Google Sues Click Inflators

Rollie Hawk writes "As is the case with any pay-per-click (PPC) advertising service, Google AdSense is vulnerable to click inflation, where the per-click values of ads go down thanks to excessive clicking. What is different this time is that it is not greedy webmasters clicking ads on their own site but rather the advertisers themselves. In a lawsuit filed last year, Google alleges that Auctions Expert used hired hands and automation to generate high numbers of ad clicks that resulted in $50,000 in revenues. This was done with two goals in mind: forcing wasted advertising expenses on competitors and inflating their own click values, lowering advertising costs. Industry insiders claim that Google AdSense and other PPC advertising providers are undermanned and therefore don't catch many of the estimated 20% fraudulent clicks. It certainly seems that some heuristic software could help reign-in some of these activities, yet Google seems to do a large amount of this work by hand. Often criticized for its policies of non-disclosure for many of its online services, Google claims the secrecy is justified in the case of not giving advertisers details on fraudulent clicking. They say the last thing they want to do is provide a 'road map' to would-be frauders."

Tracking purchases?

[Eunuch]

How hard is it to track purchases that are due to a particular click? That would solve the problem in a hurry. Wouldn't work for more "image" type advertising, but it would be an interesting challenge for a purchasing framework.

Re:Tracking purchases?

[wpmegee]

Not very, I would imagine. You could just have a cookie, and write down every single click you make for each visitor. Or without cookies, you could force your users to logon to the site and store it server-side.

Re:Tracking purchases?

[Mistlefoot]

That I don't purchase something means little.

I can not EVER remember purchasing ANYTHING the first time I have visited a site. It almost always requires a 2nd or 3rd visit. The internet allow me to search for better prices or better products. That does not mean that I have never purchased something from a website that I found through an ad online....to the contrary. I have purchased much this way.

It would not be fair to google for an advertiser to not be paid for getting me to a website via a google ad from work that led to me purchasing that item when I got home. I suspect that the majority of legitamite click throughs do not result in a purchase with the initial visit. Google (or any other ad provider) has done it's job properly though and should be rewarded.

Re:Tracking purchases?

[Anonymous+Luddite]

>> How hard is it to track purchases that are due to a particular click?

Let's put the shoe on the other foot. How hard is it to track an someone who generates nothing but worthless, non-buying clicks?

>>FTA: allegedly recruited as many as 50 people to click on online advertising, generating about $50,000 in ad revenue.

That's a lot of empty clicks. Kind of like going to the local Kwikkee mart for 6 hours a day every day for a month and never buying anything... small wonder they got noticed.

Re:Tracking purchases?

[pablomarx]

I used to work for MatchLogic, which was an non-evil DoubleClick. Regarding tracking of purchases, it's easily done. When you receive an ad, you get a bonus cookie with it. Then on the destination site (Dell, etc) there would be "web pings" (1x1 gifs) on various pages. This way we could track how far into the site you got, if you ended up making a purchase, etc. Not every advertiser did this with us, but those that did were always impressed. But it doesn't really help in terms of weeding out spiders/automated clicks/etc. I was actually involved heavily in that, and while lots of code was written to automate it, and logs were sent to an outside auditing firm, I'd still often take an hours worth of logs once a week and look it over manually (Which was still an impressive amount of data, about 12,500,000 log entries in an hours worth of logs).

Re:Tracking purchases?

[ewg]

Also, many people research products on the web site and then pick up the phone to place the order. The web site supported the sale, but that fact can't be tracked to any individual web session.

Re:Tracking purchases?

[atomic_toaster]

The thing is, they're not charging for how effective the ad is. They're charging for how effective its placement is, like how Superbowl ads cost a frigging fortune in comparison to something that runs on the local cable channel. It's very much as if Google was a huge shopping mall, and the advertisements are the signs and the ads in the windows of the stores. When you pay rent to the landlord to have your store in a mall, you pay more for the same square footage dependant on the location of the mall, the store's location in the mall, the popularity of the mall, etc. -- basically all of the things that the mall itself can provide that makes it more likely that people will come into your store. But it's not the landlord's responsibility to get the people actually into your store (that's your ads, signage, and window displays), or to buy anything in your store (that's based on your products and prices). PPC is just a way of tracking if the "mall" is actually drawing people to your "store". This makes Google tracking the click-to-purchase ratio pretty useless. Now, if the site itself is tracking the traffic-to-purchase ratio, that's a different matter entirely.

Re:Tracking purchases?

When you receive an ad, you get a bonus cookie with it. Then on the destination site (Dell, etc) there would be "web pings" (1x1 gifs) on various pages. This way we could track how far into the site you got, if you ended up making a purchase, etc.

I've worked for an online ad company and this is exactly how we did it too. Most of our clients used it to some extent, with a lot of them only paying the publisher (site that runs the ads) if a user bought something in response to the ad. As it's a cookie, you can tell when a user just sees an ad (doesn't click) but still goes to the advertiser site on their own accord and buys something later. Our reporting tool made pretty tables with columns like 'Buys per Thousand Impressions' and 'Buys per Thousand Clicks'. In the industry, it's called tracking.

Re:Tracking purchases?

[harvardian]

This is already standard practice for both Google and Overture. It's called "conversion tracking", since in industry parlance a "conversion" is a sale/subscription/any other concrete action taken as a result of an ad impression. Currently both services' "pay for performance" model prices based on click count, not conversion count (AFAIK), however.

Here's a little bit more info on Google/Overture conversion tracking: link.

Re:Tracking purchases?

[Evro]

Most retailers can track you across visits. Tracking your click-through history (which Google ads you've clicked on before making a purchase) is incredibly valuable information to the retailer. Just because you didn't buy something today doesn't mean your click wasn't tracked and can't be linked back to that click.

Re:Tracking purchases?

[ohzero]

The OSCommerce guys are/were working on something like this if I recall correctly...

Re:Tracking purchases?

[The-Bus]

I just mention this because I saw it on their site today... But Busted Tees pays you $4 to refer someone if they end up buying a shirt. Don't know how they do it (cookies?), but that's what they do.

Also, if you search for "Mortgage" on Google and click on the ads, someone paid $18 for you to do that. I'm sure other searches for high margin products (anything asbestos lawsuit related, maybe) is also high in price.

Next time you feel like spending money, click on 5 of those ads. $90 down the drain!

Re:Tracking purchases?

[rainman_bc]

But still, through some work they can tell when you've visited the site from google at all, and when you've made your purchase.

If ever there's an http_referrer of google it'd be up to the web site to track that and link it to a purchase.

Webmasters know where the referrers come from. Whether they chose to disclose it to Google OTOH is a much different story. I'd bet most web stores track from the referrer to the purchase, they just won't disclose that to anyone.

Re:Tracking purchases?

[mpcooke3]

This doesn't really matter. For ad networks using CPA (cost-per-acquisition) rather than CPC the tracking is done using cookies which will record a sign up or purchase even on repeat visits.

Although CPA based advertising is a lot less prone to fraud there are issues of which the biggest is in deploying pixels to do tracking on all sign up/purchase pages there are also more fixable issues with double counting (crediting to more than one ad network). CPA may be vulnerable to publisher fraud of course though this is usually less of an issue as you have a contractual relationship with them.

CPC click fraud was a problem long before google starting selling space on a CPC basis. I believe commission junction used to have a whole fraud detection team (they may still do).

Re:Tracking purchases?

[rainman_bc]

Really, touch shit for Google IMO. That's the nature of the beast. How can you, in any clear, decisive fashion, determine that the click-through ratio is too high, and need to suspend the account?

I mean, I had google ads on my wedding web site, and google determined all the /. visitors clicking ads was too high, and deactivated my account. The bastards.

Granted no one bought anything, but still... Bastards... Well I took them for a couple checks at least.

Re:Tracking purchases?

and its practically impossible to change a referrrer as well...

Re:Tracking purchases?

[_Sharp'r_]

The problem doesn't go away by switching to CPA, it just moves to the other side where merchants don't accurately track purchases and coincidently reduce the amount of commission they pay.

That's a lot easier to police if you are an affiliate and know where your users should be going, but much harder to manage in the kind of environment where the publisher's don't pick the advertisers and there are thousands of them showing on a single site.

There are many merchants who don't have the technical competence to make sure CPA is being tracked properly, let alone the ethics.

The other flipside is that moving from CPC to CPA, you have to worry about how well the merchant designed their site to convert incoming leads, where before you worried about how properly relevent the people making the clicks on the publisher's page are.

So yeah, you can change the problem by moving from CPC to CPA, but it just creates a different set of problems to deal with. The reality is that the advertisers have to discount a certain percentage of clicks (probably 1% in most non-volitile, low EPC industries) and the ad brokers like Google have to stay after finding invalid clicks.

Re:Tracking purchases?

[tompaulco]

I imagine they use some statistics to find out that on average the clickthrough to purchase ratio is X percent, but perhaps on your website it was more like X*LargeNumber percent.
The fact that you took them for a couple of checks means that you got some seriously large number of clicks on google ads. I get about 8,000 hits on my server per day, and only about 7 or 8 clicks on google ads per day, resulting in maybe $15 a month. They won't even issue checks unless you have $100, if I remember right.
If you got that many clicks and no one bought anything, that would be cause for some alarm, to be sure. How do you know no one purchased anything. My google reports don't tell me anything about people buying things, just that someone clicked, and what the pay rate of that click is.
Perhaps Google suspected you of telling slashdotters to come to your site and click on Google ads (not saying you did). Such a thing would be in violation of their contract.

Re:Tracking purchases?

Most retailers can track you across visits.

Not when I click the ad while at work and then later place my order from my home PC.

Re:Tracking purchases?

[T-Ranger]

Well, the service that Google offers is Pay-per-click not pay-per-lead or pay-per-sale. And services that sell ads per-view. But what Google does is pay-per-click.

The other style services all work, and have worked for a long time. Even the pay-per-sale systems are suceptable to fraud, CC charge backs and all. But they are different systems with different problems and benifits. If Google started doing pay-per-sale, then it would be an additional service, not a replacement service.

Re:Tracking purchases?

[rainman_bc]

Yeah, but I didn't violate it. My banner read "help me pay for my wedding by clicking here"

There was a paypal donate page, although the google-ads were kinda there too.

Really, I never violated the terms of use. They were just being bastards.

Oh, and I got over $600 in six months... Thanks /. ...

Re:Tracking purchases?

It's funny how people who complain about being kicked out of Adsense almost always reveal that they actually did break the contract (Yes, you did). Google couldn't stage this any better if they wanted to instill fear in new participants.

Another proof...

[Spy+der+Mann]

that pay-per-click is practically WORTHLESS.

Why don't the advertisers think of soething more effective... like pay-per-mail or something?

Re:Another proof...

[Reignking]

Pay-per-click is worthless? I guess that's why Google is about to go bankrupt...

Re:Another proof...

[stoanhart]

Well, the amount of mails received would be less than clicks, so to make it worth while, the price paid per mail would have to be substantially higher than price per click. That means crooked customers could mass mail, and make scam revenues way faster than with clicking, since they would have to repeat the act fewer times.

Re:Another proof...

[horahora.geo]

Not that I'm an advocate or anything, but try http://myinfopage.com. Pay per direct connection to a customer? Wow, what a concept.

Re:Another proof...

[ad0gg]

When fraud moves overseas or using zombie boxes and advertisers get pissed and start suing google more often. Google is going to be in world of hurt. Pay per click was destined to get frauded just like pay to surf was. Google and overture need to switch to a flat rate fee. A per sale fee solution won't work either because that will get frauded as well by the advertisers by under reporting sales.

Re:Another proof...

[JacquesItch]

Worthless? Not in our case. Our company just closed a $200,000+ contract after just 4 months of Google advertising.

Re:Another proof...

[Oktober+Sunset]

well, it would be if there weren't so many n00bs in the world. But there are enough n00bs for everyone, so round up those n00bs and lets take 'em to market!

Re:Another proof...

[leonmergen]

Just out of interrest, any idea how much many was spent in total ?

Re:Another proof...

[Spy+der+Mann]

Our company just closed a $200,000+ contract after just 4 months of Google advertising.

Yes, but you might as well have paid Google just the first time this customer contacted you. That's my point. Just clicking on a site doesn't guarantee a sale, that's what I'm talking aobut.

Re:Another proof...

