Helping Users Avoid Fraud Sites and Get the Real Firefox

A while back I posted on some of the various Firefox fraud schemes and deceptive sites that trick users into paying for Firefox or downloading malware branded as Firefox. The goal was to explain how we analyze these matters and discuss the tools available to address the problem.  Gerv recently posted on this as well – which was great.

What my last post on this subject didn’t do was talk about the specifics of particular cases. I can’t do that for a number of reasons – there are legal implications and in some cases what we say is constrained by law. However, we can do a better job of keeping those who submit reports informed, and a general update is long overdue, so here goes:

Over the past nine months, these are some of the activities we’ve undertaken in response to user reports we’ve received and activities we’ve discovered:

  • Asserted claims that caused 15 European (mostly German) sites to discontinue their deceptive practices involving Firefox and Thunderbird. These were the result of injunctions or cease and desist efforts (German courts have issued seven legal injunctions in response to our applications);
  • Reviewed more than 4,300 sites;
  • Reported a host of sites to regional consumer protection agencies;
  • Recovered 50 or so domains that were engaged in questionable activities (i.e. subscription traps or distributing malware);
  • Caused 122 US sites to discontinue unauthorized or infringing practices in response to our requests; and
  • Alerted search engines to these practices when we thought they would act.

More info on European and US activities is available here. While this is really good, there’s more to be done. Ultimately, we’ll need to address some of the even larger syndicates using legal tools. It seems operators of some of these sites are making so much money from the scams that they will spend even more money to assert frivolous defenses to keep it going. Fortunately, the courts have, to date, seen through these technical defenses.

Cease and desist campaigns, or filing injunctions where possible, are not a scalable or cost-effective approach in the long run, however. Already, about 30% of Mozilla’s legal matters are trademark enforcement related. Long term, to really scale to meet this problem, we’re going to need to explore alternative approaches that utilize organizations like Stopbadware.org, so users can be notified in advance when they end up on these sites. In combination, we may also need more messaging to warn users about the subscription traps that exist. In the interim, however, we’ll continue to utilize the tools we have so fewer users are scammed and more get the really great product contributors have created.

As Asa Dotzler Tweeted recently: “If you’re being asked to pay for Firefox, it’s a scam! Firefox is absolutely 100% free. Always get Firefox from http://mozilla.com Please RT”

More to come.

Thoughts on Microsoft’s Settlement Proposal in the European Commission’s Tying Investigation

When the European Commission (EC) investigation started we articulated some principles we thought were essential for any remedy. Asa Dotzler did an exhaustive comparison of those principles against Microsoft’s proposal that can be found here. We’ve had some time to think more about Microsoft’s settlement proposal with the benefit of further clarifications from Microsoft about their intent. Overall, the proposal is a good step forward that, if earnestly executed, could improve browser choice and reduce the likelihood that non-IE choices are undermined by operating system behavior. The ultimate success of the proposal, however, will depend on Microsoft’s long-term commitment to realize not just the words of the proposal, but its spirit, so a lot still remains to be seen.

Mitchell Baker provides some big picture observations about the proposal here. In the material below we’ve tried to articulate in detail those key aspects of the proposal that need modification (Protecting User Choices and the Ballot Mechanism). Our assumption is that the EC and Microsoft may be close to a resolution; thus, the ability to radically change the proposal may be constrained as a practical matter, but I’d welcome feedback on other essential terms or clarifications that may be missing.

Protecting User Choice of Non-IE Browsers:

Our most urgent concerns in the EC investigation related to protecting a user’s choice of a non-IE browser. The proposal largely addresses those concerns and should merit support if certain deficiencies are corrected.  These are described below:

Windows Update.  Not offering updates through Windows Update to an off-switched IE is a good start.  But most users won’t have IE turned off, even if they have other browsers as their default.  When IE is not the default, any launch of IE, user intended/initiated or not, may prompt the user to restore IE as his default browser. This may be a reasonable action for an intentional user-initiated launch of IE, but it’s an abuse when it’s not user-initiated and has the impact of undoing user choice.  Perhaps the language in Section 1, Paragraph 1 which states that “it [IE] can only be turned on through user action specifically aimed at turning on Internet Explorer” is designed to capture this, but it could be clarified to eliminate any uncertainty. Thus, the proposal should be modified to expressly state that Microsoft cannot use Windows Update to trigger any “Make IE the default” consideration unless the user launched IE intentionally and not just as a requirement of another process.

