The blogosphere has been buzzing about revelations that CNET’s site has been embedding adware into the install process for all kinds of software, including open source software like NMAP.  For the unwary, some of the ads could have been read to suggest accepting the advertised service (e.g., the Babylon translation tool bar) was part of the installation process.  Users who weren’t paying attention may also have clicked “accept” simply by accident.  In either event, after their next restart, they would have been surprised to find their settings had been changed, new tool bars installed, etc. Gordon Lyon, the developer who first called public attention to's practices, found a particularly egregious example last night: a bundled ad for “Drop Down Deals,” an app that, once installed, spies on your web traffic and pops up ads when you visit some sites.  It’s hard to imagine that many users would choose that app on purpose.

This practice is not only deceptive, it directly contradicts’s stated policy, which promises users that it has “zero tolerance” for bundled adware and that “when it comes to fighting unwanted adware . . . has always been in your corner.”  Indeed, that promise was one reason users and developers had come to trust as a reliable source. 

In response to widespread criticism, CNET took some initial steps to address the problem.  First, it issued a statement declaring that “as a rule” doesn’t bundle adware with open source software but that it had gone through its open source files and wasn’t doing so any more. It also revised its process to make it a little easier for users to choose not to use the adware-laden install process.  In a post to developers, it also (sort of) apologized. That same post announced that was launching, in alpha, a new installer program that would only bundle adware if the developer opted-into the program.

But the company still has a long way to go.  First, as several developers immediately pointed out, that “re-check” apparently wasn’t too thorough. There is still adware in some open-source installs. Second, the re-check only applied to open-source software – too bad if you are a commercial developer (even one offering free software), at least until the “opt-in” alternative gets put in place. Third, none of these steps did much to help users who are (or were) confused by the installer process and, as a result, find themselves stuck with software they didn’t want.

So, CNET, here's what you need to do to really make it right:

Stop bundling adware into your installer.  Failing that,

  1. Rewrite your adware policy to admit that no longer has a “zero tolerance” policy for bundled adware, and make the change public, so users and developers know about it.
  2. If you are going to allow ads, make sure they are not deceptive.  This means it should be very clear that the ad is entirely separate from the install process (and no “accept” buttons where “next step” should be), and that the developer of the software the user actually wants has nothing to do with the advertised app.
  3. Clean up the mess: prominently offer, on the front page of the site and as part of the ads themselves, to assist users with uninstalling any advertised software they may have unknowingly installed. 
  4. Right now, many users won’t know they can download the software without the adware. Direct download should be the default process, and users who choose to use the installer should know, before they do, that the process will include advertising or other software they might not want.
  5. Until the “opt-in” procedure is well-established, cease bundling adware for commercial as well as open source applications.

It’s going to take more than half-hearted rollbacks and an apology to earn back the trust of users and developers. We hope that CNET is willing to do what it takes to make this right. If it does, we’ll be the first to say so.