The Vanishing Click-Fraud Case

PreacherTom writes "In March of 2004, a computer programmer arrived at Google's offices with one goal in mind: blackmail. He had invented a program called "Google Clique", which could generate millions of fake clicks to Google's ads. The price to avoid disaster: $150,000. At the time, it didn't end well for the programmer; Google had the police in the next room. However, a few days ago the U.S. Attorney quietly dropped the case. The reason: apparently Google was unwilling to cooperate with prosecutors. Why the odd behavior?"

*groan*

[voice_of_all_reason]

What's with both the article and summary playing to the channel 5 action stopper team "Why?!?!?" question?

Duh, that's the point of blackmail. You don't show your hand until you have something that will discourage the victim from turning you into the police. Obviously, the guy could've released the method to the public and caused Google more than letting him go.

Re:*groan*

[TubeSteak]

Obviously, the guy could've released the method to the public and caused Google more than letting him go.

I bet Google was more worried about the discovery process than the guy's program.

The guy could really do some damage by requesting all kinds of information which might become public record... information that Google wouldn't want to let out.

Re:*groan*

[iamhassi]

Exactly. This is genius really. The guy's been dragged over the coals for the last 2 years. Arrested, interrogated, numerous court appearances, fear of 20 years in jail. Who would want to ever go through that again??

If I knew how to do click-fraud I'd just try and forget as soon as possible. In the US legal system you're pounded-in-the-ass by the law first, then you go to jail, so I don't wanna even be accused of knowing how.

Umm..

[OneSmartFellow]

First question: What did they have to gain by persuing it ? not much me thinks

Next question: What did they have to lose by persuing it ? trade secrets, embarassment, other

Analysis: Very predictable.

Re:Umm..

[jessecurry]

yeah, they already scared the guy, and didn't have to pay him $150,000
If they would've taken this to court there is a good chance that their algorithm would become public knowledge, which would cause them to lose much more money and credibility..... plus sending someone to jail might fall under the "evil" side of things, in a karmic sense at least.

Re:Umm..

[R2.0]

"Yeah, that's great corporate citizenship on Google's part. In order to avoid paying _A BLACKMAILER_they call law enforcement...(irrelevant crap)"

There, fixed that for ya. You see, blackmail is a criminal offense. It is the police and prosecutor's JOB to spend public resources going after suspected criminals. Google did their part by cooperating with the police in the investigation and arrest. If anything, the prosecutor should be sanctioned for NOT pursuing so obvious a case as this.

Re:Umm..

[R2.0]

How on earth is helping send a blackmailer to jail "evil" in ANY sense, karmically or other?

Re:Umm..

[jessecurry]

because being in jail is unnatural. there is a strong notion developing that jail does absolutely nothing to benefit society. Actually, most people in the US are in jail for drug related crimes, which are arguably victimless, so getting those people off the streets doesn't make the streets any safer.
I understand that blackmail is a different story, but putting someone in jail doesn't help the victims of the blackmail, nor does it do anything for society, other than creating another welfare case.
In New York they even found that as jail populations fell crime rates fell, contrary to popular belief.

Re:Umm..

[drinkypoo]

because being in jail is unnatural. there is a strong notion developing that jail does absolutely nothing to benefit society. Actually, most people in the US are in jail for drug related crimes, which are arguably victimless, so getting those people off the streets doesn't make the streets any safer.

Actually, less than fifty percent of the people in prison are there for drug-related crimes, more are there for violent crimes. Now, perhaps more than fifty percent of the people going through the courts are there for drug-related offenses, I wouldn't know.

Some prisons are having good luck rehabilitating prisoners. It seems the key is to actually try to rehabilitate them instead of just sticking them in a series of little boxes and encouraging them (through neglect) to be or at least act like a bunch of violent racists.

Just read an article (on Reuters oddly enough news, of all places) that talks about a prison that has a program to teach deep sea diving. Prisoners who have passed through the program have a 16% recidivism rate, as opposed to the 50% of other prisoners. Even given the fact that the prisoners who are likely to get into the program are almost necessarily different from other prisoners BEFORE they get there, it seems likely that using the proper methodology with prisoners might actually have positive results, whereas what we see with prisoners who are just traditionally incarcerated and allowed to rot is that they learn how to commit more serious crimes while they are in prison, or learn how to utilize legal constructs to disguise their crime as legal activity, so they can simply get away with it.

What I find appalling is that we spend more per prisoner than we do per student, and in many cases, corrections officers get more money than teachers. This has got to stop. If we spend that money in schools, on our future, perhaps less of those kids would end up in prison.

