Responding to RealPlayer

Posted by Erica George Thu, 21 Feb 2008 16:40:02 GMT

RealNetworks yesterday posted a response to StopBadware’s alert (and later full report) labeling its RealPlayer software versions 10.5 and 11 as badware. Unfortunately, Real seems to have chosen to explain away the issues we noted in its software, rather than working to change RealPlayer’s badware behaviors, missing the larger point of our report. What’s at issue is not whether downloading RealPlayer “actually hurts anyone,” but that both versions of RealPlayer which we reviewed limit the ability of computer users to make informed choices about what happens on their computers – which violates our guidelines.

Real suggests that consumers might enjoy RealPlayer 10.5 Message Center’s ability to display ads. But as Real admits, many users find that type of ad annoying and unwanted. If an application’s default behavior disrupts a user’s normal and expected computer use with ads and does not disclose that fact clearly before the user chooses to install, it violates our guidelines.

Real’s blog post states that RealPlayer 10.5 is outdated, obsolete, and fully replaced by version 11. Many prominent web links for RealPlayer still lead to the download page for the older version. To truly make RealPlayer 10.5 obsolete, Real needs to do its best to take its outdated software out of circulation. We urge Real to stop distributing RealPlayer 10.5 and redirect the download page for 10.5 to the page for the latest version.

As Real explains in its response, there are legitimate reasons to bundle the Rhapsody player engine with RealPlayer 11. But not disclosing the inclusion of the Rhapsody player is a significant oversight, in contrast to other disclosures in the installation for RealPlayer 11. Users have a right to know if Rhapsody Player Engine is being installed on their computers. Users who choose to remove RealPlayer from their machines should also be able to remove anything that installed along with it just as simply. Real notes in its blog post that the Rhapsody player can be seen and uninstalled from the control panel. Expecting users to seek out a program they are not even aware is on their machine is simply not enough. For users to be able to make informed choices about what software is on their computers, bundled applications need to be disclosed and easily removable if the core application is uninstalled.

Also, if users have no idea that the Rhapsody player software is installed on their computers, they won’t know to keep it updated. Many media player engines have security flaws that have been exploited in the wild. Once these flaws are found they can be fixed with software patches – but only if the user knows to download the patch or updated version. If the Rhapsody player sits on a user’s computer for two or three years without security updates, it could become a serious and potentially harmful vulnerability.

When StopBadware chooses applications to research and report, we don’t focus only on applications that are clearly egregiously harmful. Trojans and keyloggers and other malware are bad, and the average consumer doesn’t need us to tell them that. Where consumers can use a little help, however, is in figuring out which commonly available applications require extra caution. When a computer user chooses to download an application, they are placing their trust in the software’s makers and distributors. It’s the responsibility of the companies behind consumer software to make sure their products fully live up to that trust.

StopBadware believes that software applications should be held to a high standard of full disclosure and user consent. That belief is the underlying principle for our software guidelines, which we apply to determine if an application should be considered badware. Our computers are increasingly important parts of our lives, and we deserve to have control over the software that is on them.

We welcome a continuation of our dialog with the folks at RealNetworks, and we hope that Real will move to addressing the concerns we’ve raised in its next update.


My SHC Community

Posted by Maxim Weinstein Fri, 04 Jan 2008 23:18:25 GMT

Sears Holding Corporation (SHC), the parent company of Sears & KMart [updated 01/07/08] stores, has recently come under fire regarding their My SHC Community application, developed by VoiceFive, a subsidiary of comScore. The concerns are focused around whether users are adequately informed about what the application does before they install it and whether information provided to users is consistent and clear. The application tracks, in quite a bit of depth, a user’s behavior online, including capturing details of purchases, headers of web-based e-mails, and other content. Both companies assert strong policies and technical controls to protect the data from prying eyes, both within and outside of their organizations. They also state that they use scrubbing techniques to delete passwords, social security numbers, credit card numbers, and other confidential data before these data are sent to their servers.

StopBadware has been looking into this situation and has had productive conversations with both SHC and comScore. The two companies are currently evaluating our recommendations, which include making significant improvements to disclosure text and placement, ensuring consistency in privacy policies, and providing an indicator to the computer user when the software is running. SHC tells us that they intend to make one change, which will move a paragraph explaining the tracking to the top of the end user license agreement (EULA), later today.

We appreciate the engagement by SHC and comScore. Dialog with both companies is ongoing, and we will provide updated information as it becomes available.
