Updated Friday at 3:17 p.m. PDT with comments from Digsby.

When it comes to program installation, I'm a strong believer in caveat emptor. If a software publisher warns you during the installation process that it will install the Yahoo search bar or a Firefox extension along with its program, and makes it clear that you can opt out of it, then so be it. Nobody's holding a gun to your head, and it's important to read each of the installation screens no matter which program you're installing--at the very least to make sure that the program is not legitimately changing a directory or installing somewhere you don't want it to be.

The section of Digsby's EULA where they tell you they're going to use your idle CPU cycles. (Credit: Screenshot by Seth Rosenblatt/CNET)

However, what's made clear in this Lifehacker post, and I've verified, is that popular multi-protocol instant messaging client Digsby will grab your processor cycles when you're not looking and use them without giving you a say in the matter. Whether Digsby is using your CPU for cancer research, the hunt for Yoda, or to help marketing agencies crunch their numbers is irrelevant. By not giving you the opportunity to choose to do so, they are distributing malware. Before you think that's too harsh of a comparison, a botnet like the notorious Conficker does the same thing: it grabs your processor, and gives you no choice about it. Digsby is merely polite about it, giving notice in the EULA and waiting until your system is idle. Of course, nobody is forcing you to install the program, but they're not exactly making this information prominently available.

To be fair to Digsby, they called out this behavior in a blog post back in December 2008. However, it's not noted in the installation process itself, whereas the other opt-out choices have been made easy to see and decide upon. This is abusing a user's trust, because--like the mention in the EULA--the information is essentially buried and inaccessible unless you know to look for it. As the comments to the Digsby blog post indicate, Digsby has been receiving negative feedback about this since it announced the behavior. To take no steps to rectify the situation except to give users more choices on promoting Digsby is unethical.

In light of all this, and the Digsby team's reluctance to address what we consider a serious flaw in the program, the Download.com editorial team has decided to lower the ratings score for Digsby.

I've requested comment from Digsby about their policies, and will update this post when I have a response.

Users looking for alternative multi-protocol IM clients should look at Pidgin, Miranda, Trillian, or VoxOx.

UPDATE: Digsby representatives have commented on the situation, both in a new blog post and directly to me. I found this new blog post to be somewhat disingenuous. It starts off by saying, "Several months ago, we started testing two unique revenue models to help us keep Digsby free and ad-free for all our users," and then the next sentence points to the above-cited blog post from December 2008. That's eight months ago, not exactly the standard definition ascribed to "several." It's a minor point, but one I found emblematic of Digsby's reaction to the situation because, as you'll see, nothing's changed.

The post continues, explaining that its relatively new installer is no different from other software publishers that offer a free product but force users to opt out of installing a toolbar or search results hack. As noted above, I agree with that premise. Although it's unfortunate that you have to opt out to avoid these changes to your system, they are definitely presented clearly.

Digsby build 61 on the left, and build 62 on the right. As you can see, the only change is a link in the research option to an explanation of what it is and how to turn it off. (Credit: Screenshot by Seth Rosenblatt/CNET)

After that, there's an explanation of the "research module," named Plura, which is the bit that borrows your CPU cycles. "Some of the research Digsby conducts may be for nonprofit projects like the ones mentioned above (in the blog post) and some may be for paid projects, which will help us keep Digsby completely free," the blog states, which means that whatever the project is that you're being asked to donate your spare processor time to, you're not going to learn what it is and it's none of your business. At least with SETI, you know what it is you're donating your cycles to. With Digsby, it's a crap-shoot--and hardly a transparent process.

When asked for comment last night, Steve Shapiro of Digsby said, "It's clear from this that a lot of users still weren't aware of it since they don't read the terms of service or track the blog closely," and I think that's a point we can all agree on. He also said: "(W)e will be making a change in the product to make sure that every user we have now and every user who signs up from this point forward is clearly informed of what we do to keep Digsby free and shown how to enable/disable the functionality."

Further e-mails with Digsby's Director of Public Relations Erick Davidson revealed what those changes were: "When it runs for the first time, there will be a pop-up that will stay until the user reads more about it." Despite having left my computer idle for 30 minutes after doing a clean install of Digsby build 62, when the Plura system theoretically would be running, I saw no pop-up warning when I returned to it.

Rushed out overnight, build 62 of Digsby does not include any changes to the installation process. When asked, Davidson stated that this was because the installer is provided by another company, and added in a follow-up e-mail that there is no timeline at the moment for introducing a toggle to Plura into the installer.

Users who want to keep Digsby but don't want the Plura system to run can disable it by going to the menu bar Help option, clicking on Support Digsby, and choosing Disable for Help Digsby Conduct Research.

As I've said, the issue for me isn't that Digsby is running Plura, it's that it's doing it without giving users the ability to opt out before installation. Given that Digsby's competitors are able to offer similar and, in some cases, identical features, and that they're able to do it without burying a bad-faith feature in the EULA or behind a semi-functional pop-up, I'm going to stand by my assessment from yesterday: For now, don't use Digsby.