The folks at Real Networks, creators of RealPlayer, recently brought to our attention a new version of the software that addresses the badware concerns we raised last year. We have therefore archived our alert about RealPlayer and updated it to reflect the presence of the new version. It’s always good to see software companies respond in a positive way to the concerns of the community.

RealNetworks yesterday posted a response to StopBadware’s alert (and later full report) labeling its RealPlayer software versions 10.5 and 11 as badware. Unfortunately, Real seems to have chosen to explain away the issues we noted in its software, rather than working to change RealPlayer’s badware behaviors, missing the larger point of our report. What’s at issue is not whether downloading RealPlayer “actually hurts anyone,” but that both versions of RealPlayer which we reviewed limit the ability of computer users to make informed choices about what happens on their computers – which violates our guidelines.

Real suggests that consumers might enjoy RealPlayer 10.5 Message Center’s ability to display ads. But as Real admits, many users find that type of ad annoying and unwanted. If an application’s default behavior disrupts a user’s normal and expected computer use with ads and does not disclose that fact clearly before the user chooses to install, it violates our guidelines.

Real’s blog post states that RealPlayer 10.5 is outdated, obsolete, and fully replaced by version 11. Many prominent web links for RealPlayer still lead to the download page for the older version. To truly make RealPlayer 10.5 obsolete, Real needs to do its best to take its outdated software out of circulation. We urge Real to stop distributing RealPlayer 10.5 and redirect the download page for 10.5 to the page for the latest version.

As Real explains in its response, there are legitimate reasons to bundle the Rhapsody player engine with RealPlayer 11. But not disclosing the inclusion of the Rhapsody player is a significant oversight, in contrast to other disclosures in the installation for RealPlayer 11. Users have a right to know if Rhapsody Player Engine is being installed on their computers. Users who choose to remove RealPlayer from their machines should also be able to remove anything that installed along with it just as simply. Real notes in its blog post that the Rhapsody player can be seen and uninstalled from the control panel. Expecting users to seek out a program they are not even aware is on their machine is simply not enough. For users to be able to make informed choices about what software is on their computers, bundled applications need to be disclosed and easily removable if the core application is uninstalled.

Also, if users have no idea that the Rhapsody player software is installed on their computers, they won’t know to keep it updated. Many media player engines have security flaws that have been exploited in the wild. Once these flaws are found they can be fixed with software patches – but only if the user knows to download the patch or updated version. If the Rhapsody player sits on a user’s computer for two or three years without security updates, it could become a serious and potentially harmful vulnerability.

When StopBadware chooses applications to research and report, we don’t focus only on applications that are clearly egregiously harmful. Trojans and keyloggers and other malware are bad, and the average consumer doesn’t need us to tell them that. Where consumers can use a little help, however, is in figuring out which commonly available applications require extra caution. When a computer user chooses to download an application, they are placing their trust in the software’s makers and distributors. It’s the responsibility of the companies behind consumer software to make sure their products fully live up to that trust.

StopBadware believes that software applications should be held to a high standard of full disclosure and user consent. That belief is the underlying principle for our software guidelines, which we apply to determine if an application should be considered badware. Our computers are increasingly important parts of our lives, and we deserve to have control over the software that is on them.

We welcome a continuation of our dialog with the folks at RealNetworks, and we hope that Real will move to addressing the concerns we’ve raised in its next update.

Public response to StopBadware’s recent RealPlayer alert has generally been positive, and we are pleased to hear that RealNetworks plans to correct some of the behaviors which we identified in the alert in a future RealPlayer release.

Nonetheless, we are a little confused by the reported comments of RealNetworks’ PR Manager, Ryan Lukin, whose words may have the potential to mislead consumers regarding the undisclosed features of RealPlayer 10.5 and RealPlayer 11. According to CNET News, Lukin claims that the Message Center software that is bundled with RealPlayer is “clearly identified during installation”, and that the content served by this software does not qualify as advertising. Lukin also implies that all users are provided with the opportunity to opt out of these ‘messages’ by the RealPlayer 10.5 installer. In our experience, the advertising features of the message center are not adequately disclosed, and only users who submit their personal information to RealNetworks during the registration stage of the RealPlayer 10.5 installation are actually granted the opportunity to opt out of the pop-up advertisements; users who exit the registration must accept the message center’s default settings, which include the display of pop-up advertisements for third-party products and offers.

Our alerts describe the ways in which software applications violate our software guidelines, but they do not always fully depict the behavior of those applications. This can make it difficult for some users to understand the conclusions that we draw in these alerts. In order to better illustrate our reasons for applying the ‘badware’ label to RealPlayer, we are now releasing a follow-up report, replete with screenshots, to the public. We hope that you will find it informative.

The RealPlayer follow-up report can be found here and the original alert can be viewed here.

StopBadware has released an alert identifying RealPlayer as badware. See our press release here and the complete alert here.

Interestingly, RealPlayer 10.5 and RealPlayer 11, both of which are distributed widely, both violate our badware guidelines, but in different ways.

RealPlayer 10.5 is badware because it doesn’t tell the user that its “Message Center” feature will pop up ads from the system tray if the user doesn’t register the application.

RealPlayer 11 is badware because it installs the Rhapsody Player Engine without notifying the user. When the user uninstalls RealPlayer, Rhapsody Player Engine is left behind, unless the user also knows to uninstall it separately.

RealNetworks, Inc., the publisher of RealPlayer, has been upfront about these behaviors in our conversations with them. They point out that version 11 does not install the ad-serving Message Center by default, and they acknowledge that it was a mistake on their part to not offer to uninstall Rhapsody Player Engine when uninstalling RealPlayer 11. We expect that the next version of RealPlayer will correct the issue and provide better disclosure, and we encourage RealNetworks to work with their downstream partners to ensure that older versions are replaced by the new version.