@kartal

"The thing is that OC installs itself(in the program directory as dll and in the registry) and does not tell the user about it even if the user does not want to install the recommended software, based on my experience."

@PhilB66
"I asked a similar question some 70 posts ago.... http://www.donationcoder....18297.msg164050#msg164050"

The fact that not ALL publishers (developers recommending other software via OpenCandy) were disclosing OpenCandy in their EULA was an oversight. It was an honest mistake and I apologize.

Effective immediately no NEW publishers will be allowed to release an OpenCandy powered installer without disclosing it in their EULA (along with a link to our privacy policy).

In addition, EXISTING publishers utilizing OpenCandy that have not disclosed so in their EULA (with a link to our privacy policy) are being notified NOW that they MUST update their EULAs.

@app103
"Let's say I install something containing OC and decline the recommended application. Then the next time because of the stuff they left on a user's system, they know what I previously installed, so they don't offer me that, and they know what I declined and won't offer me that again, either. After awhile, after a sizable portion of the world's developers are using OC in their installers (which is what they are hoping for), it would be possible to gather a pretty large list of what a user has installed on their system and what they are not interested in, in a single shot."

OpenCandy's recommendation engine doesn't function to build a database of what software people have installed on their system. It's function is to make a "good" recommendation. So if 90% of computers install "Bob's Bodacious Biorhythms" software when it's recommended by "Julio's Horoscope Creator" then statistically we (and Julio) are probably making a "good" recommendation. The inverse, if "Joe's Awesome Task Manager" recommending "Frank's Fantastic File Syncing Tool" results in zero installs then it tells us that "Joe's Awesome Task Manager" should look into recommending something else.

@app103
"But if it is harmless and not capable of doing anything, what would be the reason for leaving it and any registry entries related to it on a user's system after the install process is completed, unless it is to activate and/or retrieve other data later, such as the next install of anything containing OC?"

The OC dll is also called during uninstallation.

We provide (aggregate, non-personally identifiable) statistics back to publishers about installation and uninstallation of their software. The idea being that anonymous statistics like (a high percentage of) uninstallations can help a developer recognize if something needs to be fixed, changed, enhanced in their software (though they're going to have to reach out to their users to find out the actual reasons). 

@app103
"Combine that with the data they can collect from your IP address when it contacts their servers, and they can pretty much know where you live, your connection type, what ISP you use, whether you install software at night more than during the day, on weekends rather than during the week, and a ton of other statistical data about you,too. Even without knowing your actual identity and precise street address, they can know a lot about you. This is what is not told to the user, and it's this type of information collecting the user doesn't know about and hasn't consented to."

The key words are "can collect". We don't. As I've stated previously (and as written in our privacy policy), we don't store your IP address (we do use it to determine what COUNTRY you are in), we don't care about your ISP, connection type, or when you install software. The user is told and consents to it when they accept the EULA for the publishers software they are installing.

@cmpm
"Why is it I had to point out what is installed where? And not OC's webpage."

We are currently in the process of re-architecting our entire website. Currently it has ZERO flexibility to work with content. Also, previous to me being hired at OpenCandy there wasn't a single/central person (who had time and was responsible for) getting content/information on the website. So a lot of the information I've provided here will be available on our website as well. :)

@cmpm
"What exactly is that dll doing in it's own folder as well as other programs, after the install, nothing? Is it waiting on input? Is it sending anything anywhere?"

Answered above in response to @app103. It does not send anything, anywhere except during installation or uninstallation of a publisher's software. The information sent is disclosed in our privacy policy.

@cmpm
"No, Dr apps I don't see you as a tech, as in computer technician.
Unless you are just not saying. Cause you haven't said anything that leads me to think that you know much more then anyone with google and some scanners."

Ouch! ;)

I am. It's what I've been during for years. This thread hasn't afforded me the opportunity to prove my "geek cred". But I'm around (on Twitter, now here, and hopefully I'll launch my new blog soon)... So, there will be plenty of opportunities for me to share my tech knowledge. :)

@cmpm
"And most troubling is the lack of willingness to disclose the users of OC. If it's so great then why is it not revealed before installs. There's other questions not answered
as well."

