Main  |  E-Mail

Fair criticism, or libel and theft?
07 October 2000 08:41

Questions have again been raised about companies using libel and intellectual property laws to silence critics, after claims that a small UK software developer censored security complaints.

In the latest version of their popular TV listings program DigiGuide, Gipsy Media incorporated third-party advertising software for the first time. Conducent's TimeSink system is one of a growing range of dedicated advertising solutions labelled "spyware" by security experts and privacy campaigners.

By logging individual customer information, it has been claimed that TimeSink and similar systems violate privacy rights and, in the UK, data protection laws. Such systems have become a subject of much controversy as an increasing number of software developers embrace in-product advertising as a source of revenue.

Andy Mabbett, a long-term beta tester of DigiGuide, complained on Gipsy Media's message board that the use of TimeSink was not adequately declared when customers upgraded to the latest version.

Specifically, he felt customers should have been warned that TimeSink was able to track fixed IP addresses. This tracking is a potential security risk for people with always-on Internet connections and customers of some dial-up providers. Mabbett's ISP, Demon Internet, is one of the few that still provide fixed IP addresses.

Gipsy Media insisted that there was no risk from TimeSink's ability to track customers, describing the omission of a warning as a "documentation bug". They added: "If [customers think] that an IP address is personally identifiable then we are happy to change our privacy statement to reflect this if it's true."

Other users of DigiGuide have complained of two more alleged security risks and breaches of privacy.

One customer pointed out that the TimeSink system uses 'cookie' files to track user activity. Cookies, used by most web browsers, are generally accepted as posing no serious security risk. However, Gipsy had previously stated that they were not used at all: "Conducent does not use cookies, and DigiGuide doesn't use cookies."

After a list of cookies, apparently created by DigiGuide, was provided, a senior Gipsy representative, Russ Freeman, responded: "I see the logic, if DigiGuide uses Conducent and Conducent software uses an [Internet Explorer] control and the IE control uses cookies then therefore DigiGuide must [use] cookies ... DigiGuide uses a web browser to display HTML pages." This appears to conflict with another statement he had made 24 hours earlier: "Conducent goes nowhere near your browser, independent analysis of our installation will/has proven this."

Another customer expressed concern that the TimeSink system was using his real name, not the fake name given during registration. Gipsy explained that the name used by TimeSink was the customer's computer login name, contradicting assurances that the only customer-specific information used was that which had been given during the registration process.

Following several heated exchanges between Andy Mabbett and Russ Freeman, other DigiGuide beta testers noticed that some of Andy Mabbett's messages on the Gipsy Media web site were being removed. Freeman then told Mabbett: "Your attitude is unwelcome on Gipsy Media web sites, your rights to access our web sites and our products is now revoked. Make the visit to read this your last and make no more posts."

Three days later, Mabbett posted a newsgroup message explaining what he felt were "contradictions" and "dishonesty" in some of Gipsy Media's statements and documentation. This message was reported to his ISP, Demon, who removed it from their server after their solicitors had deemed it to have "a defamatory meaning". Demon also required Mabbett to agree that he would "not publish such material in future using [his] Demon service".

In the UK, once on notice an ISP can be held legally responsible for any material available on its servers. There have been calls from representatives of the ISP industry for this part of the law to be changed so that ISPs cannot be held responsible. Since the case of Laurence Godfrey, the physicist who successfully sued Demon for libel over a newsgroup message posted by another ISP's customer from outside the UK, some ISPs will as a matter of policy remove messages on receipt of a complaint.

By apparently exploiting an unpopular aspect of the law in this way, Gipsy Media has attracted accusations of censorship.

In fact, it is not entirely clear if Gipsy did complain to Demon. When pushed for an answer, Russ Freeman explained that he felt it would be "a breach of ... confidentiality" to say one way or the other.

Demon will not reveal the identity of complainants, although one representative expressed surprise that Gipsy Media had declined to give a definite answer.

It has also come to light that Demon are investigating a second complaint made against Andy Mabbett, after it was alleged that by quoting excerpts from Gipsy Media's documentation, he had infringed copyright.

Again, Demon would not confirm who had made the complaint, but it seems unlikely that it would have been anyone other than Gipsy Media. Russ Freeman had previously complained about Mabbett's quoting of copyrighted material, saying that "[re-transmitting] content from our web site is strictly forbidden without prior written consent".

