Adverse Selection in Online ‘Trust’ Certifications

Edelman, Benjamin. “Adverse Selection in Online ‘Trust’ Certifications.” Proceedings of the International Conference on Electronic Commerce (2009): 205-212. (ACM International Conference Proceeding Series.)

Widely used online “trust” authorities issue certifications without substantial verification of recipients’ actual trustworthiness. This lax approach gives rise to adverse selection: the sites that seek and obtain trust certifications are actually less trustworthy than others. Using a new dataset on web site safety, I demonstrate that sites certified by the best-known authority, TRUSTe, are more than twice as likely to be untrustworthy as uncertified sites. This difference remains statistically and economically significant when restricted to “complex” commercial sites. In contrast, competing certification system BBBOnline imposes somewhat stricter requirements and appears to provide a certification of positive, albeit limited, value.

Ad Classification at Right Media (teaching materials)

Edelman, Benjamin. “Ad Classification at Right Media.” Harvard Business School Case 909-032, December 2008. (Revised June 2009.) (educator access at HBP. request a courtesy copy.)

Right media considers systems and policies to make sure that ads are only shown on web sites where they are appropriate, and vice versa. Setting standards is particularly challenging given the large and growing marketplace, the numerous participants, their diverse requirements, and the dynamics of policy enforcement when market participants are competing intensely.

Teaching materials:

Ad Classification at Right Media – Teaching Note (HBP 909037)

Ad Classification at Right media – Slide Supplement (HBP 911038)

Ad Classification at Right media – Slide Supplement (widescreen) (HBP 914054)

Ad Classification at Right media – Pre-Class Slides (HBP 911037)

False and Deceptive Pay-Per-Click Ads

I present and critique pay-per-click ads that don’t deliver what they promise. I consider implications for search engine revenues, and I analyze legal and ethical duties of advertisers and search engines. I offer a system for others to report similar ads that they find.

Read Google’s voluminous Adwords Content Policy, and you’d think Google is awfully tough on bad ads. If your company sells illegal drugs, makes fake documents, or helps customers cheat drug tests, you can’t advertise at Google. Google also prohibits ads for fireworks, gambling, miracle cures, prostitution, radar detectors, and weapons. What kind of scam could get through rules like these?

As it turns out, lots of pay-per-click advertisers push and exceed the limits of ethical and legal advertising — like selling products that are actually free, or promising their services are “completely free” when they actually carry substantial recurring charges.

In the sections that follow, I flag more than 30 different advertisers’ ads, all bearing claims that seem to violate applicable FTC rules (e.g. on use of the word “free”), or that make claims that are simply false. (All ads were observed on September 15 or later.) I then explain why this problem is substantially Google’s responsibility, and I present evidence suggesting Google’s substantial profits from these scams. Finally, I offer a mechanism for interested users to submit other false or deceptive ads, and I remark on Google’s failure to take action.

Charging for software that’s actually free

One scam Google doesn’t prohibit — and as best I can tell, does nothing to stop — is charging for software that’s actually free. Search for “Skype” and you’ll find half a dozen advertisers offering to sell eBay’s free telephone software. Search for “Kazaa” or “Grokster” and those products are sold too. Even Firefox has been targeted.

Each and every one of these ads includes the claim that the specified product is “free.” (These claims are expressed in ad titles, bodies, and/or display URLs). However, to the best of my knowledge, that claim is false, as applied to each and every ad shown above: The specified products are available from the specified sites only if the user pays a subscription fee.

These ads are particularly galling because, in each example, the specified program is available for free elsewhere on the web, e.g. directly from its developer’s web site. Since these products are free elsewhere, yet cost money at these sites (despite promises to the contrary), these sites offer users a particularly poor value.

Often these sites claim to offer tech support, but that’s also a ruse: Tests confirm there’s no real support.

Although sophisticated users will realize that these sites are bad deals, novice or hurried users may not. These sites bid for top search engine placement — often appearing above search engines’ organic (main) results. Some proportion of users see these prominent ads, click through, and get tricked into paying for these otherwise-free programs. Claiming a refund takes longer than it’s worth to most users. So as a practical matter, a site need only trick each user for an instant in order to receive its fee.

The “completely free” ringtones that aren’t

Ringtone ads often claim to be “free,” “totally free,” “all free,” “100% complimentary,” and available with “no credit card” and “no obligation” required. These claims typically appear in pay-per-click ad bodies, but they also often appear in ad titles and even in ad domain names, of course along with landing pages.

Often, these claims are simply false: An ad does not offer a “totally free” product if it touts a limited free trial followed by an auto-renewing paid service (a negative option plan).

Other claims are materially misleading. For example, claiming “no credit card required ” suggests that no charges will accrue. But that too is false, since ringtone sites generally charge users through cell phone billing systems, unbeknown to many users who believe a service has no way to impose a charge if a user provides no credit card number.

Each and every one of these ads includes the claim that the specified product is “free” (or some other claim substantially similar, e.g. “complimentary”). In most cases, subsequent language attempts to disavow these “free” claims. But in each case, to the best of my knowledge, service is available only if a user enters into a paid relationship (e.g. a paid subscription) — the very opposite of “free.” (Indeed, the subscription requirement applies even to unlimitedringtones.com, despite that ad’s claim that “no subscription [is] required.” The site’s fine print later asserts that by requesting a ringtone registration, a user “acknowledge[s] that [he is] subscribing to our service billed at $9.99 per month” — specifically contrary to site’s earlier “no subscription” promise.)

Vendors would likely defend their sites by claiming that (in general) their introductory offers are free, and by arguing that their fine print adequately discloses users’ subsequent obligations. This is interesting reasoning, but it’s ultimately unconvincing, thanks to clear regulatory duties to the contrary.

The FTC’s Guide Concerning the Use of the Word ‘Free’ is exactly on point. The guide instructs advertisers to use the word “free” (and all words similar in meaning) with “extreme care” “to avoid any possibility that consumers will be misled or deceived.” The guide sets out specific rules as to how and when the word “free” may be used, and it culminates with an incredible provision prohibiting fine print to disclaim what “free” promises. In particular, the rule’s section (c) instructs (emphasis added):

All the terms, conditions and obligations upon which receipt and retention of the ‘Free’ item are contingent should be set forth clearly and conspicuously at the outset of the offer … in close conjunction with the offer of ‘Free’ merchandise or service.

In case that instruction left any doubt, the FTC’s rule continues:

For example, disclosure of the terms of the offer set forth in a footnote of an advertisement to which reference is made by an asterisk or other symbol placed next to the offer, is not regarded as making disclosure at the outset.

Advertisers may not like this rule, but it’s remarkably clear. Under the FTC’s policy, ads simply cannot use a footnote or disclaimer to escape a “free” promise made earlier. Nor can an advertiser promise a “free” offer at an early stage (e.g. a search engine ad), only to impose additional conditions later (such as in a landing page, confirmation page, or other addendum). The initial confusion or deception is too strong to be cured by the subsequent revision.