Answered above in response to @app103. ALL Publishers MUST disclose OpenCandy via their EULA.  Publishers are free to decide for themselves if they want to talk about OpenCandy on their websites (though we encourage them to blog/inform their community about us!), some of them already do (I linked to some, a bunch of posts back). Also, we have "Powered by OpenCandy" on every recommendation screen and we have a link to our site in the downloader. I also mentioned earlier in this thread that we plan to have an OpenCandy link (and possibly a link to specific information about the recommended program) in the recommendation screen but due to technical issues it hasn't been implemented yet.

BTW, our privacy policy is available here: http://assets.opencandy.com/privacy-policy/ Also, if anyone wants to check out our SDK and documentation, it's available here: http://www.opencandy.com/participate/ (I didn't link to the direct download of our SDK because when it's updated the file name changes).

Thanks. :)

Dr. Apps

@mouser
"...or is it just a dll/library that is part of the installer and only runs during installation and uninstallation?"

Yes, that's exactly right. :)

@mouser
"This is about the time when andrew is probably regretting he ever joined in this discussion, since answering the posts in this thread has become a full time job for him  huh

If it's any comfort -- i do think the thread is an overall positive thing for OC -- in letting you explain the workings of it to people who might be initially skeptical.  Not everyone will like it, but at least this thread will be a place they can find out more and see both sides discussed reasonably."

Haha. :) Nah, I don't regret it at all. Sure, it's taken quite a bit of time though :) But it's helped me confirm I made the right decision to join OC, because through explaining what we are doing I've gotten some positive feedback from people, that, on the whole, are just like me... security and privacy minded techies.

@cmpm
"He is a salesman mostly, not a tech, nothing wrong with that."

Fair enough, I'm part salesman. I've been selling myself as well as inanimate objects since I was 12 years old. It started with comic books and baseball cards, then burritos, then financial plans because I believed in trying to help people create a legacy, then IT services to help secure Windows machines for small businesses and home users. And now I'm with OpenCandy because I believe our technology will help fuel innovation & competition in the developer community which in turn will benefit the user community. And I'm proud that we do it in a way that doesn't trample over user's privacy and rights.

I'm definitely a tech (techie), but I'm just not a developer, programmer, coder or engineer (guess those terms are relatively interchangeable). I've personally asked pretty much every question that has been asked on this thread before I accepted my position at OpenCandy. I've asked it to our engineers, our business development team, our founders, and everyone else. I've digested it and I'm putting it out here as best I can in the terms that I'm most familiar with. Of course, if I haven't answered a question (technical or otherwise) clearly enough, please let me know. :)

@mouser

As cmpm confirmed -- it's just an extra dll that the setup program loads.

Which is how i assumed it worked when andrew explained that OC can be integrated into Inno Setup and NSIS Installers.  And that's really a very clever, non-intrusive way of doing it, which i think should be applauded.  Much of the resistance from people on this thread may result from the fact that people assume that OC is installing some standalone program that is running in the background, etc.

Really OC is not doing anything all that different from what many installer tools from larger companies *already do* (i.e. show some blurbs during installation, offer to let people download another related program from the company, etc.); OC just seems to offer an easier and standard way to do this for the developer who is creating the install package.

I think it's pretty clever actually.

:up: And, at least with OpenCandy, you DON'T have the classic: Click Next -> Next -> Next -- "OMG! How did I get BrandX toolbar?"

@kartal

ok here is my bet, I am putting my 100$ if anyone wants to bet on it.

I am %100$ sure that in 2 years OC will become an application that will try to install hidden stuff and spy on your download-installation activity. If anyone wants to bet I am accepting bets. Since we do not want to gamble lets keep the amount not more than 100$.

I'll bet $100 against that. It'll never happen. We will NEVER install hidden stuff or spy on people.

@mouser

"i think it should be pretty clear by now that if OC start to make some evil changes  -- you can be we will all be screaming bloody murder here on this forum :)"

Amen to that! I'd be here screaming bloody murder too because I'd leave the company in a heartbeat if that ever happened (which it won't).