[JacquesItch]

About $14,000 spent on ads.

Microsoft claims new reason for avoiding OSS

They say the last thing they want to do is provide a "road map" to would-be hackers.

-Rick

Re:Microsoft claims new reason for avoiding OSS

-1 Offtopic?!?! It's called Irony!

-Rick

Re:Microsoft claims new reason for avoiding OSS

You? You're called Douchebag!

Re:Microsoft claims new reason for avoiding OSS

hahahahahahhahaahhaahaQ!!! awesome

-Not rick

Re:Microsoft claims new reason for avoiding OSS

Douche bag? for what? Making fun of Microsoft, Google and the Tin foil hat wearing forum winnies of /.?

-Rick

Re:Microsoft claims new reason for avoiding OSS

Hmm. Making fun of the slashdot weiners is always acceptable in my book. It wasn't you I was laughing at, but rather the succinctness of the hilarious douchebag post. No hard feelings, Rick.

-not rick

Security through obscurity?

[TripMaster+Monkey]

From the article:

Stricchiola harshly criticizes Google, saying the firm typically will not divulge much information to advertisers about the nature or scope of click fraud on their Web sites. Google defends the practice, saying it does not want to provide a road map for those with bad intentions.

<sarcasm>
Security through obscurity...always a sound threat-management strategy.
</sarcasm>

Seriously, what exactly does Google hope to accomplish by trying to keep a lid on this? News flash, Google: the 'road map' is already out there, and being used to the tune of approximately 20% of all clicks on ads (stat from TFA). The secret is out...no one can gain by covering up the problem...no one, that is, but the people perpetrating the click fraud.

Google better do an about-face on this issue, and fast, before it winds up biting them on the ass even more than it has already.

Re:Security through obscurity?

[HitByASquirrel]

Anybody else notice the rapid crapification of Google since the IPO? There's a difference between "crapification" and "legitimization."

Google needs to protect themselves and their legitimate clients. Why would a company allow practices that were essentially stealing money from them, and for that matter, why would someone invest in a company that allowed people to do such things?

Re:Security through obscurity?

Google needs to protect themselves and their legitimate clients.

Then why didn't we see crap like this before the IPO?

The answer: big money comes in, everything falls apart.

Re:Security through obscurity?

[vvaduva]

Maybe the problem is not as much that they don't want to share, but maybe they don't really know. How would Google know the exact number of fraudulent clicks taking place? They really don't have a clue...the system is built on a shaky foundation...pay-per-click IS worthless...

Re:Security through obscurity?

You know, "No security through obscurity!" is an aphorism, not a law of thermodynamics. It's not like disclosing their practices is going to accomplish anything (no, they're not waiting for your 1337ness to ride in and save them) and the fact that there's an existing problem isn't proof that things can't get any worse.

Sorry, "No security through obscurity!" is just something Slashbots repeat to sound smart...

Re:Security through obscurity?

[HitByASquirrel]

Then why didn't we see crap like this before the IPO?
The answer: big money comes in, everything falls apart.

That's a little short-sighted.

A) Maybe Google wasn't as a prominent presence on the web before
B) Maybe Google didn't have the money for people to steal that it does now.
C) Maybe people now feel that they can take advantage of a company if said company suddenly become "big money"

Some times people need to get off of their "all big companies must be horrible because they have the power to be" trip and think about what they would do in that situation.

Re:Security through obscurity?

[Florian+Weimer]

The secret is out...no one can gain by covering up the problem...no one, that is, but the people perpetrating the click fraud.

Not true. If you've got a solution for click fraud, you should keep it to yourself because it enables you to give better service to your customers, especially better than the competition who doesn't know of your discovery.

Have a look at spam filter heuristics for some inspiration. The most effective ones are not widely published, and thus not widely used. I don't think this is a coincidence.

Security through obscurity doesn't work in cryptography. A competitive edge through trade secrets is not completely unheard of. In the end economics win, and not cryptography.

Re:Security through obscurity?

Nowhere does it state that google are allowing this to happen. Infact its strictly prohibited in the EULA. and this article is all about them fighting it.

so Im not sure where you are getting this "company that allowed people to do such things"

Re:Security through obscurity?

News flash, Google: the 'road map' is already out there, and being used to the tune of approximately 20% of all clicks on ads (stat from TFA).

Very true, I just googled a few methods...

Re:Security through obscurity?

[ajs]

"Sorry, "No security through obscurity!" is just something Slashbots repeat to sound smart..."

What's more, it's often dead wrong.

"Security through obscurity is no security at all" is often the mantra, and yet when pressed, you have to admit that having a password; having some systems be honeypots that feed DNSBLs; and many other valid security approaches are STO *and* are valid additions to your security framework.

The key to good security is layering. Put out your STO layer, and then add in your logical security layer, followed by your physical security layer, followed by your auditing layer. This is how you build good security.

At every point in your security model, you should have a sense that there's some ablative layer that can be compromised without a full failure of security. What's more, you should be auditing that intrusion to discover the failure, and ideally reacting to that information (e.g. by modifying firewall rules to stop the intruder).

Getting back to our friends... Google is showing you the first layer of their security approach: don't tell them what our security model is. Now, if that's their whole model, then they're screwed, but it seems reasonable to assume that it's not (else, why bother not telling you?)

Re:Security through obscurity?

[HitByASquirrel]

Exactly, Google is fighting those who take advantage of the pay-per-click ad services. Therefore they are not a company that is "allowing people to do such things."

My question was a rhetorical one.

Re:Security through obscurity?

[mr.newt]

Nice troll. Since it's currently modded Insightful, I'll respond. Obviously, "No security through obscurity" is not simply an aphorism bandied around by slashbots. Instead, it is a concise way of saying that simply covering up your security flaws, rather than fixing them, is not a valid method of security. Anyone who has spent time working computer security knows that if you just hope no one will find out about your security vulnerabilities, and you brush them under the rug, they will come back to bite you on the ass.

In this case, though, the grandparent poster was not saying that Google should disclose the stats about the nature and extent of click fraud for the purpose of the community solving the problem for them, as you imply. Instead, these stats should be released for the sake of honest evaluation by companies who wish to use the service. Google makes the claim that they cannot divulge this information for security reasons, and the grandparent poster makes the case that this is BS, since the fraudsters are already well aware of how to take advantage of Google's program.

How was that for a long winded post? :)

Re:Security through obscurity?

[mr.newt]

I think you have totally misunderstood the concept of security through obscurity. It's a matter of degree. If you were being very literal, *all* security is security through obscurity. After all, encryption only works because the encryption key is obscure (in that case, only two people should know it). However, that term applies not to security in general, but security that is had by simply failing to disclose vulnerabilities that are easily discoverable anyway. Generally what is known as security through obscurity is only effective in keeping out very casual users of the system in question, and is not a valid reason for failing to disclose something relevant such as (in this case) type and extent of click fraud to paying advertisers.

Re:Security through obscurity?

[tshak]

Security through obscurity is a valid means of security. Security is a matter of depth, meaning that you rely on multiple layers of security within your system. Obscurity is one of those layers. The "security through obscurity" cliche that you often see here on /. is in regard to security solutions that rely almost soley on obscurity.

Re:Security through obscurity?

[martian265]

Seriously, what exactly does Google hope to accomplish by trying to keep a lid on this?

Are you asking what Google hopes to gain by NOT telling everyone how they detect the fraud? Are you serious? This is the exact same thing as a bank telling all of it's customers exactly how they detect fraud. Banks, governments etc never tell people "exactly" how they detect fraud and many other types of crimes. This would be telling the potential thieves, fraudists etc exactly how they can fool the institution. It would be like a rich person telling everyone how their alarm system works and all it's shortcomings, how to circumvent it etc. I have no clue where you got the idea that it's better for Google or really for anyone, if they were to tell us exactly how to they try to prevent this.

News flash, Google: the 'road map' is already out there, and being used to the tune of approximately 20% of all clicks on ads (stat from TFA).

Common sense says that your statement is not correct. If the 'road map' was out there, how would Google ever even know they were being frauded? They wouldn't because it would be "defeating" their tracking or surveillance strategy.

The secret is out...no one can gain by covering up the problem...no one, that is, but the people perpetrating the click fraud.

I don't think you quite understand what is going on here. They aren't keeping the lid on the fact that fraud is taking place (if they were, you wouldn't be reading TFA about it, duh). What they are being tight-lipped about is how they detect the fraud. And regardless of how much they are gaining by their strategy, they would be a complete loss if they told people how they detected (for instance, it might tell a company exactly what steps would fool their software/logs).

Google better do an about-face on this issue, and fast, before it winds up biting them on the ass even more than it has already.

Are you an out of work actor from a really bad sci-fi tv series or something? "do an about face" "news flash" "the secret is out", all sound like a bad plotline from some UPN show. Or perhaps do you have "sometime" employment with a company that is being sued by Google?

btw, I don't work for Google or any company that is associated, affiliated or even advertises with them. I just think this has to be one of the most pathetic posts that has been modded up in a while.

Re:Security through obscurity?

Just because you disagree with something doesn't mean they are trolling.

In this case, the parent is correct and you are wrong.

When you state "Obviously, "No security through obscurity" is not simply an aphorism bandied around by slashbots. Instead, it is a concise way of saying that simply covering up your security flaws, rather than fixing them, is not a valid method of security." you show that you write perfectly fine, but you don't read or think all that well.

It isn't obvious, and the 2 phrases don't even come close to meaning the same thing.

"Rarely decent, long-term security through obscurity only" is less catchy, but much much more correct.

Oh yes, just because 'fraudsters are already well aware of how to take advantage of Google's program' doesn't mean they have optimised it. Duh, the parent covered this.

Re:Security through obscurity?

This is ignorance at its finest. You have absolutely no idea what you are talking about. First, if pay-per-click were truly worthless as you say, nobody would be paying for it. As an advertiser, it is very easy to determine the value of the traffic you receive, and you can adjust your spend accordingly. The people you see advertising through this medium do so because they are making enough in sales to justify their advertising budgets. PPC advertisers are very sensitive to their ROI, and are quick to adjust how they spend their money. This is worlds different than more traditional advertising, which provides no direct link between leads and sales.

Secondly, while there is no exact determination of what is considered "fraudulent," there are many heuristics Google can use to determine what is a real person who is interested in the link he/she is following vs. what is someone/something clicking maliciously. There are two methods of determining quality of traffic - at the time the click is received, and in retrospective analysis. At the time of click, their system probably attempts to look at the source of the request, and also most likely does some aggregation analysis, and then decides whether or not to charge the advertiser. Retrospective analysis attempts to look at trends in data that has been collected, which will then be used to determine if sources of traffic are of sufficient quality.

It would be utterly stupid of Google to divulge their fraud determination practices. Right now, you see a blob of clicks and a blob of fraud. You don't know individually what gets charged and what does not. This is not security through obscurity, rather a protection of trade secrets. Additionally, the methods are obviously not perfect. Some fraud will be marked as quality. By the same token, some quality clicks will be marked as fraud. Google's goal isn't to sniff out each and every fraudulent click. Rather, it is to boost the value advertisers receive on their overall traffic to keep bid prices high. The market forces take care of the rest.

Re:Security through obscurity?

[mr.newt]

Just because you disagree with something doesn't mean they are trolling.

How right you are. They were trolling because their comment had nothing to do with the content of the post they replied to.

It isn't obvious, and the 2 phrases don't even come close to meaning the same thing.

It's quite obvious to me, and I assume, to other rational human beings. The two phrases actually mean the exact same thing. FYI: a wikipedia article on the topic.

*snip*doesn't mean they have optimised it.

20% fraudulent clicks sounds pretty damned optimized to me.

Re:Security through obscurity?

"Security through obscurity is no security at all" is often the mantra, and yet when pressed, you have to admit that having a password; having some systems be honeypots that feed DNSBLs; and many other valid security approaches are STO *and* are valid additions to your security framework.

Y.

Re:Security through obscurity?

"Security through obscurity is no security at all" is often the mantra, and yet when pressed, you have to admit that having a password; having some systems be honeypots that feed DNSBLs; and many other valid security approaches are STO *and* are valid additions to your security framework.

You are the biggest tard in the world. Obscurity refers to the hiding of the strategy so that it can't be peer reviewed and does not refer to relying on secret data as part of a bigger and more open strategy.

