Opinion: Security companies' automatic renewals are a disgrace

Back in the 1980s and '90s, many people believed that antivirus vendors were writing and distributing viruses to create a need for their products. I cannot say unequivocally that there was no truth to that -- a lot of companies were trying to enter the market, and many disappeared quickly without a trace. But a conspiracy as big as imagined in the rumor mills would have been uncovered in the last 20 years. The fact is that a lot of people are cynical, and a significant number of them are prone to believe conspiracy theories. Personally, I tried to defend the antivirus product vendors whenever I heard such talk.

I'm not so charitable toward a current practice of antivirus vendors. Because of a recent experience, I have started advocating against subscribing to automatic renewals of antivirus software. I still believe that every system should run antivirus, anti-spyware and firewall software (yes, that includes Macs). Unfortunately, the two leading vendors, Symantec and McAfee, have shamed the industry by taking part in a scheme that is in many ways as bad as distributing viruses -- and certainly has the same motivation.

I submitted a version of this article earlier this week in which I complained about McAfee and what I consider to be one of the scummiest terms of service agreements I have ever seen. I've had to revise it a bit, but not to back down on my scorn for McAfee's scheme. The reason is that the next day, I saw an article saying that the New York attorney general had fined Symantec and McAfee $375,000 for their surreptitious automatic renewal clauses.

For me, this began when I received a notice from McAfee that it had taken the liberty of automatically renewing a license for software that I had no desire to renew. I found this liberty shocking.

Making the matter worse, the message seemed fake. My initial reaction was to assume it was a phishing attempt, and I nearly deleted it. Red flags were a link, not to mcafee.com, but to a site with a similar name, mcafeehelp.com, and references to McAfee's international divisions.

Taking a cautious approach, I went to McAfee's Web site and found a customer service telephone number. To McAfee's credit, the customer service rep was efficient and canceled the automatic renewal without any trouble. Since I never sign up for automatic renewals of antivirus software, I asked the rep why McAfee had automatically renewed my subscription. The answer disturbed me: McAfee has built automatic renewal into its terms of service.

So, when you buy or renew McAfee software online, you are unwittingly agreeing to subscribe to McAfee forever. This fact is buried in the terms of service. You have to specifically opt out of this, and you are most likely going to know about it only after you have been charged, as was my case. McAfee specifically says that you agree to automatic subscriptions not by actually agreeing to them, but by "charging a valid credit card number which you have provided to McAfee."

When you buy or renew online, there is no check box for selecting renewal as an option. There is no confirmation that you have basically agreed to buy this software for life, even if you get rid of the computer. To cancel, you have to go back at a later time. And let me be very clear: In the current scheme, you very well could pay for software that you don't need, and you might not know it. After all, if you have multiple computers, you might not know exactly which license you are being billed for.

I have since attempted to find other industries that hide opt-out conditions where money would be automatically charged for services, and I couldn't find any. There are many cases where you provide a credit card for a free trial or knowingly sign up for unlimited renewal, and then you will be automatically charged until you cancel the renewal. In those cases, most people want the free stuff and forget to opt out. In this case, you receive nothing for free. You would assume that at least you would get a discount rate for the automatic renewal, but McAfee's terms of service specifically exclude any discounts.

While I am glad the New York attorney general stepped in, more needs to be done. After all, $375,000 amounts to about 4,750 unethically generated automatic renewals. That is a proverbial drop in the bucket, since McAfee and Symantec likely generate hundreds of thousands of unfair sales. And under the current agreement with New York, McAfee and Symantec can continue this practice as long as they give people an opportunity to cancel the agreement within 60 days of being billed. The fine amounts to more of a nuisance than a deterrent, as people still have to go out of their way to get their money back and are less likely to do so.

The reason I call attention to this is that if McAfee and Symantec get away with these conditions, which seem morally reprehensible, even if legal, more companies will adopt them.

Airlines test new fees by announcing them and hoping that other airlines follow. If they don't, the airline stops the new fee. But in the software industry, companies start policies like this and hope the people paying the fees don't notice. If they succeed, other companies pick up the policy. That's why we cannot let this policy stand.

I'd love to see the Federal Trade Commission look into this opt-out policy, but I frankly don't hold out much hope. The FTC has so far been largely detached from outrages in the computer industry. A better hope is for a class-action lawsuit or prosecution by other states' attorneys general. Or people who are charged the fees could all start calling up to cancel the renewal. That might be a harsher financial hit for the companies than the New York fine, since the companies have to pay people to answer the calls.

The greatest irony about this situation is that I actually endorse automatic renewal for security software -- as long as you realize that you are signing up for it. Too many people just let their licenses lapse. What's more, I otherwise respect McAfee's and Symantec's products and especially their people. My issue is that the automatic renewal clause was hidden and required an opt out. Frankly, I expect a security company to exercise better ethics than the typical software company might. If they keep pulling stunts like this, more people are going to believe them capable of writing and releasing viruses to drum up business.

Almost three years ago, I warned that AT&T's Internet service policies took way too many liberties with your data. And as I predicted, few people did anything about it, and the policy still stands, and other ISPs have implemented similar policies. I have a little more hope in this case because people are more inclined to ask for their money back than to demand their rights.

Security essentially means trust. Security vendors sell trust. Business practices like this compromise the impression that the security industry is deserving of trust. This is a black mark on the security industry. Two of the most well-known companies in the industry have been caught behaving like stereotypical used car dealers. One unintended consequence may be an uptick in people failing to renew their security software licenses out of retaliation for questionable business practices. And even though I couldn't find other examples of this practice, I'm sure they do exist. We all must be more careful than ever in reading agreements. We must also hope that the general public doesn't hold the actions of these two vendors against the entire industry. Sadly, unlike the rumors of antivirus companies distributing viruses, this rumor is very true.

Ira Winkler is president of Internet Security Advisors Group and author of the book Spies Among Us. He can be contacted through his Web site, www.irawinkler.com.


Copyright © 2009 IDG Communications, Inc.
