ComScore chairman and co-founder Gian Fulgoni believes there's a distinction between overt and covert data gathering. Market researchers, he suggests, rely on "researchware," in contrast to criminal researchers who employ "spyware."
"Market research tracking software (we have dubbed it 'researchware') needs to be differentiated from 'adware,' 'spyware,' and 'malware' and should not be treated in the same way as these intrusive and potentially harmful applications," Fulgoni said in a blog post Wednesday. "We must not let the purveyors of spyware -- the rotten apples -- give market researchers a bad name."
Such name calling has significant implications for ComScore's business: using "researchware" to track the actions of its 2 million-person panel of Internet users and mining that data for salable market intelligence. As the company warns in a third-quarter 2007 SEC filing, "Concerns over the potential unauthorized disclosure of personal information or the classification of our software as 'spyware' or 'adware' may cause existing panel members to uninstall our software or may discourage potential panel members from installing our software."
To critics, Fulgoni's attempt to separate "researchware" from "spyware" looks like an effort to divide conjoined twins.
"ComScore goes to great lengths to tout its supposed good behaviors," said spyware researcher Benjamin Edelman in an e-mail. "But the fact is, there's indisputable video proof of ComScore software becoming installed without any notice at all and without any consent at all. There's also indisputable proof of recent installation sequences where notice was hidden, muddled, or otherwise opaque. ComScore claims its software should be differentiated from adware or spyware. But just like adware and spyware, ComScore's software has a history of arriving on users' computers without users knowing what it is or agreeing to receive it. And just like adware and spyware, ComScore's software tracks and transmits detailed information about users' online activities. These behaviors give users ample reason to distrust ComScore's approach."
Edelman published two critiques of ComScore's practices recently. In January, Edelman wrote, "The basic challenge is that users don't want ComScore software. ComScore offers users nothing sufficiently valuable to compensate them for the serious privacy invasion ComScore's software entails. There's no good reason why users should share information about their browsing, purchasing, and other online activities. So time and time again, ComScore and its partners resort to trickery (or worse) to get their software onto users' PCs."
ComScore sees things differently. It maintains that users appreciate the download accelerators, games, and screen savers that come with the company's tracking software, and it claims it behaves in accordance with accepted marketing practices.
There Is A Precedent
To support his proposed distinction between market research and intrusive spyware, Fulgoni points to Federal Trade Commission precedent: The FTC exempts tele-research calls from the Do Not Call Registry rules that govern intrusive telemarketing calls.
The problem Fulgoni faces in his campaign to legitimize "researchware" is that marketers and security professionals have differing opinions about the ethical and legal dividing line between good software and bad software. As Steve Schuster, director of IT security at Cornell University, put it in 2005, whether or not ComScore's software is spyware "depends on who is asked."
Cornell blocked ComScore's Marketscore software from October 2004 through early May 2005. It subsequently stopped doing so both because the university community became more aware of the risks of the software and because two antivirus packages adopted by the university could detect and remove Marketscore.
Despite ComScore's claim that its software collected data with the informed consent of its users, Schuster said "many believe that ComScore Networks is walking a rather fine line by purporting that a very large and lengthy user agreement constitutes appropriate user notification, and may be taking advantage of the fact that very few people actually read user agreements before installing software."
Last July, shortly after Edelman's initial post about ComScore's failure to obtain user consent to install it software, TRUSTe, an organization that certifies and audits privacy practices, confirmed that a rogue distributor of ComScore's RelevantKnowledge application had been using a security exploit to force the software on users. The organization then removed RelevantKnowledge from its Whitelist of Certified Applications.
"This is a good example of how the Whitelist and the program works," said a TRUSTe spokeswoman. "We think we're actually encouraging our customers to be more accountable."
She said that TRUSTe was still in the process of working with ComScore to make sure the company can secure its distribution program. "We're looking forward to them being in compliance and coming back on the Whitelist," she said.