Tie-ins with Microsoft Applications.  Not including links, shortcuts, or icons for launching an install or download inside of Office 2007 is a good start; however, it’s just not enough.  Microsoft Office 2007 and other Microsoft programs should not “hard code” links, shortcuts, or icons to launch an already installed IE when IE is not the default browser.  If Microsoft applications need to launch a browser, they should only launch the user’s default browser.  Otherwise, with every launch of IE from its other applications, Microsoft is prompting the user to restore IE to the default status.  This has the effect of pressuring users to undo their default browser choice.  Thus, the proposal should be modified such that this provision applies to all Microsoft desktop software, and certainly to the already announced Office 2010.

Ballot Mechanism:

If a ballot is going to help provide consumers a meaningful choice, the proposal needs to be modified a bit. Below are some key aspects of the ballot that are currently not addressed sufficiently or that need modification.

Ballot Application.  The proposal states in Section 2, Paragraph 7 that “Microsoft will distribute a Ballot Screen software update to users within the EEA of Windows XP, Windows Vista and Windows Client PC Operating Systems, by means of Windows Update as described hereafter:..” The proposal later states in Section 2, Paragraph 8 that “The Ballot Screen will give those users who have set Internet Explorer as their default web browser an opportunity to choose whether and which competing web browser(s) to install in addition to the one(s) they already have.” It is unclear how this applies in the OEM channel. If Microsoft or other 3rd parties have paid for pre-installation of IE (or an IE derivative) in the OEM channel, the ballot mechanism should still apply. As currently drafted the ballot mechanism seems to only apply to “those users who have set Internet Explorer as their default web browser.” Does this include users who bought a PC with IE pre-installed? If not, it should. Perhaps this is an oversight or unintentional ambiguity.  Nonetheless, this aspect of the proposal should be modified such that it is clear that the ballot mechanism applies if IE is pre-installed by OEMs.

There’s another more complex question of whether the ballot should apply to any browser pre-installed with OEM distributions. Some would say it should, since there are only a few parties who can compete economically in the distribution game, so why tie Microsoft and leave everyone else free to engage in the same behavior? Conversely, such other parties are unlikely to have monopoly power in the operating system market, nor are they the subjects of an investigation based on practices found to be anti-competitive. In the absence of an overwhelming and compelling justification, it seems unwise to tinker with this any more than is necessary, but it still doesn’t seem quite right. I suspect these are exactly the kind of unintended consequences Mitchell Baker expressed concern about initially.

Download Process. A download link is insufficient for fulfilling user intent.  If a user clicks the download Opera link in the ballot, he is signaling intent to, at a minimum, try out Opera. Our data shows that only ~55% of users who click a download link will be able to complete the process of downloading and installing so that they may at least try out the new browser.  A download link, therefore, is insufficient to fulfill user intent. The most valuable change to promote the likelihood of fulfilling user intent would be to have the link trigger both the download and the execution of the installer at download complete. The second most important change would be to have the download also launch the vendor’s instruction page for completing download and install of the new browser.  Obviously this is a complex process that will take some thinking, and to make it really work, we would strongly recommend that the proposal include a Microsoft commitment to work with browser vendors directly in an informal group (including the EC) so the ballot implementation can be informed by the knowledge and experience of other browser providers. To date, Dave Heiner, Microsoft’s Vice President and Deputy General Counsel, has been receptive to comments from those outside of Microsoft. We hope this continues as the development teams engage more fully in making the ballot work as intended.

Ballot Screenshot.  The ballot as described in the screenshot is not unbiased as MS claims in the written proposal. It suffers from two major bias issues.

The first is that IE may become the default browser in more scenarios than the alternative browsers. IE may become the default by being selected. It may also become the default if the user simply ignores the ballot. It may also become the default if the user is unable to figure out how to use the ballot. Finally, it may become the default even if the user expresses a desire to try one of the other browsers but fails to achieve an alternative browser install (point 1. above.) The other browsers have only one difficult and failure-prone scenario for becoming the default. I don’t know how one would remedy this except partially by requiring the user to make a choice rather than treating no choice as a user preference for IE.

