Google Spyware

20 comments

Google have been in trouble with observant techies over bundling, just as Yahoo! and others have with their toolbars, but now, they're taking spyware tactics to a whole new level.

The Google Web Accelerator, that oh so fluffy and "helpful" app that's garnered so much love with the public, is taking a note out of the Spyware Bible™ and targeting the Windows MSI file OnLoad

What this means
Sounds complicated, but after 20mins talking to Dave Naylor (linked above) it's actually fairly simple. Here's how it works:

  • Follow this link to GWA download page BUT don't press enter or click 'ok'
  • Notice the Javascript window that's prompting you to download GWA?
  • Well, that's come about because Google are targeting the MSI file onload - This is at very best, rude, but at worst, it's a classic spyware tactic used by countless nefariously evil apps over the years.

So, when people link to that page, the first thing they get is that prompt to download GWA - hmmmm real nice Google, what are you going to do for your next trick?

Comments

Agreed Nick

it becoming a more common practice to just on load the MSI file when a click to the MSI would have been ok !

and because google keep taking down the home page everyone has started linking to the MSI popup page ..

DaveN

spyware?

"So, when people link to that page" - How is it spyware - That page isn't supposed to be linked from anyware, but used in an iframe from this page - http://webaccelerator.google.com/ ( i.e. where it currently says " Thank you for your interest in Google Web Accelerator."... there would be a download link there, that opens the /dc.html page and prompts you to save the file. ) -perfectly legit.

I'm sure you guys are smart enough to work that out?

Onload & meta refresh are used at almost every download site. e.g. phpbb, sourceforge, microsoft, download.com ...

Show me one place where the dc.html page is linked from from google.com and then maybe you've got a point.

It's just like me linking to this directly and saying ooooh sourceforge is using meta referesh to install some weird app on my pc ! help ! spyware !

Dave: what the arse? :) Heh, I speak British :)

Dave, I'm pretty sure I did a long post on your blog. Either your blog ate it or you didn't approve the post. I don't care enough to reconstruct it, but the point was that we don't foist this page on people. [huh, turns out I did care enough to write it again.]

This morning, you had to go to http://webaccelerator.google.com/ then click Learn More to get to http://webaccelerator.google.com/support.html then click "Download Google Web Accelerator" to get to http://webaccelerator.google.com/index.html to get to a page with be "Download Now" in bold. Then if you click the big bold button that says "Download Now" you go to the page http://webaccelerator.google.com/dc.html that, you know *starts the download like the user asked for*. :)

It took me three clicks to get the bloody thing, because this morning, the main page had the "we're full up" message so you had to root around to get it. It looks like as capacity frees up, the "Download Now" button is available sometimes from http://webaccelerator.google.com/ .

My point is that the GWA page http://webaccelerator.google.com/ tells all about it and has links to info. You only get to the dc.html page if you click the big blue Download Now button. Having the download start on a page that you reach by clicking Download is "taking spyware tactics to a whole new level"?

I call bullocks. :)

Also

I'm going to bed. You UK/DK people are up posting stuff at all the wrong times! ;)

and NZ

10 pm here ( thursday ) ;)

We do it just to freak you

We do it just to freak you out matt, you know that heh...

It's working!

2:21 a.m.! Can't a grumpy old Googler get any sleep?! You kids with your Sex Pistols and your Elvis Costello blaring all night long and your Page 3 girls. Honestly! I'll tramp your dirt down, youngster! :)

Ta.

Get with the timezone Matt,

Get with the timezone Matt, meridian massif :-P

Maybe someday

Gotta get me a Mattbot. It could handle stuff 24 hours/day. ;)

Mattbot

Gotta get me a Mattbot. It could handle stuff 24 hours/day. ;)

I think we've already seen the beta... ;)

If it is important to you,

If it is important to you, Google and Matt, that users actually take the "normal" steps to get to the dc-file and forced download why do you let people link and go directly to it? It is not very difficult to block direct entries, you know how to do it and you should have thought about this. So why are you not doing it?

- Did you forget?
- Do you not care?
- Do you want as many downloads - whatever the price is?

Please tell us why this was not done properly and we may start to feel with you :)

Matt sorry .. you tripped a spam filter

yer matt posted on my blog but he tripped a spam filter we use ..lol and I agree with mikkel.. people in forums are linking to the dc page...

DaveN

Seeing you're British now

Matt, well batted :)

Hysterical Horseshit

It's not Google's fault people are passing around the link to the direct download. If you direct link to the page that invokes a download you shouldn't cry wolf like a bunch of techno babbling babies.

When people don't know the difference between a download page and Spyware someone needs to just stop the planet so I can step off as there's no intelligent life here anymore.