Oh wait, that's why we do things that way. Got to keep those people in the corrections industry employed!

Re:Umm..

[SurturZ]

Q: Do no evil?

A: They're an advertising company!

Re:Umm..

[Dhalka226]

Erm... I didn't RTFA--is it substantially different from the summary? Because the summary says:

However, a few days ago the U.S. Attorney quietly dropped the case. The reason: apparently Google was unwilling to cooperate with prosecutors. Why the odd behavior?

Google called the cops, let them build a case, then refused to cooperate with the prosecution. They did NOT do their part by cooperating, and the prosecutor only dropped the case because of that.

Coincidence?

[spellraiser]

<tinfoilhat>

But on Nov. 22, the U.S. Attorney's Office quietly dismissed charges against Bradley.

November 22 is the day they killed Kennedy! Coincidence? You be the judge ...

</tinfoilhat>

Re:Coincidence?

[aitikin]

Best usage of I've ever seen.

Trade Secrets

[KermodeBear]

Google was unwilling to cooperate with prosecutors. Why the odd behavior?

This is pure speculation, but perhaps the courts wanted Google to reveal some, or all, of the methods it used to detect click fraud; they would not want that information revealed. A trade secret like that would be far more valuable than a guy in prison.

Did Google hire the guy?

[xxxJonBoyxxx]

Did Google hire the guy?

It's a serious question; some firms actually do hire the black hatters who targetted them.

Re:Did Google hire the guy?

[Intron]

I don't think so. He sounds like a real bozo. Here's an online conversation where he uses the name CountScubula and explains what he is doing. I suspect Google strung him along until they figured out what he had, then modified their anti-cfraud software to detect it, then dropped him.

Re:Did Google hire the guy?

[ZachPruckowski]

It's not that uncommon. The theory is that the you can buy the guy's loyalty, and if he's skilled enough to hack you, he's smarter than your guys (or at least smart enough to be on the team). There are a lot of things that are easier to "train" into someone than talent.

Re:Did Google hire the guy?

[try_anything]

Right. Black hat hackers really want boring, defensive corporate jobs; they just need a foot in the door. It's just like the time a teenager did donuts on my lawn, and I hired him as a chauffeur, because what he REALLY wanted was to wear a silly little hat and be at his employer's beck and call ten hours a day.

There's no risk of them getting bored and using your company resources to attack other targets, because they love bourgeois success too much to risk it for a thrill.

White hat hackers, on the other hand, are completely unemployable. They're whistleblowers waiting to happen.

Re:Did Google hire the guy?

[hymie!]

The United States Government.

Re:Did Google hire the guy?

[Unlucke]

some firms actually do hire the black hatters who targetted them

No, sorry; just because you read on the intarwebtubes-livejournal of xxxhax0rboixxx that he was hired by "teh Googel" does not make it true, as much as your hope for a bright future would like to make you want to believe it. with a comment like this, no wonder it was submitted by an Anonymous Coward... i do have a question though, did you happen to read his entire post, or did you only read the last part /derail_off

Re:Did Google hire the guy?

[Juha]

Isn't hiring criminals usually considered evil?

only 150K?

[elcid73]

I'm curious... if he could generate 30K per month with his program, why only extort for 150K?

Why not just run it for 5 months and call it good?

Re:only 150K?

[phoenix.bam!]

The lump sum payment would be guaranteed while he had no way of knowing if Google would be able to stop his software from running after a couple months, at even a few days.

Re:only 150K?

[antifoidulus]

One possibility that he was playing chicken with google and his software really didn't work as advertised. He probably figured that to an individual, $150k is a lot of money, but to google it is the proverbial fart in a windstorm so they would just let it slide under the table rather than generate lots of press. However, he figured wrong and even though google isn't pressing charges(perhaps due to the fact that they would reveal more information than its worth) the huckster still got just deserts: he did spend some time in prison and his name is pretty much ruined forever. Would you want to hire the guy who tried to defraud google out of $150k? Can't imagine it would help his job prospects any.

Re:only 150K?

[foniksonik]

It's like a a DOS attack... on it's own it isn't monetized. To make click fraud work he'd have had to go to a lot of effort... OTOH he could easily release it to the world and many others WOULD go through the effort and even if unsuccessful it would cause havoc and potentially lawsuits from legitimate service users... so extortion to NOT release it was the easiest route to take, AND he wanted to make it easy for them to buy him off.

It should have worked. Any normal company would have paid him off and made him sign an agreement to not release with significant penalties if he did.... which would no longer require an investigation to enforce.

Re:only 150K?

