Google's Click-Fraud Crackdown

An anonymous reader writes "Wired reports that Google is making some effort to put a crack in the practice of click-fraud. Because of the pernicious abuse of the company's advertising business, it simply can't be sure that anyone is actually looking at the ads. Bruce Schneier talks about the problems of ensuring that people are really people, and Google's solution." From the article: "Google is testing a new advertising model to deal with click fraud: cost-per-action ads. Advertisers don't pay unless the customer performs a certain action: buys a product, fills out a survey, whatever. It's a hard model to make work — Google would become more of a partner in the final sale instead of an indifferent displayer of advertising — but it's the right security response to click fraud: Change the rules of the game so that click fraud doesn't matter."

that's bad

[doti]

That way, Google will want to enforce it's ad (avoid ad blockers, make them more visible, etc) even more.

Re:that's bad

[emurphy42]

But people are generally a lot less concerned about blocking Google ads, because they're Not Evil. Google knows this, and will make a strong effort to keep it that way.

Re:that's bad

[Firehed]

Exactly. I don't mind GoogleAds because they're unobtrusive, yet still informative enough to be useful. ANY site that uses popup advertising ensures themselves that they'll never make a penny from me, especially since they'll have had to abuse a loophole in order for me to have viewed it. I don't even mind some flash ads, as long as they're not those seizure-inducing type.

CPA good for google, but...

[truthsearch]

CPA is a good model for Google and a very good model for advertisers. Advertisers, in effect, can pay for only the advertising which results in a sale.

Small publishers, however, will likely suffer. The vast majority of click-throughs on text ads result in no sale. Yet publishers still get paid for it. The only way this would balance out would be for the payment to publishers per action to go up. That would be fair. But I think the small bloggers who like to use adsense will lose revenue from this model.

Re:CPA good for google, but...

[StarvingSE]

What about this scenario:

You are in the market for Widget X. While on a website about all things Widgety, you see an Adsense ad for a certain brand of Widget X. You click on it, you like it, and bookmark the site. Because you are a smart consumer, you shop around trying to find the best value for Widget X. Upon completion of said research, you decide the original site (the one found with adsense) is the best deal, and you go to that site and purchase (this is now a week later than the original click-through date).

Everytime you reboot your computer, you have your browser set to have all cookies wiped out.

How is google going to track this? This is still a sale generated through adsense.

Re:CPA good for google, but...

[truthsearch]

Such a tiny percentage of users delete their cookies that Google is willing to take the loss of ad revenue. It's far better than the huge cost of click fraud (loss of valuable advertisers, etc.).

Re:why do they care?

[Duhavid]

Perhaps because Google's customers care?

Re:why do they care?

[Threni]

> Why does Google care so much? They get more money when people abuse it. Just charge less per click
> if they're that concerned about it.

Because most people *don't* cheat, which means that Google would be making less money from everyone because of a tiny amount of fraud.

I like to think, though, that I've helped cause this problem by right clicking/open in new tab on ads I have no interest in. I also fill in questionaires with random answers if I have to complete them to proceed into an otherwise "free" website, though, so I'm not sure how long this proposed solution is going to do any good...

Re:why do they care?

[doti]

But if people abuse it, the adversiters will find less value on Google ads.
They are trying to protect the value of their product.

Re:why do they care?

[truthsearch]

Fraud results in distrust by advertisers. Many advertisers ignore adsense because of the high level of fraud. They don't want to pay for something that brings no sales. With enough fraud this whole business model disappears.

Re:why do they care?

[Orange+Crush]

1.) Because their company's culture is geared towards providing the best user experiences it can and that whole "Don't be evil." bit.

2.) Even if you think all of that's a crock, Google will make more money selling online advertising if they aren't continually making ~$90 million or so click fraud settlements periodically . . .

Dangerous ground

[Rob+T+Firefly]

This could open up a big can of worms, precisely because it increases Google's stake in the actual buying process. The protests over ads for controversial stuff like religious or medical items, "adult" materials, political stuff, and so on simmer to a faint background hum when Google is just churning out automatic ads, but if Google can be shown to be taking part in the actual sales and transactions of this stuff their critics are likely to pounce on that. "OMG Google is selling evil pr0n/Satanism books/weaponry/GTA San Andreas/Online Gambling/etc..."

