Direct Revenue’s Dirty Documents

On Tuesday, the New York Attorney General filed suit against notorious spyware vendor Direct Revenue. In a detailed complaint, the NYAG alleged Direct Revenue surreptitiously installed spyware onto users’ computers and made its spyware exceptionally difficult to remove. The suit includes claims under New York’s General Business Law (prohibiting false advertising and deceptive business practices), New York’s Penal Law (prohibiting computer tampering), and New York’s common law prohibitions against trespass.

The NYAG’s complaint was accompanied by more than a thousand pages of exhibits and appendices. Some of these documents present the results of NYAG’s testing — narratives of misleading and nonconsensual installation, not unlike my own installation tests. But the NYAG also produced a treasure trove of documents: Internal Direct Revenue documents, records, and emails that present their strategy, intentions, and plans in great detail.

I have obtained these additional documents and posted them to a new page:

People of the State of New York v. Direct Revenue, LLC – Documents and Analysis

Some documents and findings of particular interest:

  • Revenues reported at $6.9 million in 2003, $39 million in 2004, $33 million in January-October 2005. 2004 expenses total only $13 million, for a profit margin of 66%.
  • Payments to Direct Revenue’s senior staff, totaling more than $27 million.
  • A list of distributors of Direct Revenue’s spyware, with the number of installations attributable to each.
  • Admission that Direct Revenue for a time sold a “majority” of its advertising through ad networks Traffic Marketplace and ValueClick.
  • Admission that Direct Revenue’s ads appear so frequently that they constitute “user abuse.” But reducing ad frequency lowers company revenues, so frequency stays high.
  • Admission that Direct Revenue previously tracked and transmited users’ GET and POST data — names, addresses, emails — and even sent this data to third parties Hitwise and Compete.com. Itemizes the specific personal information collected from online forms: first name, last name, e-mail address, street address, and zip code. Hitwise reports successfully analyzing and matching users’ IDs, genders, and phone numbers.
  • Instructs making Direct Revenue harder to remove, by deleting its entry from Control Panel’s Add/Remove Programs, because too many users were relying on that method to remove Direct Revenue.
  • Report of April-June 2005 payments from Yahoo, totaling more than $600,000 in those three months alone.
  • Installation by Direct Revenue of Ebates’ Moe Money Maker onto users’ computers.
  • Listing of Direct Revenue’s many names and shell companies, all used to confuse and deceive the public.
  • Complaints from Direct Revenue partners, such as Kazaa (which called Direct Revenue’s ads “purposefully confusing to the user”) and Integrated Search (which wanted Direct Revenue to include an uninstaller in Control Panel, as previously promised)
  • Threatening the Center for Democracy and Technology. Demanding revisions from CNET. Hiring an investigator to track anti-spyware researcher Webhelper, and planning tactics to intimidate him.
  • Claims I am “losing credibility in the industry” and calls me a “fanatic.”
  • Endorses NYAG’s suit against Intermix as an “important opportunity to draw a bright line between purveyors of spyware and legitimate behavioral marketing companies like Direct Revenue.”
  • Scores of complaints from users (1, 2, 3 , 4, 5, 6, 7, 8, 9) Direct Revenue staff call one complaining user an “idiot.”
  • Complaints from Direct Revenue’s investors get special handling. One investor worries that another member of his investment firm, former Secretary of the Treasury Bob Rubin, may learn of Direct Revenue’s practices.
  • Reports daily revenue per user at approximately $0.015 (one and one half cents per user per day). (Compare that revenue with the harm caused to users — the amount a typical user would be willing to pay not to have Direct Revenue installed.)

See also others’ analysis of the documents.

I still have a few more documents to post, and I’ll be uploading them later today.

The Spyware – Click-Fraud Connection — and Yahoo’s Role Revisited

In August I reported a startling number of notorious spyware programs receiving payments, directly or indirectly, from Yahoo!’s pay-per-click (PPC) (Overture) search system. Yahoo pays numerous other companies to show these ads via syndication relationships. So when a spyware vendor can’t find advertisers to buy its ad inventory directly, the spyware vendor can show Yahoo ads instead. Every time a user clicks on such an ad, the advertiser must pay Yahoo. Then Yahoo pays a revenue share to the spyware vendor that showed the ad. My August article documented relationships between Yahoo and 180solutions, Claria, Direct Revenue, eXact Advertising, IBIS, and SideFind.

My August article covered “just a few of the … examples I have observed and recorded.” Since then, my Yahoo-spyware collection has grown dramatically. I now have many dozens of different examples of Yahoo pay-per-click ads shown within spyware.

My August examples demonstrate what I call “syndication fraud” — Yahoo placing advertisers’ ads into spyware programs, and charging advertisers for resulting clicks. But Yahoo’s spyware problems extend beyond improper syndication. In my August syndication fraud examples, an advertiser only pays Yahoo if a user clicks the advertiser’s ad. Not so for three of today’s examples. Here, spyware completely fakes a click — causing Yahoo to charge an advertiser a “pay-per-click” fee, even though no user actually clicked on any pay-per-click link. This is “click fraud.”

This document offer four fully-documented examples of improper ad displays (1, 2, 3, 4), including three separate examples showing click fraud. I then develop a taxonomy of the problem and suggest strategies for improvement.

The Pay-Per-Click Promise; The Click Fraud Threat

When advertisers buy pay-per-click advertising, they largely expect and intend to buy search engine advertising. If a user goes to Yahoo and types a search term, interested advertisers want their ads to be shown. Ads are supposed to be carefully targeted, i.e. to the specific keywords advertisers specify. And an advertiser is only supposed to pay Yahoo when a user actually clicks the advertiser’s ad.

Click fraud attacks these promises. In canonical click fraud, one advertiser repeatedly clicks a competitor’s ads — or hires others to do so, or builds a robot to do so. Deplete a competitor’s budget, and he’ll leave the advertisement auction. Then the first advertiser can win the advertising auction with a lower bid.

Advertisement syndication also creates a risk of click fraud. Suppose Yahoo contracts with some site X to show Yahoo’s ads. If a user clicks a Yahoo ad at X, Yahoo commits to pay X (say) half the advertiser’s payment to Yahoo. Then X has an incentive to click the Yahoo ads on its site — or to hire others to do so, or to build robots to do so.

Spyware syndication falls within the general problem of syndication-based click fraud. Suppose X, the Yahoo partner site, hires a spyware vendor to send users to its site and to make it appear as if those users clicked X’s Yahoo ads. Then advertisers will pay Yahoo, and Yahoo will pay X, even though users never actually clicked the ads.

The following three examples show specific instances of spyware-syndicated PPC click fraud. In each example, I present video, screenshot, and packet log proof of how spyware vendors and advertisement syndicators defraud Yahoo’s advertisers.

Click Fraud by 180solutions, Nbcsearch, and eXact Advertising – December 17, 2005

PPC advertisers
money viewers
Yahoo Overture
money viewers
eXactSearch
money viewers
Nbcsearch
money viewers
180solutions

The money trail – how funds flow from advertisers to Yahoo Overture to 180solutions

On a test PC with 180solutions (among other unwanted software) (widely installed without consent), I browsed Nashbar.com, a popular bicycling retailer. I received a popup that immediately forwarded traffic to a Yahoo Overture PPC link — faking a click on that link, and charging an advertiser as if a user had clicked on that link, even though I had not actually done so.

Reviewing my packet log, I see that traffic flowed as listed below.

http://tv.180solutions.com/showme.aspx?keyword=bicycle%2aparts+cycling+cycling…
http://popsearch.nbcsearch.com/metricsdomains.php?search=mountain+bike
http://ww3.exactsearch.net/red.php?mc=T%2FcbeGxGNus4%2F3AyiyVWsqV5cRprOptbkiRR…
http://ww3.exactsearch.net/click.php?mc=T%2FcbeGxGNus4%2F3AyiyVWsqV5cRprOptbki…
http://207.97.227.18/clk/?31303b313133343836343333352e39347e74696572313b3030
http://www22.overture.com/d/sr/?xargs=15KPjg149StpXyl%5FruNLbXU7Demw1X18j2tJ5w…
http://clickserve.cc-dt.com/link/click?lid=43000000005485843
http://www.sportsmansguide.com/affiliate/ccx.asp?url=http%3A%2F%2Fshop%2Esport…

See also full packet log, annotated screenshots, and video.