[skotte]

This got me thinking. Perhaps he wanted the lump sum which he assessed as being the value of running it a number of months, until Google caught up with him and repaired the bug. Which then suggests a possible scenario in which he didn't so much come planing to blackmail, but rather came planning to sell his information. Mind you, I don't know the guy or the situation really. Some people have said he's a real knob, which could be. But I can easily imagine him identifying a hole, and thinking to himself "Hey I could use this, or I could sell it to anyone and everyone -- or I could sell it to google. That wouldn't be nearly as illegal as some options, and maybe they'd give me a real job." And then his line of thinking kind of spiraled out of control a bit. Google, fFor their part, saw a hacker kid, didn't really want to encourage him at all, but didn't see any need to nail him to a wall either. Code gets fFixed, kid goes fFree, Google doesn't spend a million dollars just to sue some geek.

Re:only 150K?

[metamatic]

I dunno, I don't think paying the guy off is ever a smart move. The thing is, writing software to generate clicks that appear to come from all over the Internet is really not that hard to do. The tough part is working out how to make money by doing it, without breaking the law and getting caught.

Re:only 150K?

[aminorex]

There is, of course, a very real difference between fraud and blackmail. Blackmail is often legal, for example, while fraud is generally not legal. If he had operated the program to Google's detriment he would have been perpetrating a fraud. The fact that the offer to Google was an offer to not commit an illegal act makes the offer an illegal form of blackmail.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Because Google makes money off click fraud

[Aladrin]

Except that if their plan was to profit from his 'fraud', they wouldn't have set him up in the first place. They'd have just 'called his bluff' and let him do it.

Instead, they chose to have him arrested and let the world know about his scheme. We don't know WHY they chose not to prosecute, but I seriously doubt it has anything to do with being evil.

Oxygen of Publicity

[DamonHD]

Maybe G just doesn't want to give the story any more credibility, but in any case, not exposing its anti-fraud methods in court would be a good enough reason. Why give the bad guys more info than you have to?

Rgds

Damon

Re:Oxygen of Publicity

[drsquare]

Or more than likely, Google like clickfraud because it increases their profits.

Why did they need google's info?

[phorm]

What I don't understand is why they needed to know about google's click or anti-click-fraud system to punish the guy. Yes, they might need to know such to assess damages for financial issues, but blackmail/extortion would be illegal regardless. If they've got the cops in the next room taping the guy making a "pay me out or else I'll do X", the feasibility or impact of X is not so important as the fact that the individual has already attempted to extort money from google.

Re:Why did they need google's info?

[mindwar23]

In order to proove that "I'll do X" would financially damage Google, they would have to provide some kind of supporting evidence that the product's public release would hurt them. I think it's safe to assume that this evidence consists of closely gaurded trade secrets that Google did not want to risk exposing in open court...

Re:Why did they need google's info?

[tsstahl]

"pay me out or else I'll do X"

There is a fine line between a business negotiation and extortion. The enterprising lad in question was trying to sell a program to Google. What that program does is a separate issue.

Re:Why did they need google's info?

[phorm]

Incorrect. It would be a sales attempt it he stated "I will sell you this software that does X for $150,000"

It's extortion if he states "If you don't pay me X I will give this software/info/etc to others that can use it against you"

The threat was not the sale of the software to google, but to others who would use it against them.

Re:Why did they need google's info?

[Onan]

You may be thinking of the wrong "they" here. The judge and the prosecutor might not feel that they need that information, but they're not the only parties involved.

If you're accused of a crime, you have fairly broad ability to subpoena any information that you can make an even remotely plausible case for being related to the issue at hand.

So all this guy's lawyer would need to say to the judge is, "We believe that click-fraud is so rampant that the defendant's tool would not have caused any further harm. And to prove that, we're subpoenaing every line of code Google uses to detect click fraud, every log of every hit they've ever had on an ad, and all the email and meeting minutes in which any employee of the company has ever discussed the issue of click fraud."

It doesn't matter whether the claim is true or not. If it the judge considers it to be even remotely possible that it _could_ be true and relevant, the subpeonas would be granted. At which point every detail of every tool Google has ever used to combat click fraud would become a matter of public record.

That certainly strikes me as a much bigger deal for Google than whether or not one moron goes to jail.

Re:Why did they need google's info?

[cswiger2005]

While it might be relevant in a civil trial where Google claimed a certain level of damages and the defendant claimed that the amount Google lost wasn't actually what Google claimed, Google doesn't have to prove it lost money from click-fraud for the criminal case to proceed, nor would showing that other people commit click-fraud be a mitigating defense against the blackmail/extortion attempt.