Google are obscuring their strategy -- most probably because, if the world saw it, their business model would be threatened.

Re:Security through obscurity?

[CreamyCoffee]

I just thought your comment here was very wise. : )

Re:Security through obscurity?

You seem to have confused the concept of a 'secret' (e.g. a password) with 'obscurity' (e.g. a 'hidden' web page that 'cannot' be found because you have not given out the URL... at least, you don't think you have).

In some sense, any secret must also be somewhat 'obscure' (otherwise it could hardly be secret!), but that's not quite what's meant by "security through obscurity." The implication of "security through obscurity" is that the system is NOT secure, and the obscurity exists merely to hide that fact.

In this case, it may well be that Google realizes the system is insecure (and they would appear to be all but admitting that), and thus relys on the obscurity to prevent the exploits from becoming even more widespread. Indeed, it is hard to imagine any way to reliably detect the fraudulent clicks when, as they say, they're being generated by humans with computers being paid slave wages in some poor country. In that regard, keeping their detection methods secret does provide some value in preventing evasion, though it is decidedly not secure by any means--if it were, there would be no way to evade it, and no harm in disclosing it.

Re:Security through obscurity?

[ajs]

*all* security is security through obscurity

Eh? No.

An armed guard is not STO. A filtering firewall is not STO. Auditing is not STO. Security cameras are not STO. Re-writing multiple times and then degausing hard-drives is not STO.

STO is a very limited sub-set of security in which you keep a secret which, if known, defeats the security in question. Passwords, unpublished datacenter locations, public and private-key encryption, putting services on an unusual port, and using an OS that people don't use at home are all examples of security through obscurity. Some of them are very effective (encryption), some are only a partial solution (passwords) and some are effectively ignorable (unusual ports).

The problem is that people treat STO the same way they treat the word "script". It only refers to those thigns that I consider beneath my notice. Everything else is just "security" or a "program".

Re:Security through obscurity?

[ajs]

"In some sense, any secret must also be somewhat 'obscure' (otherwise it could hardly be secret!), but that's not quite what's meant by "security through obscurity." The implication of "security through obscurity" is that the system is NOT secure, and the obscurity exists merely to hide that fact."

You're making my point here. Read what you wrote, "that's not quite what is meant [...] the implication..." The definition of STO as I've always encountered it is simple: there is a secret. If the secret is revealed, your security is moot.

That's it. There's no "implication" or "not quite" or any such thing. It's a simple, concrete definition, but peoople seem to always want to bend the term so that it only means "the bad kind of security," which it does not.

Now, some such mechanisms are multi-layered, and some are not. For example, the password you use is a bit of obscurity. If I can social-engineer that password, I'm in. However, your system uses passwords in a generally secure way, and that extra layer makes me work harder (having to social engineer vs. just using some pre-fab intrusion tool). This is a good thing.

An example of a non-multi-layered STO would be using unusual port numbers. But even there you can add in a layer. Let's say you have some intrusion detection (snort-based, for example) and you automatically inject firewall rules to drop packets from hosts that port-scan. Now you have a bit of obscurity that is defended by a second layer. Of course, I can port-scan different ranges from different hosts until I find the correct one, but you've made me work for that small advantage, and I still need to get past the security in your application (which you again layer on more security for by frequently applying security updates, etc.)

Re:Security through obscurity?

[peachpuff]

There's a difference between secrecy and obscurity: the launch codes for nuclear missiles are secret; garage bands are merely obscure. Secret passwords are useful, but if your password is the name of your garage band . . .

Re:Security through obscurity?

[nothings]

In fact, the slogan "no security through obscurity" isn't even a good aphorism. "Obscurity" in this sort of context is another word for "secrecy", and guess what, secrecy is the fundamental building block of security.

This is pretty clear if you use the classic example, encryption.

Good: a well-tested published algorithm with a lot of bits in the secret key
Bad: a secret, private algorithm with however many bits in the key

But why is the one good and the other bad? The classic answer is "because the well-tested published algorithm is really secure, and the other one isn't". But that's not a good explanation; it's trivial to roll a no-less-secure (and possibly more secure) secret algorithm: just use a good published encryption algorithm, plus re-encrypt the results using whatever random crappy algorithm you've invented. (Or maybe in the other order is better.) This is no less secure for the obvious reason, and if you manage to keep your random crappy algorithm secret, most people are going to have more trouble breaking it. Maybe the NSA can still break it, but they'll have to work harder.

Here's the reality of the situation: bits are hard to keep secret. The fewer bits you have to keep secret, the better off you are. If you have some special custom crappy encryption algorithm, you have to express that in code and hand it off to the other people who need to encode and decode. That code is now bits you have to keep secret. So in addition to your, say, 256 key bits, you now have a, say, 16KB executable you're keeping secret. That means you need to keep 128,000 bits secret!

Even if you're using a custom crappy encryption that's not built on top of a published, secure one, and you're not an idiot, you probably will give your average DeCSS-level hacker a difficult time--if you can keep all the bits secret. But here's the point: maybe you'd be better off just using a 128,000 bit key with one of those well-published algorithms! (I realize this doesn't necessarily literally work, although you can do triple-DES-like stuff, though it might be too slow, but let's ignore performance since that's always going to change.)

What really matters is the ratio of quality-of-security to the amount of data you have to keep secret; the security-quality-per-bit (SQ/b). In the case of encryption, you are probably best off putting those bits into your secret key for a published algorithm, not into a secret algorithm. In the case of Google, nobody current knows of a magical "good solution to fraud prevention" for them to use, and their best solution is to keep their fraud detection measure secret. Yes, if those measures leaked (say, somebody at google ran off with them, or got socially engineered), they won't work very well, but there is NOTHING to be gained by leaking them, despite whatever bizarro world grandparent and the people who modded him "insightful" are living in. ("No one can gain by covering up the problem...no one, that is, but the people perpetrating the click fraud." wha? huh? Like parent says, publishing their fraud detection methods and the extent of the fraud isn't going to prevent "gain" on the part of the frauders, and certainly will increase the likelihood of current non-frauders being able to fraud.)

Re:Security through obscurity?

Security through obscurity means that you rely on people not knowing how something works. Real security is achieved only when people who know exactly how it works are not a threat. A password or a private key is a secret parameter of the system, not a component of the system. The system would not need to be changed at all to work with a different key. It's called "security through obscurity" for a reason. Otherwise we would call it "security through secrets".

Re:Security through obscurity?

There's a systematic difference. If data, which can be replaced easily, is required to be secret for the system to be secure, then that's referred to as "security through obscurity". You could call that "security through secrets". STO is a technical term describing security which is achieved by keeping the process/algorithm secret, not just data.

Re:Security through obscurity?

One day I'm actually going to read the preview page. Forgot a not:

If data, which can be replaced easily, is required to be secret for the system to be secure, then that's NOT referred to as "security through obscurity".

Re:Security through obscurity?

I think the idea here is that obscuring your security method is a hassle, but will not stop exploitation of security flaws. It's a stop-gap measure, and in the long run you have not protected your data. That's not to say that it's not useful. Hell, there are plenty of encryptions that can be broken given a certain amount of time. They can still be useful, just as long as you think that it will prevent would-be eavesdroppers from reading the data while it's still useful. So, yes you can point out that security through obscurity is a very useful process, but that doesn't mean that it makes your data secure.

Re:Security through obscurity?

[ajs]

There's a systematic difference. If data, which can be replaced easily, is required to be secret for the system to be secure, then that's [not] referred to as "security through obscurity"

A classic STO example which many people use these days: port randomization.

There's data: port number

There's process/algorithm: port randomization.

The only reason that we refer to this as STO and passwords as "security" is the fact that the process in question is very thin and easily defeated (port scanning), but as I've pointed out elsewhere, you can layer this STO approach with active filtering to gain new levels of security (by detecting port scans and blocking the scanning host(s)), which of course has countermeasures, which have countermeasures, etc. (insert kaizen sidebar here).

Re:Security through obscurity?

When the secret is so small and irrelevant by design, the weakness is considered to be part of the protocol. There is no secret worth noting, so to say.

Re:Security through obscurity?

[mr.newt]

I'm sorry if my post wasn't clear, you are making the same point I was. The post I was replying to was trying to make the case that you are arguing against, and I was arguing against him. (He specifically said that passwords were security through obscurity!) My point was that if you were going to use the term so freely as to include passwords, you were including pretty much every security measure out there, and that that's simply not what the term "security through obscurity" means.

Re:Security through obscurity?

[mr.newt]

An armed guard is not STO

We're talking about computer security. My god, let's try to keep it in context, ok?

*snip*

Um...are you arguing against my point or yours? You said that passwords were security through obscurity, and my point was that if that is security through obscurity, than every security measure out there is STO. This is obviously nonsense, which was my point...but you seem to be agreeing.

Security through obscurity?

The guys from Google used to be my heroes.

Anybody else notice the rapid crapification of Google since the IPO?

Time for a new crop of rebellious start-ups, I think.

Don't sue em!

[Marthisdil]

Find out their email addresses and send them out to all the spammers. :)

Re:Don't sue em!

[puiahappy]

very nice but i think it may help them free info about all concurent products hmm... better sue them !

Pay to Surf Fraud

[disc-chord]

During the early days of the "Pay 2 Surf" fad, some friends of mine in college devised some of the original scams (including bots that have led Yahoo and others to include image verification to determine if a real person is making an account). They were monumentally succesful, one claimed he paid for nearly a whole year's worth of tuition from scamming these guys.

None of them ever had the slightest bit of legal woes as a result of it, and none of them even got complaints from the companies. As far as the companies organizing Pay 2 Surf programs were concerned the more the merrier as it meant more ad revenue for them.

I wonder why Google has decided, against their own interests, to go after fraudsters like this.

Re:Pay to Surf Fraud

[millwall]

I wonder why Google has decided, against their own interests, to go after fraudsters like this.

I think it's a long term strategy from Google. If they would embrace the revenue generated by the scammers, the real and legitimate advertisers would get less out of their ads, and in the end stop using Google for marketing.

Re:Pay to Surf Fraud

[PunkXRock]

I can't imagine you're really that thick. "Against their own interests"? Maybe in the short-term, yeah. But if 20% of clicks are fraudulent right now, and they sit on their hands, that number will certainly go up. This might hurt profits in the short-term, but a long-term improvement to AdSense helps Google by encouraging more and more advertisers to use the program.

Re:Pay to Surf Fraud

[iammaxus]

It's simple. Though what they sell directly to their customers is clicks, what their customers want to be paying for is people visiting their website and actually browsing/buying/registering/whatever. If Google clicks start to lose value (as the percentage of clicks that turns into something valuable for the customer drops), customers will not be willing to pay as much for them. If what you say about the "Pay 2 Surf" fad is true, most likely, the people paying for advertising were not tracking what rate clicks were turning into something valuable, or if they were, they stopped buying ads and hence the end of Pay 2 Surf

Re:Pay to Surf Fraud

And you don't feel the slightest twinge of guilt for not turning in your "buddies". That money they got was not rightfully theirs, you know. People got laid off and suffered because of scammers like your friends.

Re:Pay to Surf Fraud

[Anonymous+Luddite]

>> I wonder why Google has decided, against their own interests, to go after fraudsters like this

They are doing it precisely because it is in their best interests to do so. Advertiser's have many places to spend their budget. A lack of confidence in the adwords program would drive those dollars elsewhere.

Re:Pay to Surf Fraud

[dfjghsk]

I think you're exactly right... The company I work for once tried to expand their advertising by using Looksmart... after 48 hours they put the advertising on hold -- they already received thousands of clicks and spent hundreds of dollars. After 3 months, not a single one of those visitors ever returned to our site, and we dropped Looksmart.. they probably won't get a dime from us ever again.

Re:Pay to Surf Fraud

[AviLazar]

I wonder why Google has decided, against their own interests, to go after fraudsters like this.

I wonder, why would Google want to go against fraudsters who are costing innocent people money.

Re:Pay to Surf Fraud

A guy I knew had one of those adbars, where it paid for you to keep the window open,as it was constantly showing you ads. If your screensaver went on, it stopped paying. So he put a piece of wood on an incline, put his mouse on it, and then tied the mouse cord to an oscillating fan. Bingo, instant "always on" surfing. ;)

Re:Pay to Surf Fraud

[m50d]

Because, and I'll get modded to hell for this, google is now evil. Really.