Re:Doesn't solve the wider problem

[Daniel_Staal]

Who cares whether it's actually a human? What you really care is that they purchased your product. If the payment is tied to that, it becomes irrelevent who clicked or how they clicked.

They spent money because of your ad. So you can afford to pay for the ad.

And if an AI was the one who spent the money, great. As long as their credit card works.

Re:Doesn't solve the wider problem

[truthsearch]

The action they're going to track will typically be a sale. There will be no fraud if the only way to commit the fraud is to make an actual purchase. This is already how product affiliate systems work. If people click through an ad but don't buy a product the merchant doesn't pay. No one's going to write bots to automatically buy products which cost more than the advertising.

Re:why do they care?

[danpat]

It's not that simple. Google is a middle-man, they're not creating the ads. Joes Pizza shop pays Google to display their ad when certain keywords are found on a web-page. They pay different rates for different words, and they pay by the number of times their ad is displayed.

Click-fraud hurts Joes Pizza because hey's paying Google to show his ad to potential customers, but during click-fraud, no-one is actually seeing it. He's paying for nothing. Google just takes a cut of what Joe paid, and passes the rest on to the websites that actually displayed the ads (or claimed they did).

Google only cares about this because if Joe thinks he's paying for nothing (i.e. no real people are actually seeing his ads, and all the "clicks" he's charged for are actually fraud), he might stop paying Google to farm out his ads. If that happens, Google loses their revenue stream.

Lots of clicks are good for Google, they get to charge Joes Pizza more. But they're only good if Joe thinks he's getting his message out to lots of people.

Re:why do they care?

[Nos.]

Actually, no, because Google charges the owner of the ad for that click and pays you (the adsense hoster) a portion of that amount. So in the end, the company paying to have the ads displayed loses money to invalid clicks. Google still makes money (ignoring legal costs and such) for each false click. However, it does make adsense a less valuable advertising tool and thus would cost them in the long run.

Re:Terrible Idea

[karmatic]

It depends on the term - it's easy to rack up $125/day for the right terms (mesotheliomatic cancer, anyone?). For a lot of people, that's a good chunk of money.

All you need is an internet connection, some proxies, greed, and a "they're rich americans (because they exploit everyone else) so they deserve what they get" mentality.

How do I know this? I'm an adwords advertiser, and I tracked down one of the site owners who was doing a fair amount of fraud on one of my terms. One of the proxies he used had an X-Forwarded-For header, and I found his IP in an IRC log, and finally managed to track him down on IRC. I pretended to be a fellow fraudster, and we compared account screenshots. The guy was very proud that he was making over $4000USD/mo. His sites were simply wikis with stolen content (it's easier to make pages for a specific term that way, I guess). He did the clicks himself, and had a proxy program that simply took from a list of proxies and picked a random one every page load. He actually sat there for several hours a day clicking, and made about $40/hour to do it.

For some advertisers, it is a huge problem, especially when paying $10+ per click.

Biometrics to record clickthrough...

[Baloo+Ursidae]

A better solution might be some kind of fingerprint reader that generates digitally signed "proof of life" which can be demanded by remote sites.

To record an ad impression? Let me get this straight. You're honestly suggesting that users submit their fingerprint to verify they've seen your ad and you expect people to submit to this? Are you high?

I mean, it's inconvenient, and invasive! Now if you can just find a way to make it really uncomfortable for the user while they're at it and you'll have achieved the prostate-exam trifecta that everybody shoots for when they want to pitch a new product idea.

CPA only works when there's a trackable action

[Goldenhawk]

CPA only works when there's a trackable action... and in many cases, the trackable action is going to be impossible to define. For example, I launched a new site in July (geochecker.com), which is a free geocaching-related site, supported by Google Adsense ads, and doesn't sell anything. To get some initial traffic, I used my existing Adwords account to run ads on related search terms. Now, since my only monetizing product is advertising (from Google itself!), and the services the site offers are free, how on earth can there be any action? As a matter of fact, the very "action" that I'm trying to get IS a click - I want them to visit the site. I don't have anything to sell beyond that, other than possibly deciding they don't really want to be there and leaving thru a similar click on the Adsense links. I just need to build traffic above the breakeven critical mass. Beyond that, I don't care what happens to any "conversion".

(And given the economy of Google ads, I'm basically paying about 50% of the Adwords cost because I get about a 1% click-in, and about 1% click-out, and the Adsense click-out pays about half of what an Adwords click-in costs me. So obviously I can't use Adwords long-term, but it's okay for building initial traffic, and incidentally for making sure my site got quickly indexed - thanks to daily visits by the Adwords robot.)