As shown in the diagram at right, the net effect of these practices is that advertisers pay Yahoo, then Yahoo pays eXact Advertising (eXactSearch), which pays Nbcsearch, which pays 180solutions.

All these payments are predicated on a user purportedly clicking an ad — but in fact no such click ever occurred. Because advertisers are charged for pay-per-click “clicks” without any such click actually taking place, this is an example of click fraud.

Click Fraud by 180solutions, Nbcsearch, and Ditto.com – March 2, 2006

PPC advertisers (i.e. SmartBargains)
money viewers
Yahoo Overture
money viewers
Ditto.com
money viewers
Nbcsearch
money viewers
180solutions

The money trail – how funds flow from advertisers to Yahoo Overture to 180solutions

On a test PC with 180solutions (among other unwanted software) (widely installed without consent), I browsed SmartBargains.com, a popular discount retailer. I received a popup that, in its title bar, indicated that it came from 180solutions. Mere seconds later, I was redirected to a duplicate window of SmartBargains.

Reviewing my packet log, I see that traffic flowed as listed below.

http://tv.180solutions.com/showme.aspx?keyword=%2esmartbargains%2ecom+smart+…
http://popsearch.nbcsearch.com/metricsdomains.php?search=smartbargains.com
http://ww2.ditto.com/red.php?mc=T%2FgSdHBNM%2Bg2%2B3AyiyVWsqV5cRprOptbkiRRrZ…
http://ww2.ditto.com/click.php?mc=T%2FgSdHBNM%2Bg2%2B3AyiyVWsqV5cRprOptbkiRR…
http://agentq.ditto.com/click.clk?pid=708811&ss=smartbargains.com&advname=sm…
http://www24.overture.com/d/sr/?xargs=15KPjg1%2DpSgJXyl%5FruNLbXU6TFhUBPycz2…
http://www.smartbargains.com/default.aspx?aid=47&tid=82136

See also full packet log, annotated screenshots, and video.

As shown in the diagram at right, the net effect of these practices is that advertisers pay Yahoo, then Yahoo pays Ditto.com, which pays Nbcsearch, which pays 180solutions.

All these payments are predicated on a user purportedly clicking an ad — but in fact no such click ever occurred. Because advertisers are charged for pay-per-click “clicks” without any such click actually taking place, this is an example of click fraud.

This example also shows what I call “self-targeted traffic.” Notice that the net effect of this click fraud is to show the user the site the user had requested — but to show that site also in a second (“double”) window. Since users end up at the requested site, users may not notice that anything is wrong. But from an advertiser’s perspective, something is very wrong: This process asks SmartBargains to pay Yahoo Overture PPC fees for SmartBargains’ own organic traffic — a lousy deal, since Yahoo Overture is providing SmartBargains with no new leads and no genuine value.

Click Fraud by Look2me/Ad-w-a-r-e, Improvingyourlooks.com, and Two Unknown Parties – April 1, 2006

PPC advertisers (e.g. lasikcookeye.com)
money viewers
Yahoo Overture
money viewers
64.14.206.59
money viewers
improvingyourlooks.com
money viewers
12.129.178.27
money viewers
Look2me / Ad-w-a-r-e

The money trail – how funds flow from advertisers to Yahoo Overture to Look2me / Ad-w-a-r-e

On a test PC with Look2me/Ad-w-a-r-e (among other unwanted software) (installed without my consent), I received a popup that redirected me to and through a Yahoo Overture PPC link. The popup ultimately showed me the lasikcookeye.com site even though I had showed no prior interest in eye problems or eye surgery. Reviewing my packet log, I see that traffic flowed as listed below:

http://www.ad-w-a-r-e.com/cgi-bin/UMonitorV2
http://64.194.221.33/cgi-bin/KeywordV2?query=4047&ID={…}
http://12.129.178.27/redir?aid=1006&cid=162&xargs=ZmlkPTUxJmtleT1sYX…
http://search.improvingyourlooks.com/index.html?red=1&q=lasik%20eye%20su…
http://search.improvingyourlooks.com/?1143930576
http://64.14.206.59/cgi-bin/feedred?c=2188&p=2068&q=lasik%20eye%20surgery&de…
http://www10.overture.com/d/sr/?xargs=15KPjg17hS%2DZXyl%5FruNLbXU6TFhUBQxd7t…
http://www.lasikcookeye.com/

See also full packet log, annotated screenshots, and video.

As shown in the diagram at right, the net effect of these practices is that advertisers pay Yahoo, then Yahoo pays the operators of the server at 64.14.206.59, which pays improvingyourlooks.com, which pays 12.129.178.27, which pays Ad-w-a-r-e.

All these payments are predicated on a user purportedly clicking an ad — except that in fact no such click ever occurred. Because advertisers are charged for pay-per-click “clicks” without any such click actually taking place, this is an example of click fraud. Furthermore, because my prior activity gave no sign of any interest in eye care, this popup sends the advertiser untargeted traffic — also contrary to Yahoo’s representations to advertisers.

Advertiser Lasikcookeye is the victim of these practices and the victim of this click fraud. Lasikcookeye contracted with Yahoo to buy pay-per-click ads shown at Yahoo.com when users performed relevant searches. Lasikcookeye intended (and reasonably expected) that its ad would be shown to appropriate users, and that it would only be charged if a user saw the ad, found it appealing, and specifically chose to click on it. Instead, Lasikcookeye here was charged for a “click” that never took place, and for its site being shown to a user who never asked to see it. Furthermore, Lasikcookeye’s site was shown in a popup, an advertising format users are known to dislike, which risks damaging Lasikcookeye’s good name.

Unlabeled PPC Links Inserted into Third Party Web Sites – by Qklinkserver.com / Srch-results.com, Searchdistribution.net, and Intermix’s Sirsearch – April 2, 2006

The circled link was inserted into the nytimes.com site by Qlinkserver.  Clicking the link sends traffic to Yahoo Overture PPC and on to an advertiser. The circled link was inserted into the nytimes.com site by Qklinkserver, without the Times’ consent. Clicking the link sends traffic to Yahoo Overture PPC and on to an advertiser.

PPC advertisers (e.g. shop.com)
money viewers
Yahoo Overture
money viewers
Intermix Sirsearch
money viewers
Searchdistribution.net
money viewers
Qklinkserver.com / Srch-results.com

The money trail – how funds flow from advertisers to Yahoo Overture to Qklinkserver

On a test PC with Qklinkserver (among other unwanted software) (installed without my consent), I observed numerous extraneous hyperlinks inserted into third parties’ sites. Checking these same sites on ordinary uninfected PCs, I received no such links. See e.g. the partial screenshot at right, showing an extra hyperlink inserted into the lead article listed on the New York Times site.

Clicking that extra New York Times link yielded traffic to a Yahoo Overture PPC link and on to a Yahoo Overture advertiser (here, shop.com). Reviewing my packet log, I see that traffic flowed as listed below:

http://www.qklinkserver.com/lm/rtl4.asp?si=20057&k=prime%20minister
http://search1.srch-results.com/search.asp
http://partnernet.searchdistribution.net/go3.aspx?encr=1&nv_click=9JT5m1b…
http://www.sirsearch.com/click.cfm?rurl=http%3a%2f%2fwww10.overture.com%2…
http://www10.overture.com/d/sr/?xargs=15KPjg1%5F5SjJXyl%5FruNLbXU6TFhUBPz…
http://www.shop.com/op/aprod-~Prime+Minister+Print?ost=prime+minister&sou…

See also full packet log, annotated screenshots, and video.