Advertisers might claim that the prohibited “free” ads at issue come from their affiliates or other partners — that they’re not the advertisers’ fault. But the FTC’s Guide specifically speaks to the special duty of supervising business partners’ promotion of “free” offers. In particular, section (d) requires:

[I]f the supplier knows, or should know, that a ‘Free” offer he is promoting is not being passed on by a reseller, or otherwise is being used by a reseller as an instrumentality for deception, it is improper for the supplier to continue to offer the product as promoted to such reseller. He should take appropriate steps to bring an end to the deception, including the withdrawal of the ‘Free’ offer.

It therefore appears that the ads shown above systematically violate the FTC’s “free” rules. Such ads fail to disclose the applicable conditions at the outset of the offer, as FTC rules require. And even where intermediaries have placed such ads, their involvement offers advertisers no valid defense.

Ads impersonating famous and well-known sites

Some pay-per-click ads affirmatively mislead users about who is advertising and what products are available. Consider the ads below, for site claiming to be (or to offer) Spybot. (Note text in their respective display URLs, shown in green type.) Despite the “Spybot” promise, these sites actually primarily offer other software, not Spybot. (Spybot-home.com includes one small link to Spybot, at the far bottom of its landing page. I could not find any link to the true Spybot site from within www-spybot.net.)

In addition, search engine ads often include listings for sites with names confusingly similar to the sites and products users request. For example, a user searching for “Spybot” often receives ads for SpyWareBot and SpyBoot — entirely different companies with entirely different products. US courts tend to hold that competitive trademark targeting — one company bidding on another company’s marks — is legal, in general. (French courts tend to disagree.) But to date, these cases have never considered the heightened confusion likely when a site goes beyond trademark-targeting and also copies or imitates another company’s name. Representative examples follow. Notice that each ad purports to offer (and is triggered by searches for the name of) a well-known product — but in fact these ads take users to competing vendors.

Google’s responsibility – law, ethics, and incentives

Google would likely blame its advertisers for these dubious ads. But Google’s other advertising policies demonstrate that Google has both the right and the ability to limit the ads shown on its site. Google certainly profits from the ads it is paid to show. Profits plus the right and ability to control yield exactly the requirements for vicarious liability in other areas of the law (e.g. copyright infringement). The FTC’s special “free” rules indicate little tolerance for finger-pointing — even specifically adding liability when “resellers” advertise a product improperly. These general rules provide an initial basis to seek greater efforts from Google.

Crucially, the Lanham Act specifically contemplates injunctive relief against a publisher for distributing false advertising. 15 USC § 1125(a)(1) prohibits false or misleading descriptions of material product characteristics. § 1114 (2) offers injunctive relief (albeit without money damages) where a publisher establishes it is an “innocent infringer.” If facing claims on such a theory, Google would surely attempt to invoke the “innocent infringer” doctrine — but that attempt might well fail, given the scope of the problem, given Google’s failure to stop even flagrant and longstanding violations, and given Google’s failure even to block improper ads specifically brought to its attention. (See e.g. World Wrestling Federation v. Posters, Inc., 2000 WL 1409831, holding that a publisher is not an innocent infringer if it “recklessly disregard[s] a high probability” of infringing others’ marks.)

Nonetheless, the Communications Decency Act’s 47 USC § 230(c)(1) potentially offers Google a remarkable protection: CDA § 230 instructs that Google, as a provider of an interactive computer service, may not be treated as the publisher of content others provide through that service. Even if a printed publication would face liability for printing the same ads Google shows, CDA § 230 may let Google distribute such ads online with impunity. From my perspective, that would be an improper result — bad policy in CDA § 230’s overbroad grant of immunity. A 2000 DOJ study seems to share my view, specifically concluding that “substantive regulation … should, as a rule, apply in the same way to conduct in the cyberworld as it does to conduct in the physical world.” But in CDA § 230, Congress seems to have chosen a different approach.

That said, CDA § 230’s reach is limited by its exception for intellectual property laws. § 230(e)(2) provides that intellectual property laws are not affected by § 230(c)(1)’s protection. False advertising prohibitions are codified within the Lanham Act (an intellectual property statute), offering a potential argument that CDA § 230 does not block false advertising claims. This argument is worth pursuing, and it might well prevail. But § 230 cases indicate repeated successes for defendants attempting to escape liability on a variety of fact patterns and legal theories. On balance, I cannot confidently predict the result of litigation attempting to hold Google responsible for the ads it shows. As a practical matter, it’s unclear whether or when this question will be answered in court. Certainly no one has attempted such a suit to date.

Notwithstanding Google’s possible legal defenses, I think Google ought to do more to make ads safe as a matter of ethics. Google created this mess — by making it so easy for all companies, even scammers, to buy Internet advertising. So Google faces a special duty to help clean up the resulting problems. Google already takes steps to avoid sending users to web sites with security exploits, and Google already refuses ads in various substantive categories deemed off-limits. These scams are equally noxious — directly taking users’ money under false pretenses. And Google’s relationship with these sites is particularly unsavory since Google directly and substantially profits from their practices, as detailed in the next section.

Even self-interest ought to push Google to do more here. Google may make an easy profit now by selling ads to scammers. But in the long run, rip-off ads discourage users from clicking on Google’s sponsored links — potentially undermining Google’s primary revenue source.

Who really profits from rip-off ads?

When users suffer from scams like those described above, users’ money goes to scammers, in the first instance. But each scammer must pay Google whenever a user clicks its ad. So Google profits from scammers’ activities. If the scammers ceased operations — voluntarily, or because Google cut off their traffic — Google’s short-run revenues would decrease.

Users
service fees
   Scammers   
advertising fees
Google
How Google Profits from Scammers

Consider the business model of rogue web sites “selling” software like Skype. They have one source of revenue — users buying these programs. Their expenses tend to be low: they provide no substantial customer service, and often they link to downloads hosted elsewhere to avoid even incurring bandwidth costs. It seems the main expense of such sites is advertising — with pay-per-click ads from Google by all indications a primary component. The diagram at right shows the basic money trail: From users to scam advertisers to Google. When users are ripped off by scammers, at least some of the payment flows through to Google.

How much of users’ payments goes to Google, rather than being retained by scammers? My academic economics research offers some insight. Recall that search engine ads are sold through a complicated multi-unit second-price auction: Each advertiser’s payment is determined by the bid of the price of the advertiser below him. Many equilibria are possible, but my recent paper with Michael Ostrovsky and Michael Schwarz offers one outcome we think is reasonable — an explicit formula for each advertiser’s equilibrium bid as a function of its value (per click) and of others’ bids. In subsequent simulations (article forthcoming), Schwarz and I will demonstrate the useful properties of this bidding rule — that it dominates most other strategies under very general conditions. So there’s good reason to think markets might actually end up in this equilibrium, or one close to it. If so, we need only know advertisers’ valuations (which we can simulate from an appropriate distribution) to compute market outcomes (like advertiser profits and search engine revenues).

