The Truste group's goal of creating an online ecosystem through which software makers are held accountable for the functions of their programs and end users are given the power to keep unwanted applications off their devices won't be achieved easily, according to security researchers and participants in the nonprofit's Trusted Downloads project.
Launched by Truste in mid-February 2007, the Trusted Download Program aims to certify downloadable consumer software programs in the name of diminishing the ability of schemers to rain adware and malware onto the machines of unwitting end users.
By forcing members of its applications’ white list to disclose the entire functional impact of their programs on end users' machines, and requiring that software distributors obtain explicit permission from consumers before downloading any products onto their computers, Truste is hoping to become a virtual clearinghouse for trustworthy software distribution.
However, perhaps even more important than holding the software makers accountable for the content and delivery of their programs, Truste is also trying to force companies participating in the program to ensure that their distribution affiliates are held to the same rigorous disclosure and download standards.
That part of the process may be the hardest element of the program for the group to enforce, said at least one security researcher following the progress of the initiative, which is still in its beta phase.
Ben Edelman, an assistant professor at Harvard Business School and a longtime expert in the field of adware and spyware distribution, claims that of the 11 programs currently listed on the Trusted Download directory, at least one may still be finding its way onto end users' computers without their permission while another has serious questions looming about its intentions.
One of the programs he cites with the problem -- which he blames largely on affiliate sites that often use any means possible to generate downloads to drive up their revenues -- is Web marketing vendor ComScore's Relevant Knowledge 1.3 program.
Although ComScore, long criticized by some security researchers for its installation policies, has worked to improve its products to meet the types of standards set for by Trusted Download, the program is still being secretly installed in some cases, according to the researcher.
Recently, Edelman observed a pornographic executable file on the Web that downloaded a package of "junk software" without user permission that also included Relevant Knowledge.
In another instance, Edelman discovered what he labeled as a "spyware bundler" program that installed Relevant Knowledge without telling the user it was coming, showing or referencing an end user licensing agreement, or giving the user any opportunity to decline the program.
The other application approved by Trusted Download with which the researcher takes issue is the Vomba 220.127.116.11 client, which offers end users access to online multimedia programs and interactive screen savers in exchange for the "occasional display of targeted advertisements," or pop-ups.