Re:Pay to Surf Fraud

[Spudley]

And he never thought to just turn off his screensaver?

Re:Pay to Surf Fraud

News flash: That happenned in the 90s. Nobody gives a shit.

Re:Pay to Surf Fraud

[Evro]

Many companies track ad clicks to sales, and if they see huge increases in clicks without increases in spending, they will end their relationship with Google as it's not profitable for them.

Re:Pay to Surf Fraud

[Armadni+General]

The grandparent comment is wrong, it doesn't stop when your screensaver goes on, it stops when your computer is idle for a certain amount of time.

Think about it. Idle reporting. Ad delivery. This pay-to-surf crap came about way before the mainstream emergence of the adware/spyware problem. It was right under our noses.

Re:Pay to Surf Fraud

[The-Bus]

I noticed that too for a client that I set up. All the "searches" we were getting were coming from very very odd sites, that I can't imagine anyone would ever visit. (These are the sites spammers mention when they say "Add your site to over 45,000 search engines!"). Stupid sites like QuestSale.com or ABC911.com.

Needless to say we are not paying any more money to LookSmart.

Re:Pay to Surf Fraud

[Drachemorder]

Reminds me of that Simpsons episode where Homer set up a "pecking bird" toy to repeatedly press the "any" key on his computer so he could sleep instead of work.

Re:Pay to Surf Fraud

[eison]

It is strongly in their best interest to appear to be doing something about the problem. Issue is, it is also in their best interest to minimize the cost of doing something about it - so, put a guy on it in his spare time, publicize whatever he comes up with, leave it at that.

Re:Pay to Surf Fraud

[The+Barking+Dog]

I used a mouse-mover program to run my mouse around the screen, then click on a specific spot on the page. I then had a Perl script that would generate URLs from a list and link them to a graphic in the middle of the page. It would run for hours like that, always generating surfing activity, displaying the ad banner the whole time. Funny, AllAdvantage's program didn't last more than six months. I wonder why...

Good deal.

[Future+Man+3000]

Greed is ruining the Internet (pop-ups, e-mail spam, blog spam, P2P, ungrounded cease-and-desists, spyware/adware, "phone-home" software) and it's about time to defend one of the last remaining quality services of the Internet: search engines.

Google got to the top of the game by providing an excellent service efficiently. But like anything else, people have no problems ruining it to make a little more money.

Re:Good deal.

[PktLoss]

While google may not be doing the math. I (and other advertisers) most certainly do. I'm paying X for a click, %0.5 of clicks result in a sale, with a profit of X. If cost per click > profit per sale * percentage of sales, I stop buying.

Fraudlent clicks lower the percentage of clicks that result in sales. So the value of a click decreases, along with Google's margin on the transaction.

It's in their own best interest in the long run to combat this sort of thing.

Re:Good deal.

News Flash: Greed is ruining EVERYTHING.

Re:Good deal.

What the hell are you talking about?

Greed might be "ruining the internet" for you who actually believed in the wild west-like freedom of information. To us realists it's the wonderland.

Wake up and smell the coffee. The net is a huge business and as in any huge business the majority of the clients is going to get royally screwed. Just don't be one of them.

Re:Good deal.

[robertjw]

And has been since the dawn of time.

Re:Good deal.

[jericho4.0]

p2p saved the internet, as far as I'm concerned.

Re:Good deal.

Ah, shut up.

Re:Good deal.

[88NoSoup4U88]

Greed is ruining the Internet

Wait. And it's not ruining (part of) our daily real life ?

Re:Good deal.

[HermanAB]

We are living in a capitalist society - it depends on greed to function properly.

Re:Good deal.

[Armadni+General]

Not ruining it. Running it.

Re:Good deal.

[Future+Man+3000]

I've seen this sentiment on here before, but I think it's only part of the larger picture (I feel the same way when I see posts explaining that corporations' obligation to shareholder profit mandates a "scorched earth" approach towards consumers and employees.)

There is room for a small number of people or organizations to behave with little consideration to either long-term viability or their impact on others and by doing so gain (perhaps only temporary) advantage over their competition. Past a certain point the playing field is ruined for everyone involved.

Greed is perhaps the most primal motivator for capitalism, but I've noticed that companies in well-established industries don't rock the boat nearly as much as technology companies -- leading me to believe that a certain level of restraint (self- or legally-imposed) creates a more efficient operation over the long haul.

Re:Good deal.

[anthony_dipierro]

and it's about time to defend one of the last remaining quality services of the Internet

Advertising?

Re:Good deal.

[mcskoufis]

Personally, I think that the last remaining quality services are not unvulnerable. Not only on click fraud, but also on the results fetched for some queries.

How many times did you have to re-phrase your query in order to find the proper results? How many times did you see the first 20 or so results being the exact duplicated content from a spammer?

Sometimes I really think that search engines during the graphicless web days where bringing much better results than they do now, nomatter howmany billions of websites they now index.

They need to focus more on the quality of services they provide and not only on meeting investor expectations. However, the increased competition that we witness the past months will probably force them to improve their services.

Re:Good deal.

[lightknight]

It certainly does. But like any other type of society, it suffers greatly when people commit fraud or theft. Doesn't matter that greed is the engine (easier to look out for yourself (capitalism) than others (socialism/communism)), what matters is that in both types of society what they are doing would be considered a crime.

Some would argue that greed spawns these types of problems, but I'd put my money on stupidity (short-sightedness) i.e. get in (to the customers wallet), get out (with their money), get away (from the Law).

A greedy capitalist knows that providing a service over X years typically pays off better than jacking a client. Only idiots pursue the latter, and are not capitalists, but thieves.

Re:Good deal.

[HermanAB]

Oh, I agree hundred percent that ethical behaviour is best and makes the system work properly, but the beauty of the capitalist system is that it causes even crooks and scoundrels to contribute, while in other systems, they would only be spunging off the honest people.

Re:Good deal.

[HD+Webdev]

p2p saved the internet, as far as I'm concerned.

Yes, it kept the general public from noticing all of the quality file sharing going on in USENET and dropping in to mess it all up.

Re:Good deal.

[lightknight]

Curious. How do criminals and thieves contribute to a capitalist society, as opposed to spunging off people? (This is not a troll, I'm genuinely curious).

Re:Good deal.

[HermanAB]

Criminals are also trying to make money. Some run huge businesses, eg. Enron, Worldcom, Nortel and Tyco. Even natural disasters increase the GDP of a country, since it increases both production and consumption. Consequently a demand economy is boyed by both good and bad actions - although good works better.

In contrast, in a communist society, it is very difficult to raise the GDP, since most things are free - no rent, no payments for water, electricity or gas, no medical payments - the result is that everything stagnates, since the people have no motivation to do anything, except bare survival. Consequently, both good and bad actions are punished in an economic sense.

See how rapidly Russia and China improved in the last couple of decades, over the previous 70 years of a command economy.

Conversation went like this....

[Kjuib]

Webman: I am nNOT a "would-be frauders"...can I get a road-map please...
Google: Sure. Go to http://maps.google.com Thank you for your interest.

I don't understand the issue

[neurosis101]

Google sets up a way of doing advertising business with them. You sign a contract that most likely links your rate with your clicks, provided they aren't fraudulent. Now somebody got caught and they're gonna get sued. What's the problem? Its not like its a right to have an advertisement on their site. Google can tell you to shove it if they want. Reading the summary makes me think the issue is that Google isn't disclosing how they caught this advertiser because its done by hand. Again, why should Google disclose more than necessary to prove to the court in their case? I'm not seeing the issue.

Re:I don't understand the issue

The issue here is legitamate advertisers do not know the exact performance of the ads they are paying for, nor do they know how much they are paying each time someone clicks on their ads. Google has to become more transparent or advertisers will be forced to sign up for 3rd party services ala http://www.clickfacts.com/ If Google continues with their secrets, the advertisers will lose their trust in Google and leave.

Re:I don't understand the issue

[Nos.]

Most of us I think should actually encourage this action. The more fraudulent clicks that are not paid out the more valuable the service is. As a guy who tries to cover some of his costs by running google ads on a few sites, I'm happy they're going after this fraud. I'm not in this to make a fortune, but the more valuable the service overall is, the higher advertisers will pay for the click, the more money I make. If click fraud becomes rampant, the opposite happens and I lose the little bit of money I actually earn from my sites (I might actually cover the cost of my domain registrations this year!!!!)

Re:I don't understand the issue

[TedTschopp]

Here is one issue. We used Google ads for a while until they shut us off. Turned out that someone else (not those of us running the site) had set up a bot and had been clicking away at the links.

We have no idea if this was to 'help' us or to hurt us. But the problem remains. Want to screw someone over who has uses Googles Adwords on the site. You know how. Want to screw someone over who is advertising on Google. Now you know how.

The assumption that is being made by google is that there is a relationship between the clicking on an add and the recievership of money. In our case there might have been a relationship, but it was done without our knowledge. Now we can't use any of Google's Ads.

The issue is a bit harder than it orignally seems.

Ted

Re:I don't understand the issue

Err.. if "someone" was clicking on your ad using a bot, then you have their identity in your logs (hint, look for the IP address which is there 100,000 times rather than just two; can't be that difficult). Now you know who did it through usual means. If you really cared about the fraud and it "wasn't related to you" then you would do something about it. They're committing a crime and you can get them delt with. Perhaps if you put in that effort, you would find that Google would be willing to trust you in future.

Re:I don't understand the issue

You only have to request the webpage once and then request the javascript multiple times.

Now show me how I can find that bot in my logs!!?!

Perfect opportunity

[stecoop]

This sounds like a good outsourcing candidate. I would hate to click all day but I imainge someone overseas wouldn't mind making a buck doing it and best yet I bet that it wouldn't be illegal there nor even any recourse that a company could seek.

Re:Perfect opportunity

[flatt]

It happens but it is also very easy to simply block ip ranges from receiving ads... which also happens.

Re:Perfect opportunity

Why yes. We monkeys here behind The Great Lots of Blue Water would like to click on ads while banging our heads on the wall, wich is our main source of income.

When will You American dorks grow up - the rest of the world is not in middle ages, dorks.

Good for Them

[doublem]

Google ads don't annoy me. Fraud hurts their business model, and as a result may cause them to go away.

At which point we'll be left with pop-overs, pop-unders, flash and every other annoying thing marketing slime can come up with.

Click Fraud hurts my web browsing experience.

Re:Good for Them

[Buran]

And we don't have enough of that crap already? It's not going to go away no matter what.

Re:Good for Them

[FidelCatsro]

Protest with you skill , if i find an advertiser who uses any type of ad i find abusive on a site , i inform the site admin and use ad-block on firefox to block objects from the ad-server (for the worst offenders i have my router redirect traffic) till the situation is sorted.i get many many faviourable responses from the admins ,naturaly.

Not that i am so convinced that this is fraud , i imagine it would be a contract issue as i cant for the life of me think where else this would be coverd in the law, so it is rather daft of them to do it if the contract specificaly states this is something they should not do .

Re:Good for Them

[Armadni+General]

O/T: In regards to your sig, are you not aware that all children, upon turning 14, were REQUIRED to join the Hitler youth? Why don't you learn a thing or two before opening your mouth about it?

Re:Good for Them

[anthony_dipierro]

So if Google's targetted text ads stop working they're going to switch to an advertising model which works even less?

C'mon. How many times have you clicked on a popup ad? Now how many times have you clicked on a google ad. I can tell you in my case the ratio of google ads to popup ads I've clicked on is infinity.

The job is bad enough...

[TheWart]

Can you imagine having the job of clicking on your companies' ads all day?

"Yes, I am up to 100 clicks a minute, time for a bonus!"

Re:The job is bad enough...

[VoidWraith]

Why would you do it yourself? Its something a two-or-three line script could do. Maybe an every-few-seconds cron job.

Re:The job is bad enough...

[kesuki]

They were clicking on competitors ads... not their own. so that competitors ads would 'run out of clicks' and stop being viewed.

Umm, that's not what the article says...