One clear result of my recent bidding simulations: When advertisers have similar valuations (as these advertisers do), they tend to “bid away” their surpluses. That is, they bid almost as much as a click is worth to them — so they earn low profits, while search engines reap high revenues. When a user pays such an advertiser, it wouldn’t be surprising if the majority of that advertiser’s gross profit flowed through to Google.

A specific example helps clarify my result. Consider a user who pays $38 to Freedownloadhq.com for a “free” copy of Skype. But Freedownloadhq also received, say, 37 other clicks from 37 other users who left the site without making a purchase. Freedownloadhq therefore computes its valuation per click (its expected gross profit per incoming visitor) to be $1. The other 10 advertisers for “Skype” use a similar business model, yielding similar valuations. They bid against each other, rationally comparing the benefits off high traffic volume (if they bid high to get top placement at Google) against the resulting higher costs (hence lower profits). In equilibrium, simulations report, with 10 bidders and 20% standard deviation in valuations (relative to valuation levels), Google will get 71% of advertisers’ expected gross profit. So of the user’s $38, fully $27 flows to Google. Even if Freedownloadhq’s business includes some marginal costs (e.g. credit card processing fees), Google will still get the same proportion of gross profit.

One need not believe my simulation results, and all the economic reasoning behind them, in order to credit the underlying result: That when an auctioneer sells to bidders with similar valuations, the bidders tend to bid close together — giving the auctioneer high revenues, but leaving bidders with low profits. And the implications are striking: For every user who pays Freedownloadhq, much of the user’s money actually goes to Google.

In January I estimated that Google and Yahoo make $2 million per year on ads for “screensavers” that ultimately give users spyware. Add in all the other terms with dubious ads — all the ringtone ads, the for-free software downloads, ads making false statements of product origin, and various other scams — and I wouldn’t be surprised if the payments at issue total one to two orders of magnitude higher.

Towards a solution

Some of these practices have been improving. For example, six months ago almost all “ringtones” ads claimed to be “free,” but today some ringtones ads omit such claims (even while other ads still include these false statements).

Recent changes in Google pricing rules seem to discourage some of the advertisers who place ads of the sort set out above. Google has increased its pricing to certain advertisers, based on Google’s assessment of their “low quality user experience.” But the specific details of Google’s rules remain unknown. And plenty of scam ads — including all those set out above — have remained on Google’s site well after the most recent round of rule changes. (All ads shown above were received on September 15, 2006, or later.)

Google already has systems in place to enforce its Adwords Content Policy. My core suggestion for Google: Expand that policy to prevent these scams — for example, explicitly prohibiting ads that claim a product is “free” when it isn’t, and explicitly prohibiting charging users for software that’s actually free. Then monitor ads for words like “free” and “complimentary” that are particularly likely to be associated with violations. When a bad ad is found, disable it, and investigate other ads from that advertiser.

To track and present more dubious ads, I have developed a system whereby interested users can submit ads they consider misleading for the general reasons set out above. Submit an ad or view others’ submissions.

These problems generally affect other search engines too — Yahoo, MSN, and Ask.com, among others. But as the largest search engine, and as a self-proclaimed leader on ethics issues, I look to Google first and foremost for leadership and improvement.

Google’s (Non-)Response

When Information Week requested a comment from Google as to the ads I reported, Google responded as follows:

When we become aware of deceptive ads, we take them down. … We will review the ads referenced in this report, and remove them if they do not adhere to our guidelines.

A week later, these ads remain available. So Google must have concluded that these ads are not deceptive (or else Google would have “take[n] them down” as its first sentence promised). And Google must have concluded that these ads do adhere to applicable Google policies, or else Google would have “remove[d] them” (per its second sentence).

Google’s inaction exactly confirms my allegation: That Google’s ad policies are inadequate to protect users from outright scams, even when these scams are specifically brought to Google’s attention.

All identifications and characterizations have been made to the best of my ability. Any errors or alleged errors may be brought to my attention by email.

I thank Rebecca Tushnet for helpful discussions on the legal duties of advertisers and search engines.

StatCounter - Free Web Tracker and Counter

Originally posted October 9, 2006. Last Updated: October 16, 2006.

PPC Ads, Misleading and Worse

Read Google’s voluminous Adwords Content Policy, and you’d think Google is awfully tough on bad ads. If your company sells illegal drugs, makes fake documents, or helps customers cheat drug tests, you can’t advertise at Google. Google also prohibits ads for fireworks, gambling, miracle cures, prostitution, radar detectors, and weapons. What kind of scam could get through rules like these?

As it turns out, lots of pay-per-click advertisers push and exceed the limits of ethical and legal advertising — like selling products that are actually free, or promising their services are “completely free” when they actually carry substantial recurring charges. For example, the ad at right claims to offer “100% complimentary” and “free” ringtones, when actually the site promotes a services that costs approximately $120 per year.

 


An example misleading ad, falsely claiming ringtones are An example misleading ad, falsely claiming ringtones are “complimentary” when they actualy carry a monthly fee.

In today’s article, I show more than 30 different advertisers’ ads, all bearing claims that seem to violate applicable FTC rules (e.g. on use of the word “free”), or that make claims that are simply false. I then analyze the legal and ethical principles that might require search engines to remove these ads. Finally, I offer a mechanism for interested users to submit other false or deceptive ads they find.

Details:

False and Deceptive Pay-Per-Click Ads

Certifications and Site Trustworthiness

When a stranger promises “you can trust me,” most people know to be extra vigilant. What conclusion should users draw when a web site touts a seal proclaiming its trustworthiness? Some sites that are widely regarded as extremely trustworthy present such seals. But those same seals feature prominently on sites that seek to scam users — whether through spyware infections, spam, or other unsavory practices.

It’s no great surprise that bad actors seek to free-ride on sites users rightly trust. Suppose users have seen a seal on dozens of sites that turn out to be legitimate. Dubious sites can present that same seal to encourage more users to buy, register, or download.

But certification issuers don’t have to let this happen. They could develop and enforce tough rules, so that every site showing a seal is a site users aren’t likely to regret visiting. Unfortunately, certification don’t always live up to this ideal. Writing tough rules isn’t easy, and enforcing them is even harder. Hard-hitting rules are particularly unlikely when certification authorities get paid for each certification they issue — but get nothing for rejecting an applicant.

Today I’m posting Adverse Selection in Online “Trust” Authorities, an empirical look at the best-known certification authority, TRUSTe. I cross-reference TRUSTe’s ratings with the findings of SiteAdvisor — where robots check web site downloads for spyware, and submit single-use addresses into email forms to check for spam, among other automated and manual tests. Of course SiteAdvisor data isn’t perfect either, but if SiteAdvisor says a site is bad news, while TRUSTe gives it a seal, most users are likely to side with SiteAdvisor. (Full disclosure: I’m on SiteAdvisor’s advisory board. But SiteAdvisor’s methodology speaks for itself.)