As shown in the diagram at right, the net effect of these practices is that advertisers pay Yahoo, then Yahoo pays Intermix (Sirsearch), then Intermix pays Searchdistribution.net which pays Qklinkserver.com / Srch-results.com.

As shown in the inset image above-right, Qklinkserver.com inserts links into other sites without any on-screen indication that the links come from Qklinkserver, not from the requested sites. Users seeing such links might reasonably think they reflect editorial selection by the requested sites (i.e. New York Times editors picking an appropriate link), when in fact the links merely point to whichever advertisers bid highest at Yahoo.

Note that traffic passes through Intermix’s Sirsearch servers. This is not Intermix’s first involvement with spyware, nor Intermix’s first involvement with Yahoo in the context of spyware. During the New York Attorney General’s summer 2005 investigation of Intermix for improper installation of advertising software onto users’ computers, a NYAG investigator reported that more than 10% of Intermix’s revenues came from Yahoo. The investigator further commented that the NYAG was “not ruling out … going after … Overture” for its role in funding Intermix. My findings here suggest that Intermix’s relationship with Yahoo and Intermix’s funding of spyware may extend beyond what was previously known.

I have tested the Qklinkserver advertising software at length. Of the links I have received from Qklinkserver, every single one ultimately passes through Yahoo Overture. As best I can tell, Yahoo Overture is the sole source of funding for Qklinkserver. (Compare: Yahoo Overture funding 31% of Claria, per Claria’s 2003 SEC S1.)

Understanding the Problem

I see six distinct problems with the Yahoo practices and partners at issue.

  • Click fraud. Through these improper ad displays, Yahoo charges advertisers for “clicks” that didn’t actually occur. This violates the core premise of pay-per-click advertising, i.e. that an advertiser only pays if a user affirmatively shows interest in the advertiser’s ad. Yahoo promises: “Pay only when a customer clicks on your listing.” But that’s just not true here. Instead, through click fraud, advertisers are asked to pay for spyware-delivered traffic, whether or not users actually click.
  • Untargeted traffic. Premium prices for PPC advertising reflect, in part, the extreme targeting of PPC leads: PPC ads are only supposed to be shown to users actively searching for the specified product, service, or term. Yahoo promises: “Advertise only to customers who are already interested in your products or services.” That’s also untrue in some of my examples. in fact spyware-delivered PPC results show Yahoo PPC ads to users with no interest in advertisers’ products or services.
  • Self-targeting traffic. Spyware-delivered PPC ads often target advertisers with their own ads. For example, in August I reported a user browsing the Dell site, then receiving spyware-delivered Yahoo PPC advertising promising “up to 1/3 off” if a user clicked a prominent link. But clicking that link didn’t actually provide any discounts or savings beyond Dell’s usual prices. However, each time a user clicked the link, Dell had to pay Yahoo a PPC advertising fee that I estimate at $3.30. That’s a bad deal for Dell: These users were already at Dell’s site, and there’s no reason why Dell should pay Yahoo or a spyware vendor just to keep them there. Same for self-targeting of SmartBargains, reported above.
  • Failure to label sponsored links as such. Through spyware syndication, Yahoo PPC ads often appear on users’ screens without appropriate labeling. When unlabeled ads appear in or adjacent to search engine results, these ads risk violating the FTC‘s 2002 instructions for advertising disclosures at search engines. See my prior SideFind example, where SideFind justifies bona fide search results with Yahoo PPC ads, without labeling Yahoo’s ads as such. Unlabeled ads also prevent users from understanding the nature of the linked content: For example, recall my Qklinkserver example. Seeing unlabeled text links inserted into ordinary web pages, users reasonably expect that such links were chosen by the sites users were visiting, when in fact such links were unilaterally inserted by unrelated spyware installed without user consent.
  • Low-quality traffic. Advertisers pay Yahoo a premium to reach desirable users at Yahoo.com — sophisticated users, users who are actively engaged in search. In contrast, spyware sends advertisers low-quality users, including users who are less likely to make a purchase. This traffic is not worth the premium price Yahoo charges. Consider: 180solutions sells popups for as little as $0.015 (one and a half cents) per ad display. In contrast, Yahoo charges a minimum of $0.10 — more than six times as much. Yahoo harms advertisers when Yahoo charges advertisers its premium prices for ads ultimately shown through low-quality low-cost channels like 180solutions.
  • Unethical spyware-sourced traffic. Industry norms, litigation, and instructions from policy makers (1, 2) all tell advertisers to keep their ads out of spyware. Discomfort with spyware reflects concerns about installation methods (misleading and nonconsensual installations), privacy effects, other harms to consumers, and harms to other web sites. For these and other reasons, many advertisers make a serious good-faith effort to stay away from spyware. These same advertisers also buy PPC ads from Yahoo — a standard, reasonable practice for anyone buying online advertising. Unfortunately, these Yahoo PPC ad purchases inevitably and automatically put advertisers into notorious spyware, including the programs reported above. By allowing these improper ad placements, Yahoo endangers its advertisers’ good names, and risks putting them in violation of best practices and policy-makers’ guidance.

Each of these problems is serious in its own right. But the examples at hand, in my current and prior reporting, inevitably combine several such problems — making them particularly troubling. The table below attempts to summarize my findings, as to the specific examples reported above and previously.

Click Fraud Untargeted traffic Self-targeting traffic Failure to label sponsored links as such Low-quality traffic Unethical spyware-sourced traffic Software sometimes installed without any user consent
180solutions / Nbcsearch / eXact (December 2005) x n/a* x x x
180solutions / Nbcsearch / Ditto (March 2006) x x n/a* x x x
Look2me / Ad-w-a-r-e / Improvingyourlooks (April 2006) x x n/a* x x x
Qklinkserver / Srch-results / Searchdistribution / Intermix SirSearch (April 2006) x x x x
Claria (August 2005) x x x
eXact Advertising (August 2005) x x x x
Direct Revenue / InfoSpace (August 2005) x x x x x
180solutions / InfoSpace (September 2005) x x x
IBIS / InfoSpace (June 2005) x x x
SurfSideKick / TrafficEngine (September 2005) x x x x x
Hotbar (November 2005) x x x x x

* – These examples entail click fraud — with nothing shown to a user before a PPC ad was invoked, and hence no opportunity for improper ad labeling.

An empty box should not be taken to be an endorsement of a vendor’s practices, or an indication that that vendor does not perform the specified practice. For example, although I have not chosen to post an example of eXact Advertising harming merchants via self-targeting, I have observed such self-targeting.

Yahoo’s Click Fraud and Syndication Fraud in Context

Many others have alleged click fraud at Yahoo. (1, 2, 3) But others generally infer click fraud based on otherwise-inexplicable entries in their web server log files — traffic clearly coming from competitors, from countries where advertisers do no business, or from particular users in excessive volume (i.e. many clicks from a single user). In contrast, my proof of click fraud is direct: As documented and linked above, I have captured click fraud on video and in packet logs. Yahoo may argue about advertisers’ inferences in other instances, i.e. disputing that advertisers have really found click fraud. But it’s far harder to deny the click fraud shown in my examples.

In the examples I show above and previously, Yahoo’s problem results from bad partners within its network. Yahoo syndicates ads to numerous partners, many of whom syndicate ads to others, some of whom then syndicate ads still further. The net effect is that Yahoo does not know who it’s dealing with, and therefore cannot exercise meaningful supervision over how its ads are displayed. I consider this a bad idea — bad business, bad for quality, bad for accountability. But Yahoo need not listen to me. Instead, consider instructions from New York Attorney General staff member Ken Dreifach: “Advertisers and marketers must be wary of fraud or deceptive practices committed by their affiliates, even [affiliates] that they have no working relationships with.” (Quote from MediaPost, summarizing Dreifach’s remarks.)

