By S. Housley
Nearly every company makes mistakes.
In my opinion, once a mistake is discovered,
how the company handles that mistake is
more telling than the mistake itself.
In this world there are big mistakes
and there are little mistakes. Digital River
recently collected information related to usage
and installation of its SoftwarePassport application,
without disclosing the tracking to its customers.
The actual tracking was done by including a
UserAx.dll in the recent versions of SoftwarePassport
and Armadillo.
Developers obviously have a number
of concerns related to the new DLL. I'm hoping
this article will separate fact from fiction,
and get to the heart of the matter.
The concerns expressed by many
of the developers were valid and not the result
of paranoia. Many industry professionals initially
felt that the developer fears were overblown
and a result of the adware scandal that plagued
the industry a few years ago. After witnessing
the fall-out from the adware problems, when
adware companies failed to disclose to developers
they were tracking surfing habits of end-users,
I think the alarm that was sounded in the industry
regarding Digital River's inclusion of the
UserAx.dll was appropriate. Many developers
bore the brunt of the adware scandal with tarnished
reputations and their livelihoods significantly
damaged. Realizing it is important to learn
from history, Digital River appears to have
taken developer concerns seriously.
I contacted Brant Pallazza, a
VP within Digital River, and requested an interview.
Brant was able to coordinate answers to my questions
from the Silicon Realms support staff. I felt
it best to clarify some of the issues that have
been raised. I also felt that it was important
that developers understand the issue and that
all views be represented. For simplification
in the questions that I asked the Silicon Realms
support staff, I referred to UserAx.dll as the
"marketing module".
For clarity I've bolded the questions
and italicized the responses from Digital River.
Brant started off by clarifying the term
"marketing module" that I used to
describe UserAx.dll below.
To clarify, UserAx.dll is
not actually a 'marketing module'. It was never
intended to be used for any means of sales or
marketing. It would be more appropriately labeled
as a 'technical support component'. Given that
many of Digital River's clients were having
difficulty utilizing the functions within Software
Passport, Digital River's intent was to use
the Relevant Reach technology to help troubleshoot
the problems clients were having during the
download/installation process.
1.) In what versions of
Armadillo and SoftwarePassport does the marketing
module exist?
Only Armadillo v4.01 and v4.01a
(SoftwarePassport v2.0.1 uses Armadillo v4.01a)
still search for the UserAx.DLL file, but
will load it ONLY if it is found in the same
directory as your protected program. However,
even if it is found there, data will only be
collected and sent to the Relevant Reach servers
if the author has an account with Relevant Reach
and the appropriate information on the user's
machine. In Armadillo v4.00 beta-1 and v4.00
final (SoftwarePassport v2.0 uses Armadillo
v4.00) you have the option to enable tracking
of your protected program (if you have an account
with Relevant Reach) by distributing the UserAx.DLL
file with your program. If you do not use Relevant
Reach, your protected programs will not be affected
-- no data is collected. In the rare case that
the UserAx.DLL is found on your machine without
you explicitly installing it there, your program
still won't phone home unless you have an account
with Relevant Reach and the appropriate information
on the user's machine. (This could occur because
Armadillo v4.00 Beta-1 and v4.00 final simply
used LoadLibrary to search for that DLL, meaning
it will be found if it is anywhere in the path.)
This issue was addressed in the v4.01/v4.01a
release, which attempts to load it only from
the directory where the protected program resides.
Armadillo v3.78 or earlier, and SoftwarePassport
v1.2.0 or earlier were not affected in any way,
as they didn't include this integration at all.
2.) Was the inclusion of
a marketing module in Armadillo or SoftwarePassport
disclosed to software developers in a EULA or
documentation?
No. We apologize that the installation
of UserAx.dll was silent. That was a mistake
and we apologize for not confirming it was there.
3.) Is any information related
to a developer's installation and usage of SoftwarePassport
or Armadillo passed to Digital River via Digital
River's Relevant Reach account?
Yes, only in the versions mentioned
earlier. SoftwarePassport information relating
to the completed download, the installation
start and complete, and the number of times
the program started was collected anonymously.
Information was collected about the SoftwarePassport
usage only. Information regarding the usage
of the Armadillo Classic interface was not collected.
4.) If an application is
wrapped with SoftwarePassport or Armadillo is
any information related to the developer's end
user's usage passed to Digital River?
No. The ONLY way information
could have been collected from your protected
applications is if you, the developer, chose
to collect that information, set up your own
account with Relevant Reach, and distributed
the UserAx.DLL file with your protected program.
Regardless, DR would not have access to the
information.
5.) Can the information
be passed to anyone other than Relevant Reach?
No.
7.) The Relevant Reach
website references a number of items that can
be tracked. What specific information does the
Digital River marketing module track?
We collected the following
information, anonymously:
- Download start attempts
- Download completes
- Installation of SoftwarePassport starts
- Installation of SoftwarePassport completes
- The number of times SoftwarePassport was started
Again, for clarification, we
did not collect any information that could in
any way connect a user to the program.
Our data was aggregated to
show trends, total numbers only for the purpose
of troubleshooting SoftwarePassport.