This case has raised several controversial issues.

If a company can prevent criticism of its products by claiming that small quotes from documentation are infringements of copyright, this makes it difficult for journalists and consumers to expose what they see as misleading information.

Gipsy Media were acting within their legal rights when they deleted Andy Mabbett's messages from their web site, but in doing so they removed accusations that had previously been denied.

And if Gipsy Media did indeed make the complaint of libel, this will undoubtedly be seen by free speech campaigners and legal reformists as an example of fair criticism being silenced by underhanded tactics.

Ironically, one senior figure at Demon had already expressed disapproval of Gipsy Media removing Andy Mabbett's messages from their web site. In a newsgroup discussion, Clive Feather told Russ Freeman: "You censored him. Be honest about it."

The case has also shown how precarious a company's image can be. From this one incident, Gipsy Media's long-standing reputation as a community-driven enterprise has suffered greatly, with some customers expressing distrust and vowing never to use DigiGuide in future.

To clarify both sides of the story, there now follows an interview with Russ Freeman of Gipsy Media, and with Andy Mabbett.

Interview: Russ Freeman

Previous versions of DigiGuide were supported by advertising, but did not rely on any third-party advertising systems. Why was the decision made to incorporate the Conducent system?

Our previous advertising system was written in house, supported by ourselves. We have no sales team and no marketing team. We found it impossible to sell the adverts in our system. We sold some adverts, over the 18 months it was enabled, but not enough even to pay for the soft drinks the team consumes!

We were faced with the commercial reality of the situation: Nine staff, an office and the daily data updates cost a substantial amount of money; if we were going to continue this free service it had to start paying for itself somehow. (The online version(s) pays for itself nicely, through providing the branded version and through traditional banner advertising.)

We specifically chose Conducent after looking around at the other suppliers, looking into their documentation and SDKs and after looking at what some of the anti-ad campaigners had to say about them. We found the only issues levelled against them were down to privacy documentation/installers and we aimed to correct that in ours.

What do you think of the term "spyware" being used to describe advertising systems such as that made by Conducent? Is it a fair description?

According to some of the anti-ad campaigners, the term "spy" is appropriate for some of the software on the growing lists of 'spyware'. The term has been used to describe Conducent software without any proof. Spying suggests doing things in secret and I don't see where Conducent are taking stuff in secret. They don't monitor browsing habits, nor hard disk contents, or anything else that they don't already declare on their Privacy statement, as can be shown using utilities like FileMon.

I don't care for the term either way to be honest. Adware is appropriate for Conducent, and DigiGuide has always been adware. Neither of us have the means nor the desire to start spying on users.

One concern voiced by many of your customers is that the DigiGuide documentation does not fully and prominently warn them about the Conducent system. Indeed, people automatically updating from previous versions would not have been told at all. Do those customers have a valid complaint?

We acknowledged that our documentation could have been clearer and you can now see the current version of our documentation is much improved. We had a lot of criticism, not all of it constructive, but thanks to the feedback from the DigiGuide Community at large we have now amended the documents to be clearer. We now have clearer T&Cs and a knowledge-base devoted to questions on the advertising engine.

People that updated from 3.1 to 4.0 had to read the EULA and agree/disagree before continuing. This EULA explained that an advertising engine would be used. It was only after agreeing to these terms that any Conducent software would be installed. The only thing we didn't do was use the name "Conducent" in this document. We did, however, include several hyperlinks a few paragraphs below that fully described Conducent and provided more information.

To make things much clearer, the very first paragraph now states: "Unless you have registered the product, this software application is provided to you FREE OF CHARGE and is paid for by advertisements that appear within the user interface. When choosing to install the advert-supported version, you will be asked to accept these terms and conditions after which DigiGuide will install the advertising engine. This engine will send information about the advertisements you see while using DigiGuide to Conducent Inc., in the USA."

Conducent software can track people who have a static IP address. Is this a security risk for those people?

Web sites can track people with static IP addresses thanks to the nature of the Internet. I notice that and [partner site] have no privacy policy so they could be tracking IP addresses (spying? no precise declaration seems to mean guilt according to some groups). Conducent does not track you via your IP address and neither does DigiGuide. I can't be sure or don't because of the lack of statement. If it's a problem for people with static IP addresses then it must indeed be a wide reaching one.

Static IP addresses identify a computer, not an individual, that's the point to IP addresses. The biggest security risk that static IP addresses pose is from hacking.