(update, July 2009: I have posted a revised version of Adverse Selection in Online “Trust” Authorities, as published in the Proceedings of ICEC’09)

What do I find? In short, nothing good. I examine a sampling of 500,000+ top web sites, as reported by a major ISP. Of the sites certified by TRUSTe, 5.4% are untrustworthy according to SiteAdvisor’s data, compared with just 2.5% untrustworthy sites in the rest of the ISP’s list. So TRUSTe-certified sites are more than twice as likely to be untrustworthy. This result also holds in a regression framework controlling for site popularity (traffic rank) and even a basic notion of site type.

Particularly persuasive are some specific sites TRUSTe has certified as trustworthy, although in my experience typical users would disagree. I specifically call out four sites certified by TRUSTe as of January 2006:

  • Direct-revenue.com – Makes advertising software known to become installed without consent. Tracks what web sites users visit, and shows pop-up ads. Historically, blocks many attempts at removal, automatically reinstalls itself, and deletes certain other programs from users’ PCs. Faces litigation by the New York Attorney General plus consumer class actions.
  • Funwebproducts.com – This site, among other Ask.com toolbar distribution points, installs a toolbar into users’ web browsers when users install smileys, screensavers, cursors, or other trinkets. Moves a user’s Address Bar to the right side of the browser, such that typing an address into the standard top-left box performs a search rather than a direct navigation. Promotes its toolbar in ads shown by other vendors’ spyware.
  • Maxmoolah.com – Offers users “free” gifts if they complete numerous sequential partner offers. Privacy policy allows sharing of user’ email addresses and other information with third parties. In testing, providing an email address to Maxmoolah.com yielded a total of 485 distinct e-mails per week, from a wide variety of senders.
  • Webhancer.com – Makes online tracking software, which I have personally observed is often installed without consent. Monitors what web sites users visit, and sends this information to Webhancer’s servers.

This is an academic article — ultimately likely to be a portion of my Ph.D. dissertation. So it’s mathematical in places where that’s likely to be helpful (to some readers, at least), and it’s not as accessible as most of my work. But for those who are concerned about online safety, it may be worth a read. Feedback welcomed.


In its response to my article, TRUSTe points out that Direct Revenue and Maxmoolah no longer hold TRUSTe certifications. True. But Maxmoolah was certified for 13+ months (from February 2005 through at least March 2006), and Direct Revenue was certified for at least 8 months (from April 2005 or earlier, through at least January 2006). These companies’ practices were bad all along. TRUSTe need not have certified them in the first place.

TRUSTe then claims that its own web site made an “error” in listing FunWebProducts as a member. TRUSTe does not elaborate as to how it made so fundamental a mistake — reporting that a site has been certified when it has not. TRUSTe’s FunWebProducts error was compounded by the apparent additional inclusion of numerous other near-identical Ask.com properties (Cursormania, Funbuddyicons, Historyswatter, Mymailstationery, Smileycentral, Popularscreensavers). TRUSTe’s error is particularly troubling because at least some of the erroneously-listed sites were listed as certified for 17 months or longer (from May 2005 or earlier, through at least September 12, when Google last crawled TRUSTe’s member list).

As to Webhancer, TRUSTe claims further tests (part of TRUSTe’s Trusted Download program) will confirm the company’s practices. But that’s little benefit to consumers who currently see Webhancer’s seal and mistakenly conclude TRUSTe has already conducted an appropriate review of Webhancer’s products, when in fact it has not. Meanwhile, I have personally repeatedly observed Webhancer’s bad installation practices day in and day out — including widespread nonconsensual installations by the notorious Dollar Revenue, among others. These observations are trivial to reproduce, yet Webhancer remains a TRUSTe certificate holder to this day.

Consumers deserve certifications that are correctly issued in the first place — not merely revoked after months or years of notorious misbehavior, and not mistakenly listed as having been issued when in fact they were not. TRUSTe is wrong to focus on the few specific examples I chose to highlight. The problem with TRUSTe’s approach is more systemic, as indicated by the many other dubious TRUSTe-certified sites analyzed in my dataset but not called out by name in my paper or appendix.

Consider some of the other unsavory sites TRUSTe has certified:

  • TRUSTe certifies numerous sites that most users would call spammers — like focalex.com (which sends users 320+ emails per week, in SiteAdvisor’s tests), yourgiftcards.com (147 emails per week), and everyfreegift.com (86). All three of these sites remain TRUSTe members listed on TRUSTe’s current member list.
  • TRUSTe continues to certify freecreditreport.com, which offers a “free” credit report that actually costs users $12.95/month if they don’t remember to cancel — a practice so misleading it prompted FTC litigation.
  • TRUSTe has certified Hotbar (now owned by 180solutions) and Hotbar’s Wowpapers.com site — advertising software that tracks users’ browsing and shows extra pop-ups.
  • In January 2005, mere days after I reported eZula’s advertising software becoming installed without consent, TRUSTe’s newsletter specifically touted its certification of eZula.
  • TRUSTe even certified Gratis Internet, which was revealed to have sold 7.2 million users’ names, email addresses, home phone numbers, and street addresses, in specific violation of its privacy policy.

TRUSTe’s response claims that my conclusions somehow reflect SiteAdvisor idiosyncrasies. I disagree. I can’t imagine any reasonable, informed consumer wanting to do business with sites like these. TRUSTe can do better, and in the future, I hope it will.


I’m sometimes asked where I’m headed, personally and professionally. Posting a new academic article offers an appropriate occasion to explain. I’m still working on my economics Ph.D., having drafted several papers about pay-per-click advertising (bidding strategies, efficiency, revenue comparisons), with more in the pipeline. After that? An academic job might be a good fit, though that’s not the only option. Here too, I’d welcome suggestions.

Spyware Showing Unrequested Sexually-Explicit Images

Are pop-up ads anything more than an annoyance? For advertisers they can certainly be a bad deal — particularly when spyware-delivered pop-ups cheat advertisers through PPC click fraud, PPC syndication fraud, affiliate fraud, banner farms, or other improper ways of getting paid. For users, pop-ups in overwhelming quantities may cause substantial harm — especially because pop-up-delivering spyware reduces computer speed and reliability, and because spyware transmits sensitive user information to remote servers.

But spyware-delivered pop-ups can do more than annoy. They can also offend. Consider spyware that shows sexually-explicit (most would say, pornographic) pop-ups. When such ads appear unrequested, they’re likely to be shown to users who don’t want to see sexually-explicit material. It’s a troubling practice — but all too common even among “adware” vendors that claim to have reformed. Meanwhile, some old tricks remain — like pop-ups with their “X” buttons off-screen, making the ads particularly hard to close.