Yahoo’s “Whack-A-Mole” Problem

The many bad partners in Yahoo’s network make fraud particularly hard to block: When Yahoo terminates one fraudster, that fraudster’s partners find another way to continue operations.

Notice that the first and second examples (above) both show click fraud that originates with 180solutions and Nbcsearch. Yet Nbcsearch’s relationship with Yahoo Overture differs between these two examples: In the first, Nbcsearch gets ads from eXactSearch which gets ads from Yahoo; in the second, Nbcsearch instead gets Yahoo ads from Ditto.com. My testing suggests that Yahoo may have terminated the former ad channel at some point after my December testing. But Nbcsearch’s efforts to defraud Yahoo advertisers were not stymied by Yahoo’s possible termination of the first channel; Nbcsearch was able to find a new channel, i.e. Ditto.com, by which to continue to perform click fraud.

Yahoo’s enforcement difficulties are also borne out in its unsuccessful attempts to sever ties with 180solutions and Direct Revenue. After I highlighted these vendors in my August report, it seems Yahoo attempted to terminate its relationships with them. Yet 180 continued not just to show Yahoo ads, but also to perform click fraud, as documented in the first two examples above. Furthermore, as recently as February 2006, I have continued to see Direct Revenue serving popups that ultimately show Yahoo PPC ads. So even when Yahoo seeks to sever relationships with a partner as well-known as 180solutions or Direct Revenue, it seems Yahoo is unable to do so.

What Comes Next

After my August report, Yahoo terminated several of the specific wrongdoers I identified. I expect and hope that Yahoo will respond similarly to the findings reported here. If I learn of such a response, or if I receive any other relevant communication from Yahoo, I will update this page accordingly.

But it is not a sustainable approach for me to perform occasional public audits for Yahoo. These reports are infrequent, hardly sufficient to protect advertisers from ongoing fraud. Furthermore, these reports are merely illustrative — giving a few examples of a broad class of problems, but reporting only a small proportion of the fraud of which I am aware.

Yahoo recently announced its support (as a founding sponsor) of TRUSTe‘s forthcoming Trusted Download Program. The Trusted Download program intends to certify advertising software — so advertisers can confidently buy ads from such programs. I have a variety of concerns about the program — including that its standards may be too lax, that it will face exceptional difficulties in performing meaningful enforcement, and that I don’t know that any “adware” deserves a certification or endorsement. But even if Trusted Download were fully operational and working as expected, it would not have identified or prevented the problems described in this article. At best, Trusted Download would tell Yahoo that it may work with whatever adware vendors earn TRUSTe’s certification. But Yahoo’s problem isn’t uncertainty about which adware vendors are good. Instead, Yahoo’s problem is that, time and time again, it finds itself working with (and its advertisers defrauded by) notorious “adware” vendors — vendors Yahoo has already resolved to avoid (e.g. 180solutions, Direct Revenue), or vendors that wouldn’t come close to passing any ethics test (e.g. Qklinkserver, Look2me/Ad-w-a-r-e). Trusted Download doesn’t and won’t monitor advertisement syndication; Trusted Download won’t and can’t prevent these bad Yahoo PPC syndication relationships.

I see two basic strategies for Yahoo. Yahoo could try to limit its exposure to fraud, i.e. by scaling back its partner network, by more thoroughly vetting its partners, and by prohibiting its partners from further resyndicating Yahoo’s ads. Alternatively, Yahoo could try to detect fraud more thoroughly and more quickly, i.e. by implementing aggressive and robust testing methods to find more examples like those above, and like the dozens more examples I have on file. I tend to think both strategies are appropriate; in combination, they might serve to blunt this growing problem. But merely ignoring the issue is not a reasonable option; Yahoo’s advertisers pay top dollar for Yahoo PPC ads, and they deserve better.

Yahoo cannot expect these fraudulent techniques to disappear. Yahoo is an attractive target for fraudsters due to Yahoo’s high advertising charges and Yahoo’s high payments to partners. As spyware vendors find other revenue sources increasingly difficult (i.e. because advertisers do not want to buy spyware-delivered advertising), spyware vendors are likely to continue to turn to more complex advertising channels such as PPC, which are more amenable to fraud due to their reduced transparency and increased complexity. Yahoo, like other PPC services, needs to anticipate and block this growing problem.

Similar issues confront Google — though, in my testing, more often through bad syndication and less often through click fraud. I’ll cover Google’s problems in a future piece. Meanwhile, see my prior articles about Google and spyware: 1, 2.

Advertisers Funding Direct Revenue

Earlier this week, New York State Attorney General staff member Ken Dreifach told an advertiser conference they need to be careful where their ads appear. According to MediaPost coverage, Dreifach explained: “If you are sending stuff onto a consumer’s computer, it’s your responsibility to make sure the software you’re using belongs there.”

As to Direct Revenue’s notorious ad-serving software, there is no doubt that ads appear that don’t “belong,” and that users never agreed to accept. Recall my many documented examples of nonconsensual or otherwise improper Direct Revenue installations.

Click for thumbnails of selected 180solutions advertisersWhat advertisers pay for their ads to be shown by Direct Revenue, despite Dreifach’s warnings and Direct Revenue’s history of bad practices? To see for myself, I browsed the web on a PC with Direct Revenue installed. I received ads from plenty of big-name advertisers, including Citi, HSBC, True.com, and United Airlines. I received ads from technology companies Netzero and People PC (ISPs), Sage Software (makers of the Act! contact manager), Sprint, T-Mobile, and Vonage — companies that arguably should know not to advertise with Direct Revenue, since the Internet is the core of their businesses. Finally, despite a new ITSA policy on adware (my analysis), I saw ads from multiple ITSA members — including from Cendant properties Cheap Tickets, Howard Johnson, and Super 8, as well as from Travelocity.

Thumbnails of the Direct Revenue ads I received

Criticism of Direct Revenue generally focuses on the company’s nonconsensual installations, misleading installations, improper attempts to block removal, and use of many confusing company/product names. (Newsweek analysis.) But inspecting Direct Revenue’s ads reveals further cause for concern. For example, of the Direct Revenue ads I received, most arrived with their upper-right “X” button off-screen. Typical users rely on that button to close an unwanted window. By putting the X off-screen, Direct Revenue makes its ads that much harder for users to escape. Sophisticated users know other ways to dismiss the ads, and some users have larger screens where the X will be visible. But for ordinary folks — with ordinary computer skills and ordinary 800×600 PC screens — Direct Revenue’s ads are particularly hard to avoid.

Advertisers’ Denials and My Responses

Advertisers don’t always tell the truth about their advertising tactics, and they certainly don’t do everything possible to keep their ads out of spyware.

Last week, CDT posted a report (PDF) on advertisers funding 180solutions, based on advertisers I documented for CDT. Among the advertisers was Altrec, a Washington retailer of outdoor clothing and gear. When asked about its relationship with 180, Altrec told NewsFactor that the ads were an “experiment” of limited scope. Altrec also told c|net news.com that it spent less than $440 with 180 in the first quarter of 2006. See also Altrec’s press release.

I think Altrec’s relationship with 180 was actually considerably larger than Altrec suggests. For years, I have retrieved periodic listings of 180’s advertisers. In August 2004 data collection, I found Altrec targeting nine keywords for a display of its http://www.altrec.com/mpgate/180so/ page (a URL that indicates Altrec’s specific knowledge that traffic was coming from 180). By December 2004, Altrec was targeting 110 different URL fragments, including competing sites REI and Sierra Trading Post. Altrec is right to admit that its relationship with 180 was a mistake. But no online marketer needs two years to evaluate a new ad campaign. So Altrec’s characterization of the relationship as an “experiment” is not persuasive. Furthermore, Altrec misleads the concerned public by emphasizing its quarter-to-date spending without mentioning prior years’ spending. Finally, 180 isn’t the only “adware” program Altrec has used. In March 2005, I publicly reported Altrec advertising with eXact Advertising. In short, Altrec’s involvement with adware was substantially larger than Altrec’s statements indicate.

