Controversial Advertising Program Now Being Embedded in More Software

OpenCandy (OC) is a relatively new advertising product that more and more software developers are bundling with their programs. It can now be found in the installers of dozens of popular programs including IZArc, mIRC, PrimoPDF, Trillian Astra and more.

OpenCandy employs some controversial techniques in its operation and this has created some heated discussions in internet forums and blogs. Some say it is adware or spyware while others say it is just another legitimate form of advertising. Either way, you need to be aware of this product and its potential pitfalls.

How OpenCandy Works

OC makes software recommendations to users during the program installation process. That is, while you are installing one product you get an invitation to install others. Users can accept or reject these download recommendations from OC; it is their call. Here's an example of how it works when you install the excellent free archiving program IZArc.

At the start of the IZArc installation process you are presented with the licensing agreement which clearly flags OpenCandy as a separate agreement.

 

And here's what the agreement says:

 

If you agree to this you get offered other products to install before installing IZArc. The products offered depend on what you already have installed on your PC - OpenCandy scans your PC to find that out. Here's what I was offered:

 

Notice that neither option is preselected; you have to make a choice one way or another. Not all implementations of OC work like that. Sometimes the "install" option is preselected. That means that users who just mindlessly click through the installation of the product they want to install will also end up downloading and installing additional products. How OC is configured depends on the software vendor; the developer of IZArc in this case.

Harmless Advertising or a New Form of Spyware

Now to some readers all this may sound harmless enough but there is more to it:

  • The recommendations made by OC are partly based on the products you already have installed on your PC. OpenCandy determines this by secretly scanning your PC without ever asking your permission.
  • While you can elect not to download any of the programs suggested by OC you cannot opt out from installing OC itself; it is fully embedded in the installation process. The situation is made worse by the fact that some software vendors don’t even mention in their End User Licensing Agreement (EULA) that OC is included as part of the installation process for their product.
  • If you accept any of the software recommendations made by OC then not only will that software be downloaded and installed but OC will also permanently install itself on your PC as well.
  • Regardless of whether you accept or reject OC’s software recommendations OC will transmit information about your PC back to the OpenCandy Corporation.
  • Some anti-malware programs including Microsoft Security Essentials flag some products containing OpenCandy as adware.

The makers of OpenCandy have published some credible counter-arguments. They claim:

  • Many installers from reputable companies scan your PC during the installation process to check for old versions, the existence of essential components and more.
  • They also claim that OC installs nothing permanently on your computer should you choose not to accept any OC download recommendations.
  • They state that any data about your PC sent back to OC is the kind of general information collected when you visit a website and contains no personally identifiable information.

They also put forward an argument that OC is not adware as it does not conform with the Wikipedia definition of adware as programs that display ads during program operation or usage. Using definitions to deflect the argument is ridiculous. OpenCandy is without doubt adware. Yes, it displays ads during product installation rather than product operation but the effect is the same. To claim otherwise is fatuous.

But there is nothing particularly wrong with adware. Many reputable products like the free version of Avira AntiVir and AVG Antivirus are adware. The product ads are the price that many users are prepared to accept in order to get the product for free.

Is OC spyware? There is little evidence to suggest this; rather, it seems to be just another form of adware. However, it does worry us that the distribution model OC uses could potentially be used to turn the product into spyware.

In fact that’s the aspect of OpenCandy we find most disturbing. With the product now installed on a huge number of computers the current or future owners of the product could be tempted at some time in the future to more aggressively utilize the huge installed base. Can the OpenCandy Corporation or its successor be trusted not to exploit this opportunity? Will a hacker break into their system and create a huge botnet? Who knows; nobody can know but the possibility itself is disquieting.

The Gizmo’s Freeware Policy on OpenCandy

We thought seriously about banning any product containing OpenCandy from our website but have decided against that on two grounds:

First we have no evidence that OpenCandy is a malicious product or spyware. It is simply an adware program. Yes it is a product that makes us feel uncomfortable in the way it pushes privacy limits and even more uncomfortable with the potential for the model to be exploited but these are ultimately soft objections.

Second, to ban products containing OC would deprive our users of the right to make their own choices as to the products they wish to use. Some of the programs that contain OC are of outstanding quality. If users wish to use these products knowing that they contain OC then we need to respect that choice.

We have however decided to attach some strong conditions to products that contain OpenCandy:

  • Gizmo’s Freeware will not list any program that contains OpenCandy in its installer and does not clearly state this fact in its End User Licensing Agreement (EULA).
  • Gizmo’s Freeware will not list any program that contains OpenCandy that does not provide users with the ability to opt out of all recommended downloads.
  • The presence of OpenCandy will be treated by our editors as a negative when preparing our lists of recommended programs. It will be left to individual editors whether a program’s features and other strengths are sufficient to offset the inclusion of OpenCandy.
  • Where we do list programs which we know contain OpenCandy, we will clearly alert our readers to this fact.

This policy is now in place but it will take some time** for us to check every product and decide whether we will continue to recommend it. If you are aware of any product we recommend that contains OpenCandy then please leave a comment at the bottom of the program review.

Now I know some people will consider these initiatives to be an over-reaction while others feel we have not gone far enough. What we have tried to do is balance the right of our readers to make their own informed choices about the products they use against the concerns we have about the OpenCandy marketing model.

What I can say is that we will keep the situation under ongoing review. Should the OpenCandy company show any indications they are moving their product in a direction that is not in the interest of our users then we will immediately ban all products containing OpenCandy from this site.

** To the best of our knowledge, all products listed here which contain OpenCandy have now been identified and an appropriate advisory added to the text. The situation is fluid though as some authors will no doubt remove it and others will begin bundling it with new software. If you discover an incidence of OpenCandy within a product listed here which is not marked as such, please inform us by leaving a comment on the appropriate page, or by contacting one of the mod team directly.

 

Gizmo

 


Comments

by beep54 on 2. August 2014 - 12:53  (117700)

OpenCandy may be far, far worse than you make out. I had recently downloaded something, I forget offhand what, from CNet. I had thought that one of my protection programs (probably Malwarebytes) had managed to block OpenCandy's installation. It would seem not. I more or less accidentally just found out about the netstat command which revealed the following:

TCP 0.0.0.0:135 tracking.opencandy.com.s3.amazonaws.com:0 LISTENING
RpcSs
[svchost.exe]
TCP 0.0.0.0:445 tracking.opencandy.com.s3.amazonaws.com:0 LISTENING
Can not obtain ownership information
TCP 0.0.0.0:2869 tracking.opencandy.com.s3.amazonaws.com:0 LISTENING
Can not obtain ownership information
TCP 0.0.0.0:5357 tracking.opencandy.com.s3.amazonaws.com:0 LISTENING
Can not obtain ownership information
TCP 0.0.0.0:12025 tracking.opencandy.com.s3.amazonaws.com:0 LISTENING
[AvastSvc.exe]

Plus a bunch of other entries. Perhaps I'm reading that wrong, but it seems that OpenCandy was on the machine and trying to listen. So I attempted to see if I could get rid of it. Absolutely nothing could find OpenCandy. NOTHING. Better, I could not edit the HOSTS file. Even better, web sites about dealing with OpenCandy were blocked! To check, I used another computer to open the same web sites with no problem.

Am hoping at this point that having done a restore I have killed the monster. At any rate, netstat is not showing the same type of activity.

I am one of those people who know just enough to be dangerous to their own machines without necessarily knowing completely what they are doing :) Any thoughts on this situation would be helpful.

BTW, the article that pointed out the netstat command to me was from the How-To Geek site. And even if I have read this whole situation incorrectly, at least I have found some nifty utilities such as HitmanPro and a useful new command :)

by rickz on 23. July 2014 - 19:23  (117523)

I simply do not want to be offered anything unless it is I who is asking to be offered. Installing something I want does not equate to permission for a Remora-type software (http://en.wikipedia.org/wiki/Remora), to also be installed. I am typically working on a specific task that I am installing a piece of software for and the last thing I want or need is another crapware distraction. So, to put it bluntly, leave me alone unless I am specifically asking for it. Installing or even viewing one thing is not the equivalent to asking for another. If I even smell OpenCandy or anything like it in something, I will move on to something else. Thank you for keeping us informed Gizmo.

by Lassar on 7. April 2014 - 13:41  (115549)

There are 2 things one should do to install an OpenCandy program.

1. Block OpenCandy servers in the windows host file.

You do not want OpenCandy to spy on you.

Click on your start button, go to programs, accessories, right click on notepad and run as administrator.

Click on file, open.
Go to C:\Windows\System32\drivers\etc
type *.* and click on host

Add this to the host file

127.0.0.1 tracking.opencandy.com.s3.amazonaws.com
127.0.0.1 media.opencandy.com
127.0.0.1 cdn.opencandy.com
127.0.0.1 tracking.opencandy.com
127.0.0.1 api.opencandy.com

And click save.

2. Now go to the command line and enter:

"ProgramName /NOCANDY"

The program will now install with no chance of installing third party software & no chance of spying on you by communicating with the OpenCandy servers.

by AJNorth on 20. July 2014 - 20:54  (117439)

Hello Lassar,

There is a very nifty free application, Unchecky, http://www.softpedia.com/get/System/OS-Enhancements/Unchecky.shtml that helps to keep the user on a path during installations/upgrades so as to minimize the likelihood of accidentally installing PUPs (Potentially Unwanted Programs).

In addition, it automatically writes the blocking entries you've listed to the HOSTS file, along with several additional ones (this is especially helpful for those a bit less technically inclined...).

The current list of entries it writes is:


Very low on system resources, Unchecky also updates itself automatically. Though still technically in beta, it has been regularly updated over the past several months, and I highly recommend it.

Regards,

AJN

by beep54 on 1. August 2014 - 14:13  (117687)

Thank you for the Unchecky post. I've recently been running across OpenCandy with a few things and have wondered about it. Fortunately, something (Malwarebytes?, I forget) has been blocking it while allowing the rest of the installation to continue. Or at least, that's what I'm hoping is happening. Regardless, will be downloading Unchecky to check out.

by RussAdams on 8. June 2014 - 14:11  (116678)

The actual file name is: HOSTS

That's host with an 's'.

This is an old trick that works on Windows machines. YMMV on Apple/Unix/Linux.

What it does is re-direct any name listed on the right hand side to whatever URL is listed on the left hand side.

127.0.0.1 effectively does not exist.

Add the above list to your HOSTS file and what windows does is redirect any attempt to communicate to the name (ex: api.opencandy.com) to the URL 127.0.0.1. This will result in a 'cannot connect' type message.

I already had in my HOSTS file:
127.0.0.1 opencandy.com
127.0.0.1 api.opencandy.com

So I've added in the new ones. Thanks!

To see what's going on, try pasting/keying 127.0.0.1 into your browser address bar and see what you get. I got this in Firefox:

"Firefox can't establish a connection to the server at 127.0.0.1"

It's a nice trick, although a bit 'under the hood' geeky. But then if you are not at least a little geeky, whatcha doing here at Gizmo? (grin)

Wiki has more to say here:

https://en.wikipedia.org/wiki/Hosts_(file)

Russ
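The hosts-file blocking described in the comments above, as an added example that is not part of any commenter's post: it audits a hosts file for the five OpenCandy names listed earlier and marks netstat LISTENING rows whose foreign-address name is only a hosts alias for 0.0.0.0 rather than a remote peer. The sample hosts text, the netstat rows and all function names are constructed for illustration, and the alias reading assumes netstat was run without -n so that it prints names instead of addresses.

```python
import ipaddress

# The five names from the hosts-file list posted in the thread.
OC_HOSTS = ("tracking.opencandy.com.s3.amazonaws.com media.opencandy.com "
            "cdn.opencandy.com tracking.opencandy.com api.opencandy.com").split()

# Constructed sample hosts file mixing the 127.0.0.1 and 0.0.0.0 styles.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
127.0.0.1 media.opencandy.com   cdn.opencandy.com  # two names, one line
0.0.0.0 TRACKING.opencandy.com
# 0.0.0.0 api.opencandy.com
"""

# Constructed netstat rows: a listening row, an owner line, an invented connection.
SAMPLE_NETSTAT = [
    "TCP 0.0.0.0:135 tracking.opencandy.com.s3.amazonaws.com:0 LISTENING",
    "[svchost.exe]",
    "TCP 192.168.1.10:49212 api.opencandy.com:80 ESTABLISHED",
]


def parse_hosts(text):
    """Return {lowercased name: ip} for active (uncommented) entries."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except (IndexError, ValueError):
            continue  # blank, comment-only or malformed line
        for name in fields[1:]:
            table.setdefault(name.lower(), ip)  # keep the first mapping seen
    return table


def audit(hosts_text, wanted=OC_HOSTS):
    """Report each wanted name as blocked, redirected or missing."""
    table, report = parse_hosts(hosts_text), {}
    for name in wanted:
        ip = table.get(name)
        if ip is None:
            report[name] = "missing"
        else:
            sink = ip.is_loopback or ip.is_unspecified
            report[name] = "blocked" if sink else "redirected"
    return report


def classify_netstat(lines, hosts_text):
    """Separate listening rows labelled by a hosts alias from connections."""
    aliases = {n for n, ip in parse_hosts(hosts_text).items() if ip.is_unspecified}
    rows = []
    for line in lines:
        f = line.split()
        if len(f) != 4 or f[0] != "TCP":
            continue  # owner lines, headers, UDP rows
        host = f[2].rsplit(":", 1)[0].lower()
        if f[3] == "LISTENING":
            verdict = "hosts-alias" if host in aliases else "listening"
        else:
            verdict = "connection"
        rows.append((f[1], host, verdict))
    return rows


if __name__ == "__main__":
    print(audit(SAMPLE_HOSTS), classify_netstat(SAMPLE_NETSTAT, SAMPLE_HOSTS))
```

On the sample data the commented-out api.opencandy.com line is reported as missing, and that same name is the one that shows up as a real connection in the netstat rows.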

by BallyIrish on 27. July 2013 - 7:12  (109657)

I have used PeaZip for some time, and found it fulfills all my .zip file needs, and does it well too.
OpenCandy has always accompanied PeaZip, but separately, and I have always uninstalled it.
OpenCandy is now integrated with PeaZip to prevent uninstallation, I assume. The latest versions of PeaZip therefore cannot be used without OpenCandy.

Open Candy's EULA, now accompanies PeaZip (see below), and appears quite innocuous to me, and perfectly lawful.

The fact remains, however, that this is MY Computer and OpenCandy is passing information relevant to the type of software I use, along with my email address, of course. This, PeaZip claims is lawful.
On the whole, I get such good results from PeaZip, that I am not in the least concerned, now that I have read Open Candy's EULA, that my privacy is not in any way DETRIMENTALLY compromised.

It is therefore my own choice to install or reject any software recommended to me by third parties.
No unwanted software is therefore forced upon me, neither is such software surreptitiously installed on my PC.

Until a law forbidding this sort of practice is passed, PeaZip may continue, lawfully, to include OpenCandy. I have the choice either to continue to use and update PeaZip, or refrain from its further use. I choose to continue to use it, along with OpenCandy, as PeaZip is useful to me.

PeaZip openly states before one installs it, that OpenCandy forms part of PeaZip. I appreciate that sort of openness. What I HATE is purchasing a program which contains Adware (like RegClean Pro from Systweak, only to find that a large portion of the interface is devoted to Adware, advertising Advanced System Optimizer v.3 - all my attempts to obtain a refund from Systweak have failed. It was purchased through Cleverbridge.)

[Moderator's note: Unnecessary posting of Peazip license removed.]

by Ellam88 on 3. September 2014 - 11:08  (118356)

I posted months ago about the OpenCandy bundling; now I have checked back on the new version (32 and 64 bit) of PeaZip and it seems it is no longer bundling it, going by the EULA and the VirusTotal scan result.
Also, the Techsupportalert page no longer reports it being ad-supported, so I can safely assume OpenCandy is no longer being bundled.

by Pippin on 8. February 2014 - 6:30  (114314)

BallyIrish - I appreciate the time you took to do the research for your input on Open Candy (OC) and thanks for sharing that info because now I'm aware of their integrity or lack thereof.

I respect your decision if it's right for you but I disagree that your "privacy is not in any way DETRIMENTALLY compromised" or their terms of usage are innocuous. If it was then why do they need to force it on PeaZip users? Once they have your info - it's theirs for as long as they want it and you have no way of predicting what they'll do with it in the future. They claim they don't collect or share your "personal" info. Really? Then why obtain the email at all? Plus keeping track of the software you use as well as having your email address is VERY personal and THEY decide what to do with it - not you.

It's easy for them to say "we don't collect or share your personal information"; it's an incredibly vague statement. In what world is collecting your email address NOT collecting it? It just gives them range to be "creative" with your information. There are ways of getting around that claim and justifying that it falls under the archaic laws already in place - which were written without consideration of the internet. Most new laws are poorly written too.

The practices employed by these companies are out of touch with the right way to market/advertise. First, they don't consider whether you're a logical consumer candidate, they don't put enough effort into targeting the audience. Instead they mass market or mass advertise thinking this works even though analytical data shows it's not cost effective. They underestimate the intelligence of consumers, such as using the kind of tactics used by OC - forcing THEIR marketing policy on ALL the PeaZip users instead of having the option to opt out. This tactic will never promote trust or loyalty. They think overkill is consistency when it's really obnoxious.

As a consumer with many years of marketing experience as well as education in color marketing both online and off I can say without hesitation that these kinds of practices alienate consumers more than attracting them.

by Himagain on 4. November 2013 - 4:18  (111995)

Equally as valuable as the great reviews we get here is the personal support of the Editors themselves in clarifying any misunderstood points.

All of which is topped off by the intelligent friendly commenters to be found here as well.
---------------

@Ballyirish I agree with your post completely. The only other addition I would add is that we should all make it clear to the initial program suppliers how we feel.

I now actively support Wot.com and DO take the time to communicate with program suppliers for the good AND the bad.
It is surprising how few people ever do say thanks for a freebie, sadly.

by Ellam88 on 26. September 2013 - 14:51  (111033)

I've used recent versions, including current one, and for what I know ads were always not mandatory.
http://peazip.sourceforge.net/peazip-partnership.html page says anything preventing uninstallation or otherwise tricking the end user should be reported to be banned.
PeaZip homepage anyway still links a package without OpenCandy in the same paragraph talking of the bundle, and of course there is the Portable version that is just a zip file.

by MidnightCowboy on 27. July 2013 - 9:32  (109660)

There is more information about this here:

http://answers.microsoft.com/en-us/windows/forum/windows_xp-windows_prog...

I think it is important to understand that things are "promoted" simply because no one would buy them otherwise. If for instance the true benefits of tweak tools and registry cleaners were ever researched and the results published by an impartial source, then no one would buy one ever, or even use a free one come to that. Everyone is open to this type of influence though and I am evidence of same having once been the proud owner of a Bullworker. :D

Folks are free to classify OpenCandy as they see fit but it still remains a back door money making exercise that is hard sold to developers for them to include in their software. This is then forced on consumers in a way that most find detestable as illustrated by this being the largest number of complaints we receive on any subject. MC - Site Manager.

by Himagain on 4. November 2013 - 4:25  (111996)

I come from the "Old School" where we tried in marketing to create good relationships with prospective clients and the prevalence of the unethical assaults on our computers should be made illegal.

This comment of yours should be a sub-header all over your Site - as a warning to programmers!

YOUR QUOTE:
This is then forced on consumers in a way that most find detestable as illustrated by this being the largest number of complaints we receive on any subject. MC - Site Manager.
ENDQUOTE

Himagain

by Anupam on 27. July 2013 - 9:02  (109659)

The unnecessary posting of the license has been removed. It's long, and not suitable for posting here... and if anyone did want to see the license, they can do so by downloading PeaZip.

Yes, it's a personal choice whether or not a person likes the adware that are being bundled with the software or not. Some people are OK with it, some are not.

But, fact remains that this is adware. There is an option to decline the software recommendation shown by OpenCandy, but, if you decline that, OpenCandy files should not be stored on the system. But, OpenCandy files and registry entries do get on the system, and this can be considered to be a kind of spyware activity by some.

You wrote about purchasing the program shown by OpenCandy as a recommendation. You did not have to purchase it, unless you wanted to. That is just a recommendation, and the users are not bound to buy that software, to use PeaZip.

That is what adware is, it shows ads, and wants you to purchase the software it recommends, which is what you did, and this is how these adware succeed. You can already see the kind of crap programs they recommend. I think it was a mistake on your part to decide to buy the software that was recommended. It was a recommendation, and you could have declined it.

If you want to avoid OpenCandy, you can download the portable version of PeaZip, which should be free from OpenCandy.

http://peazip.sourceforge.net/peazip-portable.html

by zacharia on 28. March 2013 - 17:07  (106614)

awesome article. well written, great intent.

thank you.