ZenoTecnico and AlmondNet Showing AdultFriendFinder

The ZenoTecnico ad, edited to cover sexually-explicit areas. The ZenoTecnico ad, edited to cover sexually-explicit areas.

AdultFriendFinder
money viewers
AlmondNet / ProMarket
money viewers
ZenoTecnico

The money trail for this ad.

Let’s start with a simple example. On a test PC, I browsed the Findromance.com site. That’s definitely a dating site — but it’s not sexually explicit. Many users browse online dating service without wanting to see online porn.

In testing in May 2006, ZenoTecnico served me the pop-up shown at right (modified to cover the bare breasts exposed in the original). ZenoTecnico is notorious spyware which I have seen installed through a variety of misleading bundles and security exploits. Zeno’s web site claims an address in Panama, but I believe this address is a sham. I’m working on identifying their true location.

Packet log analysis shows that traffic flowed in the way shown in the diagram at right: From ZenoTecnico to ProMarket (part of New York-based AlmondNet) to AdultFriendFinder. See also the associated packet log.

Set against the more complex examples that follow, this Zeno-ProMarket-AdultFriendFinder is particularly notable: These three parties alone decided to show this ad, in this way, under these circumstances and with this targeting (or lack thereof), without influence by any other spyware installed on my test PC, and with a reasonably direct relationship between advertiser and spyware vendor, as shown at right. They may blame each other. But as best I can tell, they have no one but each other to blame.

Direct Revenue Showing MorpheusOfPorn

The Direct Revenue ad, edited to cover sexually-explicit areas. The Direct Revenue ad, edited to cover explicit areas.

MorpheusOfPorn
money viewers
Direct Revenue

The money trail for this ad.

It’s well-known that most spyware-infected computers contain multiple spyware programs. When multiple spyware programs interact, they are particularly likely to show sexually-explicit images without a user requesting any such materials.

The screenshot at right presents a pop-up shown to me on a massively infected test PC. The pop-up bears Direct Revenue’s branding (“The Best Offers”), and packet log analysis confirms that the ad came through the Direct Revenue pop-up system.

What caused Direct Revenue to show this ad? Mere seconds earlier, unidentified spyware on my test PC had sent traffic to ad network YieldManager, which had in turn redirected me to AdultFriendFinder. Direct Revenue saw that traffic to AdultFriendFinder and took that as a trigger to display the explicit pop-up shown at right. See the associated packet log (showing the preceding YieldManager traffic), as well as a video of the sequence (edited to cover sexually-explicit areas).

Observing my computer’s traffic to AdultFriendFinder.com, Direct Revenue’s advertising software assumed I was seeking sexually-explicit material. But where the AdultFriendFinder site itself appears unrequested, as in my example, Direct Revenue’s assumption is badly in error. To the contrary, sexually-explicit content is unlikely to be desired or appropriate when other spyware has decided to show a user AdultFriendFinder.

Even AdultFriendFinder recognized that it might not be appropriate to show a sexually-explicit image to users reaching its site in the manner captured in my testing. See a screenshot (from video at 2:46) of the landing page AdultFriendFinder showed me. As delivered to my test PC (via the undetermined spyware), AdultFriendFinder’s site included no visible sexually-explicit images. Instead, the page was a mere doorway — with a disclosure (“Warning! You are about to view…”) along with separate links for users above 18 (to enter) and below age 18 (to go elsewhere).

It is particularly notable for Direct Revenue to show unrequested sexually-explicit materials because Direct Revenue has specifically promised not to do so. In the proposed settlement of a consumer class action lawsuit against Direct Revenue, provision (m) specifically requires that Direct Revenue’s software “will not display adult content ads unless the user is viewing adult websites.” In this example, I did not request any adult web site. Neither did I actually view any adult material (prior to the material shown by Direct Revenue): The AdultFriendFinder page at issue cannot be categorized as “adult,” because it includes no sexually-explicit images. In short, on these facts, I see a strong argument that Direct Revenue violated its duties under its settlement agreement.

Deskwizz/SearchingBooth, Z-Quest, YieldManager and Zedo Showing Vitalix

The SearchingBooth ad, edited to cover sexually-explicit areas. The SearchingBooth ad, edited to cover explicit areas.

Vitalix
money viewers
Zedo
money viewers
YieldManager
money viewers
Z-Quest
money viewers
Deskwizz / SearchingBooth

The money trail for this ad.

Deskwizz/SearchingBooth shows a variety of intrusive advertisements, largely untargeted. Many of its ads are injected into others’ sites (without those sites’ consent), as in this screenshot showing a Vonage ad injected into the Vistaprint site. The SearchingBooth.com web site gives an address in Quebec. I have repeatedly observed Deskwizz/SearchingBooth installed through exploits and in large bundles (e.g. the Dollarrevenue bundle) without meaningful user consent.

The screenshot at right shows an ad served to me on a PC with SearchingBooth installed. The ad shows a total of four nude individuals, and I have edited the ad to cover sexually-explicit areas.

Packet log analysis indicates that traffic flowed in the following way: First, SearchingBooth spyware sent traffic to its SearchingBooth.com controlling server, seeking an ad to be displayed. SearchingBooth.com replied with a URL to a Z-quest.com (a Canadian company whose site describes meta-search services as well as a toolbar). Z-quest sent me on to YieldManager. YieldManager in turn sent me to Zedo (a San Francisco ad server that features Internet luminary Esther Dyson on its advisory board). Finally, Zedo opened a new window of Vitalix, which showed the sexually-explicit content at issue. These relationships are set out in the diagram at right, in the URL list below, and in the full packet log.

http://banners.searchingbooth.com/advertpro/servlet/view/dynamic/html…
http://ads.z-quest.com/MarkSect720x300.html
http://ad.yieldmanager.com/imp?z=0&s=16185&r=1&y=23&w=720&h=300
http://c5.zedo.com/jsc/c5/ff2.html?n=377;c=40;s=17;d=15;w=1;h=1
http://c4.zedo.com/ads2/d/3869/172/377/40/i4.js?z=5414
http://l5.zedo.com//log/p.html?a=146636;x=3869;g=172,0;c=377000040,37…
http://ads.vitalix.net/ads/3day/wb03/index.html?prov=seedcorn&subprov…

The longer chain of relationships in this example makes it more difficult to determine who is responsible for the unrequested display of sexually-explicit content. One might reasonably blame Deskwizz/SearchingBooth, whose nonconsensually-installed spyware was the root cause of any ad being shown at all. But also responsible is Zedo, which had the last clear chance to prevent the display of this ad, and which showed these sexually-explicit images without obtaining a correct and reliable verification that such a display was appropriate. Meanwhile, ad placement system YieldManager was squarely in the middle of the chain, and YM’s detailed Media Guard blog suggests they’ve thought at length about the special problems of sexually-explicit ads. Yet they too failed to prevent this sexually-explicit ad from appearing unrequested.