@app103

"I have teamed up with a company with a proven track record of abusing the trust of everyone. But don't worry, the founder of the company says he saw the light and he is all reformed now.

What company has a proven track record of doing that? Certainly not OpenCandy.

The business decisions that were made at DivX were made and done... at DivX. This is about OpenCandy. Our business decisions are driven from our vision (which I've covered extensively in my other posts on this thread) and our mission is to carry out that vision in a user-centric and user-friendly way that provides a measurable value to users (discovery of great software).

And regarding what DivX did (which I said I didn't approve of), they stopped doing it in 2004.

@app103
"I trust him, because the guy that he sent to talk to me seems like a likable guy, and that is what is really important. Whatever the nice guy says about him must be true and his motives must be pure & honorable, just because the nice guy says he believes it.

Of course I don't have any proof that the nice guy is telling the truth or that he believes what he is saying..."

The proof about what I'm saying about OpenCandy is being verified (in real time) by people like @mouser and @cmpm.

The proof that I believe what I'm saying...is that I'm saying it. Just like the proof that you believe what you are saying is that YOU are saying it.

I didn't blindly believe what the folks at OpenCandy told me previous to, and during my interview. I did research, I asked the hard questions. I wanted to know that joining OpenCandy (if I was hired) actually aligned with who I am as a person (which at the end of the day is a user advocate).

@app103 If I ever see you broken down on the side of the road........................................ You guessed it. I'd be the person that stops to help... and yes, I'll still help even if it's you! :)

Off-topic: I started a thread entitled "What makes an application "useful"?" at https://www.donationcoder.com/forum/index.php?topic=18350.0 Check it out and share your thoughts.

Thanks again everyone. :)

Dr. Apps

Apology accepted @superboyac. And sorry about the signature everyone. There wasn't anything subversive or psychological about it. I'm kind of an old school/old fashioned guy and sometimes I'm perhaps a little too formal... My father was pretty strict which is probably the reason (I also tend to be overly polite). In this case I thought the right thing to do was put my info in the bottom of my posts, not knowing that some people like to hide (I didn't even know you could hide) signatures on DC. I should have spent time going through my profile and putting my signature in there. Side note: If anyone here every meets me in person, you'll notice I'm even worse at saying goodbyes. I'm the type of person that worries that every time I say goodbye to a person (even if I'm supposed to see them the next day) that it could be the last time I ever seen them.

And now for my shocking (and slightly embarrassing) revelation: Until now the only time I'd ever posted on a forum was about 10 years ago... on a Volkswagen forum. :) When I started the Appsolute Tech Show (my defunct podcast about great Windows/Mac/Linux software) it was the first time I was using my tech knowledge to give back to the online community (I've been doing it offline for a long time). From there I discovered Twitter and thought it would be a good place to help people with hardware/software problems and post when updates to software that I loved were available. So, historically, I've pretty much kept to myself on the internet. Which explains why I'm still learning forums and good "netiquette". :)

To that end: I added my signature via the DonationCoder profile settings and I will no longer manually put it in the body of my posts. :)

@kartal

No personal offence taken. When I interviewed for my position at OpenCandy I was skeptical as well. I'd been around long enough that MY intuition was telling me something could be fishy. But something in my head made me make the decision to get on a plane for the first time in 15 years and fly 3000 miles to meet with the OpenCandy team (the whole story is here: http://www.opencandy.com/blog/entry.php?id=7). My intuition was wrong (which is rare)... I made the right choice to visit with the team because I found people that are passionate about solving a problem: regular people still have trouble discovering great software and developers still need new (or better) methods of distributing software and some developers (like freeware and open source) would like to make money (outside of donations or Cafepress t-shirts) from their existing software distribution but do it in a way not previously possible (user-friendly, opt-in recommendations for software they personally use and/or love).

We all have to find a way to make a living. To me the greatest thing you can do is to find a way to get paid doing something you love and are passionate about. I'm passionate about software and have personally (face to face) introduced hundreds of people to software they had no idea existed. Now I have the chance to reach even more people.

@cmpm

I think I understand what you are asking, but if I miss something, please let me know. :)

@cmpm "Is it a download that will install in the computer?"

