
Best Practices for Clean Software

 

To accurately determine whether a software program is well-intended, we have created the following set of guidelines, which describes what we consider to be malicious or potentially unwanted behavior and advises on best practices for clean software.

Advertising

Must have:

  • Landing page 
    • Clearly identify the product vendor, describe the software functionality, and provide cost information if applicable.
    • Include a list of all bundled software, third-party components/dependencies (for example, monetization engines), plugins, or widgets.
    • Visibly link to the product's EULA and Privacy Policy.
    • Indicate if the software is ad supported, if applicable.
    • Present information in line with industry standards for readability (for example, no green font on a greenish background, and no tiny letters).
  • Disclosure and consent 
    • All app promoting pages must clearly identify the vendor.

Prohibited:

  • Misleading ads
    • All forms of threatening messages.
    • All forms of deceptive behavior (for example, unwarranted claims of missing codecs or plugins, or of a vulnerable/infected machine).
    • All forms of impersonation of system messages (for example, impersonating the Windows user interface, MSFT/Windows logo, etc.), other brands (such as Chrome, Flash, anti-malware, etc.) or web components (for example, download buttons).
    • Displaying multiple 'calls to action' with different wording but leading to the same or a similar action.
    • Advertising a free product for a cost.
  • Download
    • Auto or direct download from ads is strictly prohibited.
  • Disclosure and consent
    • Starting the app download or installation process without proper disclosure and user consent is strictly prohibited.

Installation Process

Recommended:

  • Signing software
    • Every executable file should contain a vendor identifier. No specific format is required, but version information is preferred. Alternatively, a plain text description in a custom section is also sufficient.
    • Availability of a digital signature is preferred.
    • If the file is packed, it should have a Taggant.
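
A release-time check for the two recommendations above that built-in Windows cmdlets can verify: a vendor identifier in the version information and a digital signature. This is an added example, not Avast tooling; the `.\dist` folder and the `Get-VendorIdentity` function name are assumptions, and Taggant presence is not checked.

```powershell
# Added example. $BuildDir is a hypothetical folder holding the binaries
# that will ship in the installer.
param([string]$BuildDir = '.\dist')

function Get-VendorIdentity {
    param([Parameter(Mandatory)][string]$Path)
    $info = (Get-Item -LiteralPath $Path).VersionInfo      # version-information resource
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path   # Authenticode signature state
    [pscustomobject]@{
        File        = $Path
        CompanyName = $info.CompanyName
        ProductName = $info.ProductName
        HasVendorId = -not [string]::IsNullOrWhiteSpace($info.CompanyName)
        SigStatus   = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Timestamped = $null -ne $sig.TimeStamperCertificate
    }
}

$report = Get-ChildItem -Path $BuildDir -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object { Get-VendorIdentity -Path $_.FullName }

$report | Format-Table File, CompanyName, SigStatus, Timestamped -AutoSize

# Files with no vendor identifier in their version information.
$noVendor = @($report | Where-Object { -not $_.HasVendorId })
# Any status other than Valid (NotSigned, HashMismatch, NotTrusted, ...) needs review.
# The page only calls a signature "preferred"; failing the build on it is this example's choice.
$badSig   = @($report | Where-Object { $_.SigStatus -ne 'Valid' })

if ($noVendor.Count -or $badSig.Count) {
    Write-Warning "$($noVendor.Count) file(s) lack CompanyName; $($badSig.Count) file(s) are not validly signed."
    exit 1
}
```

Comparing the `Signer` subject against `CompanyName` in the report also shows whether the certificate and the version information name the same vendor.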

Must have:

  • Bundling software
    • All included programs should be legitimate in nature and contain a clear, positive value to the installing user.
    • Each program must be offered on its own offer/install screen with clear information about its functionality, behavior, cost (if applicable) and purpose.
    • Each offer screen must have a clearly labeled skip/decline button or opt-in/opt-out checkbox enabling the user to decline the offer.
    • Each offer screen must have the same wording, 'Call to Action' buttons, navigation style and button placement throughout the installation process.
    • Any software that includes third-party components or software therein must provide appropriate disclosure to end users.
  • User consent, control, and transparency
    • All disclosure and consent clauses must be unavoidable to end users, must meet industry standards for readability, and must be presented in a language that an ordinary end user comprehends.
    • User consent must be obtained before download/installation of any software.
    • The installer must only install the software which the user provided their consent to install.
    • The user must be able to stop the installation at any point.
    • Any data acquisition must be made with the end user's consent.
    • Each setup screen must include exit functionality.
    • App installation must not be affected by any user decisions on the offers.
    • The app must disclose to the user the name of the product, identify developer name or the brand name of the providing entity, and how to contact this entity.
    • The software's EULA must disclose to the user if and how the app may affect any other programs on the user's PC and settings.
    • The installer must make clear which stage the installation is currently in and show progress during longer stages (e.g., while copying/downloading files).
  • Misleading behavior
    • All of the app's functionalities must correlate with the description mentioned in the installation screens.
  • Update
    • A software updater can only update the main application (it must not install any additional software without the user's consent).

Prohibited:

  • Bundling software
    • Software without offer screens.
    • Any form of promoting exaggerated or false claims about the user's system (health, registry, files, etc.).
  • User consent, control, and transparency
    • Selling or otherwise sharing a user's personally identifying information with third parties without the user's explicit consent.
    • Software that lacks its own privacy policy describing its data collection, usage, and sharing practices.
    • Software must not bypass/hack the system or other apps' security and consent features (browser hijack, disable notification, etc.).
    • Software must not operate, access any content, or cause the use of a user's PC without prior informed consent (e.g., operating Bitcoin miners).
    • Software must not redirect/block/modify searches, queries, user-entered URLs, etc. without user consent.
    • Software must not access any other site that doesn't directly relate to consented software functionality.
    • Any type of installation which does not require the end user's informed consent is expressly prohibited.
  • Misleading behavior
    • The installer must not mislead a user to take action that was previously declined.
    • Revenue modules must not engage with fictional installations of the product or the revenue model.
    • The software must not display exaggerated, misleading, or inaccurate claims about the health, files, registry or other items of the system of the user.
    • The installer must not initiate the installation of an app based on false, misleading, or fraudulent representation.
    • The software must not falsely claim to be a program from another brand (such as Avast, Microsoft, Google, Adobe, etc.).
  • Interfering
    • Software must not interfere with, replace, uninstall, or disable any third-party content, application, browser functionality and/or settings, websites, widget, the operating system or any part thereof without the user's consent.
    • Software must not engage in any fraudulent activity.
    • Software must not interfere with the browser default search/search pages without the user's consent.

Program Functionality

Must have:

  • Transparency and attribution
    • Ads must include a clear attribution to the providing application.
    • Ads must be clearly labeled and identified as ads.
    • When injecting data into external content (such as websites or search results), monetization services must be clearly labeled and distinguishable from any platform (such as a website) it appears on.
    • Ads must provide a link to an 'Ad Info' webpage with the following prominent notices and information:
      1. A short explanation about why the ad was displayed.
      2. Links to the advertiser's full and clear description of the revenue module.
      3. Links to the product's terms of service and privacy policy.

Prohibited:

  • Transparency and attribution
    • A program must not fail to clearly indicate when the program is active, and must not attempt to hide or disguise its presence.
  • Program behavior
    • Software must not include monetization services such as pop-ups, pop-unders, expanding banners, etc.
    • Software must not use the end user's device for purposes that are unwarranted and unexpected by the end user.
    • Software must not decrease a PC's reliability and/or cause a poor end user experience.

Uninstallation Process

Must have:

  • Completely remove all components of the software and/or related monetization modules, leaving no remains on the user's PC.
  • Function properly in an equivalent manner to the installation process.
  • Include a corresponding 'Add/Remove' entry in the Windows Control Panel or equivalent on different platforms, and the user must be able to completely uninstall the software.
  • Show the same software name as shown during the installation process and during operation of the app and/or monetization module. Likewise, the same software name must be visible in the Add/Remove section of the Windows Control Panel.
  • Provide an easy way to close the software and/or ads attributed to it.

Privacy Policy and EULA

Must have:

  • Privacy Policy
    • The app and/or monetization service's privacy policy must comply with the applicable privacy and data collection and protection laws, and provide a clear and comprehensive description of the advertiser's data collection practices.
    • The Privacy Policy must specify:
      1. Whether the software uses cookies or other means of collecting user data.
      2. Whether the software accesses, collects, uses, or discloses users' personally identifiable information (PII).
      3. What types of user data are accessed, collected, used, or disclosed, as well as what means it uses to do so and what is done with the collected data.
      4. How a user can opt out of PII collection and stop the app and/or monetization service from collecting PII data about them. Users must be able to achieve this in a straightforward way, and the app and/or monetization service must comply with the users' request immediately.
  • EULA
    • The app and/or monetization service must comply with the applicable laws and have an EULA that is easy to access during the installation process and from the app's website.
    • The vendor and product must comply with the EULA as accepted by the user during installation.
    • The app and/or monetization service should be clearly described in the EULA; any changes to the EULA require updated user consent.

Prohibited:

  • Privacy Policy
    • The app and/or monetization service must not sell or otherwise share with third parties personally identifying information without the user's specific consent in advance.
    • The app and/or monetization service must not mislead users about the origin of cookies and/or other means of data collection, or cause a user to falsely believe it is associated with another app.