Typical users are likely to find this sexually-explicit ad particularly intrusive and particularly hard to remove because the ad’s “X” button appears off-screen. Notice the absence of a title bar, “X” button, or minimize button in the screenshot at right. Sophisticated users may know they can press Alt-F4 to close the ad. But novices don’t. Reviewing the packet log, it appears that Zedo is responsible for this partially-off-screen window placement: The ad is placed in the specified location by JavaScript code served from the Zedo server, which instructs as follows:

zzWindow.moveTo(Math.ceil((screen.availWidth – 380) / 2), Math.ceil((screen.availHeight – 680) / 2));

This code moves the ad window to a vertical location given by the screen’s available height (in pixels) minus 680 (the intended height of the ad at issue), divided by two. If the user’s screen is more than 680 pixels tall, this code has the effect of centering the window vertically on the user’s screen. But if the user’s screen is less than 680 pixels tall, e.g. a 800×600 pixel screen common on many older laptops and some older desktops, then this code predictably and inevitably has the effect of placing the “X” button off-screen. Zedo and its advertiser should have checked the user’s actual screen-height (e.g. via the code “if screen.availHeight>680”), to make sure they were not positioning the pop-up with its “X” off-screen.

Look2me/Ad-w-a-r-e, FirstAdSolution, YieldManager, Falk AG/DoubleClick, eXact Advertising, MyGeek Showing Naughtyplay

The SearchingBooth ad, edited to cover sexually-explicit areas. The SearchingBooth ad, edited to cover explicit areas.

Naughtyplay
money viewers
MyGeek
money viewers
Instant Navigation / eXact Advertising
money viewers
Falk AG / DoubleClick
money viewers
YieldManager
money viewers
FirstAdSolution / Oridian
money viewers
Look2me / Ad-w-a-r-e / Intern-etadvertising

The money trail for this ad.

From Minnesota-based NicTech Networks, Look2me/Ad-w-a-r-e spyware is widely installed through security exploits and misleading bundles. Its revenue sources are equally broad. I’ve seen Look2me/Ad-w-a-r-e getting paid by performing click fraud against Yahoo advertisers, and by seizing unearned commission through merchants’ affiliate programs. But Look2me/Ad-w-a-r-e also shows ordinary banner ads and pop-up ads, including untargeted run-of-network ads through sites such as its buyer-shabit.com banner loading page (among many others).

The screenshot at right shows an ad served to me on a PC with Look2me/Ad-w-a-r-e installed. The ad is exceptionally explicit: Its large images show four women completely nude and one partially disrobed, in addition to two protruding male members from men not otherwise pictured. Smaller images show at least sixteen women and ten male members (although not a single male face). In total, the ad pictures at least thirty-three individuals in an overwhelming array of sexual positions. The ad arrived on my screen as a full-screen pop-up, but with its upper-right “X” button entirely off-screen, just as shown in the screenshot and thumbnail.

Packet log analysis indicates that traffic flowed in the following way: First, Look2me sought an ad from its controlling server, Ad-w-a-r-e.com. Ad-w-a-r-e specified an ad at intern-etadvertising.com, a standard Look2me loading page which shows untargeted (run-of-network) ads. Intern-etadvertising specified that the ad was to come from Firstadsolution.com (Oridian Online Media Solutions of Israel), which in turn sent me to YieldManager, which specified that the ad was actually at Falkag.net. Falk AG (recently acquired by DoubleClick) in turn sent me on to Instantnavigation.com (whose Contact Us page indicates that it is part of Brainfox.com, recently acquired by eXact Advertising). Instantnavigation sent me to the 207.97.227.29 server (eXact Advertising), which redirected me to MyGeek, which finally passed me to Naughtyplay, the explicit web site shown in the pop-up.

These relationships are set out in the diagram at right, in the URL list below, and in the full packet log.

http://www.ad-w-a-r-e.com/cgi-bin/UMonitorV2
http://www.intern-etadvertising.com/muon.html
http://ad.firstadsolution.com/imp?z=0&s=3926&u=http%3A%2F%2Fwww.inter…
http://ad.yieldmanager.com/imp?z=0&s=3926&u=http%3A%2F%2Fwww.intern-e…
http://a.as-us.falkag.net/dat/cjf/00/14/73/07.js
http://a.as-us.falkag.net/dat/dlv/aslframe.html?dat=147307&kid=130138…
http://www.instantnavigation.com/search.php?cat=dvd&partner=ap_tk
http://207.97.227.29/clk/?313b313134373035373939352e34327e61705f746b3…
http://xmlsearch.mygeek.com/presults.jsp?partnerid=110126&vendorI…
http://www.naughtyplay.com/pornstars/heatherhunter/index.html

By all indications, the 207.97.227.29 server performed click fraud against MyGeek. The structure and obfuscation of the HTML on that server indicate a special desire to avoid being caught, as does eXact’s unilateral insertion of purported search keywords (“heather hunter”) not specified earlier in the traffic. I have observed nearby server addresses with the same URL syntax serving in a click fraud chain against Yahoo Overture. Furthermore, I understand that the xmlsearch.mygeek.com server runs a pay-per-click advertising system, distinct from MyGeek’s separate “cost per view” system for which advertisers may be charged without a click occurring. Traffic to and through that server, without a bona fide user click, seems to constitute click fraud.

This chain of relationships is notable for its extreme length — five intermediaries between spyware vendor and advertiser. These many relationships provide numerous opportunities for ad context to be lost — for ad networks to fail to tell each other that a sexually-explicit ad is not appropriate here.

Policy Recommendations; The Problem In Context

The four examples shown above are just a tiny portion of the problem of sexually-explicit images shown to users who didn’t request such materials. I have numerous additional examples on file. In one example on file, spyware on my test PC identifies the name of a fashion designer on a well-known retailer’s site, then uses that word as a trigger for an ad, ultimately showing an ad that is sexually-explicit. In another example, spyware on my test PC observes me browsing the children’s section of an online shoe store, a page mentioning “girls” in its title. The spyware then serves me a full-screen sexually-explicit pop-up. Notably, the pop-up was obtained via click fraud against a major pay-per-click search engine.

In my view, unrequested displays of sexually-explicit content largely arise out of the unaccountability pervasive in the spyware space. In each of the examples above, I anticipate that the parties involved will blame each other. Ad networks may claim that other ad networks told them (through tags, attributes, or contracts) that traffic was suitable for sexually-explicit ad display. Spyware vendors will blame other spyware for having suggested that users wanted such content. In all likelihood, no party will take responsibility for the bad outcomes that resulted.

In other contexts, online service providers face serious penalties for showing unrequested sexually-explicit images. Section 521 of the PROTECT Act creates criminal liability (up to two years imprisonment) for “us[ing] a misleading domain name … with the intent to deceive a person into viewing material constituting obscenity”, and additional liability for deceiving minors into viewing material that is harmful to minors. This law responded to the problem of typosquatters and other bulk domain registrants showing adult materials — such that users would stumble onto sexually-explicit images unrequested. But no such law protects users from unrequested pornography shown by spyware.