Netflix, also named in my prior work and CDT’s report, described itself as “very vigilant about this issue.” Netflix staff say improper ad placements are particularly difficult to stop because Netflix buys so much online advertising. Perhaps. Netflix’s 2004 annual report (the latest available) confirms that Netflix spent an incredible $98 million on marketing in 2004 alone. But which way does this big budget cut? If Netflix spends a lot on advertising, should the world lower its expectations for Netflix’s ethics and care? I have to wonder how much effort — and money — Netflix spent on auditing and testing. My testing methods use one $2,000 PC and one $189 copy of VMware, plus a bit of skill and elbow grease. With all its resources, Netflix could do a lot better. (For anyone who wants to accelerate my testing, here’s my one-item wishlist.) In any event, I’ve seen numerous Netflix ads appearing through Direct Revenue in recent weeks, but for brevity I include only one in today’s report.

Critiquing ITSA’s Pro-Adware Policy

These days, few advertisers defend “adware” advertising. It seems the world has largely noticed: Consumers hate adware-delivered popup ads. It’s rare that any consumer intentionally installs adware with an accurate understanding of what lies ahead. Since consumers don’t want adware, adware vendors get onto users’ computers by trickery and deception, without appropriate disclosures and informed consent. Problems plague even those vendors that claim to have reformed. (Recall Claria soliciting installations through other vendors nonconsensually-installed spyware and removing important phrases from its disclosures.)

Despite the rising backlash against adware, the Interactive Travel Services Association recently offered a rare contrary view. In its Statement Regarding the Use of Marketing Software Applications (PDF), ITSA effectively endorsed adware. ITSA claims adware “can be useful to many consumers because it provides timely, relevant and money-saving information.” Despite the bad consumer experience and lousy value proposition, ITSA goes on to say adware advertising is just fine, under strikingly vague and weak conditions.

My challenge to ITSA executives: Install Direct Revenue “adware” on your PCs for a month. Then report how much time and money you save.

I don’t understand why ITSA published these guidelines. Certainly I see why ITSA members want to discuss the problem of adware, and why they want to come to a joint decision on stopping bad advertising practices. After all, Expedia would understandably hesitate to stop targeting (say) Orbitz, if there was reason to worry Orbitz would keep running ads that target Expedia. This prisoner’s-dilemma problem calls for the intervention of a trade association, and ITSA seems a natural choice. But the right result from such intervention is to prohibit these bad practices and enforce members’ future compliance — not to sugar-coat the problem.

ITSA members aren’t gaining anything from adware. To the contrary, they pay big fees to adware vendors, but they’re often just trading customers who are already at ITSA member sites. Expedia would be better served by a policy that prevents Orbitz and Travelocity from stealing its traffic, in exchange for a reciprocal promise that Expedia will behave accordingly. Such a policy would serve consumers too, by reducing the funding available to adware vendors and limiting their incentives to sneak onto users’ PCs. That’s the approach I’d like to see from ITSA.

If ITSA is up for a challenge, it could focus on getting travel vendors’ ads out of adware — starting with its own members. ITSA member Cendant owns Cheap Tickets, Howard Johnson, and Super 8 — all three of which are still advertising with Direct Revenue. So is Travelocity. (All confirmed just yesterday, March 30.) Yesterday I also saw Cendant’s Budget Rent A Car still advertising with 180solutions, and Travelocity and Orbitz advertising with Hotbar. Is this what the new ITSA policy will bring? More advertisers for 180solutions, Direct Revenue, and Hotbar, but now with an ITSA stamp of approval? In my view, ITSA should focus on cleaning up its members’ practices, rather than singing adware vendors’ praises.

As best I can tell, adware vendors are the only group that benefits from ITSA’s new policy. No wonder 180solutions endorses ITSA’s approach.

See also criticism from travel expert and consumer advocate Christopher Elliott.

Advertisers Funding 180solutions

I’ve long believed that the spyware explosion results primarily from advertisers’ payments. It’s easy to see why advertisers love spyware: Where better to get a customer, than someone who is about to buy from a direct competitor? And spyware-delivered ads are so exceptionally intrusive — often full-screen pop-ups — that they’re likely to drive sales, even if users dislike the pop-up format.

Spyware advertising also suffers from a race-to-the-bottom effect. Consider a two-party example. If Expedia serves a big pop-up when users visit Orbitz, Expedia is likely to get lots of new customers from Orbitz. What should Orbitz do in response? They could sue, as many companies have. But more likely, they’ll just buy more spyware-delivered ads of their own — and try to grab back some of the users Expedia just took away. This yields high revenue to spyware vendors (in turn yielding more spyware), high costs to advertisers, and annoying popups for users. It’s nothing to celebrate.

With this problem in mind, I’ve written at length about spyware revenue models. My publications page shows a dozen articles on this subject, dating back to my 2003 report of advertisers using Gator (now Claria).

Click for thumbnails of selected 180solutions advertisersToday, the Center for Democracy and Technology posted a report (PDF) on the spyware advertising problem. Earlier this year, I provided CDT with a number of examples of advertisers still funding 180solutions (despite 180’s many known nonconsensual installations and other bad practices). See also my thumbnails of the ads I saw.

CDT’s report rightly criticizes advertisers that lack a policy for where their ads can appear. Of course just having a policy may not be enough. Apparently the travel industry has developed such a policy — yet I still see big travel companies advertising with Claria, Hotbar, and others. And travel companies’ partners and affiliates continue to advertise through the most notorious of spyware.

What comes next here? I’ve been pleased to see responsible advertisers withdrawing from the big-name spyware vendors — with a corresponding reduction on the number of users those vendors harm. That said, when advertisers terminate their direct relationships with spyware vendors, spyware vendors often find indirect ways to continue to get paid by the same advertisers. For example, spyware vendors show lots of pay-per-click ads (as I documented last year for Yahoo and Google [1, 2]). Spyware vendors also show affiliate ads (index of findings, some specific examples), syndicated banners, and more. At last week’s NYU/Princeton spyware conference, I showed new examples of some of these indirect relationships — including an example that combines spyware with click fraud against a Yahoo advertiser (slides 17-19). And CDT’s report (PDF, page 9) mentions my finding of many Netflix ads appearing through these indirect relationships, even after Netflix claimed my first example was “unique.” Common to all these examples: Advertisers’ ads appear in ways they didn’t specifically intend and often don’t even know about; and spyware vendors ultimately benefit from advertisers’ inattentiveness.

These ad syndication relationships will be a renewed priority for discussion on my site in the coming months. Sophisticated advertisers and ad networks need to understand that merely writing an ad policy won’t stop these bad relationships. Instead, advertisers need to establish testing procedures to make sure their ads actually comply with intended policy.

Nonconsensual 180 Installations Continue, Despite 180’s "S3" Screen updated February 24, 2006

On Friday morning (February 17), I received a nonconsensual installation of 180solutions Zango software through a security exploit. I was browsing an ordinary commercial web site, when I got a popup from exitexchange.com (a major US ad network, with headquarters in Portland, Oregon) . The popup sent me to a third-party’s web site. (I’ll call that third party “X” for convenience. Details.) Then X ran a series of exploits to take control of my test PC, including using the widely-reported WMF exploit uncovered last month. Once X took control of my PC, X caused my computer to install and run 180solutions Zango software, among a dozen other programs. Notably, X fully installed 180’s Zango without me taking any action whatsoever — without me clicking “I agree,” “Yes,” “Finish,” or any other button of any kind. X installed 180’s Zango despite 180’s new “S3” protections, intended to block these nonconsensual installations.