[MadAnthony02]

The slashdot blurb gives the impression that Auctions Expert was clicking on other ads to drive up competitors advertising costs. But while that is mentioned in the article by another guy, what Auctions Experts was doing was standard "put google ads on our page, and keep clicking the links so we get paid"

From the article:

Auctions Expert allegedly recruited as many as 50 people to click on online advertising, generating about $50,000 in ad revenue. The self-clicking was "worthless to advertisers, but generated significant and unjust revenue for defendants," the Google lawsuit said. Auctions Expert, Google claims, appeared to be created solely to profit from manipulating the Internet ad process

Re:Umm, that's not what the article says...

[whitehatlurker]

That was my thought as well. I thought the blurb's innuendo was a provactive idea - why not cost your competitors some extra bucks? Especially when you might get the money. (This overlooks the ethics of such a task of course, but if you're going to defraud anyway, why not go big?)

Interestingly, there's nothing in the DoubleClick report about click fraud.

Re:Umm, that's not what the article says...

[Hard_Code]

Yeah, description contradicts the content of the actual article.

"it is not greedy webmasters clicking ads on their own site but rather the advertisers themselves"

No, actually it WAS in fact Auction Expers clicking on ads on their own site to generate revenue.

Sample mail form Google

[Virtual+Karma]

Hello YourName,

We've noticed that you're displaying AdWords ads on a site
(YourSiteURL) that violates our program policies.

Our program specialists regularly review AdSense websites for various
criteria, including, but not limited to, site content, clear navigation,
and the site's potential value to the AdSense program and the user
experience.

We've found that many of the ads that would appear on your site would not
be relevant to your site's content. Because these ads wouldn't provide a
valuable experience for your site's users or our advertisers, we believe
AdSense isn't currently appropriate for the website listed above. As a
result, we've disabled this URL.

Google has certain policies in place that we believe will help ensure the
effectiveness of AdWords ads for our publishers as well as our
advertisers. We believe strongly in freedom of expression and therefore
offer broad access to content across the web without censoring results. At
the same time, we reserve the right to exercise editorial discretion when
it comes to the ads we display in our AdWords program and the sites on
which we choose to display them in our AdSense program, as noted in our
respective terms and conditions.

Please feel to reply to this email with any questions. If you manage or
own another site on which you'd like to display AdWords ads, you may reply
to this email and include the URL in the message. We'll be happy to review
this site and consider it for Google AdSense. If the new site complies
with our program policies, we'll approve your application and allow you to
serve ads on that specific site.

Thank you for your understanding.

Sincerely,

The Google Team

pfft

[Arctic+Dragon]

"In a lawsuit filed last year, Google alleges that Auctions Expert used hired hands and automation to generate high numbers of ad clicks that resulted in $50,000 in revenues."

A real con artist would use 1000 monkeys with 1000 typewriters instead of hiring people (professional ad clickers?). More effective that way.

Re:pfft

OMG.. Have you seen the cost for monkeys these days? It is cheaper to hire humans even tho they are less successful than monkeys.

Re:pfft

[SpongeBobLinuxPants]

they were probably outsourced to India ad clickers

Click Fraud is a completely bogus non-issue

Its the "pay-per-click" method which is broken,
because its too simplistic. The advertisers and
search engines need to come up with better
technology to make sure that payment only follows
purchases.

Clicking your mouse on a search engine results
page, as many times as you want, should be
considered a First Amendment protected form of
Freedom of Expression. Clicking your mouse on your
stock broker's BUY button, for instance, is
obviously quite different, because you and the
broker have a contract where your clicks are
treated as orders.

But there is no contract between the users of a
search engine and the search engine's advertisers.
If companies want to transfer money between
themselves based on those clicks, they had better
think long and hard about the conditions where
that actually makes sense.

Re:Click Fraud is a completely bogus non-issue

...there was a contract, they're not suing users but a company which put adwords on their page AND SIGNED A CONTRACT. They broke the contract and are getting sued, how fuckin hard is that to udnerstand?

Re:Click Fraud is a completely bogus non-issue

[BobTheLawyer]

This is a brilliant piece of satire... isn't it?

Re:Click Fraud is a completely bogus non-issue

Hey folks...
I am on the Inside TRACK on these issues, and
a friend of mine wanted me to clear you in on a few things. So he opened this text window so I could type some words to help Global Internet Enlightenment.

Here we go -
First off, the original inventor of the MaxPrice Model that Google uses filed for a patent way back in 1999. That patent is about to come through from the patent office.
At that point, the inventor will act as the "Greenspan" of the pay-per click business.
Currently MaxPrice Model users such as Google, have SEVERAL UNETHICAL functions embedded in their software. And these functions will be disallowed, when the "Greenspan" of the MaxPrice Model comes into place.
For example.... why do you think Louis Vuitton in Paris, France, sued and won $270,000 in a case against Google!. The world needs a "Greenspan" kind of presence to manage and direct this thing, and its coming.
But what really is exciting,
is how much fun Internet users will have
in the near future.
Everything will be secure enough,
safe enough,
and done quickly enough,
do get about any service deal closed
in just a few minutes.
No more 3 weeks of marketing.
Need work? Find it in minutes.
Need something done? closed deal in minutes.
It's coming....

Re:Click Fraud is a completely bogus non-issue

The advertisers and search engines need to come up with better technology to make sure that payment only follows purchases.

Actually I think they should be going in the other direction - charge for ads per impression. Tracking purchases would be far too hard, and it's a model which wouldn't adapt well to a whole lot of different types of ads. What if the website isn't selling anything?

Of course, now you've got a problem on the other other end, how do you reward an affiliate who is placing ads better, or whose content allows google to better target ads, etc? I think the solution is, while you charge advertisers per impression, you pay your affiliates per click.

So at the end of the day, you might see that you've displayed an ad 10,000 times, gotten 100 clicks, and charged the advertiser $100. Keep 20% as profit (or whatever), and you've got $80. Now divide the $80 between the 100 clicks, and everyone gets 80 cents a click.

Yes, this will still allow for fraud on the affiliate end, but that's easier to catch, and pretty much impossible to avoid anyway. It'll completely stop the incentive to click on ads of your competitors though, as your competitors pay the same whether the ad is clicked or not.

Re:Click Fraud is a completely bogus non-issue

[yincrash]

The article doesn't refer to users clicking on the ads. It refers to the website owner clicking on the ads. When the website owner agreed to put the ads on his website, he agreed not to do the clicking himself.

Making payments that follow purchases only would work for places that sell things. Many people advertise things that are not for sale. Also, the praticality of making all advertises conform to one e-commerce standard just so they can advertise is outrageous.

Re:Click Fraud is a completely bogus non-issue

[michaelhood]

Other models already exist.. Lots of us have turned to lead generation. This is entirely CPA (cost per acquisition) based.

Re:Click Fraud is a completely bogus non-issue

lol what

So, should we really believe the previous article?

[nubbie]

Report on Last Decade of Online Advertising?

Typical and long standing recipe for success

[orionware]

1) Position yourself as the altrusitic, common man's company. Appear driven by community and the common good.

2) Shop yourselves to VC's and get that IPO in motion.

3) Now that you have the souls onboard, show your true motives. Profit!

Pay per click is a model that invites dishonesty. CPM (Cost per thousand) impressions is a much clearer model, however less profitable.

Re:Typical and long standing recipe for success

[oberondarksoul]

You run a successful, household name company. Some of your clients are fraudulently using the services solely for their own income. Would you honestly just sit back and let them? Google's not being evil here, they're doing what anyone would - trying to isolate the problem.

Re:Typical and long standing recipe for success

[orionware]

Sorry. It was actually two commentaries in one post.

I don't think Google is evil because they are protecting their product. I don't even think they are necessarily evil. What I do think is they are trying to appear to serve one master (community and the good of it) while actually serving another (the shareholders and board)

O

low value webpages

[PW2]

Another problem I've noticed is that some people post webpages that contain nothing more than a few keywords that somehow get highly ranked in Google searches. These low value webpages must be making money because I've seen more than a few of them. I'll check someday to see if Adsense has a place to report abuse like that.

Re:low value webpages

[Nos.]

Some of these are the result of expiring domains that have been snapped up. For a couple of days I kept an eye on expiring .ca and .com domains and ran them through a little google PR checker. I watched one .ca domain with an average PR of just below 6. .ca domains that have expired are released within a 15 minute window. I was doing a whois on the domain about twice every second. I never saw the status become available. It went directly from to be released, to registered.

There is a whole industry out there which revolves around snapping up expired domains with high PR. They have pages up within minutes of registering that are filled with nothing but ads, and maybe a few keywords.

Re:low value webpages

[bit01]

Maybe Google should track and zero expired domain page ranking. The page rank is meaningless for an expired domain. Just a bunch of parasites taking advantage of an error.

---

I'm not worried about the use of DRM. I'm worried about the abuse.

Re:low value webpages

Google already does reset the PR on expired domains.

But there are ways around it.

Waste of money

[Momoru]

There have been so many examples now of AdSense abuse, it seems that the ROI of AdSense ads is getting lower by the minute. As a webmaster who has tried AdSense, both from a generating money by putting it on my site and a paying to advertise on it point of view, neither gets you many results. Even on extremely popular sites you don't make more then a couple hundred advertising for them, while traditional banner ads brought my site in thousands. And from an advertiser point of view, you are much better off getting someone to "Google bomb" your site and get permanent good placement rather then 50% random people clicking your ad to make money off their blog and 50% "real" people.

Re:Waste of money

[jomagam]

Even on extremely popular sites you don't make more then a couple hundred advertising for them, while traditional banner ads brought my site in thousands.

I'm in the same boat as you. Who did you use for banners ?

Re:Waste of money

[anthony_dipierro]

Your website isn't very popular if you were only getting "a couple hundred" off Google ads. Alternatively, perhaps your content was too bland to get well targetted ads. My contract with google prohibits me from releasing the exact details, but suffice it to say that my tiny little website (alexa rank over half a million) receives more than a couple hundred dollars every month.

They don't want to release this metric

[EmbeddedJanitor]

It would be bad biz to show customers how bad the click-to-buy ratio really is.

Re:They don't want to release this metric

[budgenator]

The bad biz is more likely to be those clueless businesses and marketingdroids who insist on trying to measure the unmeasurable with misleading metrics, generated by semi-literate statiticians, to support the goals of some advertising company that is usualy hired as an consultant.

Re:They don't want to release this metric

It is speculated that click/sale is a metric which "smart pricing" uses to adjust the price of the ads. I think there's a major abuse potential if this is true. Advertisers should not have a way to influence their own cost per click, period. Publishers provide space on their own site and what the customer does on someone else's site is neither under the publishers' control nor is it any of their business.

Uh, this was reported in November of 2004...

http://www.eweek.com/article2/0,1759,1731167,00.as p

Re:Uh, this was reported in November of 2004...

Christ, you're right. Less than 6 months old and it's hit Slashdot already. They must be getting really desperate to hit their quota for Google stories.

Re:Uh, this was reported in November of 2004...

[Armadni+General]

http//www.eweek.com/article2/0,1759,1731167,00.asp

Proper link format

Use Bounty Hunters to Suppress Click Fraud

[rewinn]

The expense of detecting and suing over click-fraud could be greatly reduced by adding terms such as this to the ad contract:

1. The advertizer agrees not to [define prohibited conduct here]

2. Google may offer a bounty for truthful testimony by any person hired by advertizer to perform [prohibited conduct], and advertizer agrees to permit such truthful testimony on the subject of [prohibited conduct] notwithstanding any other agreement with any party.

Drones paid sub-minimum-wage for click-fraud would jump at a reasonable bounty, especially if advertizer has already agreed to allow it.

Re:Use Bounty Hunters to Suppress Click Fraud

[FidelCatsro]

im sure boba fett has better things to do , what with those sarlac wounds

Re:Use Bounty Hunters to Suppress Click Fraud

[Lehk228]

and advertizer agrees to permit such truthful testimony on the subject of [prohibited conduct] notwithstanding any other agreement with any party

I don't understand what you mean by that, how could the company NOT allow testimony against them in court.

Re:Use Bounty Hunters to Suppress Click Fraud

Bah...your idea sounded good until it turned out you just meant offering a reward for turning people in. They should put language in the contract that says Google will hire real bounty hunters to deal with click fraud. You know the kind of bounty hunters that track down fugitives that have jumped bail...

That'd pretty much eliminate click fraud.

Re:Use Bounty Hunters to Suppress Click Fraud

[rewinn]

how could the company NOT allow testimony

Excellent, real-world question!