Even without legislative intervention, well-intentioned ad networks have tools at their disposal to prevent the unrequested display of sexually-explicit materials. One natural approach is to make all ads and landing pages non-explicit. Then a mistaken ad display does not show sexually-explicit materials (although it might still link to such materials). Ad networks could also redouble their supervision of their partners — checking the specific circumstances in which explicit ads may be shown, and confirming that these circumstances leave no doubt that a user actually wanted to receive explicit content. Tough ad networks could create financial incentives that penalize their partners for any errors uncovered — warnings, fines, and contract termination. Finally, ad networks could improve their public statements of applicable policies and procedures, making it easier for consumers to report unwanted images — including helping consumers learn where and how to submit such reports. Ad networks that find these steps too difficult or too costly could simply leave the business of serving or placing sexually-explicit advertisements.

Semi-explicit sites raise particular problems for spyware targeting. In my Direct Revenue example (above) and in various other examples I have on file, AdultFriendFinder buys spyware-delivered traffic and shows ads that, while suggestive, are not sexually-explicit. But then other spyware observes this AdultFriendFinder traffic, using this traffic as a catalyst to show ads that are explicit. Spyware vendors need to recognize that while some AdultFriendFinder ads are explicit (e.g. my first example above), others are not. With AdultFriendFinder’s mix of ads, and with typical spyware-infected PCs running multiple spyware programs, a visit to AdultFriendFinder cannot be interpreted as a proper trigger to show sexually-explicit images. Same for any other sites that buy run-of-network (or other spyware-delivered) advertising, or that otherwise straddle the border between explicit and non-explicit materials.

Yesterday the Direct Marketing Association released best practices for online advertising networks and affiliate marketing.The DMA calls for obtaining assurances of compliance with applicable law, performing due diligence on prospective partners, and monitoring compliance. It’s easy to criticize these approaches as obvious or overdue. But if the ad networks above were using the DMA’s recommended methods, these problems would be substantially less widespread. Meanwhile, I continue to think the DMA’s final recommendation — “develop a system to routinely monitor your ad placements” — remains essential yet under-appreciated. Tough enforcement and real penalties could stop thesepractices: Spyware purveyorswouldn’t run these (or any other) ads if they weren’t getting paid for it.

Deciding Who To Trust

This article is a bit different from most of my site: My other articles generally discuss specific vendors, their practices, and how they cause harm. This article offers a possible solution — from a company that, let me say at the outset, has invited me to join its advisory board. They didn’t ask me to write this; I’m writing on my own. And they don’t control me or what I write. But for those not interested in a commercial service that may help protect users from spyware, please read no further.

Much of the spyware problem results from users visiting sites that turn out to be untrustworthy or simply malevolent. I’m certainly not inclined to blame the victimized users — it’s hardly their fault that sites run security exploits, offer undisclosed advertising software, or show tricky EULAs that are dozens of pages long. But the resulting software ultimately ends up on users’ computers because users browsed to sites that didn’t pan out.

How to fix this problem? In theory, it seems easy enough. First, someone needs to examine popular web sites, to figure out which are untrustworthy. Then users’ computers need to automatically notify them — warn them! — before users reach untrustworthy sites. These aren’t new ideas. Indeed, half a dozen vendors have tried such strategies in the past. But for various reasons, their efforts never solved the problem. (Details below).

This month, a new company is announcing a system to protect users from untrustworthy web sites: SiteAdvisor. They’ve designed a set of robots — automated web crawlers, virtual machines, and databases — that have browsed hundreds of thousands of web sites. They’ve tracked which sites install spyware — what files installed, what registry changes, what network traffic. And they’ve built a browser plug-in that provides automated notification of worrisome sites — handy red balloons when users stray into risky areas, along with annotations on search result pages at leading search engines.

The SiteAdvisor Idea

I’ve long known that the best way to assess a web site’s trustworthiness is to examine and test the site. In general that’s remarkably time-consuming — requiring at least a few minutes of time, of a high-skill human researcher. But a tester is inevitably looking for a few basic characteristics. Does the site offer programs for download? If it does, do those programs come with bundled adware or spyware? In principle this is work better suited to a robot — a system that can perform tests around the clock, with full automation, in massive parallel, at far lower cost than a human staff person. SiteAdvisor has built such robots, and they’re running even as I write this. The results are impressive. See an example report.

Of course automated testing of web sites can find more than just spyware. What about spam? Whenever I see a web form that requests my email address, I always worry: Will the web site send me spam? Or sell my name to spammers? As with spyware, it’s a problem of trust. And it’s a problem SiteAdvisor can investigate. Fill out hundreds of thousands of forms, putting a different email address into each. Wait a few months and see which addresses get spam. Case closed.

To provide users with timely information about who to trust, SiteAdvisor has to put a plug-in into users’ browsers. In general I’m no fan of browser plug-ins; most plug-ins serve marketing companies’ interests (i.e. by showing ads) rather than actually helping users. But at just 92 pixels in width, SiteAdvisor’s plug-in is remarkably unobtrusive. I run it on my main PC, and it shares space otherwise left vacant by the Google Toolbar (the only other browser plug-in I accept). See first screenshot below, showing SiteAdvisor in action.

SiteAdvisor in action, evaluating zango.com.   SiteAdvisor's detailed "dossier" report of entertainmentwallpaper.com -- reporting what downloads it offers (and what software they bundle), as well as links, emails, and other areas of  possible concern.

Of course there’s more to SiteAdvisor than just these pop-up balloons. If a user clicks “More” in a warning balloon, or otherwise searches the SiteAdvisor site, SiteAdvisor gives detailed information about the risks it found. These detailed “dossiers” report what downloads a site offers (and what software they bundle), as well as links to other sites (potentially hostile or tricky), emails (potential spam), and other areas of possible concern. See right image above, and additional screenshots.

My Role in SiteAdvisor – and How Others Can Help

I’ve been excited about SiteAdvisor — about their product, their technology, and (most importantly) their ability to help users with a serious problem — ever since I learned about the company. I’m so impressed that I agreed to join the company’s advisory board. I’m not involved in day-to-day operations, so specific suggestions are best sent to SiteAdvisor staff, not to me. That said, my relationship with SiteAdvisor is likely to be longer and deeper than my typical consulting gigs, reflecting the seriousness of my commitment to SiteAdvisor.

It’s not easy to design robots that automatically rate the web, and despite SiteAdvisor’s best efforts, their initial ratings aren’t quite perfect. With that in mind, they’re running a preview program. Interested readers can browse SiteAdvisor’s ratings and flag anything that seems wrong or incomplete. SiteAdvisor’s system anticipates its own fallibility — it offers numerous areas for users to contribute comments. There’s even space for reviewed web sites to comment on their ratings — for example, to explain why they think they’ve been unfairly criticized.

