Windows Secrets Newsletter • Issue 108 • 2007-05-17 • Circulation: over 270,000

Contents

TOP STORY: Microsoft, McAfee, Symantec charge cards repeatedly
KNOWN ISSUES: What code signing is and is not good for
WACKY WEB WEEK: Practice your bunny-surgery skills online
KNOWN ISSUES 2: The reality of Microsoft's signed-drivers policy
WOODY'S WINDOWS: Windows Home Server looks like a winner
PERIMETER SCAN: Microsoft launches new security products
YOUR SUBSCRIPTION: How to change your address or unsubscribe

TOP STORY
Microsoft, McAfee, Symantec charge cards repeatedly

Subscription sabotage: a case study

IT consultant and Windows Secrets subscriber Bruce Weiskopf received a routine notice that his Norton Internet Security product subscription was about to expire. Then, when he began examining some online forms, he became upset.

There, in the fine print, he noticed a clause saying he was already signed up for automatic subscription renewal. "It's barely noticeable, and, in any event, you aren't given the opportunity to decline at this point," he told Windows Secrets. All he could see was a link for more information. So, he went to the Symantec Web site to find out more.

According to Bruce, what ensued was an onerous process of hoop-jumping before he was finally able to tell the company not to renew his subscription and charge his credit card automatically each year.

"It's really, really an unconscionable scam," Bruce adds. "I'm sure there are many consumers who don't pay attention to their credit card statements, enabling Symantec to make quite a profit at about $50 a pop!"

For those who feel as Bruce does, the unfortunate truth is that the practice of enrolling customers in automatic renewal for antivirus and other security products is not limited to Symantec. Indeed, it has become an industry standard.

Microsoft Windows Live OneCare, Symantec, McAfee, and ZoneAlarm all enroll customers into the companies' automatic subscription-renewal programs with the purchase of a subscription-based product. In most cases, customers aren't given a choice to opt out, and only find out about the annual renewals when they receive an e-mail notice or see a charge on their credit card.

For some users, automatic renewal is a boon, since it saves the annual chore of manually renewing subscriptions to new virus definitions. Others view the policy with suspicion, especially since these policies are often not made clear at the outset.
Moreover, the amount charged for the renewal each year can change, depending on the going rate for the subscription at the time of the renewal.

In order to get to the bottom of this, I bought products from each of the following four security companies to see how transparent the auto-renewal policy is and just how difficult it is to get out of the scheme once you know about it.

Windows Live OneCare is the least transparent

Of all the companies I tested, Microsoft's all-in-one security and maintenance package, Windows Live OneCare, has the most-hidden automatic subscription-renewal policy and is the most difficult to learn how to cancel.

You begin the process by signing up for a free Windows Live account (basically a Hotmail e-mail account). At the bottom of the form is a link to the Windows Live Service Agreement, a 6,708-word document that hints at what's to come. It reads, "If we informed you that the service will be provided indefinitely or automatically renewed, we may automatically renew your service and charge you for any renewal term."

The actual commitment isn't made until you enter your credit-card information and are allowed to review your data before confirming the purchase. The review page shows no information on the subscription-renewal policy — that is, until you click View Details under Windows Live OneCare. Only if you open the link do you see this policy statement:
After your purchase, you can go to Microsoft's Billing and account management page and sign in with your Windows Live e-mail and password. There, you can click on the service you purchased (Windows Live OneCare) and see links for complete cancellation of the service itself. But nowhere is there information on simply canceling recurring credit-card charges.

In the end, you have to phone Windows Live OneCare Support at 866-663-2273 in order to cancel only the automatic-renewal aspect of your subscription. (I was told by a Microsoft representative that this toll-free number also can be called from outside the U.S. if international dialing and the country code 1 is used, but I wasn't able to test this.)