Most aspects of this installation are remarkably standard. “Adware” installations through security exploits are all too common. And it’s not that unusual to see traffic flowing through an ad network — even a big US ad network.

But what’s newsworthy here is that 180solutions got installed, even though 180 last year told the world that these nonconsensual installations were impossible. Effective January 1, 2006, all 180solutions distributors were required to switch to 180’s “S3” installer. 180 claimed huge benefits from the new S3 system: 180’s October 2005 press release promised:

“The S3-enabled clients … mean[] 180solutions will own the entire experience from beginning to end on all installations of its products.”

180’s S3 Whitepaper (PDF) also falsely promises major benefits from S3:

“[I]nstallation cannot continue until the user gives consent.”

“Since the consent box comes directly from 180solutions, publishers are unable to turn it off.”

To the contrary, my video shows installation continuing even when a user does not consent. And my video shows a distributor faking a user’s click on the consent button.

See video of the nonconsensual installation of 180 Zango, including bypassing of the 180 S3 screen. (Note: Video has been edited to hide the identity of the installer at issue. Learn why. Within the video, yellow markup provides my comments and analysis.)

180’s S3 Technology and Its Design Flaws


180's S3 installation system180’s S3 installation system

Historically, 180’s installer programs have installed 180 software immediately, on the misguided assumption that 180’s distributors already obtained user consent. That approach is overly optimistic because 180’s distributors have no incentive to ask users’ permission: If distributors seek users’ permission, users might decline that unwanted offer, preventing distributors from getting paid by 180. So it comes as no surprise that many distributors have installed 180 without obtaining users’ consent. I have publicly posted at least five different videos showing such installations (1, 2, 3, 4, 5), and I have many more on file. Others have repeatedly found the same (1, 2, 3, 4, 5).

180’s S3 system seeks to address these nonconsensual installations by showing users a notice screen before 180solutions software installs onto their PCs. 180’s distributors are now supposed to run 180’s “stub” installer to display this notice screen; then users can choose whether or not to proceed. See example screen at right.

As a threshold matter, I don’t think 180’s S3 screen provides an accurate, truthful, complete disclosure of 180’s important effects. As I explained last month, the S3 screen oddly describes 180 only as showing “ads,” without mentioning that these ads appear in “pop-ups” — the essential characteristic reasonable users most need to know in order to decide whether they want 180’s software. The S3 screen also fails to describe the important privacy effects of installing 180’s software — that 180’s software will tell 180’s servers many of the sites users visit. The S3 screen does show a EULA — but it’s in an oddly-shaped box, and its text can’t be copied to the clipboard. Finally, the S3 screen labels its affirmative button “Finish” — even though the S3 screen is known to appear in circumstances where it is the first screen mentioning installation of 180’s software. A user cannot be asked to “finish” what he has not yet agreed to start; an “I agree” or “I accept” label would more clearly indicating the consent that the button is claimed to grant.

But beyond these important problems of wording and layout, the S3 installer also features a fundamental design flaw: Self-interested installers can easily bypass the S3 prompt. Installers can easily fake a click on the “Finish” button — just by simulating a single stroke of the “enter” key, or by simulating a click on a predictable button location. So faking a user’s consent is trivial — just a single Windows SendKeys API call.

Sure enough, my “X” installation reflects an installer using exactly these methods. In my video of X’s exploit-based installation of 180, the S3 notice was visible on screen for less than half a second — between 19.08 seconds and 19.57 seconds into the video. During that half-second, exploit-delivered software (installed on my test PC mere seconds before) pressed “Finish,” at which point 180 completed its installation, putting itself in my System Tray (next to the Windows clock), beginning to download its supplemental files, and beginning to monitor my web browsing.

180’s Bad Partners and 180’s Flawed Business Model

180 seems to intend its S3 installer to protect 180 and users from the untrustworthiness of 180’s distribution partners. 180 is right to think that S3 makes it somewhat harder for distributors to install 180 without getting users’ consent. But the increase in difficulty isn’t much — certainly not enough to deter any serious installer. Those who want to get paid for installing 180 will find that S3 presents at most a small speedbump; it’s hardly the airtight blockade 180’s press release claims.

For 180, the appropriate response to nonconsensual installations is not merely a small improvement in installer program design. Rather, 180 should rethink its entire distribution business model. 180 has repeatedly written about the “long tail” of distributors (1, 2, 3) — 180’s plan for thousands of different web sites installing 180’s software when users browse their materials, and thousands of different programs bundling 180. It’s an interesting vision, but in my view impractical and unwise. With so many distributors, 180 will be unable to assure that each distributor really does obtain consent — rather than cheating the system, as X did.

180’s October press release correctly describes the serious harms that occur when users receive many advertising programs. “A myriad of unwanted software … can often negatively impact system performance,” 180 admitted. But 180 then claimed that S3 would keep 180 out of such bundles. I disagree. According to my records, the installation at issue also installed Ad-w-a-r-e, Adservs, Integrated Search Technologies, Internet Optimizer, Media Tickets, New.net, Quicklinks, Surfsidekick, Tagasaurus, Targetsaver, Toolbar888, Ucmore, Webhancer, Web Nexus, WinFixer, and more. These many programs collectively bombarded my test PC with an incredible 730 registry keys, 1194 registry values, 461 files, and 43 file folders. Worse, the newly-installed programs caused 61 processes to run on my test PC, via 24 EXEs set to load each time I turned on my computer. The programs even added three different toolbars to my web browser. This overwhelming burden made it difficult even to inventory and track the programs’ additions and effects. So many co-bundled programs hardly satisfy the “prevent[ing] customers … from receiving a myriad of unwanted software” promise in 180’s press release.

Why “X” and an Obscured Video?

Long-time visitors to my web site may reasonably wonder: Why the markings in my screen-capture video? And why refer to the 180 distributor as “X,” rather than by its actual name and URL? After all, I’ve long provided video proof of my observations, and I’ve been naming names ever since my 2003 listing of advertisers using Gator (now Claria).

But I’ve run out of patience for being outside quality control staff for 180solutions. An episode last month was particularly instructive: Security company FaceTime found an AOL Instant Messenger worm that was installing 180solutions. 180’s response? After FaceTime reported the details, 180 trivialized the finding and issued a self-serving press release. Rather than admit that their software still becomes installed improperly, 180 danced around the issue and tried to use these wrongful installations to obtain a public relations benefit.

CDT‘s experience with 180 is similarly instructive. After two years of alerting 180solutions to its various bad practices, CDT recently ceased working with 180, instead electing to file a complaint with the FTC.

I too have decided no longer to share my work with 180solutions. As discussed in the preceding section, I have concluded that 180’s business model is fundamentally broken — that 180 cannot implement technology or enforcement to assure the proper installation of its software. Accordingly, just as CDT terminated its discussions with 180, I have resolved not to tell 180solutions which specific distributor was responsible for this installation.

Despite my decision not to work with 180 on resolving these installations, I will make my research available to those with a legitimate need to know. I expect to provide (and in some cases already have provided) this information to law enforcement officials considering action against 180solutions, to private attorneys in litigation against 180solutions, to members of the press seeking to verify my findings, and to other security researchers. Please contact me to request the original raw video file. As usual, I also retain full packet logs, raw screen-captures, registry change logs, filesystem change logs, HijackThis logs, Ad-Aware logs, and additional records.

Update (February 24): My Response to 180’s Press Release

180solutions has found and terminated the distributor I described above, which I’m now happy to reveal was crosskirknet.com. But what a road to get there! 180’s press release suggests 180 figured this all out within hours of my initial post. I’m convinced that that’s false. First, 180 terminated some other bad installer — only later realizing that the installer I found was someone different. Sunbelt has the details — how we figured out (and proved) that 180 hadn’t cut off this installer when 180 issued the press release saying they had. In a blog post, 180 now admits that we’re right and their press release was wrong. (Of course the right response to a false statement in a press release is a correction press release, not a mere blog post. Otherwise, many readers might get the press release, e.g. via the news wire, but never see the blog post.).