Why get involved? If you think, as I do, that SiteAdvisor will attract a large group of passionate users, then it’s sensible to help improve the reviews these users receive. Also, SiteAdvisor has produced an incredible dataset, which they’ll be sharing under a Creative Commons license. In the coming months, I’ll be using this data for research; I’m anticipating some exciting articles analyzing how and where users get infected with spyware. Meanwhile, preview participants get access to SiteAdvisor’s fascinating dossiers (example) — a great way to track which programs install which spyware.

SiteAdvisor in Context

As I mentioned above, SiteAdvisor isn’t the first group seeking to improve the web by rating web sites. But SiteAdvisor makes major advances over previous efforts.


An ActiveX installer with a misleading company name, purportedly  "click yes to continue."An ActiveX installer with a misleading company name, purportedly “click yes to continue.”

Consider, for example, the code-signing system associated with ActiveX controls. (See example at right.) Anticipating security problems with ActiveX, Microsoft designed IE so that it only shows an ActiveX installation prompt if the ActiveX package is properly signed by an accredited code-signer like (in this example) VeriSign. VeriSign in turn sets criteria on who can receive these certificates. But despite these checks, the system turns out to be woefully insecure. For one, VeriSign wasn’t always tough in limiting who can get its certs. (The cert at right was issued a company calling itself “click yes to continue,” a highly misleading company name. Additional examples.) In addition, VeriSign’s main requirement is that a company provide a verifiable name. A company’s software may be highly objectionable — pop-up ads, privacy violations, spam zombies, you name it — but if the company gives its true name and pays VeriSign $200 to $600, then they’re likely to receive a certificate. After I criticized VeriSign’s cert-issuing practices this spring, VeriSign tightened its processes somewhat, but its Thawte subsidiary continues to issue certificates to companies that users rightly dislike. And other cert-issuers are even worse.

The ActiveX debacle shows at least three problems that can plague a certification system.

1) Certifying the wrong thing. ActiveX code-signing certifies characteristics of lesser concern to typical users. In particular, ActiveX code-signing it certifies that a vendor is who it says it is, and code-signing certifies that the specified vendor really did develop the program being offered. That’s a nice start, but it’s not what most users are most worried about other. Instead, users reasonably want to know: Is this program safe? Will it hurt my computer? As it turns out, a code-signing certificate says nothing about trustworthiness of the underlying code. But seeing the “verified” statement and VeriSign’s well-respected name, users mistakenly think code-signing means a program is sure to be safe.

2) Dependent on payment. I worry about certification businesses that receive payment from the companies being certified. If VeriSign issues a code-signing certificate, it gets paid $200 to $600. If it denies a cert, it gets $0. So it’s no surprise that lots of certificates get issued. I credit VeriSign’s good intentions, on the whole. But VeriSign staff face some odd and troubling incentives as they try to meet their code-signing financial objectives.

3) Complaints. There’s often no clear procedure for users to complain of improperly-issued certificates. I previously noted that VeriSign lacked a formal complaint and investigation process. After my article, VeriSign established a complaint form. But there are no public records of complaints received, of pending complaints, or of complaint dispositions. VeriSign may be doing a great job of handling complaints and of correcting any errors, but the public has no way to know.

Remarkably, these same problems plague other self-styled trust authorities. TRUSTe‘s main seal, its Web Privacy Seal, largely certifies that a web site has a privacy policy and that the site has agreed to resolve disputes in the way that TRUSTe requires. The policy might be highly objectionable and one-sided, but TRUSTe will still issue its seal. From the perspective of typical users, this is a “certifying the wrong thing” problem: Users expect TRUSTe to tell them that a site’s privacy policy is fair and that users can confidently provide personal information to the site, but in fact the certificate implies no such thing. (Indeed, six months after I revealed Direct Revenue, eZula, Hotbar, and Webhancer as TRUSTe certificate-holders, TRUSTe’s member list says all but eZula are all still members in good standing. In addition, these companies are known not for their web sites but for their advertising software — products TRUSTe’s certificate doesn’t cover at all. So TRUSTe’s certification is especially likely to mislead users seeking to evaluate these vendors.) Furthermore, TRUSTe receives much of its funding from the vendors it certifies, raising the worry of financial incentives to issue undeserved certificates. Finally, when I’ve sent complaints to TRUSTe, I haven’t always felt I received a prompt or appropriate response. So in my view TRUSTe suffers the same three problems I flag for the VeriSign/code-signing system.


TrustWatch‘s search engine and toolbar are superficially similar to SiteAdvisor: Both companies offer toolbars that claim to help users stay safe online. But TrustWatch suffers from the same kinds of mistakes described above. TrustWatch generally endorses a site if it has a certificate from GeoTrust, Entrust, TRUSTe, or HackerSafe. These groups vary in their respective policies, but none of them affirmatively checks for the privacy violations, spyware, spam, or other ill effects that users reasonably worry about. Instead, their focus is on SSL certificates — important for some purposes, but peripheral to today’s biggest security problems. Meanwhile, the TrustWatch endorsers charge for their certs — raising the payment problems flagged above. Predictably, TrustWatch’s system yields poor results. For example, TrustWatch certifies 180solutions and Direct Revenue with its highest “verified secure” rating. That’s an endorsement few security experts would share.

At least one certification system (besides SiteAdvisor) seems immune from the problems described above: Stan JamesOutfoxed provides a non-profit self-organizing assessment of web site trustworthiness, based on recommendations from a web of trusted experts. Because individual users can decide which recommenders to trust, Outfoxed offers the prospect of ratings based on characteristics users actually care about — solving the “wrong thing” problem. Outfoxed doesn’t charge web sites for ratings, and Outfoxed’s relationship-based trust assessments can distribute meaningful feedback to assure rating accuracy. So Outfoxed addresses the problems described above, and I think it reflects a major step forward. That said, as a self-organizing system, Outfoxed needs a critical mass of experts in order to take off. I worry that it might not get there.

Separately, a few security firms have designed automated systems to seek out spyware. See Microsoft’s HoneyMonkeys and Webroot’s Phileas. But these projects only detect exploits. In particular, they don’t identify the social engineering and misleading installations that web users face with increasing regularity.

SiteAdvisor won’t suffer from the three major problems described above. SiteAdvisor tests the specific behaviors most objectionable to typical users — extra pop-up ads, privacy violations, gummed up PCs, and of course spam — and SiteAdvisor doesn’t give a site a green light just because it has an SSL cert or a posted privacy policy. SiteAdvisor won’t issue certifications upon payment of a fee. And in addition to soliciting an abundance of comments, SiteAdvisor promptly and automatically publishes comments for public review. So, though I’ve been critical of other certification systems, I’m truly excited about SiteAdvisor.