If Yes, for How Long?


For the last several months, many responsible businesses have been working like mad to comply with new app requirements that AppEsteem – a company that certifies apps – and Microsoft announced (regarding Unwanted Software) they would apply in their review of apps. Perhaps the most controversial subject relates to apps that offer free scans.

For many in the software downloading industry, this required some major changes to the way they operate their apps. It required creative thinking and significant work to determine how best to comply. Indeed, leaders in the industry participated in a CleanApps.org webinar on the subject back in September, and shared best practices and ideas: see our post called “Best call ever”.

Since that time, quite a few CleanApps.org members have successfully submitted their apps for certification by AppEsteem. Most encouraging of all, apps that tens of millions of consumers around the world use, are now fully compliant with ACR 004, the specific app certification requirement at issue.

But we are now seeing something new. And this development is a disheartening one: a number of app makers around the world are still violating ACR 004, and so still posing a potential danger to consumers, and yet have not been blocked by the anti-malware companies and not called out as as Unwanted Software by the security industry or as Deceptors by AppEsteem (for those who don’t know: if an app is labelled a Deceptor by AppEsteem, the recommendation is for anti-malware companies to block the app from consumer devices). Even worse, some of them appear to be customers of AppEsteem.

This is frustrating for CleanApps.org and many of our members. After all, our organization is focused on three core components: a) a fair app marketplace, b) the prosperity of our members, and c) protecting consumers’ privacy and security. If there are apps violating 004, how can it be that they aren’t being held accountable? That seems unjust, especially given all the work so many members invested to comply, and all the notice that AppEsteem and Microsoft provided (though admittedly, not every app maker would have digested everything AppEsteem and Microsoft said).

On the other hand, we also recognize that complying with 004 doesn’t happen overnight. For those who didn’t previously know about this requirement, and yet now sign on as a customer of an app certifier like AppEsteem, those app makers are issuing a statement about their commitment to compliance. Shouldn’t they be given a bit of extra time to come into compliance before being called out? Don’t we want to encourage compliance?

I agree with app certifiers who have a policy to give signed-up customers something of a grace period before recommending their app be blocked by cybersecurity companies. We want to incentivize wayward but well-intentioned app makers to bring their apps into compliance, and one important way to do that is to encourage them to come forward and provide a short period of amnesty so they have time to come clean and do so without penalty.

But here’s the problem: this process can be easily gamed. What if an app maker signs up with an app certifier like AppEsteem, and then dilly dallies for months and months without complying and being removed from consumer machines? That scenario is terrible. It’s not fair. It’s bad for consumers. It’s bad for responsible businesses that invest time and money in compliance. And it undermines the entire movement for a cleaner ecosystem.

So how should the balance be struck? How long, for example, should the Deceptor grace period be? This isn’t an easy question. I believe reasonable minds can differ on the subject. But from where I sit, as the executive director of CleanApps.org, and having spoken with some members, I think that period needs to be long enough for a reasonably diligent app maker to address and repair all Deceptor issues, but no longer. And there needs to be a definitive period – it can’t be squishy and turn on “good faith” or some other subjective standard that can be second-guessed and undercut.

While this is more art than science, my opinion is the grace period should be 30 days. I think 30 days is enough time for fixes to be made. But it’s not too long, either, so doesn’t prolong the potential injury to consumers or make the playing field less level for an undue period. Moreover, a 30-day, bright line rule ensures transparency and predictability, two critical values that are so badly needed in this space.

This isn’t a perfect solution. It may well be that some people think the period should be shorter than 30 days. And some might think it should be longer.

I’d like to know what others think. Accordingly, we are asking our members to let us know by voting as soon when they get our survey email sent shortly after this is posted. And as you vote, remember: this isn’t just about your app, but the entire ecosystem. We need a length of time that ensures fairness to consumers, app makers who are already complying, and app makers who demonstrate their commitment to compliance by signing up to have their apps fully certified. So please think hard before letting us know your view.

Thank you!

UPDATE 1/1/2019:

Below are the results of the survey sent to CleanApps members.