180’s press release claims that S3 “enabled the company to go back and re-message every user who received its software [from this nonconsensual installer] and provide them a one-click uninstall.” 180’s blog says the same: “We re-messaged each of [these] installs and provided … a one-click uninstall of our software.” In both documents, 180 writes in the past tense (“enabled”, “re-messaged”, “provided” ), seemingly indicating that these re-notifications have already occurred. But I have yet to receive any such prompt, despite substantial efforts to seek it out (e.g. by repeatedly restarting my test PC). I’ve also received many 180solutions ads on my infected test PC, despite 180’s claim that it “shut off all advertisements to all installs” from this distributor. So here too, I think 180’s statements are off-base. 180 may intend or aspire to provide renotifications, and 180 may intend to shut off ads. But by all indications, 180 hasn’t actually done so, at least not yet. I’ve confirmed my findings with Sunbelt; they haven’t seen this re-notification either, and they’re still getting ads too.

180’s press release quotes 180’s CEO as saying “No software is ever hack-proof.” I agree. But 180 has previously made public statements falsely indicating that its software is not susceptible to those who want to install 180 without consent. Recall 180’s S3 Whitepaper (PDF), explicitly stating “[I]nstallation cannot continue until the user gives consent” and “Publishers are unable to turn [the consent screen] off” (emphasis added). These are not claims of mere hopes or aspirations. No, 180 promised that installation “cannot” proceed without consent. But now that I’ve disproven 180’s claim, 180 tries to backpeddle and to weaken its unambiguous statement. The better approach would be to admit that 180’s prior promises went too far, and that 180’s software cannot actually deliver the benefits 180 previously described.

180’s press release concludes with a section 180 labels “a call for ‘responsible disclosure’.” Citing practice among those who find security vulnerabilities in widely-deployed software, 180 says researchers should tell 180 when they find nonconsensual installations of its software, rather than keep this information to themselves or provide it to law enforcement. I understand that 180 would like to receive this information, and I do follow responsible disclosure principles when I find software vulnerabilities. But responsible disclosure principles just don’t apply to records of nonconsensual installations.

Responsible disclosure principles seek to prevent hackers from taking advantage of newly-uncovered security vulnerabilities. If hackers learned about vulnerabilities before software vendors had time to prepare patches, users would face increased security risks, with few good options for protection. So responsible disclosure principles have a clear purpose and a clear benefit to users — which is why I followed these principles when I previously found vulnerabilities in widely-deployed software.

But what I uncovered, above, is not a security vulnerability. I didn’t find a new security hole, or a new way to take advantage of some existing hole. All I found was some bad guy who’s already using these methods — and who 180 has been prepared to pay for his efforts. There’s no heightened risk of harm to users from my reporting what’s already happening. Perhaps this particular bad actor got to continue his scheme for a few more days while 180 struggled to figure out who was responsible. But that’s the entire harm that resulted from my refusal to tell 180 what happened — that’s the usual, background, ongoing risk of harm; it’s not a heightened risk created by my disclosure itself. When I posted information about these nonconsensual 180 installs, I didn’t put users at special risk of any worm or exploit, in the way that responsible disclosure principles intend to prevent.

So where does this leave us? 180’s S3 system is still broken in all the ways I initially set out. 180’s press release made claims that can be shown to be false, as did 180’s prior statements of S3’s benefits, but 180 has not properly retracted its false statements. And 180’s analogies don’t add up. I’d still like to see 180 spend more time improving its practices, and less time on premature press releases and public relations.

Thanks to TechSmith for providing me with a complimentary license of its Camtasia Studio, the video annotation software I used to mark up my screen-capture video of this installation.

Pushing Spyware through Search

This article uses data from SiteAdvisor, a company to which I serve as an advisor.

Much of the computer security industry acts like spyware is immaculately conceived. Somehow it just appears on computers, we are led to believe, and supposedly all we can do is clean up the mess after it happens, rather than prevent it in the first place. I disagree.

Now, we all love Google. I use Google’s search site all day every day, and I enjoy their downloadable applications too. So I have the greatest respect for Google’s core service. But there’s another side to their business. Indirectly, Google and other search engines make big money from spyware, through paid search advertising that infects users who don’t know any better or don’t understand what they’re getting into.

Consider a Google search for “screensavers”:

Risky Entries in 'Screensavers' Search Results

The colored icons next to search results were inserted not by Google, but by the SiteAdvisor client application, based on the results of SiteAdvisor’s automated tests for each listed site. Six of Google’s ten sponsored links get “red” or “yellow” ratings — generally indicating unwanted advertising through spyware or, in some instances, high-volume commercial email. But without SiteAdvisor (or some similar protection), users would have no idea which sites were safe; they’d be at great risk of clicking through to an unsafe site, ultimately risking installation of unwanted software.

Screensaver Advertisers’ Business Model

Google surrounds its “screensavers” search results with ten ads selected from interested Google advertisers. Whenever I see a company buying an ad (online or offline) for a “free” product, I ask myself: How do they make money? With few exceptions, companies only buy online advertising when they expect to get something directly in return. (There are exceptions — dot-com bubble “eyeball” purchases, Fortune 500 “brand building,” perhaps some free ads offered by the Google Foundation.) But in the case of these screensaver providers, they’re almost certainly making money somehow if they can afford to pay Google’s high pay-per-click prices.

So how do Google’s screensaver advertisers make money? Most of Google’s screensaver advertisers really do offer screensavers that are “free” in the sense that users need not provide a credit card number. But they’re not free in the sense of being available without substantial adverse effects. Quite the contrary: Users must put up with various forms of intrusive advertising.

Let’s look at funscreenz.com, a top-ten Google advertiser for “screensavers.”

"Funscreenz installation page

Funscreenz.com is owned by BestOffersNetwork, which is another name for notorious “adware” company Direct Revenue. Recall Direct Revenue’s Newsweek profile – plenty of users (and multiple lawsuits) alleging that their software installs improperly and, in many cases, without consent. I’ve previously documented Direct Revenue installed in tricky popups, via false claims of purportedly-required add-ons, and through exploits without any consent at all.

Of course Funscreenz is not alone. Also in top “screensavers” Google results are ads for Claria, Ask Jeeves, and various adware bundlers (who distribute changing or multiple advertising programs). One top Google “screensaver” advertiser sends 15+ emails per week to those who provide an email address to get a screensaver. Results at Yahoo and MSN are similar.

Estimating Search Engine Revenues from Spyware Infections

Every time a user clicks through a search engine ad, the search engine gets paid. Google doesn’t ordinarily say how much advertisers pay. But Yahoo (which does) charges about $0.25 for a “screensavers” click. Let’s do some math. Of the users who click through to screensavers.com, suppose 10% actually download a screensaver – a conversion rate most web sites would celebrate. Then screensavers.com needs to earn $2.50 per download ($0.25/10%) just to break even. That’s a lot of money per download. But they’re buying the ads anyway, and they’re savvy decision-makers. So we can deduce that this site grosses at least $2.50 per download.

How much money do search engines make from these ads? Some initial back-of-the-envelope estimates: According to Yahoo’s keyword inventory tool, “screensaver” (and its hundred most common variants) received about 2.3 million searches in December 2005. Suppose 20% of those searchers clicked on paid links. (That’s conservative, since ads fill more than half of typical users’ screens.) As estimated above, suppose Yahoo collects $0.25 per paid click. Then Yahoo made about $115,000 in December 2005 from “screensaver” and variants. Throw in Google, with its bigger market share, and “screensaver” likely yields about $250,000 of revenue per month.

Of course, not all “screensaver” ads ultimately yield spyware. But from SiteAdvisor’s tests, it seems at least 60% push spyware, spam, or similar unwanted materials. So Google and Yahoo’s “dirty” revenue, from dubious screensavers ads, is probably about $150,000 per month.