Believe it or not, some companies may try to blundgeon workers with secrecy clauses. They may not be enforceable after a long court fight, but often sub-minimum-wage workers are not interested in taking the chance (...especially if their immigration status is in question...). Hence the purpose of the clause: to set up a contract violation if the company threatens their workers

Google got lawyers! Shock! Horror!

Reminds me of the old BC cartoon strip[*] gag "Clams got legs!". Only shocking if you've never considered the possibility before. I've lost count, is Google +1 OK or -1 Untrustworthy today?

[*]From the time, alas long since passed, before Johny Hart got religion with a capital C.

SPC

[avandesande]

Wouldn't SPC (statistical process control) be a good candidate for stopping this?

Re:SPC

[poopdeville]

I was thinking that topological statistics might be most appropriate. The idea is pretty simple: say you want to measure three (possibly dependent) variables. You make each datum a real triple. Then you measure the distances between distinct points. You might want to set a fixed radius about each point in which to measure in, to avoid dealing with billions of data points at a time. If you collect enough data and analyze it using a small enough neighborhood, assuming that the variables are independent, you end up with a nice blobby picture to look at and analyze. Isolated clusters, surfaces, and curves indicate that one or more of the variables aren't independent, i.e., something suspicious is happening. This is similar to what Apple uses in their mail client. Only instead of alerting you of anomalies, it just throws them out.

Bullshit is part of the game....

[EmbeddedJanitor]

or any game actually. One just has to look at "independent market analysis" used by Microsoft and others or benchmarks generated by CPU and compiler vendors etc.

I agree that the clicking thing is fraudulent, but no more so than many other activities. It seems we're getting immune to this and expect to be lied to.

Oh, wow!

[James+A.+Y.+Joyce]

You mean Google doesn't exist solely to satisfy Internet users?! Shurely shome mishtake!

Come on, people. Just because something's on the Internet doesn't mean that defrauding cash from a company is magically illegal. Simply because you're physically removed from Google's computers doesn't mean you can't be busted for scamming them out of $$$.

Re:Oh, wow!

[SmokeHalo]

Just because something's on the Internet doesn't mean that defrauding cash from a company is magically illegal.

I presume you meant to say magically legal, rather than illegal, seeing as how the term "defrauding" refers to an illegal act.

Re:Oh, wow!

You mean Google doesn't exist solely to satisfy Internet users?!

Of course not, Google exists primarily to be the subject of Slashdot articles. Just wait for Google to sue Apple, or the other way around, Slashdot will post it 71 times (narrowly beating the previous dupe record).

Wait and see

[CKnight]

Municipal WiFi is gonna reek havoc on PPC systems. When entire cities are being identified by a single IP Google and other players will have to go back to the drawing board to decipher fraudulent from legitimate clicks

PPC concept is doomed IMHO...

[bitkid]

Inflated clicks are not the only problem PPC concepts have lately. It's a pretty challenging problem to prevent click-fraud; open-proxies/botnets and so on make this even harder.

A bunch of interesting links:

• Adwords DOS flaw
• A c't magazine testing how well Google found their own fraudulent clicks
• Some guy claiming that Overture is negligent with their click-fraud protection
• Some other link-collection about the topic

Google AdSense Account Status

[Skudd]

Hello Tim Garrison,

It has come to our attention that invalid clicks have been generated on
the ads on your web pages.

As a reminder, any method of generating invalid clicks is strictly
prohibited. Invalid clicks include but are not limited to any clicks
that are generated through the use of robots, automated clicking tools,
manual clicks by a publisher on the publisher's own web pages, or a
publisher encouraging others to click on his ads.

Publishers may not provide incentives of any kind to encourage or
require users to click on the ads, due to the potential for inflation
of advertiser costs. If we find your account to be in violation again,
action may be taken against your account and payment may be withheld.
Please be sure to review and remain in compliance with our Terms and
Conditions and program policies:

https://www.google.com/adsense/localized-terms?h l= en_US
https://www.google.com/adsense/policies?hl= en_US

Sincerely,

The Google Team


I'm one of the little guys, too. I have only ever clicked my own ads maybe twice. I never had more than 1 click per day, so they can't really bitch. What's worse, they refused to prove to me that there were actually invalid clicks. My solution: I removed the ads from all my sites and replaced them with "Get Firefox" ads.

Re:Google AdSense Account Status

I wonder why don't simply filter website owners clicking on their own ads.

It must be that they can't filter out the real fraudsters, so they just kick out webmasters which clicked on their own ads...

Anyway, if you are clever enough, they can't detect you anyway. You could create a bot, which, over time, creates a few identies (doing random google searches) using different ips (eg. proxies), then once in a while surfs your website and clicks on your ad. This would even be easier when ipv6 comes :).

(Something I could write during my holidays where I planned to do an google internship, but didn't even get a first interview. :-))

Re:Google AdSense Account Status

[The+Bungi]

I removed the ads from all my sites and replaced them with "Get Firefox" ads.

Whoa, that'll show them.

Re:Google AdSense Account Status

[Skudd]

Heh. I actually considered the concept of it once. My idea used public proxies. In fact, I did it once just to put some bogus referrers in a friend's httpd logs. :P

They should filter out the publishers, though. Each publisher gets a cookie set when they login. Granted, there's many people that have their cookies disabled, but there's many that don't as well. Just track that cookie.

if(isset($_COOKIE['ad_publisher'])) $track = false;
else $track = true;

Simple. I actually had that planned for an ads system that I started working. Too bad I got burned out with the idea though. :P

Re:Google AdSense Account Status

[Skudd]

It wasn't intended to "show them" anything. I just feel the need to advertise something, so why not replace some capitalist marketing with some F/OSS marketing? :)

Still trying to figure out..

[d_jedi]

How to adblock the google ads.
Any ideas?

Re:Still trying to figure out..

[Buran]

Right click on them and select "Adblock iframe" and set the string to 'http://*.googlesyndication.com'. Or 'http://*/pagead/*'. Or 'http://*/show_ads.js'.

Try it on this URL:

VWvortex Forums: Golf IV & Jetta IV

I also have blocks on this page on:

http://*.qksrv.net/* /*banner/

What ads? ;) Though for that site I do buy from banner advertisers that sell things on it. The ads are relevant -- I just don't want to see the banners themselves since they make the page look bad. It's much cleaner without them. They even provide a nice little directory:

VWvortex - The Volkswagen Enthusiast Website

Re:Still trying to figure out..

[pgrote]

Add this to your hosts file:
127.0.0.1 pagead2.googlesyndication.com

---

Fetch Free Reports

Re:Still trying to figure out..

[Urusai]

Add a filter: http://*.google.com/*

Google: Now we're really dot-com!

Re:Still trying to figure out..

Google is suing people who were committing fraud. Big fucking deal.

Adblocking text-based ads? For fucks sake. You fuckers think you deserve absolutely everything for free. Go to another site if you don't like it.

Re:Still trying to figure out..

[FreakinSyco]

Add *googlesyndication.com/pagead/* to addblock.

Re:Still trying to figure out..

[FreakinSyco]

Auctully I take that back remove the "/pagead/" part because not all google adds have that as part of the URL.

Re:Still trying to figure out..

[LiquidCoooled]

Stop using the internet.

Google adverts are simple and unobtrusive.

I would rather keep these reputable advertising avenues open than have them replaced by something worse.

Re:Still trying to figure out..

Just block *.googlesyndication.*

Re:Still trying to figure out..

[88NoSoup4U88]

Gauge your eyes out.

Re:Still trying to figure out..

Couldn't you just point *.googlesyndication.com to localhost via a hosts file? A quick look at the ads make me think they all come from
pagead2.googlesyndication.com, but YMMV.

I've never really found them annoying enough to want to block personally, but to each their own.

Re:Still trying to figure out..

[grolschie]

Thanks dude! I have blocked 'googlesyndication.com' and 'qksrv.net' in my router now.

Perhaps I should add 'ads.osdn.com' to the list? :-)

mod parent up informative

See, that makes a lot more sense. This speculation about the suit being "against Google's interests" is moot. Google can do nothing but lose when an adwords partner is gaining fraudulent revenue.

TLAs.

...pay-per-click (PPC)...

Oh no, PPC is PowerPC! Or sometimes PocketPC!

But it's not something about advertising!

Fraud is Illegal

[HannethCom]

I don't see why people are bashing Google over this. They are trying to protect their company for illegal activities.

I can also understand why this is a human process instead of an automated one. People always find ways around programs meant to detect unethical behavior. Just look at how often junk mail filter technology has to be changed. With people looking over the data, they can see things that you wouldn't think of writing software to look for.

As for not disclosing their process, DUH! Sure people are getting past their checks, but they don't want to encourage people to try by telling them how they check for cheaters.

Google let you see it

[grahamsz]

If you run an advertizing campaign then they have hooks to let you feed in associated sales and you can look at your response not just in clicks per $ but in revenue per $ advertizing.

Tracking click to purchase is difficult

[mcguyver]

It's not easy to track from the click to a purchase. There are several reasons why: Google does not control the shopping cart. Sales can have multiple states, ex pending, completed, reversed. You may encounter scaleability problems as the number of clicks increase.

Being able to track the customer down to the purchase is what separates CPC (cost per click, overture, adwords) ad networks from CPA (cost per aquisition, linkshare, cj.com) networks. Google does allow you to place a pixel on the confirmation page of a shopping cart however that's just a crutch. Google is a long ways from being able to do CPA.

Mitigating Abuse

Google's Adsense allows you to set your preferences so that the ads appear only on Google and not on the websites of its less-than-trustworthy evil little minions. Obviously you can't stop competitors from clicking your ads in an attempt to financially damage you, but because it doesn't generate a source of income for them, such clicks are malicious but not profitable.

how about suing me?

[supernova87a]

Reading an article on the new pope, I just clicked on a bunch of silly religious links associated on the page because they were annoying (and from somewhat offensive sects of evangelical groups). Just so I could try to max out their advertising budgets for the day.

So, can I get sued now? What if it had been some guy on the street corner handing out pamphlets, and I walked by repeatedly, taking his literature so that he'd run out and have no more message to distribute? I think it's the same thing, don't you?

Re:how about suing me?

Why the hell do slashbots use a really stupid counter-example when they don't agree with something? There is an obvious point at which someone is stepping over the line.

This is not far off "Well, I ripped an mp3 from a CD someone else owned, how about the RIAA sue me?" as a counter-example to mass-piracy.

There is a limit to activities like this. Stop being a prick.

Re:how about suing me?

[DogDude]

So, can I get sued now? What if it had been some guy on the street corner handing out pamphlets, and I walked by repeatedly, taking his literature so that he'd run out and have no more message to distribute?

That guy would stop handing you flyers if he recognized you, or he'd beat the living shit out of you, both of which Google is entitled to do.

Re:how about suing me?

[2short]

"...can I get sued now?"

Sure! Anyone can get sued, at least theoretically. You won't, however, be sued successfully in this particular case, because you have not committed fraud, which the people Google is suing have (assuming Googles allegations are accurate).

"...I think it's the same thing, don't you?"

Did you sign a contract where you agreed not to click on the religious links or to take the pamphlets? No? Then, no, I don't think it's the same thing, and neither does our legal system.

Re:how about suing me?

No, they just get refunded by Google.

advertising?

[Karma+Sucks]

Bah, why should anyone care about any of this?

In my book, the sooner the advertisement industry crumbles the better. All we have to do is sit back and watch the fireworks.

Remember kids, adverts eat your branes!

Re:advertising?

[rzebram]

It should be considered that Google makes a great deal of their income from these advertisements. Are you ready to accept the loss of Google just to rid your browsing experience of ads like these?

Re:advertising?

Yes, i would trade google for a adfree browser experience any day of the week.

Advertising effectiveness

[erroneus]

I just happen to (presently) work at a company where advertising is the primary source of revenue. It would seem to me that they should attempt to follow a more simple model for advertisment without all the unreliable and exploitable complications of counting clicks.

Radio, TV and print ads are only generally predictable when it comes to exposure and public response are concerned. But with generalities, a "value" for the ad placement could be assessed. Sell based on those things. Now a buyer of advertisment needs to feel like he has value in his purchase right? That's why Radio and TV have ratings and print advertisers have circulation numbers. So, at present, no one has devised a web site traffic authority(?) that will independantly serve as a third-party hit counter that will provide "ratings" to people interested in buying advertisment at any particular web site. So how would such a system be devised? You decide, but I think it would be good in that user feedback could shape the advertising on the internet in the future -- people complaining about spam and popups will be heard and an affect could be had! How about that... So who's gonna do it? Not me... I'm too busy sleeping.

