Arranging free trials for online services.

[Roedy Green]

I was disturbed when a grammar checking online service wanted my
credit card before they would even let me see the product. I
declined.

Then I started to wonder what such a service could to prevent people
from getting endless free trials. Software you install can hide
something in the registry, but what can online software do?

They have used a credit card number, which presumably they can check
for validity, and prevent reuse, then issue a login/password for the
trial period.

It would be nice if people had unique ids. Perhaps someday everyone
will get a code-signing cert to use as online ID.

You could track IP, but a student at a university plugging in anywhere
to a campus net would get a different IP and many students would get
the same IP.

You could run some JWS signed code to snoop on the CPU ID, but that
can be turned off and AMD chips don't have one.

Ideas?

 

[Roedy Green]

You could run some JWS signed code to snoop on the CPU ID, but that
can be turned off and AMD chips don't have one.

So long as you were prepared to force some traditional app code or a
JWS signed code to run before _every_ session you could handle it
there. However, that destroys the big advantage of using a browser
based app. No install, no security concerns.

 

[Arne Vajhøj]

I was disturbed when a grammar checking online service wanted my
credit card before they would even let me see the product. I
declined.

Then I started to wonder what such a service could to prevent people
from getting endless free trials. Software you install can hide
something in the registry, but what can online software do?

Very little.

You can tie the trial to an email address, but people can create
dozens of free email addresses, so ...

They have used a credit card number, which presumably they can check
for validity, and prevent reuse, then issue a login/password for the
trial period.

Credit card mean not really free.

It would be nice if people had unique ids. Perhaps someday everyone
will get a code-signing cert to use as online ID.

Some countries has it.

But it is not something a site can do anything about.

You could track IP, but a student at a university plugging in anywhere
to a campus net would get a different IP and many students would get
the same IP.

Absolutely hopeless.

You could run some JWS signed code to snoop on the CPU ID, but that
can be turned off and AMD chips don't have one.

And it also requires a lot of faith in the site to approve
that kind of privs.

Arne

 

[Lew]

Another possibility: make the cost to the user of applying for the free trial
higher than the benefit of using the service for <whatever> trial days.
Similarly, increase the cost to the user of each use of the free trial, which
alsoo adjusts the balance in your favour.

E.g. Make them solve some difficult capchas (or similar) before they can sign
up for the trial, then make them solve yet more captchas each time they log in
after the first time (or first very few times).

Or make them wait for an inconveniently long time between logging in and
actually using the service (except for the first time). Maybe have their
browser do some heavy number crunching for you while they're waiting.

Yeah, because annoying and inconveniencing your potential customers is the
surest way to convince them that you deserve their money.

I see why you're not employed in marketing.

 

[Roedy Green]

E.g. Make them solve some difficult capchas (or similar) before they can sign
up for the trial, then make them solve yet more captchas each time they log in
after the first time (or first very few times).

This is the problem. What is to stop them from presenting themselves
as a virgin over and over?

 

[Roedy Green]

I'm not enthused, to say the least, by your suggestion to fix certain
people's business model by an invasion of everyone's privacy -- not to
mention the inevitable statist structure which maintaining such a scheme
would require.

I had another idea I sent to Thawte, basically using code signing
certs as id. You don't put yourself at any financial risk and you
don't divulge anything of value.

The service they are trying to protect is in the order of $200 a
year, well worth some cheating. How can they offer a limited time free
trial without giving away the farm?

What is being used now is requiring a credit card number, something I
find unacceptable. I won't even do that when I buy something. It is
like handing over pile of blank cheques.

 

[Lew]

The service they are trying to protect is in the order of $200 a
year, well worth some cheating. How can they offer a limited time free

Wow. You have a very loose definition of "well worth some cheating". That's
less than 55₵/day.

trial without giving away the farm?

Where can you buy a farm for 55₵?

The answer is - just give it away. Require a valid customer ID for support.

What is being used now is requiring a credit card number, something I
find unacceptable. I won't even do that when I buy something. It is
like handing over pile of blank cheques.

Yeah, that's wrong. They should just give it away.

It's a great way to make money.

 

[Roedy Green]

Wow. You have a very loose definition of "well worth some cheating". That's=
=20
less than 55=E2=82=B5/day.

I think the hackers are motivated primarily by the challenge, and
perhaps the notoriety of playing Robin Hood, providing something
people want but perceive they cannot afford. $200 is sufficient
motivation, obviously not just for personal use though.

The Grammarly people are worried enough about it to demand a credit
card which they acknowledge scares off customers part way through the
free trial registration.

There should be out the box solutions to ordinary commerce problems
like this. I am endlessly astounded by how inept and fraud-friendly
commerce is, particularly the credit card. see
http://mindprod.com/jgloss/creditcard.html

 

[Daniele Futtorovic]

I had another idea I sent to Thawte, basically using code signing
certs as id. You don't put yourself at any financial risk and you
don't divulge anything of value.

Firstly, what these guys call "code signing certs" are really just certs
with digital signing usage.

