Free-as-in-freedom software is very often free-as-in-beer, too. This is normally a good thing. But one open source project developer is calling out a troubling problem with free software: counterfeit applications.
The problem, according to VideoLAN developer Ludovic Fauvet, is this: VideoLAN's highly regarded VLC Media Player, which is licensed under the GPL, is being redistributed by various organizations' websites, some of which claim that VLC is actually their application to distribute. These websites attract users with paid Google AdWords ads that come up in various media-player related searches.
[Also see: Is it really a business vs. open source world?]
Right off the bat, this would be a clear violation of VideoLAN's intellectual property, but it gets worse. Many of the sites that redistribute VLC have wrapped the binary in installers that also install malware in the form of adware and spyware on unsuspecting user's computers, too.
"What bothers us the most is that many of them are bundling VLC with various crapware to monetize it in ways that mislead our users by thinking they’re downloading an original version. This is not acceptable. The result is a poor product that doesn’t work as intended, that can’t be uninstalled and that clearly abuses its users and their privacy," Fauvet wrote in his blog.
Fauvet even lists some of the offending websites, and after checking some of them (making darn sure to use my Linux browser so as not to pick up something catching on one of these sites), I can confirm what Fauvet describes. It's a bad scene out there, with websites that claim ownership of VLC, touting its features and heavily emphasizing the "free."
(I did find one correction in Fauvet's list. The supertelech.info site he lists actually doesn't feature VLC as a download, but uses the SEO-rich term "VLC media player" as a hook to draw people into a Valencia, Spain LASIK surgery clinic's web site.)
Some of you may be wondering what the problem is, since VLC is free for all to use. And in fact, the GPL does allow someone to take the source code for a particular application or other group of software, make some (or even no) changes, and re-distribute it as their own software. That's how the Red Hat Enterprise Linux-based distribution CentOS does it, and that's all cool.
But notice something about CentOS: they don't call their distro "Red Hat" anything. They can't, because Red Hat owns the RHEL trademarks. So any site that pushes VLC as their own is violating trademark.
Adding the malware is another violation, but not just because the software is evil. The GPL says if you make any changes to the software and distribute the changed software, you have to send those changes back to the original project. And while you and I know that there's no way VideoLAN would ever accept spyware as a code change, the fact that these groups aren't offering their lovely changes actually puts them in violation of the GPL, too.
As Fauvet points out, it's not just VLC that's getting shafted like this, though they seem to be the most-abused victim. Pretty much any FLOSS application that runs on Windows or Mac is vulnerable to this kind of thing. I ran a quick search on Google and discovered several counterfeit software AdWord campaigns, including ones for:
- Media Player Classic
Not every site that features FLOSS apps for download are problematic. OpenSourceWindows lists a whole bunch of open source Windows applications, but dutifully sends users to the official sites' download pages for each application.
But then there's sites like CNET Download, which also lists FLOSS software (among many other types of applications) for download, directly from CNET's servers. While CNET does not in any way represent that they "own" the software they're offering, nor do I seriously believe they are offering up malware, I can't be sure about the provenance of the Firefox 5 for Windows software they just offered me. Nor am I terribly sanguine about the "free scan for Windows errors" banner and box ads sitting on the download page.
Fauvet seems to have hit a wall when trying to approach Google about this, which is aiding and abetting this activity, whether they know it or not. Fauvet would like the search company to block ads from these counterfeit sites and has not gotten any response. Fauvet figures that since the counterfeiters are paying for ads and he and VideoLAN are not, then the VLC ads will continue.
I would argue that Google (and Yahoo! and Bing, because I checked, the ads are on those sites, too) could easily establish a proper registry for their ad programs that would block any links that take users to sites other than the official websites for these software applications. There aren't that many software projects affected by this kind of activity, and I seriously doubt the search companies are making that much money from these ads that they could not afford to drop them.
Because there is a lot of money coming from these ads, then one has to wonder where these counterfeiters are getting the coin to pay for such ads by offering free software. Revenue has to be coming from somewhere, and my fear is it's coming from the adware and spyware that is getting inserted onto users' PCs.
While we're waiting for the search companies to do the right thing, the usual safety tips apply: download your software only from the official sites. Luckily, the first unpaid links on the search results for these applications are properly displaying the correct sites, so they're not hard to find.
Not only will you find the most secure version of the software you are seeking, you will also have access to the best support and documentation. Your data and your privacy will thank you, and so will the hard-working FLOSS developers.