You mean OpenCandy right? OpenCandy is a plugin that developers integrate into their software installer to make recommendations. The OpenCandy plugin has absolutely no functionality outside of the software installer it was integrated with. If you choose to accept a recommendation, then the OpenCandy download manager (which is part of the plugin) will open up and download the installer for the software you choose to install. That's it. The OpenCandy plugin/download manager has no persistent functionality.

@cmpm "Probably like one of those update checkers."

I think I covered that in the previous question. But no, OpenCandy is not like an update checker, it's only functionality is allowing a developer to recommend software during installation of their software and to download the recommended software if the user chooses to accept the recommendation.

@cmpm "Is it web based or a program to be installed?"

OpenCandy's technology includes both an installer plugin and our backend technology which instructs the installer which software it can recommend based on the pool of applications the developer chose.

@cmpm "Hope you get the thing in the open soon.
Then it can be tested."

It can be tested today. OpenCandy recommendations are in millions of downloads every month. To see it in action you can check out some of the programs I mentioned a few posts up.

@Carol Haynes

"When you install an application are the recommended title installers included in the download or does the installer download the extra software as required by the user? If the latter is the case then this is a better alternative than every bit of software you download including extra crap - I am personally sick of wasting time and bandwidth downloading Yahoo toolbar every time I download a shareware trial or update an application (like CCleaner). If the installer merely contain the suggestion and a pointer that to me would be a step forward."

OpenCandy = No extra software bundling! That's one of the unique things about how the OpenCandy system works. The only thing included is the OpenCandy plugin that goes in the installer of the application that wishes to recommend other software (installer plugin is about 300k). Only WHEN/IF the user chooses to ACCEPT a recommendation does our download manager launch to download the accepted program's installer.

@Carol Haynes "How easy wold this system be to spoof and cause real mayhem across the internet - if there is no control over where you choose to download applications from I think there is a serious potential for major abuse of people's systems."

Good news: OpenCandy can't be spoofed like that!:) Each developer (who has been approved) that uses OpenCandy to recommend software receives a unique API keys specific to their installer. So the only software that can be recommended is the software that developer chose to recommend.

The installer for an ACCEPTED recommendation is downloaded via our download manager from a repository of installers on Amazon S3 that we maintain.

Those installers are the exact ones available from a developers website (that's were we get them from for open source software such as Audacity or Flock and for companies paying to have their software recommended they directly provide their installer directly to us for auditing and subsequent uploading into our download repository). Each time an application (recommended via OpenCandy) is updated, we check the new installer to ensure it's still "kosher" before we upload the updated installer into our repository. This is to ensure a previously reputable developer hasn't gone rogue and decided to throw their reputation out the windows all the sudden and decide "Hey, let's put a keylogger in our program).

@Carol Haynes "In the long post above a number of checks are listed. I have serious problems with some of those checks - McAfee SiteAdvisor is known to be broken because they don't update their system often enough. I have also found a number of legitimate sites blocked by some of the free HOSTS files you mentioned (and is one of the reasons I gave up using a downloadable HOSTS file for security - there is no way anyone can check 170000 entries manually so how do you know they are legitimately blocked)."

None of those checks are perfect in and of themself, they are all part of the puzzle of ensuring the software in our network is good. By having a multi-tiered approach to auditing software we can do the best job possible of keeping out the bad eggs.

When I go to a site I believe is legimate and is blocked by my hosts files, I do research to figure out why and then I make the decision to unblock or leave them blocked. I've definitely come across my fair share of legimate sites (Softpedia, Bink.nu, Creative.com, Promotions.newegg.com, Inc.com etc) that are blocked by those lists and I unblocked them. My hosts files is a good first line of defense. :)

Regarding SiteAdvisor, I've seen a decent amount of false positives there as well. Take FileMenuTools for example from LopeSoft (http://www.lopesoft.com/en/fmtools/info.html and no he DOESN'T participate in OpenCandy and probably doesn't know about us at all, I just LOVE FileMenuTools). I trust his software and it's safe, but he has some links to other sites labeled RED by McAfee
(http://www.siteadvisor.com/sites/lopesoft.com) and so, his site is labeled RED.