You have stated that DigiGuide doesn't use cookies, but one customer provided a list of cookies that were allegedly used by DigiGuide. Can you please clarify what may have lead to this apparent discrepancy?

DigiGuide for Windows makes no use of cookies. DigiGuide does use a web browser control which may use cookies. We have no access to those cookies and we are not in control of whether or not the cookies are sent from the server.

Conducent also use a web browser control. They don't have access to nor control of the cookie data either. I notice that [the utility] "CrapSpy" uses a browser control and I also notice that using the same arguments it would use cookies too. I dare say the authors of the software would argue that they have no cookie handling code or cookie ability in their software. This cookie capability, when using a web browser control, can be turned off using standard Internet Explorer Security Settings.

The web site uses a cookie for it's forums and uses cookies to allow you to customise the site. The following FAQs detail exactly what data is stored in the cookies used by our web sites.

You have also stated that the Conducent system only uses personal information that the user has voluntarily supplied, but one customer has claimed it uses his real name, not the name he supplied. Can you explain this?

What this user has noticed is that Conducent have used the logged in user name as the name of a folder below their main folder which stores how many ads that login user has seen -- this coincidentally happens to be his real name. The login name is available from the GetUserName Win32 API function.

One of your customers, Andy Mabbett, has been very vocal about your use of the Conducent system. Why did you decide to ban him from the DigiGuide forums and delete many of the messages he had previously posted?

Andy Mabbett was behaving the same way as he does in Usenet. This behaviour is not tolerated on our forums and he was asked to not visit our sites any further. Our forums have always been moderated but the only posts we had been forced to remove previously were adverts for porn sites.

Several people have said that by removing Andy Mabbett's messages, you were in effect censoring a legitimate complaint. Is that a fair accusation?

If that were true, why did the same complaints, but delivered by different people, remain unaltered? Most people want problems solved. Some people enjoy the problem and just want to further it. Complaints are dealt with, issues are raised and solved. We have an excellent record of addressing issues raised, whether they are complaints or bug reports. We have nothing to fear from complaints because they ultimately improve our software with the net result being a great system for everyone. This is and has always been our approach.

Andy never emailed me about any issues he raised, he never asked us to fix anything. Others did and the issues have now been resolved.

Andy Mabbett also posted some comments about DigiGuide to a newsgroup. These comments were removed by his ISP following a complaint that they were potentially libellous. Was this complaint made by a representative of Gipsy Media?

I think that's between Andy Mabbett and his former ISP. It is my understanding, from his posts, that there were several complaints from different sources.

It has been my observation that some posting styles in Usenet attract a disproportionate number of complaints from Usenet users. Perhaps the knee-jerk use of the word "liar" had been levelled at one person too many or perhaps the creative quoting used was taken badly.

On Usenet, anyone, it seems, can say anything. Everyone else assumes it to be true. I personally wouldn't take legal advice from, not because I have an opinion about the people there but because I believe I would get value for money, i.e. it is free. How would I know the difference between the posts of a criminal or an 8 year old, and those of a barrister.

I'd like to push you a bit more about the complaint to Demon: Has any representative of Gipsy Media complained to Demon about any of Andy Mabbett's newsgroup messages?

How is that relevant to issues relating to Conducent and DigiGuide?

Do you think GM would be justified in complaining about accusations of lying, or his posting of copyright material in newsgroups?

Well, some people feel it would be unethical of Gipsy Media to take advantage of how the UK libel laws currently affect UK ISPs.

So it's not relevant then, and ... 'opinion' isn't the interesting issue.

Can you say if GM did or did not make the complaint?

I feel that it would be a breach of GM's, Mr Mabbett's and Demon's confidentiality, perhaps even unethical to say whether or not GM was one of the complainants - note the plural as stated in Mr Mabbett's post (conversation with Demon); There is the possibility that Mr Mabbett may have upset more than one entity recently in regards to this debate, but also over a longer period of time.

Interview: Andy Mabbett

How did you become aware that the latest version of DigiGuide uses the Conducent advertising system?

I was alerted to the fact that it had been added to my machine by a third-party utility, whether "AdAware" or "OptOut" (I was using both at that time; I don't recall which of them alerted me) which detects "spyware". DigiGuide was the only recently-upgraded (or installed) software, hence the obvious source. I was certainly not aware of it being installed by DigiGuide which upgraded itself automatically.