Sure, a defendant does have fairly broad rights to subpoena relevant information to his defense, by no means does that information become a matter of public record-- it's quite normal for a company to claim some information is a trade secret, and have discovery limited to what is actually relevant rather than the judge granting an over-broad permission for everything, and/or to have the information filed under seal.

Re:Why did they need google's info?

[greenrd]

It's extortion if he states "If you don't pay me X I will give this software/info/etc to others that can use it against you"

But doesn't this happen in perfectly legal negotiations, such as business takeover negotiations? "If you don't buy my company and its technology for the price I'm asking, I'll sell it to your competitors"...

Re:Because Google makes money off click fraud

[krotkruton]

"Do no evil", my ass.

Right, because a company ONLY cares about money and making more of it. And the only way to make more money is to do things that are "evil" because having morals and making decisions based on them wouldn't be good for business.

fixed

[tehwebguy]

maybe google just fixed it

Has anyone done that since the 80s?

[Beryllium+Sphere(tm)]

All the cases I'd heard of were long, long ago. Are there any recent examples of somebody being that dumb?

Scale and time

[Beryllium+Sphere(tm)]

>Why not just run it for 5 months and call it good?

Crime has cost-benefit analyses just like legitimate business.

If he ran the scam himself, he'd be limited to what one individual could do before some Google engineer figured out a way to block it.

If he tried to sell his program to other criminals, he'd be betting that criminals wouldn't pass along unauthorized copies.

If he released it for free, it would cost Google way more than he could have stolen on his own, but he wouldn't see most of that kajillion dollars.

So the big payoff was in extortion, telling Google "Nice advertising business ya got here, be a shame if something happened that cost a kajillion dollars, when you could buy insurance for only $150,000". At the risk of getting arrested, a bigger risk than if he'd run the click fraud himself.

What lesson does this teach the next evil genious?

[vinn01]

To me it says: There is no profit in independent security research. Go ahead and release your research findings to the public. It will cost Google (or whatever corporation) untold millions of dollars, but they will pay nothing for your work. If you ask for money, you will be accused of blackmail and sent to jail (until they fix the exploit and drop the charges).

Why are exploits expected to be donated? I acknowledge that there is a fine line between asking for a bounty and blackmail. But to treat bountyhunters like blackmailers seems to be a poor way to promote security.

Re:What lesson does this teach the next evil genio

[cswiger2005]

Some organizations like iDefense will pay a bounty for independent security research.

Otherwise, you can gain some degree of credibility by detecting and publishing security exploits, and there are organizations which will hire "white-hat" teams to perform penetration testing, or hire people who have a good security track record to fix major security holes, but a big part of that involves working with the organizations and being willing to not publicize security exploits until the vendor has had a reasonable period of time to fix things. Trying to coerce an organization into paying you is another matter entirely....

Re:Because Google makes money off click fraud

[Atrox666]

If you are the CEO or any senior exec of a public company you have to sign a piece of paper that commits you legally to chasing profit for the stock holders.

If there was any commitment from government toward making society better then maybe there would be repercussions for certain activities that would punish execs who do things like screw up the environment or rip off their customers.

Since corporations run government maybe we should get to vote for CEOs.
Then we could call our system a democracy again.

Re:Because Google makes money off click fraud

[krotkruton]

If you are the CEO or any senior exec of a public company you have to sign a piece of paper that commits you legally to chasing profit for the stock holders.

Yeah, I get that, but where does it say that the only way to raise profits is to do evil things? So many people have adopted this idea that corporations are evil because all they care about is money, while this isn't true at all. You can care about money and still do good things. Here's a real shocker: you can do good things and make money by doing it! Knowing that doing an "evil thing" will lead to increased profit at the moment is easy, but having the foresight to to know that it will lead to drops in profit in the future is much better. Google doesn't have to do "evil" things just because its a corporation.

I thought it was kinda obvious.

[Anachragnome]

Call the cops in, prosecution gets court orders to search his properties (including hardrives, etc.), have that info shared under discovery (probably shared by the prosecution in order to build a case and verify that he actually had something in which to blackmail with. Important in a blackmail case as it shows intent.), then drop the whole shebang.

Once they have the information, they can then fix/modify the filters, all without having to pay the guy his blackmail demands or ever allow any of it to reach the public domain.

Problem solved.

...like AT&T's Blue Box response.

[ivi]

  Maybe the Programmer hinted (or threatened) a release
  of How To Do It info... to all the rest of us

Absolute Power

[stuffduff]

Didn't Google Invent Click-Fraud? I thought they held the patent! When I see the Google adds they almost never take me to the website, but if I Google the site name I can usually find a url that gets me reasonibly close to where I was hesded in the first place.