Re:Advertising effectiveness

[avandesande]

they could use a formula where the number of given competitors for a given keyword are taken into account. You would ramp up the cost for a given keyword (1st come users not effected) depending on the number of advertisers.

Yeah, I got slammed by this...

[writermike]

I am a one-person PC repair shop and I used Google Adwords for my business last year. I targeted well, thanks to their help, and had AMAZING returns. In the first three months, I spent ~$70 and made well over $1000.00. I was determined to stick with it.

Then, suddenly, my per-month charges from Google went up. First it was $50, then $100, up to $300.00 per month. All this time, I had set on the same keywords, using the same targeting that I had been using. I pulled back a little and the numbers CONTINUED to climb.

I wrote Google, hoping they would be as helpful as they were when I first set this up. (They hand-held my creating the first ads.) No response. I just bailed.

Re:Yeah, I got slammed by this...

I spent ~$70 and made well over $1000.00.

It seems like Google doesn't know where their bread and butter is on the adwords. If they scare you off, who is going to step in your place?

Re:Yeah, I got slammed by this...

[ad0gg]

Use overture, since the only fraud you'll get with overture is your competitors clicking your ads. AdWords has both website owners and your competitors defrauding it. I run both adword and overture, and my conversion ratio off overture is more than double that of adwords. I keep adwords around because even with the terrible conversion rate, there lowered ppc price evens it out in the end.

applying the formula

I (and other advertisers) most certainly do. I'm paying X for a click, %0.5 of clicks result in a sale, with a profit of X. If cost per click > profit per sale * percentage of sales, I stop buying.

Q: what website do you work for?
A: a major one.

click ratios

[SuperBanana]

I had a conversation with a VP of marketing at a former employer.

"Clickthrough rates are typically (insert some number under 10) per thousand views."

He got very angry when I told him that sounded like people accidentally clicking on the banner, and said I had no idea what I was talking about.

I countered that the only time I had ever clicked a banner ad while surfing the web was completely by accident. Stuff like my mouse falling off the desk, or my hand slipping.

Re:click ratios

[rsadelle]

Or not seeing it. If I've blocked images from an ad serving server, there's a big white space on my screen where it used to be. Occasionally I'll hit that instead of the actually empty white space I wanted (to change focus to that window), and it'll send me through to whatever it was advertising.

I have clicked on banner ads on purpose, but only ones advertising merchandise for the site I'm already at, such as Penny Arcade or Television Without Pity.

Re:click ratios

[slim]

If I've blocked images from an ad serving server, there's a big white space on my screen where it used to be. Occasionally I'll hit that instead of the actually empty white space I wanted (to change focus to that window), and it'll send me through to whatever it was advertising.

I don't block ads (I have some sympathy with the "breaking a social contract" view) but sometimes ads either have a transparent background, or a background that's the same colour as the space around it.

I've accidentally clicked on such ads when cancelling a pulldown menu.

Simple...

[borawjm]

One could probably use a similiar approach to generate AdSense revenue as they would do a DDOS attack....

1.) send out trojan and infect 1000's of computers
2.) command zombies to goto your website and click on links
3.) profit!

But, then again, the average user doesn't have this capability

Re:Simple...

[nietsch]

except that clicktrough rates are typically around 1% or less. So to avoid being detected by google as fraudulend clicker, your 1000 pc's need to view a lot of pages for each adsense-click, and you need to do that in a more or less human-like pattern. So dong your clicks at 10 per second all day and night will quickly label you as fraudulent.

..to would be fraudsters?

[pg110404]

Auctions Expert used hired hands and automation........
They say the last thing they want to do is provide a "road map" to would-be frauders."

Why use hired hands to do repetitive tasks? All I have to do is go to one of the first google hits for "crack search" and by simply loading that web page, my computer becomes silently infected with dozens of spyware. Some of which go around trolling for advertising links to click.

It seems all one needs to do to make money these days is to provide some kind of web site with questionable content (porn, game cracks, etc), infest it with spyware that takes advantage of IE security flaws and have one's own ad clicking web client drone coming back to their 'advertiser' banners and 'clicking' on them.

This to me is nothing new, although might be for google. Either that or they're finally starting to do something about it.

Scruples? We don't need no stinkin' scruples!

[Gogela]

As a web designer, this fraudulent clicking has me concerned. I want to get on board with click inflation, and would really appreciate a "roadmap" that will help me increase my cash flow. I am not unique. There are many guys and gals just like me who would destroy the per-click-advertising method if given an easy and profitable opportunity to abuse it. Google is wise not to provide the details.

Tired of companies without a roadmap

They say the last thing they want to do is provide a "road map" to would-be frauders."

Thats backwards thinking. The idea should be to have a roadmap. Let everyone know about it. Then you throw in the speed traps, check points, and patrol cars to make sure anyone trying to abuse that gets caught.

Re:Another proof...an insider's perspective

Coming from a person on the inside of a giant search engine.

1. We don't release a lot information about how click fraud was committed, because we don't want to give away new techniques. Believe it or not, there are a lot of different techniques, ranging from relatively sophisticated to utilizing teams of zombie machines, to defraud the systems. And people do trade notes, witness PubCon.

Humans are still required to help sort out the most complicated cases, pattern matching only goes as far as patterns can be detected.

2. While nobody wants fraud to continue, an important thing to note is that, at least on Overture, the placement is determined by bid. There is an organic marketplace for CPC ads, therefore, advertisers will only pay for what works for them.

3. For the guy who said that CPC is worthless, you obviously know nothing about online advertising and revenue generation. Show me a direct marketing media that can be as precisely controlled and tracked as search. Pay per mail already exists, it is called postage.

But is it really illegal?

[LWATCDR]

I mean when does it become fraud?
If it is a program not a person click the link is it fraud?
If I wrote a spider that crawled every link on a page and it hit a page with Ad Sense links is it fraud?

Do I have to be a potential customer?
If I find an Ad Sense link to a competitors site and I click on it am I committing fraud?
What if I just want to see what the heck the ad is for but have no intention of buying it?

When does it become fraud?
And how can following a link be illegal?

Re:But is it really illegal?

Following a link can easily be illegal, as can any other action. If what they did is not illegal, it certainly should be. If I were the upstream ISP for the companies doing this, I would pull their connections. PERIOD.

Re:But is it really illegal?

[anthony_dipierro]

When does it become fraud?

In the strict legal sense, or in the colloquial sense? Because Google probably isn't suing for "fraud", but rather for breach of contract and/or tortious interference. In a colloquial sense, what they're doing is fraud because they clearly aren't clicking on the ads just to see what the heck the ad is for.

And how can following a link be illegal?

Criminally, I'm not going to guess (but it probably is criminal behavior). Civilly, they are either breaking a contract or inducing others to break a contract. Both of these things are grounds for a lawsuit.

Re:But is it really illegal?

[LWATCDR]

"Civilly, they are either breaking a contract or inducing others to break a contract. "

What contract? I do not remeber signing any contract with Google?

Re:But is it really illegal?

[anthony_dipierro]

The contract that is signed when someone signs up for AdSense and/or AdWords.

Re:But is it really illegal?

[Rollie+Hawk]

It's not illegal. It's a violation of the terms.

Re:But is it really illegal?

Suppose you're not using Adsense or Adwords. Suppose you want to cost your competition money. Suppose you're working in a competitive field where a minimum-wage drone causes significantly higher cost to the competition than you have to pay to make it happen. Where is the contract violation? Granted, it's a different scenario. More often people click ads on their own sites to get their share of the advertisers' money or an advertiser clicks on a competitor's ads to remove him from the top spot without increasing his own cost.

Re:But is it really illegal?

[anthony_dipierro]

Suppose you're not using Adsense or Adwords. Suppose you want to cost your competition money.

That'd be an interesting case. I'm not sure of any law that'd apply. It seems clear that the courts wouldn't apply trespass to chattel, as long you weren't "clicking" so much as to actually cause a DOS attack. There might be some sort of unfair business practice law, but let's say you're not even a competitor.

I'd say it should be legal. If google wants to close its servers so that you must sign up with an account and agree to a contract before using them, they can do that. But unless they do, you should have the right to click on whatever you want.

two things:

[ohzero]

I don't know too many people in the -real- business community who are going to get crushed by this. Remember how we hated banner ads in the beginning, and then we just gave up hating them, because that was way too much hating for any one person or small group of people to take on? Well guess what... the negative vibes paid off. The bottom line here is that some dipshits who make some money off the most annoying thing ever are getting sued by the other dipshits who allow them to do it / encourage it. If I had to pick between the dipshits, I pick the guys getting sued by the publicly traded company, but that's just me... I always root for the little guy.

OT: Your .sig is stupid

[Zordak]

You know, I'm not a Catholic, I really don't know a lot about the new Pope and I have no particular interest in defending him, but I find your .sig ridiculously provocative and disingenuous. It's not like this guy was some kind of rising star in the Nazi party. The article that you linked to indicates that his family was forced to move several times because of his father's anti-Nazi activism, that he joined the Hitler youth only after it became compulsory, that he got out very quickly, that his service in the German military was minimal, uneventful and no more than would be expected of the citizen of a nation that is at war, and that nobody is even alleging that he was responsible for any war crimes. Basically your .sig is accusing the man of living in Nazi Germany while he was young. Are you really prepared to say that all of the people of a nation are guilty of the war time behavior of its leaders? Is this man's prior service so meritorious that the best mud you can find to sling at him is that he was once a teenager in a country that was run by a brutal dictator? Or are you just a disgruntled liberal ex-Catholic looking for a whipping boy?

Greed is ruining... [was: Re:Good deal.]

[Maow]

Greed is ruining the Internet

That makes the Internet more like real-life everyday. :(

Greed is good

[DogDude]

In case you have forgotten, greed also created the Net. Technically, the government created it, but it got to be ubiquitous because of greed, not altruism. Altruism got us as far as Gopher, and the first few months of the Web. How do you think that all of the backbone gets laid, by fairies? Nope. Greed.

Re:so ...

[Armadni+General]

We'll laugh at your crappy web design, and so forth. Really, why can't moderators simply delete comments? Just because something's marked -1 doesn't mean people are going to skip over it.

Easy Re:But is it really illegal?

[hacksoncode]

This isn't hard to answer. The difference is intent. If any of these things is done with the intent to defraud either Google or a competitor then it's fraud.

The legal system is quite adept at making this distinction, in spite of it being hard to write literally into law (or at least it considers itself to be adept :-).

Per Purchase wouldn't work.

[Timmy+D+Programmer]

Because it would require the vendor's system to report back to google whether or not there was a successful purchase.

I for one don't trust the vendors to report that honestly.

Re:OT: Your .sig is stupid

in a word, yes.

Well

[northcat]

What is different this time is that it is not greedy webmasters clicking ads on their own site but rather the advertisers themselves.

RTFA. It *was* a greedy webmaster clicking ads on his own site. Auctin Experts is no advertiser.

I thought they fixed it already?

[jromz03]

I did an experiment on my forums (with adsense)... and clicked an add 100 times.

It did register but my earnings were so small that i must have ignored all 99 clicks.

unless, the clicker keeps changing his/her IP before clicking.

Re:I thought they fixed it already?

turn off cookies?

Build up to it...

[Otto]

Nah, you just need to make each trojan behave more like a normal human-like pattern. The total effect is cumulative.

Maybe each one loads the ads and your page 10 times a day, and clicks on one of the ads maybe 1 out of those 10 times (chosen at random). Have it replicate to a thousand machines, and you've got something.

In order to make it more randomish and human, you use a random timer between each page load, a more randomised click counter (maybe once every 15-30 loads gets a ad-click, with the number between ad clicks being randomized as well), and so forth. Add enough randomization and it will look a lot like your site just gained popularity. Then make your site a blog, and post to it every day like any other blog, to make it a "real" site instead an obvious money maker via ad-forgery.

The real secret is to not get too greedy. :)

Its not illegal

[ad0gg]

Its violation of a contract. Websites who host google adsense have agreed not to inflate clicks. If the guy wasn't greedy and instead just hired people to click adwords on the google search engine, google would have no case. Since there is no contract between using google search and the user.