Now, in that model, as with many other businesses who are not selling online, it becomes impossible to track CPA, and the CPC is really the only valid business model. And this is true of millions of link-farm sites (not that I'd mind most of THEM disappearing).

As others have mentioned above, advertising is about much more than simple action-tracking - if you put a favorable ad in front of a potential customer enough times, it will build brand awareness and eventually convert. But not in enough time to make CPA useful, and usually in ways that cannot be directly tracked anyway.

Sorry, but I think CPC is going to be around for quite some time. And I'm sure Google is well aware of these dynamics.

Re:Doesn't solve the wider problem

[Jerf]

Why would you report to Google that a product has been purchased any earlier than the completion of the transaction?

If, at that point, you start to have trouble with people cancelling, that's easy: You require them to call in to cancel. You may find that in the real world, this is already the case, if you can cancel at all. By the time a bot can fake a phone call, we'll have other problems and solutions.

I'm not sure if it's possible to reverse credit charges without a phone call, but again, if an automated credit charge reverser is online, and it starts to get abused, it'll come offline real quick. If there isn't one online, again, no bot is going to be calling the credit card company and reversing charges.

I'm not sure how a botnet can attack this when properly implemented. The gaming opportunities are moved to the advertiser side, and while that too will have some issues, I believe they will also be solvable, unlike the current situation where the bots have a natural advantage that can not be practically overcome.

Stupid question

[element-o.p.]

Please excuse the stupid question, but most Apache (and I think IIS, as well) can log the referrer's and the client's IP address. Would it really be that hard to place a cap on the number of clicks from the same pair of client IP / referrer IPs within a given period of time from which the AdSense bill is generated? I would think you could also drop on the floor anything from either an RFC-1918 IP address or an address that matches the referring web server's address, as well.

I'm not real familiar with how AdSense works, since I've never run it on any of my web servers, but I would expect that if a shady webmaster is engaging in click fraud then either:

1. He is using computers on different networks to click on the add, in which case there is a limited subset of hosts from which he can operate (home computer, business computer, wireless from the coffee shop, etc.);
2. The fraudulent clicks will come from a number of RFC-1918 addresses, and therefore must have originated from the webmaster's internal network (assuming that AdSense sends the IP address from which the shady webmaster's server saw the click);
3. The fraudulent clicks will come from a single public IP address from which the shady webmaster's internal network is NAT'ed (assuming that the AdSense client's web server logs the IP address of the computer from which the click was generated).

In the first and third cases, the cap on clicks per unit of time from a single IP address will serve to reduce (but admittedly, not eliminate) click fraud. In the second case, dropping RFC-1918 addresses on the floor will prevent fraud, since *only* the webmaster's internal network could possibly have accessed the server from private IP space.

Re:Stupid question

[bennomatic]

In addition to zombie PCs, which the other poster mentioned, there are zombie proxies. I used to work for one of the original click-through advertising companies, which is now mostly defunct. To protect the annoyed-at-not-being-successful, I won't ssaayy it's name. Anyway, we had a "client" who kept setting up accounts under slightly different names (different combinations of about 6 first and last names), and then those accounts would make 10 times more money than any of our other clients.

We finally found that what they were doing was searching for unprotected proxy servers--specifically, ones running something called SQUID, which is apparently easily scriptable--and they would have different IPs hitting their pages from all over the world. Thousands of times an hour from thousands of IP addresses. Looked totally normal. But with 1-2% click-through rate, they would have made $1000/mo from all their accounts, but we caught on that something funny was happening after the first couple of payments went out. It was easy to see that something was wrong, but just what was difficult. Eventually, we simply stopped showing any paid ads to any requests from SQUID servers. That solved the problem, but unfortunately, while the technology was great, it was a little ahead of itself, and we didn't really have a marketing team, so unfortunately, it went the way of the dodo.

Sigh

Re:Doesn't solve the wider problem

[IamTheRealMike]

It matters because not every advertiser on AdWords is actually selling something. So, cost per action ads even if fully deployed won't solve the problem for everybody.

Re:victim of click-fraud

[Random832]

Of course google closes accounts with no investigation - the money train is showing no signs of slowing down anyway, and this lets them keep it all to themselves.