The second issue of bias is the ordering of the browser choices on the ballot. When presented with a question that interrupts the user’s “flow” the most common user response is to take actions, without serious consideration, that will remove the interruption. That often results in users simply closing the window containing the interruption or in choosing the button or option they believe is most likely to remove the window. We strongly suspect that placement matters, and being in the leftmost position has some inherent advantage. Thus, having a mechanism to equitably mitigate this inherent advantage would make this a much better remedy. This will likely require further evaluation and testing, so the notion that the proposal can be adopted, implemented, and filed away without subsequent iteration doesn’t seem plausible.

De-selection of IE. Section 2, Paragraph 8 further states that “Microsoft shall ensure that in the Ballot screen users will be informed in an unbiased way that they can turn Internet Explorer off.” Merely advising the user with text on how to turn IE off in the ballot is simply not enough to achieve the intended purpose of the remedy. The commitment should be modified so that IE is turned off seamlessly when the user selects a non-IE browser through the ballot screen, rather than through a separate procedure.  Even if a user does succeed in choosing and successfully installing an alternative browser as his default, IE will still occupy prominent real estate on the Desktop and Start Menu. The other browsers do not have this luxury and the advertising opportunity it provides merely through placement.  Consequently, the best way to ameliorate this is to offer the user the opportunity to _replace_ IE rather than to simply join it on the desktop. This could take the form of a “make this browser the new default and turn IE off when that’s done” option in the ballot.  Alternatively, Microsoft could provide an API to the IE off switch that could be used in the installers of other browsers to effect the same change.

Education. The ballot, as proposed, does nothing to educate the user as to what a Web browser is or how different browsers might offer different experiences. A user with no understanding of what a browser is and no explanation in the ballot to educate him will likely just dismiss the window as an unexplainable interruption. The ballot should introduce the user to at least a simple definition of what a browser is before offering the user a choice in browsers. It should probably go one step further and explain that the different browsers compete for superiority in the areas of ease of use, security, and customizability. A two-sentence introduction with this information will help users make a meaningful choice.

Testing and Evaluation. The term of the proposal is five years; however, there are no interim evaluation milestones. To evaluate the efficacy of the remedy, there must be some ongoing evaluation; otherwise, how will we know if the ballot proposal made a difference and, if so, what it actually changed? Thus, an annual review by the EC should be part of the proposal. The review should include only data derived from public sources and Microsoft that comports with all applicable privacy directives.

——————-

For now, these seem to be the minimum set of changes required for an effective remedy. There are numerous other terms that could be adjusted, but these key points should be considered and addressed before adopting the proposal.

I’d like to thank Asa Dotzler who made significant contributions to this post.

FOSS Projects Working Together to Invalidate Patents

As many of you may know, there are a number of initiatives around regarding prior art that all tackle the problem of software patents from different angles. Whether it’s Open Invention Network’s Linux Defenders, post issue P2P, or our own infant Prior Art Share project, each relies upon an underlying principle of cooperation. The fact is that the ultimate defense – the way to eliminate a patent – is via prior art. It’s no doubt harder, but permanent, like sunlight to vampires.

Non-infringement arguments work, but only for the specific implementation. Of course when you’re the defendant, you’ll gladly take either, but the real challenge is finding good prior art and developing it into admissible evidence within the time constraints of an actual patent case with a tight trial schedule. It can both invalidate the claims and/or narrow infringement arguments. Even if you can’t invalidate, prior art can establish safe zones — you can’t infringe by practicing what was “known” prior to the invention.

Notwithstanding the various projects, imagine a world where an attack on one is an attack on all, and developers across multiple FOSS communities responded to a call to action, in a coordinated and organized fashion, to find relevant non-patented prior art in response to the assertion of a patent against a FOSS project. Something like a NATO pact, but workable and without all the politics. The global hunt for prior art would happen not after the 3rd or “N” settlement, but in the first instance. In such a setting, a potential plaintiff would have to carefully evaluate the risk of asserting its patent because if found invalid, the asset would be worthless, and the licensing/royalty game would be over.  We did this once before years ago in the Wang v. Netscape patent case, and it worked. In response, developers provided a massive amount of prior art we would have never found on our own.