Here's a great example of how combining those checks helped me prevent one such "baddie" from joining OpenCandy:

My second day on the job at OpenCandy we received an email from a developer who filled out our web form and said "I'd like to commit $15k to pay developers to recommend my software". That in itself was unusual; my teammates said that we don't get a lot of requests in that manner because we weren't very well known.

The software they wanted to recommend was a "system utility". Now, I'd never heard of this software before, which isn't necessarily a red flag, but certainly strange because I download and test a LOT of software (in April 2009 I downloaded over 1755 installers/zip files for shareware, freeware and open source software -- a total of 18.5GB). The first thing I did was go to their website, hmmm "Page not found". I fired up HostsMan to check to see if I blocked them via my hosts files. Sure enough I did. But that's not so weird, because yes, some legitimate sites get blocked by the hosts file block-lists I use. Then I went to SiteAdvisor and saw that they were labeled RED and there was a bunch of horror stories about this company's poor business practices. Next I went to download.com to see if their software was listed for download. Oddly, it was. The SiteAdvisor comments were bad enough to mean exclusion from our network. But I still decided to search for other independent reviews of this software -- I DID NOT find a SINGLE one! Long story short, I did more digging and discovered even more disturbing things about the "company" behind the software. Mind you, this is my SECOND day on the job. I'm in my "lab" pacing around in circles wondering what's going to happen when I tell my bosses/teammates what I found and if everything I believed about what we are trying to do at OpenCandy (help users discover great software) was going to hold true. So I called my bosses/teammates and said "It's great that someone wants to spend $15k to have their software recommended via OpenCandy, unfortunately we ABSOLUTELY CANNOT allow this company or it's products in our network!" I then explained my findings and held my breath... The next words out of everyone's mouth was "THANKS DOC, AWESOME JOB! That's why you're here, to make sure stuff like that ISN'T in our network!" You have no idea how much of a relief that was to me. It again confirmed that the whole team was committed to doing the right thing.. Even, in a case like this, when it means having to forgo revenue.

@Carol Haynes"prefer that you list your recommendations simply with a link tot he developers website and preferably a link to a trusted download website where apps are test for spyware and allow user feedback."

Since I've covered our mission/vision throughout this post (in short: to help users discover great software while helping developers expand their distribution or make money from their existing distribution). And I've explained the extraordinary measures we take to ensure only good software is in our network (heck as illustrated above, a piece of software that was good enough for download.com wasn't good enough to be in the network) and how we take into account a variety of measures to make that happen.

I'll briefly explain why we do it the way we do.

I'm working on getting some hard statistics (they really don't exist in the software world), but this is what I know: There is a dropoff from someone visiting a developers website, finding where the download is, downloading the application and then installing it. From what developers have told us and from other info around the net, the dropoff between someone downloading and installing a piece of software is at least 50%. That means that for every 100 people that download an application, less than 50% actually install it (for various reasons).

That's where OpenCandy comes in. If a developer acting as a publisher (those who recommend software) believes that another application can provide value or solve a problem for their users, then they want to do whatever they can do to EASILY make that happen. Yes, you can just put a link in the developer's website (and as discussed earlier we'll be incorporating informational links into the recommendation screens soon), but then the likelihood of the person actually visiting the site, downloading the app, and installing it gets lower and lower each and every step of the process. With an OpenCandy recommendation the user gets to see a few bulletpoints about the recommended application's main features and can decide right then if it's software they're interesting in using.

-Users already in the process of installing software provide a great engagement point to discover other software they may find useful.

-Being able to download the installer for an ACCEPTED recommendation instantly (after the install for the original software they were installing completes) translates into a higher likelihood the user will actually install the software. It also leads itself to a higher quality user for the developer of the recommended application since the user read the information about the recommended software and CONSCIOUSLY chose to install it.

I hope this info helps. It's the weekend and I want to spend some time with my daughter (http://twitpic.com/58dzv). But I'll try to be around if anybody has questions/comments/concerns/ideas. Thanks for the lively discussion! :)

Dr. Apps (I'm still going to put that)

EDITED: I hope this answer this info helps to I hope this info helps.