8.) Some developers have
expressed a concern that the marketing module's
DLL in question will eventually be tagged as
spyware, whether or not it actually sends data.
If that occurs then every Armadillo 4.x protected
application will be marked as spyware. Is that
correct?
No. Relevant Reach has expended
time and energy to cooperate with, and ensure
white listing of their program within the spyware
definition market. In addition, as clarified
in question 1 above, Armadillo v4.00 beta-1,
v4.00 final, Armadillo v4.01 and v4.01a are
the only versions that have integrations with
UserAx.dll of any sort. Armadillo v4.05 beta-2
and Armadillo v4.05 final and future versions
will never look for UserAx.dll no matter what.
Customers with Relevant Reach accounts can contact
us for a version of SoftwarePassport that includes
the integration.
10.) What assurances can
you provide developers that the new marketing
module will not be tagged as spyware?
Relevant Reach is a component
that collects anonymous data. How the publisher
chooses to integrate this product, and how the
publisher chooses to communicate this to the
end user will determine whether or not third
parties would consider the program spyware.
For Digital River, it was clear that the usage
of this technical support component without
full disclosure to our customers was a mistake.
This is the reason why we've completely removed
the program going forward.
11.) Developers worry that
it is possible for an existing Relevant Reach
activated application to "enable" the marketing
module that is on the same system in another
application. Is it possible?
In other words, an Armadillo
or SoftwarePassport wrapped application includes
a DLL in the directory of another program that
appears to be protected with Armadillo or SoftwarePassport,
thus passing that application's information back
to Relevant Reach. Is it possible for this to
occur?
No, it is not possible. Again,
only SoftwarePassport included the Relevant
Reach component. The Armadillo Classic Interface
did not include or capture any data. That being
said, the developer (or software publisher)
would need to have an active account with Relevant
Reach in order for any data regarding their
program to be collected. This would be a conscious
decision and a full integration with the Relevant
Reach library.
12.) Will a final version
of Armadillo and SoftwarePassport be made available
that does not include the marketing module,
not just the option to turn it off? If so when?
Yes. As posted in the Silicon
Realms public forum, Armadillo v4.05 Beta-2
is now available via the Silicon Realms website.
This new beta version NEVER looks for the UserAx.dll,
no matter what.
13.) What efforts will
be made to contact existing Armadillo and SoftwarePassport
customers to disclose the usage of tracking
information available in SoftwarePassport and
Armadillo?
An email will be sent to users
who have purchased Armadillo and SoftwarePassport
versions that integrated with Relevant Reach
and the information contained from the website
will be presented to them for review, along
with links to download versions of Armadillo
which do not include the Relevant Reach library.
14.) What assurances can
be provided to developers that full disclosure
will occur in the future?
Going forward, any inclusion
of a library or component in which data can
be collected will be completely optional. In
fact, users will need to explicitly and consciously
opt in to have this component included with
their download. All information will be available
to the end user to understand and accept/reject
the inclusion of the library within the install
of SoftwarePassport.
Commentary from SMR
Let's take a look at Digital River's response
to their error. The initial response to concern
expressed by developers was posted to: http://siliconrealms.com/relevantreach.shtml
. The post was in response to posts in the Silicon
Realms forum, and a private forum frequented
by developers. Because many of the developers'
concerns were posted in a private forum, Digital
River had to be very careful that their response
was public. Being a publicly held company,
any private responses had to be carefully worded,
so that they could not be misconstrued as
insider information.
One of the paragraphs in the public
post included a statement that did nothing
more than anger and frustrate developers.
In my opinion, the Aluria certification
of Relevant Reach is a bit of a red herring,
because it clearly relates to the Relevant Reach
website, not their tracking application. Also,
many developers felt that paying for certification
created an illusion that was nothing more than
a false sense of security. Aluria does not have
any global influence with anti-spyware applications
that would prevent the UserAx.dll from being
marked spyware.
That being said, I think that
even within the constraints of a large company
Digital River has ultimately handled the situation
professionally.
I think Brant Palazza, VP of Shareware
Division accurately summarized the situation
in his final comments:
At the end of the day, it was
a poor decision to include the Relevant Reach
code into SoftwarePassport especially without
the express consent of the users. I hope that
DR's quick reaction in releasing a "clean" version
is a demonstration to all that the inclusion
of the code was not done with any intention
other than to improve the usability of Software
Passport, as the attached responses indicate.
As an owner of a small business
who has made mistakes, I appreciate Brant's
candor. Ultimately, the developers who have voiced
their concerns the loudest represent a very
small portion of Digital River's business, yet
Digital River listened and quickly removed the
offensive DLL. While I don't feel what Digital
River did was right, and their response was a little
slow for my taste, I understand how corporate
bureaucracy works and realize their intent was
not to harm developers but to collect information
to increase their conversions, something all
developers try to do every day.
About the Author:
Sharon Housley manages marketing for FeedForAll
http://www.feedforall.com
software for creating, editing and publishing
RSS feeds and NotePage, Inc. http://www.notepage.net
a wireless messaging software company.