This theory is again in action; see Red Hat’s blog on the subject. If you want to contribute your knowledge on prior art related to the TomTom case (programs, documents, publications, prior to the date of the patent, that disclose the elements of the claims) they’re collecting prior art references here. Obviously, there are other long term techniques like defensive publications, advance tagging of software programs so prior art is found more easily, eliminating software patents via legislation, but in the short term, cooperation may be the most effective technique. For those interested, the network is already in place, and if you’d like to get involved let me know.

Trademarks – the Good, the Bad and the Ugly

On an all too frequent basis, we receive reports of websites selling the Mozilla Firefox browser, using the Mozilla trademarks to promote other products and services, or using modified versions of the Mozilla trademarks. The problem is that these activities are deceptive, harm users, cause consumer confusion, and jeopardize the identity and meaning of the Mozilla brands – not to mention being illegal. The cases seem to fall into three different categories that I’ll nominally call the good, the bad, and the ugly. When we receive reports or identify problematic activities, we “exercise due diligence, care and prudence”, all of which means we analyze the reports and treat each case differently based on the intent and severity of the matter.

The Good. There’s a category of cases that involve good intentions but improper use of the trademarks. Typically, these folks really support the project, the brand, and the mission, and in their efforts to engage others and share their excitement about the products, they may have used the trademarks in a way that’s improper. In truth, we’re lucky to have this problem because it indicates people care about what we’re doing. This is almost always easily corrected with a phone call or short note. These matters are not troubling in my view, because they’re indicative of a user’s desire to embrace the brands in ways that are relevant and meaningful to them. Maintaining trademark protection (good trademark hygiene) and having supporters embrace the brand should not be mutually exclusive nor inconsistent. Trademark law as it exists today is technically more constraining, but I hope to see it evolve to recognize these complementary concepts. For further perspectives on trademark law, see a recent paper Tiki Dare and I wrote on this topic in the International In-house Counsel Journal.

The Bad. This category involves people who are intentionally trading on the brand for their own benefit. At the core, these cases are based on people or entities misrepresenting themselves as Mozilla. The problem may manifest itself as domain name hijacking, using the marks to promote other products, or manipulating search terms to acquire web traffic and users. Some calculations estimate that 2 to 7 million potential Firefox users per year are diverted to these fraudulent sites. This is especially offensive because these actors are trading on the value of the Firefox brand built by the community and ripping off users in the process.

The Ugly. These cases involve a clear intent to deceive, manipulate and steal from users in a highly organized and syndicated fashion. They’re a form of fraud, and frequently include other software products as well, and they seem to make a business out of charging for FOSS code and shareware. Often the identities of these infringers are intentionally hidden under layers of corporate obfuscation across multiple countries. When we can ascertain their identities, we notify them and first try to resolve it amicably. In response, we generally get the proverbial stiff arm. At times I wonder why we even bother with this step because if you’ve gone through the effort to set up an elaborate scheme to hide your identity and rip people off, why would you just stop if we say “please” and ask nicely? As an added bonus, these sites may also continue to charge the user’s credit card even after the user realizes the deception and cancels the subscription.

Many of you have sent us links about sites you suspect infringe. Thank you. At any given time there are 50 – 70 matters under investigation. Also, we now have a central place for everyone to report such sites. The more information you provide us when you file the report, the easier it is to evaluate and respond appropriately.

When we come across the bad and the ugly, and we can’t reach an accord with the person(s) responsible, we sometimes have to use legal remedies.  This may include legal action or administrative procedures where and when appropriate. For example, if a cease and desist letter does not work, we have instituted UDRP proceedings at WIPO (World Intellectual Property Organization). In some jurisdictions, we have filed and obtained preliminary injunctions to compel the infringer to stop. Surprisingly, sometimes a court order is not even enough. So far, we have been successful in the actions we’ve initiated. Recently we recovered a bunch of domains from a domain hijacker and in other actions, we obtained preliminary injunctions against web site operators engaged in fraudulent practices. In almost all of these cases, a community member reported the problem or it may even have been first reported in the media.

These actions are not only expensive and time consuming, but they divert us from our primary purpose. Unfortunately, it’s an area where I foresee continued growth and continued efforts to defend the meaning of the brands. Having the support and help of our community makes our work easier and more worthwhile.