Secondly, if someone like Thawte did it (i.e., a PKI vendor), I guess I
would have no problem with it. But this really doesn't work out.

You go to site XXX, and they say: "you can access resource YYY if you
show conclusive evidence that you have the private key to a
Thawte-signed certificate"? So what then -- must I go to Thawte and buy
a cetificate? Or will the one providing the restricted service be buying
the cert for me? In other words: who pays?

And then: how does Thawte determine your identity, and that, regardless
of who pays for it, they didn't already issue you a signing certificate?
It's merely shifting the problem. I guess if the provider of the
restricted service were okay with whatever Thawte's due diligence were
to be, I wouldn't care. But we both know that given the technology,
Thawte's due diligence isn't going to be worth much. Or it will cost
much. And then: who pays?

The follow-up suggestion at this point is usually that the bloody gov't,
the pox on all its houses, should issue these certs like it issues IDs,
and enforce it with its armed thugs. Which would create criminality and
generally mean a huge burden for everyone. Do you want the internet
experience to feel like a trip to the DMV? Cause I sure don't. And all
this to help people, viz. the providers of the restricted services,
whose service I probably don't even give a rat's arse about.

So it boils down to what I said: fixing certain people's business model
by imposing a burden on every one else.

And there's a much simpler solution that doesn't affect the lives of
anyone but those who have an interest in the matter: you want the
service, you pay for it. And if the service provider isn't able to
provide appetisers for their service, too bad, but it ain't got nothing
to do with me.

The service they are trying to protect is in the order of $200 a
year, well worth some cheating. How can they offer a limited time free
trial without giving away the farm?

What is being used now is requiring a credit card number, something I
find unacceptable. I won't even do that when I buy something. It is
like handing over pile of blank cheques.

Which sounds perfectly reasonable. And which, I reckon, is those guys'
problem.

And if you have a problem with it, you obviously have chosen that it's
not a problem that weighs higher than the problem you would have with
giving our your credit card info. So I'd say just live with your choice.

 

[Joshua Cranmer]

I was disturbed when a grammar checking online service wanted my
credit card before they would even let me see the product. I
declined.

Then I started to wonder what such a service could to prevent people
from getting endless free trials. Software you install can hide
something in the registry, but what can online software do?

Send an email and require the user to reply to it. Email is a pretty
good unique identifier (few people share email addresses nowadays), and
some analysis on the replied email message can catch some people who are
using multiple email addresses to try to subvert the free trial.
Alternatively, a Facebook account seems an increasingly acceptable
alternative nowadays...

It would be nice if people had unique ids. Perhaps someday everyone
will get a code-signing cert to use as online ID.

We call these online IDs "email addresses." Despite all the constant
crowing about the death of email, email addresses remain the single most
common identifier on the internet.

You could track IP, but a student at a university plugging in anywhere
to a campus net would get a different IP and many students would get
the same IP.

You could run some JWS signed code to snoop on the CPU ID, but that
can be turned off and AMD chips don't have one.

There are several pieces of data which tend to be consistent over short
periods of time that you can combine for fingerprinting:

List of installed fonts
Number of CPUs
IP address
Browser User-Agent
All other HTTP request headers
Computer's username
Computer's local hostname

Many of these you can get by snooping the request data; the rest can be
triggered by watchdog plugins (Java applets or Flash objects). If you
take all of this data and let 1 or 2 pieces change, then you should be
able to build a sufficiently good unique identifier. The purpose of
security isn't to make your system unbreakable; it's to make it more
annoying to break than the person next door.

 

[Lew]

The problem with that approach is services like Mailinator which make
it quick and easy (and free) to use throw-away e-mail addresses at the
drop of a hat.

The goal isn't to eliminate all cheating. If your product is so all-fired valuable
that someone so all-fired enthusiastic is going to the trouble to use throwaway
email addresses just to avoid 55 cents a day, and it's going to cost you 56 cents
a day in direct, indirect plus opportunity costs to chase such folks down, why
bother? Take the 0.3% hit in sales you weren't going to get from such cheap-ass
bastards anyway and let them be a free mouthpiece to their friends about how
good your stuff is. Amortize that 55 cents across the thousands of people who
love your product and are not sleazy little petty thieves.

You don't need 100%. You only need X% where X is manageable and leaves you
a profit in both cash and time, and is less than 100.

 

[Gene Wirchenko]

Another possibility: make the cost to the user of applying for the free trial
higher than the benefit of using the service for <whatever> trial days.
Similarly, increase the cost to the user of each use of the free trial, which
alsoo adjusts the balance in your favour.

E.g. Make them solve some difficult capchas (or similar) before they can sign
up for the trial, then make them solve yet more captchas each time they log in
after the first time (or first very few times).

Or make them wait for an inconveniently long time between logging in and
actually using the service (except for the first time). Maybe have their
browser do some heavy number crunching for you while they're waiting.

I try a different service and never look back.

Sincerely,

Gene Wirchenko