Security Firms Fined Over Never-Ending Subscriptions

Barence writes "'Security firms Symantec and McAfee have both agreed to pay $375,000 to US authorities after they automatically renewed consumers' subscriptions without their consent.' The two companies were reported to the New York Attorney General after people complained that their credit cards were being charged without their consent. The investigators found that information about the auto-renewals was hidden at the bottom of long web pages or buried in the EULA."

Pathetic

[akanouras]

$375,000? That's petty change compared to how much they made out of it.

Re:Pathetic

[gnick]

This is unconscionable. AVG has also auto-renewed my subscription perpetually ever since I installed it. I want my bandwidth back!

Seriously though, "cost of business" is exactly right. If the return outweighs the risk*most-likely-consequence, no business would act ethically. It's like insurance companies randomly denying claims knowing that some denials will go unchallenged and they'll come out ahead. The punishment should outweigh the crime.

Re:Pathetic

[ObsessiveMathsFreak]

In the past, when an aristocrat or lord committed a crime against a lesser citizen, they were not held to account in the same way as an ordinary man would. Instead of summary justice, they needed only to pay a small fine or make some other slight amends. This included crimes such as aggravated assault and murder.

Our society is not so different.

Re:Pathetic

[lavacano201014]

They still have a free version but they just don't advertise it.

Re:Pathetic

[oakgrove]

However, this is good news in that despite the EULA containing info about the auto-renewal, that wasn't enough to justify the practise. Further proof that, in the eyes of the law, the EULA is anything but iron-clad.

Re:Pathetic

[Arthur+Grumbine]

They still have a free version but they just don't advertise it.

That's right, they've outsourced their advertising to WHOOSH, a small, but persistently oblivious content-writing firm with members all over the world, most commonly found posting in this thread.

Humph...

[fuzzyfuzzyfungus]

Anybody who is Anti-Symantec is objectively Pro-Virus.

Re:Humph...

[sakdoctor]

Synamic products = Virus
Anti-Synantec = Anti-Virus

Fine

[Hatta]

Security firms Symantec and McAfee have both agreed to pay $375,000 to US authorities

And how much are they going to pay to the people they defrauded?

Re:Fine

[Random2]

Were the people technically defrauded? They did agree to the service via EULA after all...

Re:Fine

[TheRealMindChild]

I'm sorry. While I agree that reading a contract of any merit is important before agreeing to it, some EULA's are DOZENS of pages. I have two colleagues who's whole job is solely to read and interpret EULA's for software that has potential of being purchased. Combine these two things, with the affirmation that you can screw end users by hiding fees in the EULA and you are asking for absolute disaster. It shouldn't be allowed at all.

Re:Fine

[snowraver1]

It's hard to say. As gets brought up on /. quite frequently, EULAs have never really been tested in court. I personally feel that they should be unenforcable because no one reads them, and they are too complicated for the average person. If they are enforceable, it makes it too easy for entities to slip in one-sided terms.

As a consumer, I would expect that any rebill stuff should be clearly presented to the customer to prevent any confusion, at the time of checkout. It should be in bold, and might include a checkbox to check representing that you understand that this will be rebilled.

I feel that at best, it was underhanded and deceiving, and at worst downright fraudulant.

Re:Fine

[Hope+Thelps]

Were the people technically defrauded? They did agree to the service via EULA after all...

That's the nature of fraud. Theft is when you take something that belongs to someone else without their permission. Fraud is when you trick someone into agreeing that you can have something. Some cases are very clear cut when the poor frail old lady is tricked into signing away everything she had, some are more mundane like this. There are a LOT of grey areas but getting someone to 'agree' to terms they haven't read or haven't understood is a common tool of fraud.

Re:Fine

[TheRealMindChild]

What is really sad is the increasing trend of LEGAL business models being dependent on misleading the customers.

You ever see that crap on TV "Try your free sample now! 30 day sample, FREE!!!". They tell you to verify you are over 18, you need a credit card. What they don't tell you, and what most people find out the hard way, is tucked away in your free samples informational booklet that you will never read is that when you ordered this free sample, you agreed to a monthly, recurring renewal of this product.

Ever want to try out a gym like Bally's? You know, where they offer you an introductory rate at almost nothing for a month? Yeah, about that. If you don't pay attention, then you forfeit your trial status if you don't appear at the gym something like 5x a week for that month, or you automatically become a "standard member" with all fee's and penalties applicable.

Ever seen a Cici's pizza, where they advertise their buffet for "Five Dollars and some change"? That is actually $5.99, without a drink, and if you are using anything but cash, you get nailed by a $1 "fee" for using their debit/credit machine. By the time you figure this out, you already have your family at the register, ready to eat. A little hard to back out then.

Some of these are more obvious than others, but the point is, we gave them an inch, and they took more than a mile. It is total bullshit and it is only getting worse.

