I'm not sure if you saw the portion of our article that develops the estimate and presents the methodology for the estimate. If not, that might be of interest.
As you say, it's hard to make a precise estimate. There are important pieces of data uniquely within Google's custody, and Google isn't talking. But in these circumstances, I do feel it's appropriate to make a good-faith estimate. If you think our numbers are in error, feel free to identify which specific numbers you think are off, in which direction, and for what reason. But realize that for every number you think is too high, there is likely to be another that might be too low. (We discuss some of these complications in the page linked above.) I don't think it's clear from first principles that our estimate is biased in one way or the other.
Surely it's not Google's fault that some people misspell. But our study shows that typosquatters register more domains targeting companies in sectors with high PPC prices. That tells us that PPC funding is *causing* and *exacerbating* typosquatting. Without PPC payments, there would be fewer typosquatting registrations -- much less reason for squatters to register these domains. Google's payments put the system in motion; squatters register domains exactly in anticipation of getting paid by Google. Google knows where it's showing ads. (Example: Google shows Expedia ads if you misspell Expedia, but Travelocity ads if you misspell Travelocity!) So it's natural to look to Google for resolution of these problems.
Incidentally, the federal ACPA statute is squarely on point: Your elected congressmen chose to prohibit not just "register[ing]" domains but also "us[ing]" domains. Showing ads on domains is surely a kind of "use."
So is Google "just offering an ad service"? No! Google analyzes a user's request, assesses what domain the user was trying to reach, and selects ads accordingly. Google bills advertisers for each click and passes payment on to the typosquatters. These are proper reasons for the concerned public to demand more of Google.
Specks, you're right that merchants generally won't be able to figure this out merely from inspecting users' traffic or web server log files.
Instead, in my experience, the only robust enforcement strategy is testing: Get copies of the spyware, browse the web on infected test PCs, and see what happens. If an affiliate's link is invoked wrongfully and unexpectedly, then investigate and take appropriate action.
Is this trivially easy? Well, no. But it's the only clear way forward. And arguably it's appropriate: Any merchant paying out $$$$$ of affiliate commissions ought to put forth reasonable effort to confirm who they're paying and what they're paying for. In few other contexts would a company have as many suppliers, subject to as little vetting (ex ante) and supervision (ex post), as in Internet advertising.
I did send a note to someone I know in marketing at Netflix. I don't know anyone at Blockbuster, so I couldn't readily contact them.
Of course the bigger issue extends beyond those two specific merchants. Most affiliate merchants lack the kind of tough oversight of their affiliates that would be needed to prevent these scams.
I don't have a strong view on pop-up blockers. I often use Google Toolbar. But in XP SP2, IE's internal pop-up blocker works fine too.
One key insight: Pop-up blockers don't stop spyware-originating pop-ups. Pop-up blockers stop pop-ups that load through a web browser, i.e. as a result of JavaScript code within pages users request. But pop-up blockers do nothing to stop full Windows programs (e.g. spyware) installed on users' computers.
I'm Ben Edelman, the author of the piece. I'm happy to answer any questions folks may have.
It would be particularly interesting to hear from merchants and by legit (non-spyware-using) affiliates who are ripped off by the practices I documented.
I'm Ben, the author of the article referenced in the original post.
Jah-Wren, your second paragraph exactly captures my view of the significance of this problem. If money flows with ads, and if ads follow measured traffic, then there's a striking incentive to inflate measured traffic. So advertisers, ad networks, and legit publishers have to be on the lookout -- lest cheaters reduce payments to legit web sites.
As to your third paragraph, proposing paying for "actual creative work done" rather than for ads: That's a lofty principle. But I think it's hard to implement in practice. Who would do the paying? Who would decide how much creative work had been done? One possibility is to ask a government (or many governments) to contribute, but that clearly raises problems of its own. Sticking to private sector solutions, payment for creative work is essentially bound to follow monetization of that creative work -- and with high transaction costs for readers/viewers paying for material, ads seem like the most plausible approach in the short run.
I emphatically disagree. I've written plenty about security exploits, where users need not click "yes" (or anything else), nor need ActiveX, VBS, or any other such thing. Details.
In any event, the piece at issue in the original post considers many kinds of risks -- not just exploits, but also run-of-the-mill scams, like "free" ringtones that aren't. You may not regard such sites as "risky" or harmful, but there are plenty of others who do, because they don't like the prospect of being ripped off.
Ben Edelman here. I wrote the piece cited in the original post.
These Zango practices target all affiliate merchants, not just adult web sites. Earlier this morning I happened to see Match.com (a mainstream dating site) facing commission theft by Zango and a Zango advertiser. I document this kind of problem on an ongoing basis, and it remains remarkably widespread, even 2+ years after I first wrote about it.
I'm not here to criticize the adult industry or to defend it. But Zango's practices should rise or fall on their own merits. In my view, this is a scam -- asking a merchant to pay a commission to Zango or a Zango advertiser, when the user had already, independently reached the merchant's site. Much as some folks may not like adult sites, they ought not be defrauded by spyware or spyware-using affiliates.
I wrote the original article at issue: The Spyware - Click-Fraud Connection -- and Yahoo's Role Revisited. I tried to be as clear as possible -- complete with diagrams of what I observed.
Your four points above give an almost-complete statement of what happened, in one of my click fraud examples. Revising your points a bit to finish the story:
1. An Overture advertiser takes out an advert with Yahoo!
2. Yahoo! passes the ad to its partner Ditto
3. Ditto passes the ad to its partner NBCSearch (nothing to do with the TV channel)
4. NBCSearch passed it on to 180solutions.
This "passing on" was all in a way that told Yahoo, falsely, that a click had occurred. So the advertiser ultimately ended up paying for a click that never actually happened.
What's the big deal?
1. The advertiser got cheated. The advertiser paid for a click, but no click happened.
2. The spyware vendor got paid. Spyware comes from big companies, with real expenses. They need money to pay their bills -- their programmers, their installation partners, etc. If they couldn't find revenue sources, they'd disappear.
Bombadier,
I'm on SiteAdvisor's advisory board, and I've tested their products at length. I've never seen anything like SiteAdvisor installing the Yahoo Toolbar, and I'm confident that there's some other explanation for what happened to your computer. Can you send me an email so we can troubleshoot what happened? I want to get to the bottom of this and clear SiteAdvisor's good name.
Ben Edelman
Yes, this is the same 180solutions whose software has been so frequently observed to become installed through security exploits.
Most recently -- just last week! -- I posted video proof showing 180 installing even after users specifically decline and refuse 180. Details.
Too little too late, indeed!
How Yahoo Funds Spyware
I post screenshots and packet logs showing how Yahoo ads get syndicated into notorious spyware -- Direct Revenue, eXact Advertising, 180solutions, and some smaller players too (SideFind, Slotchbar, etc.).
I independently observed the same thing -- Claria set to Ignore within MSAS. See image on my site, final paragraph of http://www.benedelman.org/news/063005-1.html .
I've written about this on multiple occasions. Some links:
Claria/Gator: http://cyber.law.harvard.edu/people/edelman/ads/gator/gator-customers.html
eXact Advertising: http://www.benedelman.org/spyware/exact-advertisers
Thanks to the kind Slashdot'er who wrote with CSS suggestions. Those now visiting the site with Firefox will find a much more reasonable font-size, that still looks good in IE. (Solution: Instead of using medium, small, x-small, etc., use 1em, 0.9em, 0.8em, etc. as uf22 suggests.)
As to the small size of the article's text: I suspect you're using Firefox. My CSS has the problem recently described at codestore. I've hesitated to put absolute font-sizes ("10px") right into my CSS. But font-size x-small is what I need to use in IE to make my page look "right" to the millions of users with IE; Firefox, of course, has its own (arguably more sensible) ideas as to what's medium and what's in fact x-small. So the same code that looks great in IE looks lousy in Firefox.
Anyone want to suggest a fix for this, other than hard-coding size in CSS? If so, I'd certainly appreciate a tip by email.
Skyshock21,
You'll see that my site contains (what I claim to be) screenshots of the LimeWire install. I also have registry and filesystem change-logs, which I can post if needed (i.e. if they're actually helpful or of interest, which seems a bit unlikely).
Can you say more about the LimeWire installation you tested? Where did you get the installer program? Was this current testing? Are you sure you have the current installer?
I don't mean to suggest that current behavior excuses past bad decisions -- quite the contrary. But things change over time, and if we're to understand the way software actually is getting onto users' PCs, we have to be clear about what specific software is being tested. My article, at least, tried to be quite explicit as to where and when I got the programs at issue (even showing screenshots of the download pages).
Ben
Robogun,
Preparing these detailed analyses is surprisingly time-consuming -- lots of license text to read, lots of screenshots to make, lots of measurements and other tests (registry, filesystem, etc.). So at least for this initial run, I had to limit myself to a manageable number of P2P programs. In general I tried to focus on the programs believed to have the largest market share -- the programs that would infect the most PCs with unwanted software if such programs in fact contain unwanted software.
WinMX would be a good candidate for inclusion in a follow-up piece. And there are plenty more too.
Or perhaps someone else will be so kind as to take over where I've left off!
Ben
Just noticed this thread -- was offline most of the day.
The interview was a nice little piece -- but as several comments above mentioned, it really was just a little email discussion I had with the Orange Crate admins. Personally, I wouldn't have thought it worthy of the honor of a Slashdot thread all its own... But then again sometimes the things I think are important still don't get Slashdot threads...
Meanwhile, here's something that almost everyone will agree is important: Spyware companies getting endorsed by supposedly-impartial associations of anti-spyware vendors. Such endorsements are particularly problematic when based on spyware companies' claims of improved practices, but where such practices have yet to be observed in the real world. (Companies' true practices remain outrageous -- installation via security holes, no notice and consent, etc.) I have a very specific example in mind: 180solutions' endorsement by COAST just yesterday. See coverage at Spyware Warrior.
Earlier today I observed 180 installed through a security hole, where the page invoking the security hole was a privacy policy at a web site. Read the privacy policy, get spyware. What a world! I expect to add the video and write-up to my site shortly.
Ben
Thanks. I've added those SEC disclosure links to my site.
I recently made a video showing spyware installed through security holes.
My records (packet sniffer logs, etc.) do tell me what specific exploits were used, though my public write-up doesn't include all these details. In any event, the video is certainly sufficient to validate the "hefty claim" of software installed through security holes.
Note the last word of criterion 1, following the semicolon: "and"
Programs must meet both criteria to be listed. I do not report companies that receive major funding but do not collect sensitive information or install without proper notice and consent. And I do not report companies that collect sensitive information and install without proper notice and consent, but have received no major funding (per publicly-available sources).
I have on hand lots of information about advertisers supporting these companies. One complication is that some of the advertisers are unintentional participants -- e.g. the ads were placed by affiliates, apparently often acting without authorization by the underlying merchants. Often, the link format makes it possible to tell the difference between an affiliate's ad and an "official" ad.
As to Gator advertisers: See Gator advertisers as of 2003 and Gator advertisers based on data from Claria's S-1 disclosure.
In any event, I'll be updating my site with more advertiser information in the future. It's at the top of my list of priorities.
As to "Slashdot has not verified...": I've cited sources for each report of funding of each specified spyware company. See the links within my page -- just click on the "$40 million" and similar hyperlinks to see the source (news coverage, press release) reporting that funding.
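Two of the comments above describe the same defensive workflow from different ends: a merchant can only catch affiliate commission theft by browsing on an infected test PC and watching which affiliate links fire, and the link format usually reveals whether a click went through an affiliate network or straight to the merchant. The script below is an added example of the analysis side of that workflow; it is not code from Ben Edelman's site or from any affiliate network. The affiliate-network hostnames, the query-parameter names, the merchant domains and the capture log are all constructed for the example, and the log assumes a client-side capture that records which process issued each request, since (as noted above) a merchant's own server logs cannot show this.

```python
"""
Added example: classify ad-click URLs captured on a test PC as affiliate
or direct, and flag the commission-theft pattern from the thread: an
affiliate link fired for a merchant the user had already reached on
their own. All hostnames, parameter names and log lines are constructed.
"""
from urllib.parse import urlparse, parse_qs

# Hypothetical affiliate-network click hosts and, for each, the query
# parameter carrying the affiliate id and the one naming the merchant.
# (Constructed formats; real networks use their own.)
AFFILIATE_NETWORKS = {
    "track.example-affnet.test": ("aff_id", "merchant"),
    "go.example-cpa.test": ("pid", "dest"),
}

# Constructed capture log: "<seconds> <process> <url>", as a process-aware
# sniffer on the test PC might record it.
LOG = """\
100 iexplore.exe http://www.merchant-a.test/
103 adware.exe http://track.example-affnet.test/click?aff_id=5551&merchant=www.merchant-a.test
104 iexplore.exe http://www.merchant-a.test/?ref=affnet
200 iexplore.exe http://www.search-portal.test/results?q=rent+dvds
205 iexplore.exe http://go.example-cpa.test/c?pid=777&dest=www.merchant-b.test
206 iexplore.exe http://www.merchant-b.test/
"""


def classify_url(url):
    """Return ('affiliate', affiliate_id, merchant_host) for a known
    affiliate-network click URL, or ('direct', None, host) otherwise."""
    parts = urlparse(url)
    host = parts.netloc.lower()
    if host in AFFILIATE_NETWORKS:
        id_key, dest_key = AFFILIATE_NETWORKS[host]
        query = parse_qs(parts.query)
        affiliate_id = query.get(id_key, [""])[0]
        merchant = query.get(dest_key, [""])[0].lower()
        return ("affiliate", affiliate_id, merchant)
    return ("direct", None, host)


def parse_log(text):
    """Parse the constructed capture format into (seconds, process, url)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, proc, url = line.split(maxsplit=2)
        events.append((int(ts), proc, url))
    return events


def find_commission_theft(events, window=60):
    """Flag affiliate clicks for a merchant the user had already reached
    directly within `window` seconds. That is the pattern in the thread:
    a commission claimed on a visit the affiliate did not bring about.
    A legitimate affiliate click (search result, banner) has no such
    prior direct visit and is left alone."""
    last_direct = {}  # merchant host -> time of the latest direct visit
    flagged = []
    for ts, proc, url in events:
        kind, affiliate_id, host = classify_url(url)
        if kind == "direct":
            last_direct[host] = ts
            continue
        prior = last_direct.get(host)
        if prior is not None and 0 <= ts - prior <= window:
            flagged.append({
                "ts": ts,
                "process": proc,
                "affiliate_id": affiliate_id,
                "merchant": host,
                "seconds_after_direct_visit": ts - prior,
            })
    return flagged


if __name__ == "__main__":
    for hit in find_commission_theft(parse_log(LOG)):
        print(hit)
```

Run against the constructed log, only the merchant-a event is flagged: the user was already on that site when a non-browser process fired an affiliate click for it. The merchant-b click is an ordinary affiliate referral from a search result and passes. The process name is the useful extra field here: an affiliate link issued by something other than the browser is exactly the "invoked wrongfully and unexpectedly" case that the testing approach above is meant to surface.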