s consent dialog should be prompted and failure to do so can result in the application being detected as a browser modifier by Microsoft.
  • Preventing viewing or modifying browser features or settings - in the Browser Modifier Policy, Microsoft explains that applications and extensions thatprevent the end-user from viewing or modifying your browser settingsor changing the settings back after the end-user makes a modification to themwould qualify for detection purposes as a browser modifier.

Additional information and details on Microsoft’s changes, as to how the company’s security products detect browser modifiers and adware, is available here.

Google's new Unwanted Software Tool

Google recently rolled out its Software Removal Tool - a downloadable tool which is devised to remove from the user's computer unwanted programs or software that impede or interfere with the behavior of the Chrome browser. The Software Removal Tool, which runs as a standalone process, is available for Windows users only, as a Beta version.

According to Google's Chrome Help Forum (available here), the Software Removal Tool scans the user's computer for programs which Google considers to be suspicious or known to cause problems with the Chrome browser (e.g. pop-up ads, toolbars, search pages, homepages, or extensions; however, it does not scan for all types of computer viruses or malware), and offers the user the ability to remove the found programs.

The scan is not limited to browser extensions, and may also include desktop applications or software which effect Chrome's behavior. The Software Removal Tool also prompts the user to reset the Chrome browser to restore it to its default settings.

Moreover, the Software Removal Tool does not reveal the names of the found suspicious programs, arguably in order to discourage the developers of the detected programs from changing the names of their programs. 

Facebook’s new Ad Server – raising privacy protection challenges

Facebook has announced the launching of a new online advertising service that target users on any website or application using their Facebook details. The new service, presented by the company as “people-based marketing” will allow Facebook to sell ads that retarget users across the web and their mobile devices.
 
According to Facebook, people spend more time on more devices and this shift in consumer behavior has had a profound impact on a consumer’s path to purchase, both online and in stores. The current technology for ad serving and measurement rely on cookies, which are used to track browsing on desktop computers, but do not work for mobile devices. The new ad server Atlas addresses that problem by tracking people across devices based on their Facebook log-in information.
 
In this regard, the service will compete with Google’s AdWords, which allows advertisers to follow users across the web as well as mobile devices, by encouraging users to login to Google’s various cross-device apps and websites. As Google’s cross-services data collection practice has witnessed legal challenges brought against the company by various European data protection regulators, Facebook’s new service is expected to raise similar concerns.

Regulatory Developments in the United States

California Student Online Personal Information Protection Act signed into Law

On 29 September 2014 the California Student Online Personal Information Protection Act (“SOPIPA”) was signed into law. SOPIPA is aimed at restricting the use of students' educational data by third-party vendors and will enter into force on 1 January 2016.
 
SOPIPA prohibits operators of online educational services from selling student data and using such information for targeted advertising to students or to "amass a profile" on students for a non-educational purpose. SOPIPA also requires online service providers to maintain adequate security procedures and to delete student information at the request of a school or district.
 
According to SOPIPA, operators of websites and apps with "actual knowledge that the site, service, or application is used primarily for K–12 school purposes and was designed and marketed for K–12 school purposes" cannot engage in any of the following activities on their sites or apps:

  • Engage in targeted advertising on the operator’s service, or target advertising on any other service when the targeting of the advertising is based upon information (including persistent unique identifiers) that the operator has acquired because of the use of that operator’s service;
  • Use information created or gathered by the operator’s service to amass a profile about a K–12 student except in furtherance of K–12 school purposes; or
  • Sell a student’s information (this prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity).

U.S. District Court Stops advertising of “free” trial offers and health claims 

Pursuant to a motion filed by the Federal Trade Commission (“FTC”), a U.S. District Court has temporarily ordered to stop a group of marketers from conducting business using “free” dietary supplements trial offers and health claims that the FTC alleges are deceptive and illegal.
 
This is the first FTC action alleging violations of the Restore Online Shoppers’ Confidence Act (ROSCA), which prohibits marketers from charging consumers in an internet transaction, unless the marketer has clearly disclosed all material terms of the transaction and obtained the consumers’ express informed consent.
 
According to the FTC’s complaint, Health Formulas, LLC and its related entities and principals (carry on business as “Simple Pure”) used telemarketing, the internet, print, radio, and television advertisements to pitch a variety of dietary supplements and other weight-loss, virility, muscle-building, or skin cream products. Examples of Simple Pure’s advertising claims include: “Burn fat without diet or exercise”; “Shed pounds fast!” and “Extreme weight loss!”  The FTC alleges that Simple Pure have no basis for the weight-loss claims they make about their products.
 
The FTC charges that the defendants failed to provide the disclosures required for a negative-option program, failed to provide a way for consumers to stop automatic charges after the suggested trial, and failed to disclose material facts about their refund and cancellation policy.

Amendments to the California Privacy and Data Breach Law

On September 30, 2014, California's Governor approved a new law establishing additional requirements under California's data breach notification law (A.B. 1710). The new law adds three new requirements to the existing law:

  1. Imposition of the security procedures: the new law extends the requirement to maintain reasonable security practices and procedures to businesses that maintain the personal information of California residents (i.e., data processors and service providers), not only those that own or license such information; this imposition could greatly implicate service providers and companies offering "cloud-based" services.
  2. Data Security Breach – Identity Theft Prevention and Mitigation Services: the new law provides that in the event that the party providing breach notification was the source of the breach, it is required to provide appropriate identity theft prevention and mitigation services to the person affected by the breach, at no cost.
  3. Protections for Social Security numbers: the new law prohibits the sale, advertisement for sale, or offer to sell an individual's Social Security Number, other than as permitted by law; the additional protections for Social Security numbers supplement existing protections that prohibit the public display or posting of a Social Security Number, as well as other acts that fail to adequately secure the information.

These amendments reflect the importance for companies which are doing business with California residents to ensure they are maintaining reasonable security procedures and practices to protect the personal information of California residents from unauthorized access, and confirm that they have an appropriate breach procedure in place. The new law will become effective on 1 January 2015.