SiteAdvisor scareware misleads web users
6 July 2008 - 17:45
The logic behind McAfee's SiteAdvisor web safety product is so flawed I am starting to wonder whether the company's lawyers have even looked at it. Do they understand how exposed to litigation their company is, because of this product? The potential for webmasters to take McAfee for a lot of money in a class action for defamation and loss of business seems immense. I think the only reason this hasn't happened yet is that many webmasters and online business owners don't even know that SiteAdvisor is defaming their site because they haven't installed the browser plug-in and can't see it.
I have already blogged about how SiteAdvisor is defaming Tech-Pro.net by accusing us of distributing dangerous downloads, when in fact the McAfee malware scanner is at fault. McAfee has made fundamental errors in the design of its system for testing for malware:
- It is basing its verdict on the results of a single scanner, its own, despite the fact that false alarms are a common occurrence that nearly all scanners suffer from. It is technically insupportable to give a site a "dangerous" verdict without checking the offending files using other scanners to eliminate false positives.
- It is not informing webmasters of an impending bad rating, in order to give them time to respond. This is grossly unfair, since most webmasters won't even know their site has a bad rating if they haven't installed the SiteAdvisor plug-in. But not informing webmasters is also irresponsible since it denies them the opportunity to demonstrate that they don't deserve the bad rating by doing something about the problem - if it is indeed a genuine malware detection - which would help clean up the internet for all web users, not just those who use SiteAdvisor.
Expecting site owners to find out for themselves about their SiteAdvisor rating, and then live with a black (or red) mark against their site until McAfee deigns to do a re-test is just not on. McAfee is not above the law. It has no right to say whether sites are good or bad. If it chooses to set itself up as a guardian of the web, it has a responsibility to be 100% correct. If it makes a mistake, it does not have the right to dictate when a bad rating is removed, and it should be liable for damages for every day that it makes a false and defamatory claim about a site.
But if SiteAdvisor's malware tests weren't flawed enough, McAfee compounds the problem by blacklisting sites by association. Sites that link to another site that has been given a red "dangerous downloads" rating are themselves also given a red rating. So for example the web site of Alpha ZIP, an excellent archive manager developed by a respected member of the Association of Shareware Professionals, is given a red flag because it links to Security Software Zone, which has been condemned for linking to, as it happens, the same Spyware Doctor trial version that has caused Tech-Pro.net to get a red danger rating.
SiteAdvisor is using who a site is linked to as a heuristic of whether it is good or bad, but it does not appear to be using any other common-sense methods. If a site has had a safe "green" rating for a long time then the sudden appearance of a "dangerous" download should be treated as suspicious. SiteAdvisor is supposed to base its ratings on user opinions as well (though this is not much help for even modestly successful businesses like ours, as most sites have few or no user contributions). However, this did not help Security Software Zone, mentioned above, which had only "good" ratings until this false malware identification occurred.
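The cascade described above can be shown with a small model: one scanner's false positive on a single file turns every site in the link chain red, while requiring a second scanner to agree, or rating only the hosting site, contains it. This is an added illustration, not McAfee's algorithm or code from this blog; the site names, scanner names and the `min_agree` threshold are constructed assumptions.

```python
# Constructed sample data: hypothetical sites and scanners, not real ratings.
LINKS = {  # site -> sites it links to
    "archiver.example": ["reviews.example"],
    "reviews.example": ["vendor.example"],
    "vendor.example": [],
    "unrelated.example": [],
}
# site -> hosted file -> per-scanner verdict (True = flagged as malware)
DETECTIONS = {
    "vendor.example": {
        "trial-setup.exe": {"scanner_a": True, "scanner_b": False, "scanner_c": False},
    },
}


def red_seeds(detections, min_agree=1):
    """Sites hosting any file flagged by at least min_agree scanners."""
    return {
        site
        for site, files in detections.items()
        if any(sum(v.values()) >= min_agree for v in files.values())
    }


def propagate(links, seeds):
    """Red by association: a site that links to a red site becomes red too."""
    red = set(seeds)
    changed = True
    while changed:  # repeat until no new site is pulled in
        changed = False
        for site, targets in links.items():
            if site not in red and any(t in red for t in targets):
                red.add(site)
                changed = True
    return red


def rate(links, detections, min_agree=1, by_association=True):
    """Return {site: 'red' | 'green'} under the chosen policy (assumed model)."""
    seeds = red_seeds(detections, min_agree)
    red = propagate(links, seeds) if by_association else seeds
    return {site: ("red" if site in red else "green") for site in links}


if __name__ == "__main__":
    print(rate(LINKS, DETECTIONS))                        # single scanner, association on
    print(rate(LINKS, DETECTIONS, min_agree=2))           # require a second scanner to agree
    print(rate(LINKS, DETECTIONS, by_association=False))  # rate only the hosting site
```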
What is even more misleading about SiteAdvisor is that it is not giving sites the same rating for the same problem. So, for example, you could download the same file that has got Tech-Pro.net a "dangerous downloads" warning from Snapfiles.com, and receive no warning from Yahoo because SiteAdvisor has given SnapFiles only a yellow cautionary rating as the allegedly infected file represents only a "small proportion" of files. The site owner's comment suggests that SnapFiles was red rated a year ago for the same issue of false positive detections. One year and still McAfee has not done anything about this issue!
I am all in favour of anything that singles out the disreputable websites and purveyors of malware from the rest. But McAfee SiteAdvisor as currently implemented is an absolute disaster, and that's not just my opinion but that of everyone in the industry I've communicated with about it. Is it really a genuine attempt to make the web a safer place for surfers? Or is SiteAdvisor scareware that needs a lot of yellow- or red-flagged sites to justify its purchase to consumers?