People should be more concerned that masses of morons are installing Web Accelerator to solve a 'problem' that doesn't exist, slowing down fast connections routing off to Google as an intermediary, causing web sites to malfunction, and more things that I won't address before 10am.

Wha?

Mikkel, it's a static html page that people reach when they click the big blue *download* button. It seems a little silly to me to embed referrer checks and stuff that probably won't work into JS on the page. What if someone surfs with referrers off (like me) or is coming through a proxy? Sorry, you can't have the executable because we suspect some punter might be having a go at you by posting an internal link on a forum or you don't meet our exacting standards of how you can reach this page or you just seem to have a shifty look with that no-referrers thing? Nick would post about that, too. ;)

If we "want as many downloads - whatever the price?" then why would we limit the number of people who can download the app? No, I call bollocks, and fish and chips and Guy Fawkes as well.

Hmmm...

I think Matt has a valid point about the GWA DL page.

IMO, It is too bad that Matt (or another google rep) were not so forceful about denying that the GWA app is nothing but spyware.

This isn't changing the big picture

This isn't changing the big picture,
I don't see a special problem with GWA or the page, Google already got access to significant Personal and Financial data via:

- Gmail
- Gtoolbar
- Desktop search
- Gtalk
- Eternal cookies (note: change computer prior to year 2038 :-) )
- Google Groups
- Google Maps
- Urchin
- Blogger
- AdWords
- AdSense
- Froogle
- Picasa+Hello
- Rss reader + personal HomePage
- Travel and flight Gadgets
- Maps and Keyhole (Where I am and will be)
- Google WiFi + Mobile(He's exactly at "x,y" point browsing for $something, let's serve him "x,y" ads dealing with $something)
- Must have forgotten some…

If that's not enough - Knocking on our doors:
- Base (I don’t know if it's 3rd world discrimination but the login just loops)
- Wallet
- Micro payments, Macro payments
- Public domain registrar
- Google Plastic notebook for every child
- Google OpenOffice
- Google OS
- *Planet Google*

IMO The GWA's problem seems to be that it is just not sufficiently mature or understood (nor working), make it work and it's just small addition to a long list of what more would you like to know?

Google may have

access to your 'significant Personal and Financial data' but they don't have access to mine or millions of other peoples, yet.

So gilad is saying (as far as I can tell) that cuz google has access to a few not too bright peoples Personal and Financial data that they should have access to all the significant Personal and Financial data that is out there... how amazingly googlesque.

what more would I like to know? How about why google (a for profit Corporation) feels it is OK collect my (and your) personal data? What is google going to do with all that personal data that they are trying to collect? Is google just going to sit on all that hard earned and expensive data and do nothing with it... I don't think so.

Not Exactly...

what I'm saying.
I'm saying that Google access or denial to data with a new tool is just one apple in a full basket,
The bigger issue is Google's ceaseless data access and mining.

google has access to a few not too bright peoples Personal and Financial data

From my experience few info-holics and early-adopters (some of them hospitalized on TW) tend to block cookies, surf by proxy and generally camouflage their web experience and presence (for good reasons of course, even Matt turns referrers off),
But those who don't do that are the majority of the web and their data is exposed,
You say "not so bright" - Agreed,
"few"? Na... :-)

Regarding Google (Evil?) usage of the Information - we'll just have to wait and see, Nick collects the *exhibits*.

download now != install now

... it's a static html page that people reach when they click the big blue *download* button. It seems a little silly to me to embed referrer checks and stuff that probably won't work into JS on the page.

It may be a static html page. That is, not generated by a dynamic server side process. BUT the download button fires a javascript function that does a redirect based on the dl() function. So JS can't be used for one thing but can be used for another thing. The download can ONLY be accessed on that page by normal means if JS is turned on. It is an absolute requirement. (unless one is willing to do a view source, figure out dl(), and use wget)

It is at least somewhat disingenuous to claim that JS is not suitable for use on a static page and then make JS an absolute requirement to achieve the goal of the page.

by taking the route of a POST transaction instead of displaying a normal link, a user does not have the option of “save link as", which *would* be a download.

for the apologists mentioning sourceforge, et al, there may be a metarefresh or redirect, but the target is also available as a link, and the target is almost certain to be a .zip or .gz not an auto install .msi

at the very least there should be two options:

1. auto install (for those who don't give a rat's ass what happens to their machine.

2. download .msi and manual install

the best of all would be:

download as a zip with no .msi functionality with detailed instructions on a full manual install process.

to reiterate:

download now != install now

never has been, never will be, no matter what some MBA decides to put in their TOS.

unless google just bought dictionary.com

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.