Re:Fine

[david_thornley]

Precisely where it is now.

The typical EULA either denies certain rights to the user, or requires the user to do something, or establishes a potentially unwanted continuing obligation. Since the user is giving something up, this requires some sort of contract. Whether, and under what conditions, a EULA constitutes a valid contract is still heavily debated, and will be until either Congress does something about it (most EULAs cross state boundaries), or there's enough generally accepted case law.

The GPL does not deny you any rights you already had, or obligate you to do something. It establishes conditions on how you can do certain things that would otherwise be illegal. The user is giving nothing up, but if the user wants to do something beyond use the software, the user must comply with the license. This does not require any sort of contract.

Re:Fine

[hurfy]

Don't rely on the CC expiring. Sony managed to bill my expired Visa debit card for a Stars Wars subscription once. Turbine didn't for similar services. Not sure how that works but naturally i would have wanted it to be the opposite :( Got the bank to reverse after convincing them they couldn't explain it to my satisfaction why they let them bill an expired card.

Back on topic...

yup, that is barely a blip as a cost of doing business for them i am sure. Millions in subs vs $375k in fines is probably only a percent or 2. I don't see that they agreed to stop, nor any of the other bazillion companies doing the same. Just a feel-good deal for an Attorney General while the companies rewrite a couple lines of the EULA in CAPS....

Subscription services and auto-renewal are new?

[djh101010]

You know, I can't think of a single subscription service I have that _doesn't_ auto-renew. In fact, I would be quite annoyed if I had to explicitly tell them "Yes, please, I want the Internet / satellite TV / newspaper tomorrow as well".

Is there anyone surprised that if you sign up for a subscription, that it keeps going?

Re:Subscription services and auto-renewal are new?

[John3]

I get periodic statements for my newspaper and cable/TV/phone subscriptions. Generally speaking those subscriptions are month-to-month. If I don't send a check, the newspaper stops. These folks do offer automatic billing to your credit card, but the ones I have seen are VERY clear about this offer. They don't bury the renewal option in the fine print.

A better example to the anti-virus subscription is a magazine subscription. You know up front that you are signing up for a one year, two year, or some other subscription time period. As that time period nears an end (usually much sooner) you start to receive notices that you should renew. Even if you paid the initial subscription with a credit card, they don't automatically renew with that card.

Re:Subscription services and auto-renewal are new?

[atfrase]

You know, I can't think of a single subscription service I have that _doesn't_ auto-renew. In fact, I would be quite annoyed if I had to explicitly tell them "Yes, please, I want the Internet / satellite TV / newspaper tomorrow as well".

Is there anyone surprised that if you sign up for a subscription, that it keeps going?

I think part of the problem is that a lot of people still don't think of computer security in general, and virus/malware/etc protection in particular, as an ongoing necessity. People's computers slow down, crash, display popups or whatever, they go out and buy some product to "fix it", and think of it as a one-time deal. They don't think of it as a "subscription" and don't expect to have to renew it.

Sting those bastards with a charge back

[sakdoctor]

It's not immediately clear if the companies will be governed by the same rules in the UK.

The charge-back form from your bank, will most likely have this scenario as one of the generic reasons for issuing a charge back.
I caught sneaky virgin media dipping in for an extra month (before they turned super evil), but the money was back in my account within a few weeks.

They'll get a charge back fee for sure; though the companies size probably makes them immune from having their card processing facility revoked, for excessive charge backs. Shame.

Re:Sting those bastards with a charge back

[bcrowell]

Charge-backs aren't always that easy to do. I had one that I thought was super-straightforward (merchant charged me twice in a row for the same thing, and wouldn't communicate with me about the problem), but the cc company wouldn't do the chargeback because my evidence didn't convince them.

If you've got a recurring charge that you want to cancel, and you have a feeling that the company might be sleazy about it, the simplest thing to do is just cancel the cc number associated with the periodic billing, and have your cc company set you up with a new card and a new number. Same thing you'd do for any other kind of fraud, such as identity theft. If you have other recurring payments on that card, you do have to change them to the new number, but that's probably less than half an hour of work if you don't have too many of them -- that's a lot less than the amount of time you could spend banging your head against the wall trying to deal with the dishonest company that's the source of the problem.

Trying the charge-back can't hurt, of course. If the merchant is both small and sleazy, it might actually have a significant effect on them. If there are enough charge-backs, the cc company will shift them to a higher-risk category (which costs the merchant money).

The sleaziest example of abusive recurring charges I ever had to deal with was with the company that was providing me with a merchant credit card account. I canceled the account, but then a year later their charges mysteriously started showing up on my monthly cc bill again. Getting a new account number was my cc company's suggestion. Worked great.

Rebills?