McAfee embeds auto-renewal policy in EULA

A somewhat stealthy approach is taken by McAfee. As part of the online purchase process, users see a scrolling box containing a 3,280-word end-user license agreement (EULA). Buried in the scrolling text is a statement that reads:
How do you get out of it? The EULA goes on to say:
In case you missed the phone numbers in the EULA, you can always cancel auto-renewal of your subscription at the McAfee Web site. However, finding the right page isn't easy, especially since the site's search feature provides no quick answers. Here are the steps for U.S. customers:

Step 1: Go to McAfee's main U.S. page.
Step 2: At the right end of the navigation bar near the top, click My Account.
Step 3: Log in using your e-mail address and password.
Step 4: In the navigation pane on the left, select Auto-Renewal Setup under My Account.
Step 5: Under Auto-Renewal Setup, the page should have check boxes corresponding to each product you've purchased. Uncheck the boxes for each item whose subscription you do not want to have renewed automatically. Then click Done.

Customers outside the United States may need to contact a customer service representative either by e-mail, phone, or online chat. These options are available at McAfee's main customer service page.

Symantec: Mandatory auto-renewal, but easier to cancel

I found that Symantec actually has the second-best policy of the four security sites I tested. Symantec products give you no choice, requiring you to accept automatic subscription renewal as part of your purchase, but at least this is made pretty clear from the beginning. An explanation just below the credit-card form in Symantec's online store reads, in part:
On the chance the buyer might miss these statements, I went to Symantec's main site to see how hard it would be to find the cancellation page on my own. I entered "cancel automatic renewal" in the search box at the top of the page. The search returned three results, the first of which was an Enterprise Support Knowledge Base article entitled "How to cancel On-going Protection." The article included a link to the cancellation form.

The actual cancellation process is a simple matter of filling out the form online and clicking Submit. (This only cancels auto-renewal, not your current subscription.) The only downside is that you'll need to have your name, e-mail address, order number, product activation key, and product serial number to complete the form! So remember to save your online receipt or the confirmation e-mail you received after your purchase.

ZoneAlarm provides a fairly upfront choice

As far as security products go, Check Point's ZoneAlarm is the least coercive when it comes to automatic subscription renewal. Unlike the other three companies I tested, the order form for ZoneAlarm provides a check box where you enter your credit-card information that reads "Automatically renew my subscription upon expiration." The box is checked by default, however, so if you miss it, you'll be signed up for automatic charges until you cancel. And the confirmation e-mail you receive won't clue you in to this fact.

Once you're signed up for automatic renewal with a ZoneAlarm product, canceling the auto-renewal isn't too difficult — providing you know where on ZoneAlarm's site to look. I had to do a lot of clicking around to find the right page, and the site's search function was little to no help. Here's the solution:

Step 1: On ZoneAlarm's main page, click Customer Support in the navigation pane on the left.
Step 2: On the Customer Service page, click Login to My Account under Customer Service. You may be prompted whether to display both secure and nonsecure items.
Step 3: On the Account Login page, enter the user ID and password you created when you purchased the product. Click Sign In Now! Again, you may be prompted whether to display both secure and nonsecure items.
Step 4: On the My Account page, click Manage Subscriptions under the Manage Subscriptions heading.
Step 5: On the Manage Subscriptions page, look in the section with the Automatic License Renewal heading. Choose Manually renew this license from the Renewal Option drop-down list. Click Submit.

What's behind the hard-to-cancel policies?

Not surprisingly, companies that enroll customers in automatic-renewal programs by default tend to describe the policy as an advantage for customers.

A Microsoft spokeswoman explained that "the goal of implementing the automatic-renewal process was to protect customers from an interruption in their service. Recent studies show as many as two-thirds of antivirus users postpone their subscription renewal." (Microsoft policy prohibits identifying p.r. spokespeople by name.)

John Gable, director of product management for Check Point's ZoneAlarm division, says the company's recently implemented auto-renewal practice was intended "to help consumers keep their subscriptions up to date, as well as in response to feedback from many users who felt subscription renewal reminders were too intrusive."

Corporate altruism doesn't seem to be the only motive in the move to recurring credit-card charges, however. Last year, an article in TechWeb credited Symantec's then consumer-group chief Enrique Salem as saying that automatic renewal of product updates was one of several "revenue-generating" strategies to "pump up the consumer group's bottom line." (A representative I contacted at Symantec did not provide a comment by press time.)

