Can TRUSTe be TRUSTED?

Recently posted by TRUSTe concerning Coupons, Inc: (the original post can be seen here)

Coupons, Inc. is a perfect example of the close cooperation between Trusted Download publishers and the TRUSTe compliance teams to maintain high standards for trustworthy software. On December 20th, Coupons, Inc. rolled out a number of significant changes to their Coupon Printer Software that addressed concerns raised in September. To improve registry key and naming, the new version of the software uses an improved security scheme that writes only one registry key placed in a typical location, named in an appropriate manner. During installation all users accept the process as described in the EULA. The new version uninstaller removes the files left behind by the previous versions. Users who didn't receive the automated upgrade for technical reasons received an email from the company with user upgrade instructions. Finally, Coupons, Inc. updated its HELP section so the small number of users who may have missed these notifications, can easily find information on how to uninstall older versions of the software.

This is an excellent outcome to a long, but ultimately productive process. A user found a problem, filed a complaint, and TRUSTe worked with the Participant to make necessary corrections. This is the essence of our approach -- encourage good behavior from certified companies, and address problems promptly to provide a good consumer experience.

Posted by Irina Doliov, Sr. Product Manager

My email to TRUSTe in response

Jordan,

TRUSTe really needs to test Coupons, Inc's software again and retract the blog entry posted on the TRUSTe blog.

It is more than obvious that either TRUSTe failed to test currently distributed software by Coupons, Inc or ignored the impact Coupons, Inc software has on end users' computer systems. The initial complaint filed by Professor Benjamin Edelman was based in part on Coupons, Inc's practice of using deceptively named Windows registry keys and file names. This practice, although TRUSTe reports it is no longer in effect, continues with their latest release.

My steps:

  1. Installed a fresh copy of Windows XP SP2 on a reformatted hard drive and installed all security updates available through the Windows Update site.
  2. Took a snapshot of my registry and file system.
  3. Installed Coupons, Inc's coupon printer software which was obtained by visiting their website and attempting to print a coupon from their website.
  4. Took a snapshot of my registry and file system.

My conclusions:

  1. The software provided by Coupons, Inc created two files (with read only and hidden attribute set) and placed them in my C:\windows directory. These files are called WindowsShellOld.Manifest.1 and uccspecc.sys.
  2. The software provided by Coupons, Inc created five registry keys. These registry keys are called:
    • HKLM\Software\Microsoft\Windows\CurrentVersion\UccSpecC
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Controls Folder\Presentation Style
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\EnableAutoTrayHistory
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\URLDecoding
    • HKLM\Software\Classes\Manifest.Template.1

    (Please note, multiple tests were conducted and the Coupons, Inc installer picks a random key from five to place in the HKLM\Software\Classes hive of the Windows registry. The remaining four keys are:

    • HKLM\Software\Classes\English.cpl
    • HKLM\Software\Classes\Web.Template.URL
    • HKLM\Software\Classes\NODEMGR.Cache
    • HKLM\Software\Classes\Web.IndexCache.1)

  3. Uninstalling software provided by Coupons, Inc does not remove any of the above mentioned files or registry keys.

These registry keys and files are either identical or nearly identical to the files and registry keys reported by Professor Benjamin Edelman in his initial watchdog complaint, and the same or nearly the same registry keys and files which TRUSTe mandated that Coupons, Inc rename and finally remove upon uninstalling of the Coupons, Inc software. It is completely unclear why TRUSTe now claims that "the new version of the software uses an improved security scheme that writes only one registry key placed in a typical location, named in an appropriate manner" when in fact, the new version of the software acts in the exact same manner as Professor Edelman reported in his initial watchdog complaint.

In addition, Coupons, Inc has added an additional file which is deceptive in nature and is not removed from the user's computer when the software is uninstalled from the user's computer.

When attempting to print a coupon from the Coupons, Inc website, couponprinter.ocx downloads (without checking for appropriate signature) "cpnprt2.cid" and places the file in either c:\windows or c:\windows\system32 with the "hidden" and "read only" attributes. This file, in fact, is a DLL file and not a CID file and contains the print engine of the latest released version of Coupons, Inc's software. Additionally, cpnprt2.cid survives the uninstall process of Coupons, Inc's uninstaller and the users are neither told it will be downloaded, that it exists, what its purpose is or that it will survive an uninstall. (I have further concerns about cpnprt2.cid which will be addressed in my blog when time permits.)

It is obvious to me that TRUSTe has failed to require Coupons, Inc comply with mandates issued by TRUSTe. What is not so obvious is why TRUSTe reports Coupons, Inc has complied. Users around the internet have come to rely on TRUSTe endorsements. These endorsements provide a guarantee to these users that the website they are visiting or the software they are installing is TRUSTED. Credibility in this system is lost when TRUSTe blindly endorses a company which completely ignores mandates TRUSTe issues without full testing by TRUSTe to ensure those mandates were met.
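
The snapshot comparison described in the steps above can be scripted. The following is an added example, not part of the original email or any Coupons, Inc or TRUSTe code; it goes one step further than the two snapshots in the steps by adding a third snapshot taken after uninstall. The snapshot contents are constructed from names quoted in the post, and the `ExampleVendor` path and the `OS_NAMESPACES` prefixes are assumptions.

```python
# Added example: three-way snapshot diff for installer residue.
# Snapshots map a file path or registry key to its attribute tuple.
# All snapshot contents are constructed; names come from the post above.

# Assumption: prefixes treated as belonging to the OS rather than a vendor.
OS_NAMESPACES = (
    "c:\\windows\\",
    "hklm\\software\\microsoft\\windows\\currentversion\\",
)

def created(before, after):
    """Items present in `after` but not in `before` (case-insensitive paths)."""
    seen = {p.lower() for p in before}
    return {p: a for p, a in after.items() if p.lower() not in seen}

def residue(baseline, installed, uninstalled):
    """Items the install created that still exist after the uninstall."""
    left = {p.lower() for p in uninstalled}
    new = created(baseline, installed)
    return {p: a for p, a in new.items() if p.lower() in left}

def flags(path, attrs):
    """Reasons a leftover item deserves a closer look."""
    out = []
    if path.lower().startswith(OS_NAMESPACES):
        out.append("os-namespace")
    if {"hidden", "readonly"} <= set(attrs):
        out.append("hidden+readonly")
    return out

def report(baseline, installed, uninstalled):
    left = residue(baseline, installed, uninstalled)
    return sorted((p, flags(p, a)) for p, a in left.items())

BASELINE = {
    r"C:\windows\notepad.exe": (),
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": (),
}
INSTALLED = {
    **BASELINE,
    r"C:\windows\uccspecc.sys": ("hidden", "readonly"),
    r"C:\windows\WindowsShellOld.Manifest.1": ("hidden", "readonly"),
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\UccSpecC": (),
    r"HKLM\Software\Classes\Manifest.Template.1": (),
    r"C:\Program Files\ExampleVendor\app.exe": (),  # hypothetical, removed on uninstall
}
UNINSTALLED = {p: a for p, a in INSTALLED.items() if "ExampleVendor" not in p}

if __name__ == "__main__":
    for path, why in report(BASELINE, INSTALLED, UNINSTALLED):
        print(path, why)
```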