In your view, what dangers or risks could potentially be introduced by software that uses the Conducent system?

You will note that I have never raised any issue of "danger" or "risk" in the recent debate. You can read about Conducent on this page (though of course any impact would depend on the circumstances of the individual installation, and the experience of, and security measures taken by the individual user).

You have been distinctly vocal in your criticism of Gipsy Media's decision to use the Conducent software, and also their alleged failure to fully disclose its potential security risks. Can you explain why you feel so strongly about these points?

I don't believe I have ever made comments which could reasonably lead you to those conclusions. I suggest you re-read my comments in the newsgroups concerned; particularly this one, which was my first post on the subject; and this one, which was a response in the same thread, to a request for clarification.

Russ Freeman of Gipsy Media has said that you were only interested in complaining about problems with DigiGuide, with no real interest in seeing them resolved. Is that a fair comment for him to make?

It is a completely false allegation, not supported by the facts and my previous suggestions for improvements to the software, for example [those in] this newsgroup message (of April 1999), most of which were adopted by Gipsy Media.

I have no idea why Mr Freeman should make such an unwarranted and baseless accusation, for which there is no evidence, and can only suppose that he did so to detract attention from his own, his company's and his product's failings.

My raising of the issue seems to have resulted in changes to DigiGuide (Mr Freeman has said as much) and its documentation, by Gipsy Media. While I have yet to see these changes, it would seem that a direct result of my comments is a resolution of the issues raised, which, in addition to all other evidence, indicates the fallacious nature of his absurd allegation.

Incidentally, Mr Freeman initially denied what his company's web site now admits, and what his beta testers were telling him as long ago as June 15: that IP addresses can be used to identify individuals. In this message, Russ Freeman wrote: "Your claims hinge on the fact that your IP address identfies you personally. It is as I thought, it can't be done."

Why do you believe Gipsy Media banned you from their forums and removed messages you had previously posted?

I don't believe that they have [banned me]. In this message, Mr Freeman claimed that: "We grant licences to use our web site, the licence is revokable, Andy's licence was revoked under the terms and conditions of our site." But according to those terms and conditions, officers of the company can only change the terms and conditions (including explicit or implicit invitations to read and post to their site, or use their software, presumably) in writing. I have received no such letter.

My messages were first edited, before being removed. After editing, but before removing, them, in this message, Russ Freeman wrote: "If we wanted to censor you we would have taken your post out or changed it to be favourable." So I can only suppose that they wanted to censor me. As to why they would want that, you would have to ask them.

In this message, Russ Freeman wrote: "[Where] his posts have gone I don't know, I don't live at work and I don't maintain the forums but I will find out where they have gone and why."

But no answer has been forthcoming, despite my posting reminders.

In fact, Mr Freeman has repeatedly failed to answer perfectly reasonable questions, put to him by me and others, and to provide evidence for his false allegations about me when I have challenged him to do so. For example, in this message, he wrote: "He (Andy Mabbett) is very creative with his quoting and snipping I find." I replied: "If you feel I have misrepresented you, feel free to say how, and where."

In this message, I wrote: "You still haven't said what you were doing in uk.local.birmingham, BTW." (Mr Freeman had inexplicably cross-posted some of his comments into that group, which has no connection with any of the issues being discussed.)

In this message, I wrote: "Now, I've lost count of how many times I've asked you this, but I think this is the sixth: Perhaps you can now explain, if appropriate, where in the DigiGuide documentation it is made clear that uninstalling DigiGuide does not uninstall Conducent; and where it tells people how to do so themselves, without paying you for the privilege? You might also explain how a fixed IP number is not 'personally identifiable information'."

Do you feel Gipsy Media were justified in banning you and removing your messages?

Of course not.

You posted a message to a newsgroup, making several accusations about Gipsy Media's conduct and honesty. Someone then complained to your ISP, alleging that the message was potentially libellous. Do you know who made this complaint?

While I have not seen the original compliant, no reference to libel was made by Demon.

[Note: Demon refers to the message as having "a defamatory meaning". This is the standard term used by Demon in response to allegations of libel.]

Mark Gracey of Demon told me that he was "unable" to tell me who had complained.

I no longer use Demon, having terminated my account with them.

Do you feel the libel complaint was valid?

Again, of course not.

The facts I presented in that article speak for themselves, I feel.

Hosted By