Consumer reaction is decidedly negative

Despite the promise of continued service that automatic renewal offers, some customers clearly don't like being signed up for recurring credit-card billing by default.
It isn't difficult to find complaints about this practice posted in online forums. For example, a user with the screen name RideRed claimed in BroadbandReports.com that Symantec charged his credit card at renewal time without his consent, despite the fact that he had turned off automatic renewal at the time he made his purchase. Similarly, a user of Digg.com comments:
Nevertheless, it's safe to say most companies track customer complaints and respond when they reach a critical level. As ZoneAlarm's John Gable acknowledges, "We are continuing to run usability testing with regards to placement of the auto-renew option and whether to keep it checked by default or not. Therefore, the way we have it today may very well change based on user feedback."

If you feel the pain, you must complain

No product I reviewed has a completely clean record. ZoneAlarm, to its credit, actually does allow users to opt out of automatic renewal before completing a purchase (but opting out is not the default choice). Symantec, for its part, does make its auto-renewal process apparent and relatively easy to turn off — compared with the worst cases.

I'm the first to agree that the ability to automatically renew a subscription, especially to an important security service, is a convenience most customers should consider. But to compel customers to adopt automatic charges and then hide or obscure that fact is quite another matter. Security companies compound the problem by making the cancellation process difficult and hard to find. In most cases, companies are implementing this policy in every country where they can lawfully do so.

Microsoft's spokeswoman told me that the company "has taken steps to prevent their customers from being surprised by automatic renewals. Sign-up forms make it clear that online customers are entering an automatic-renewal program." But this is in direct contradiction to my own purchasing experience. It may come as a surprise to Microsoft that not everyone clicks every link to read the fine print during their online shopping experiences.

Although the companies I surveyed send out reminders before the renewal fee is charged, customers can easily lose track of these notices in the deluge of spam and business promotions they receive each day.

Corporations seldom change policies that make them rich, unless enough customers complain.
If automatic renewal works for you, then by all means keep the service going. But, if you don't like the way it's been implemented by your security provider, it's time to let them know.

Scott Dunn is associate editor of the Windows Secrets Newsletter. He is also a contributing editor of PC World Magazine, where he has written a monthly column since 1992, and co-author of 101 Windows Tips & Tricks (Peachpit) with Jesse Berst and Charles Bermant.

KNOWN ISSUES
What code signing is and isn't good for

By Scott Dunn

As I explained in my May 10 article, driver-signing requirements for the 64-bit version of Vista have slowed down developers, but not hackers. Readers wrote in, pointing out further complications, while cautioning that the practice of driver signing itself is still useful.

Code signing is valuable, despite flaws

Regarding my story on Microsoft's driver-signing strategy for Windows Vista, reader Donald P. Welker writes:
The point of the article was that the specific approach taken by Microsoft so far in Vista development has not been enough to stop serious hackers, while the certification process has created headaches for the legitimate driver developers.

Another way to subvert driver signing

Reader Robert Chapin has his own concerns about driver signing:
WACKY WEB WEEK Practice your bunny-surgery skills online

YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. Vacation breaks occur in late August, Thanksgiving Week, and Christmas/New Year's.

Publisher: WindowsSecrets.com, Attn.: #120 Editor, 1700 7th Ave., Suite 116, Seattle, WA 98101-1323 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editorial Director: Brian Livingston. Editor-at-Large: Fred Langa. Associate Editor: Scott Dunn. Contributing Editors: Susan Bradley, Mark Edwards, Woody Leonhard, Chris Mosby, Ryan Russell. Research Director: Vickie Stevens. Program Director: Brent Scheffler. Managing Editor: Jody Braverman.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com LLC. All other marks are the trademarks or service marks of their respective owners.

HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page.

WE GUARANTEE YOUR PRIVACY:
1. We will never sell, rent, or give away your address to any outside party, ever.
2. We will never send you any unrequested e-mail, besides newsletter updates.
3. All unsubscribe requests are honored immediately, period.
Privacy policy

HOW TO UNSUBSCRIBE: To unsubscribe from the Windows Secrets Newsletter,