Re:Tracking purchases? DEflate the INflators...

[davidsyes]

As for the Click Inflators, Google should DEflate them...

Google should hurry up and automate their scripts to track the multi-click abusers and then deny them the ads information.

If the contract (lega/business, not SOCIAL contract) between Google and the ad spot placers is written to account for this, then Google could exercise its option to exORcise the offending ad/content owner, just by not passing and not telling them they have information.

Then, when an inquirer picks up the phone to place an order for a product, an order not directly attributable to the ad on Google, the CSR will log the caller and the claim that that an ad on Google led them to make a purchase (and the number of however many times the con/Prosumer saw and considered the ad prior to making the call for infomation or the consummate a purchase), which then won't jibe with that company's own "placements" they paid for.

THen, Google can say, well, you're playing games with our system, which tries to be fair, but your games are exploitative, deceptive, abusive, and unctuous. You're being uncouth, greedy, manipulative thieves, stealing from US the price you are supposed to pay, or agreed to pay. We could take you to court, but then you'll cost US money and time and personnel resources. So, we'll just delay or deprive you of your ads/banners hits information.

This will either enlighten or starve the abusive companies.

Now, being a Libra and trying to consider the implications of "SOCIAL CONTRACT" of accepting ads for access to free content...

I don't currently believe I SHOULD be bombarded with junk, nor should cookies be foisted onto my system. Cleaning that SHIT up is time-consuming, enraging, and makes me conjure up "get-even" schemes. It's tantamount, no, it's EQUAL to TRESPASS. So, were I a programmer or someone skilled in cookie decryption, I'd break those cookies open, implant bullshit into them, and then send them on their way.

Is there a product to do that? I'd pay $100 for it, JUST to be able to poison, not just delete, cookies and that cookie monster reconstruction stuff that's floating around. When a person says, "DON'T TRACK me", WTF does that mean to ad sponsors? Anything? Nothing? A big "SCREW YOU, browser/person"?

I guess soon, though, the people like me will see their downloads increasingly throttled down as punishment or spite.

I realize that a number of sites DEPEND upon receving ads so they generate revenue to offset operating costs, and I am considering setting up a website, a blog, or other interface that may also dependd upon having advertisers. But, my advertisers of choice will be SCREENED, whittled, and chosen tailored to my site visitors, and now allowed to just willy-nilly/surreptitiously/sneakily obtain any and all kinds of information from my visitors.

Any visitors who DON'T want to be tracked are likely so small a number as to be negligible. Advertisers OUGHT to respect that, and fear it, but they so much fear it or bullishly abuse their position that they force it down most people's throats. Either they are, or the site pushing or receving the cookies from routing sources are spending an INORDINATE (30 seconds, and longer) trying in VAIN to get a response from my and other people's browsers when a damn cookie is being blocked or not allowed onto the machine (yep, I locked down my Konqueror temp cache (gave it to root, but I browse as my own user) for my username so I no longer store cookies. I tell Konqueror and Firestarter to deny such and such IP and host name, and when the cookies from those particular sites I deny still show up, I become enraged, but I don't break any laws. Were I a lesser person, I'd start an "Anti-Cookie Exec Bounty Hunter" organization...

David Syes

This has me worried

[BillsPetMonkey]

Google claims the secrecy is justified in the case of not giving advertisers details on fraudulent clicking. They say the last thing they want to do is provide a "road map" to would-be frauders."

That can also be used to prevent diclosing the real value of advertising space. It's the same argument used by credit agencies not giving people their own credit information.

Wow!

"They say the last thing they want to do is provide a "road map" to would-be frauders."

So I guess in that vein we should immediately close all Linux source so as not to provide a "Roadmap" for hackers as well!

I used to do just that

[grahamsz]

I figured out that my main competitor for a sane inbox was the bulk email industry, so i wrote a neat little perl script to search overture every few hours and click on some sponsored links.

I'm not sure if the email companies got billed, but some of them were paying almost $10 a click!?!

Thats great!

[ad0gg]

So now i can really screw my competitors. Hire a bunch of people to click the adwords on my competitors website while pretending to be my competitor. They in return google sues me or should i say my competitor. Then my competitor gets hit with a big lawsuit and I win. Thats such a great idea. Thats almost as good as getting your competitor black listed off the search engines by buying links to them on link farms.

Re:Thats great!

[rewinn]

...while pretending to be my competitor.

Then what? You go testify that you worked for your competitor. Your competitors says, "OK, show me a pay stub."

The judge finds you lied under oath. Go to jail. Go directly to jail.

Simple

Hosts file entrys.

127.0.0.1 pagead.googlesyndication.com
127.0.0.1 pagead1.googlesyndication.com
127.0.0.1 pagead2.googlesyndication.com
127.0.0.1 adwords.google.com

Every os can use a hosts file. Why are you not?

I have zero problem blocking all ads. Since i've never clicked one. And would never buy anything from an ad based source. If i want something i'll go out and SEARCH for it. Duh...

Re:OT: Your .sig is stupid

[doublem]

Or are you just a disgruntled liberal ex-Catholic looking for a whipping boy?

LOL

Protestant.

We have a long history of baiting Catholics.

Value of Advertising

[michaelhood]

Full Disclosure: I am affiliated with a lead generation company linked later in this post.

I'm seeing a lot of posts on this story saying that PPC is worthless, and getting modded to troll/flamebait. PPC isn't worthless. It's worthless when its managed ineffectively, or by an inexperienced person. Big companies outsource their PPC management, or use alternative methods of advertising.

CPA (Cost-per-acquisition) is becoming increasingly popular in these times of PPC troubles. eBay uses it, they pay $20 per ACRU (active current registered user, someone who signs up and bids) via their affiliate program.

Many large companies have turned to lead generation companies that accept payment on a CPA basis. These companies take on the risk involved with PPC and are better equipped to handle them via special tools and relationships they have with the PPC providers. Their customers only pay for "sales leads" they receive. These leads contain the information about a prospective customer that they need to make an informed sales presentation. The leads are generally delivered in real-time via e-mail or web interfaces, and clients usually find their ROI (return-on-investment) to be much higher than with a standard PPC campaign.

In summary, if you know what you're doing and have the time and experience to manage a large-scale PPC campaign, then it is cheaper to do so. However, if you don't have the time/experience/manpower to dedicate approximately 1 hour per day per every $100/day spent, then lead generation is probably more cost effective.

once again- fuckedgoogle.com had it first

[googisgod]

http://www.fuckedgoogle.com/

It's funny how it takes ages for mainstream press to see things that are as obvious as the nose on someone's face.

Click Fraud?

[Ulrich+Hobelmann]

It's not clicking, it's sending HTTP requests to google.

Even if someone pays somebody else to click on advertisements, what's the problem? It just raises the miss rate of advertising a bit. Instead of having maybe 10% of click-on-your-ad users buying something, you have 2% of request-your-website users buying something. It's just a cost to be reckoned with and basically increases the numbers of click-through ads you have to buy.

In the future? See zombie mobs of hacked Windows PCs accessing advertising links :D

Re:Tracking purchases? DEflate the INflators...

I think your Caps Lock key might be broken.

heh

what was that other one somethingoretheforfree.net that payed you per click. This is not the only time this sort of shit happened

Word usage error

[premchai21]

It's supposed to be "rein in". Seriously, guys.

A solution, but...

[shmlco]

That's a solution, but now you have evil third-party cookies, and evil third-party images and web-bugs. All things that the average "I have the right to block everything" /.er will kill on site... er, sight.

Re:Still trying to figure out..-AdSense is broken.

Google adverts are simple and unobtrusive.

And they are powered by JavaScript which is exploitable by spammers and computer crackers.

After reading one webmaster's 'horror story' of 'abusing' Google AdSense, I added the line

127.0.0.1 pagead2.googlesyndication.com

to my hosts file to block them all and save some bandwidth as well.

Though Google has 'sold out' and became a publicly traded company, I still use their search engine though it is 'spamdexed' like crazy by commercial interests. Someday, perhaps somebody will come up with a better search engine than Google that *DOESN'T* become clogged with advertising which makes it extremely difficult to find *REAL* information....

Google is fighting back...

[Robotech_Master]

...by sending people nastygrams for saying things they don't like in their blogs.

An entry of my essay journal, discussing the ads, had a bit where I half-jokingly encouraged people to click through.

We've found that you have language on your site that draws undue attention to the Google ads you're serving through AdSense. This language may encourage your users to click on the ads that you're serving through AdSense. However, if users click on ads without the intention of converting to customers, advertiser costs can be artificially inflated. Therefore, such activity is in violation of our program policies and we kindly ask that you remove the following language from your website[...]

So, I made the requested changes, turning it from this into this. For a couple of minor phrases in such an old entry, it wasn't worth kicking up a fuss.

Still, I'm thinking at some point soon it will be time to write a lengthy journal entry about how I do not encourage people to click on the ads, would not appreciate it if people click on multiple ads just to get me a bit of money, and do not appreciate the support. I could probably go on in that vein at quite some length.

Or perhaps I'll just remove the ads altogether. It's not like I'm ever going to see a penny of the revenue (I doubt I'll ever reach the $100 minimum) and it's annoying to give someone else a lien on what I'm allowed to say.

deflation

Wouldn't the price of something falling be an example deflation, rather than inflation?

Re:deflation

[Rollie+Hawk]

Not in economics.

Ads, Spam and the universe

[northwind]

There is a sorry analogy in so far that the ads popping up on our screens are just as unwanted as the spam mails in the inbox.
This brings us to spammers suing firewall and mail filetering services.... sigh....
In other words: who cares???
Did the advertisement industry ever care about customers for other than their money? And who is actually paying for the bandwidth they use to showcase their stuff on my screen?

Where's the Royalty?

[lifer_red]

I think you meant "rein in", not "reign-in" :-)

Reign = what a king or queen does
Rein = the rope/leather used to hold back an animal

And why use a hyphen?

Educating Slashdot!

If it *is* broken, *do* fix it!

[ajs318]

The simple truth is, "pay per click" is a broken business model. Since even early versions of Mozilla, it's been riduculously easy just to click on an advert, and open it in a new tab in the background where you don't have to pay it any attention -- just close the tab when the bar gets too full to be readable.

You can try to track visitors with cookies, but the savvy ones empty the cookie jar once in awhile {and Firefox even allows you to "pretend" to accept cookies, but ditch them at the end of the session}. As you've every right to do: after all, it's your browser, and you -- not the content provider -- have the right to decide what you see.

Anyway, the public no longer wish to be bombarded with advertisements. In my case, seeing an advert actually makes me more likely to choose an alternative where I know my money is not going to be wasted on advertising. Here's a clue for all advertisers: When I wish to buy your tat, I will contact you. If I have not contacted you, it is because I do not wish to buy anything from you. Get it?

Wow, I'm glad you're not a lawyer

[jbellis]

News flash: hiring someone to break the law for you is illegal too.

Re:OT: Your .sig is stupid

[doublem]

Is this headline better?

Extreme Homophobe Ratzinger Elected New Pope

Not Gay myself, but I have enough Gay friends to not be fond of someone who wants priests to stop ministering to gays and lesbians.

From the article:

A nun who was ordered by Ratzinger to stop ministering to gays and lesbians called his election to pope "devastating" for those who believe the Catholic Church needs to be more tolerant on social issues such as homosexuality.

Yeah, he's a real peach, isn't he?

Re:Secrecy

[devbone]

How the hell is my post off topic. Google is using secrecy to hide their operating procedures. Bad Moderation Bad

when there is intent to deceive...

It's that simple. That's what fraud is.

Another good example is if you go to a store to buy something with the intent of returning it. Like maybe to try out a digital camera before buying it online or "borrowing" a camcorder for your senior trip.

It's not illegal to buy something and return it. But buying something with the intent of returning it, even though it is the same action, is fraud.

Re:OT: Your .sig is stupid

[Zordak]

Well, that would at least say something meaningful about him and establish your stance on an issue open to useful discussion. But hey, it's your .sig. Feel free to put what you want in it and I'll feel free to grouse about it.

Re:OT: Your .sig is stupid

[doublem]

Freedom of Speech is a wonderful thing, isn't it?

click fraud

[bez7]

www.clickmonkeys.com says it all...