[basementman]

I wonder if this means they will also begin cracking down on people promoting rebills (crap online products that start with an initial buy in price of $2 but then charge you another $60 after a month). Which they try to claim they're legal because they bury it 4 pages in on the Terms and Conditions page which is link to in fine print on the bottom of the sales page.

Malware

[Mr_eX9]

Antivirus companies: The world's only legitimate malware vendors.

Do I get some of that fine money?

[charleste]

<rant>About two years ago, I noticed this after I actually went to their website AND called to cancel prior to renewal. It still renewed, and the "customer service" rep had the balls to tell me that they couldn't refund my money when I called about it. I took that one as far up the food chain as I could - including writing an email to the president or whatever, and got the "immediate" response that they wouldn't auto-renew NEXT time. It took approximately 3 months to get my money back. ONLY because I had documented my cancellation with workers numbers and crap. I figure they owe me about $600 in time. </rant>

Re:Do I get some of that fine money?

[JSBiff]

I find it very. . . interesting, that on the McAfee website, you can turn ON the auto-renew yourself through the account management, but to get it turned OFF, you have to contact their customer service reps. What kind of BS is that? I'm getting my parents away from McAfee, and I myself left McAfee a couple years back. They used to be a good company to deal with. Now, I just don't trust them anymore. Setting up your website like that just screams out to me that they are trying to make it as hard as possible for people to get out of the auto-renew.

Re:If you buy from abusers, expect to be abused.

[MightyMartian]

I don't deal with either, not because of this, but because they're products suck. I use F-Prot nowadays, cheap and simple, with a dead-dog simple LAN client. I wouldn't install Symantec's garbage on my worst enemy's computer, because I'm a bastard, but not a cruel bastard.

Home users shouldn't pay for Antivirus

[pdragon04]

I run my own home computer repair company (but don't have enough bandwidth to post my URL here). I give all my customers the free versions of AVG, Avast, or Clamwin, depending on their needs/preferences. Usually throw on Spybot and show them how to use the Immunize feature as well. My advice to them is to never, EVER pay for Antivirus/Antispyware software ever again. It's doesn't prevent infections and they end up just having to pay someone to fix it for them anyway. The free stuff is plenty good enough for notifying them when an infection has occurred. My customers thank me for my honesty, for saving them money, and I get plenty more business than I ever would shelling out subscriptions to crap like this.

Re:EULA not binding

Hmm, there is no case law contradicting his statement.

see how easy that is without proof?

Free Alternatives

[the_denman]

There are plenty of free alternatives out there, I personally prefer AVG. Here is an article laying the free options out for you.

Read the fine print. . .

[JSBiff]

Those "Free" versions (AVG, Avast, maybe others) are often restricted in the fine print so that you can do no commercial activity whatsoever on your computer. It's ambiguously enough stated that even just using a remote access program to access your computer at your job to do work from home might be violating the EULA. Granted, it's not likely that they'll actually catch you, but the point still remains that if you do anything that might be construed as generating income now or in the future, you might be a fly in their web.

Not an issue as much with ClamWin, but ClamWin has no real-time scanner, which despite the parent post's assertion, do sometimes stop infections before they happen (not always, it's true, but enough of the time that it's definitely worth having anti-virus software of some sort). The On-access scanner isn't *required*, but most users will not remember to manually scan stuff 100 percent of the time. The On-access scanners, will provide much more consistent protection against infection than a manual scanner, for most users.

Personally, I've been using the AVG Free edition, and if I need to upgrade to a 'commercial use' license in the future, AVG seems to have slightly better prices than most of the others out there.

Standard here in NL

[tsa]

Here in the Netherlands automatic renewal of subscriptions to anything is standard. You have to call or write to the organization to stop your subscription by the next renewal period. This is extremely annoying and tedious of course. I'm so glad I have an American provider for my websites and email! Every year I get an email from them, in which they ask me in a friendly way to renew my subscription. That's the way I like it!

Re:If you buy from abusers, expect to be abused.

[hairyfeet]

Yeah, which is a shame, as in the days of Win3.xx and Win9X Norton stood for quality. In the shop i was working at at the time we pretty much insisted that a customer pick up Norton Utilities with their new PC purchase. Norton Utilities and especially Disk Doctor were simply miles above anything MSFT packed with the OS and would often fix things that would have meant a return if you only used MSFT tools. But then Win9X gave way to WinNT arch and they just went down the shitter.

Now as far as AVs go, I give Avast! to my customers that still have Win2K workstations(like the one I am typing this on) and Comodo Internet Security to those on XP32/64 and Vista. While I think Avast! runs better on older hardware Comodo is simply more user friendly IMHO and seems to be the best I've tried so far for 64 bit Windows. On my XP X64(which despite all the horror stories I heard actually turned out to be a damn fine OS) it hardly uses any resources and does its job quietly and effectively. So my rule of thumb is-older machine equals Avast! and newer and 64bit equals Comodo.