But “screensaver” is only one of many terms that commonly leads to spyware and adware. I’ll look at other risky keywords in future articles, as I try to measure the prevalence of this problem in greater detail. Reviewing traffic data from Yahoo’s inventory tool, I’m confident that similarly-affected keywords total at least fifteen times the traffic to “screensavers.” Then Google and Yahoo make about $2.2 million per month, or $26 million per year, through this spyware-pushing advertising. That may not be big money to them, but to my eye it’s a lot.

Clearly there are quite a few estimates here. Send email for methodological improvements and alternative data sources.

Closing Thoughts

As with so many great Internet inventions, the bad guys have stormed the gates of search engines. Now is the time to start fighting back. That doesn’t mean search engines should blacklist every company I ever criticize, but some “adware” vendors are so shady that search engines could proudly refuse their money. Responsibility starts at home. More on search engines’ possible strategies in a future article.

Past work on search engines funding spyware: Yahoo ads syndicated into spyware, Google ads shown through spyware-delivered popups and other vendors’ improperly-installed toolbars.

Affiliate Hall of Shame updated February 19, 2006

I’ve always had high hopes for affiliate marketing — a great way for small web sites to cover their costs and make a reasonable return, by promoting well-known merchants relevant to their visitors. I stand by this optimism, in general. But after several years of watching this space, my expectations have fallen significantly. I’ve seen countless examples of “rogue” affiliates cheating their “partner” merchants. And I’ve seen plenty of underhanded practices from merchants too.

Popular wisdom says most “rogue” affiliates are small. The big guys have too much to lose by getting caught. So we can trust them to behave. Or can we?

Intro to Affiliate Marketing and Small-Time Rule Breakers

In principle there’s nothing unique about affiliate marketing: As in other marketing channels, merchants pay third parties to promote their products. And as in other marketing channels, sometimes this advertising goes terribly wrong — showing merchants’ ads in ways that don’t reflect well on the merchant or the ad channel, cheating merchants by claiming payments not fairly earned, and siphoning payments from other ad channels.

What’s notable about affiliates is the relative prevalence of bad practices. Through affiliate networks, merchants sign up to advertise with hundreds of small companies (and individuals) they don’t really know and haven’t reasonably investigated. Worse, when an affiliate gets caught breaking the rules, the affiliate often just signs up under a new name: Having earned little reputation, the affiliate has little to lose, so there’s little penalty for starting fresh under a new name. With such limited accountability, enforcement is tougher than in other channels. Hence my sense that there are more bad actors in affiliate marketing than in other kinds of marketing.

I show examples of these problems in my September piece on affiliates funding spyware and simultaneously defrauding merchants. See also my Affiliate Summit slides showing new examples of similar practices.

Of course not all affiliate fraud uses spyware. There’s affiliate cookie-stuffing, whereby affiliates claim commissions without users actually clicking through a link to merchants’ sites. (This violates networks’ rules, which say a merchant only has to pay a commission if a user clicks a link.) See also my index of additional affiliate research and testing.

In calling these rule-breakers “small,” I don’t mean to say they don’t make real money by cheating merchants. Quite the contrary! But these “small” affiliates earn fees without developing brand names for themselves. They’re “small” in the sense of appearing and disappearing willy-nilly, without anyone much caring or, in many cases, even noticing.

Big Affiliates Breaking the Rules: CoolSavings and MyPoints

With slim to nonexistent reputations, small affiliates are often tempted to flout the rules. But major affiliates also compromise ethics in order to increase profits.

Notorious among affiliates gone bad is ShopAtHomeSelect, whose software has been widely installed without consent and has been widely observed to “force clicks” without an affirmative end user action. These practices got SAHS kicked out of CJ in fall 2005. But oddly SAHS remains in LinkShare.

Turning to fresh research: Consider well-known affiliates CoolSavings and MyPoints. CoolSavings is a $16.7+ million company, featured in various LinkShare promotional materials, even touted in Wall Street Journal coverage of affiliate marketing. MyPoints is featured in a CJ case study, and LinkShare lists MyPoints with just five other premium “partners” on a special page. So CoolSavings and MyPoints are big, well-respected affiliates. If they don’t follow the rules, no one will.

As it turns out, CoolSavings and MyPoints are widely violating applicable rules. Despite clear prohibitions from affiliate networks, both CoolSavings and MyPoints recently began using “adware” (“spyware,” most users would say) to recruit new users, at the expense of their targeted “partner” merchants. See screenshots below, showing CoolSavings and MyPoints receiving traffic from Direct Revenue. When users visit targeted merchants, Direct Revenue shows CoolSavings or MyPoints pop-ups, which encourage users to register and ultimately to click through to merchants’ sites. Then merchants end up paying CoolSavings or MyPoints for users they already had — expenses they need not have paid, but for CoolSavings’ and MyPoints’ intervention.

CoolSavings Targeting Buy.Com via Direct  Revenue   MyPoints Targeting a CJ Merchant via Direct  Revenue
CoolSavings Targeting Buy.Com via Direct Revenue
(January 12, 2006)
  MyPoints Targeting a CJ Merchant via Direct Revenue
(January 2, 2006)

CoolSavings and MyPoints’ ads violate applicable affiliate network rules. Commission Junction prohibits affiliates from buying media from “ad services that download and install software on an end user’s computer” — so traffic from Direct Revenue is clearly off-limits. But that’s not the only rule these pop-ups violate. Recall CJ’s rule against “in any manner … modif[ying]” others’ sites. And LinkShare forbids (PDF) “alter[ing] in any manner the Web user’s … view … of … any network affiliate webpage” (rule 1.(a)(i)).

In my view, these Direct Revenue-delivered pop-ups are serious offenses against the targeted merchants. CoolSavings’ and MyPoints’ pop-ups appear as users browse affiliate merchants’ web sites. For example, a CoolSavings pop-up (shown above, at left) appeared as I browsed Buy.com, a CoolSavings partner: Buy.com pays CoolSavings for sending it customers. But despite this alliance and despite applicable affiliate network rules, CoolSavings still uses use Direct Revenue to grab Buy.com customers.

When MyPoints performs similar targeting of its merchant partners, MyPoints explicitly attempts to capitalize on its partners’ goodwill. In the areas blocked out in green (in the right screenshot above), MyPoints specifically names the company a user was visiting before MyPoints interrupted. These references give MyPoints’ ads a further appearance of legitimacy. But the references simultaneously tarnish MyPoints’ partners’ good names — by putting their names into Direct Revenue pop-ups.

Earlier this month, I brought MyPoints’ use of Direct Revenue to the attention of a targeted CJ merchant. Since that report, I haven’t seen many MyPoints pop-ups appearing through Direct Revenue. But affiliates ought to comply with applicable rules from the get-go, without me first identifying or reporting infractions. Merchants should demand no less.

I will update this piece with any material statements I receive from merchants, networks, or CoolSavings or MyPoints. I will be particularly interested in penalties, if any, assessed against these affiliates for their violations of networks’ rules.


Update (January 31): I have received no response from CoolSavings, MyPoints, or any affiliate network. But despite my public documentation of CoolSavings’s practices, CoolSavings’s “adware”-delivered ads continue. See screenshot below, showing a CoolSavings FreeStyleRewards popup delivered by 180solutions (“Zango”), as users browse Circuit City’s web site.

CoolSavings Targeting Buy.Com via Direct  RevenueCoolSavings’ FreeStyleRewards Continues to Target Circuitcity.com via 180solutions (January 28, 2006)

FreeStyleRewards’ merchant list (registration required) confirms that Circuit City is a FreeStyleRewards advertiser. So not only is CoolSavings FreeStyleRewards buying adware-delivered traffic (in specific violation of an applicable Commission Junction rule), but FreeStyleRewards is also targeting its business partner’s traffic.

CoolSavings FreeStyleRewards cannot claim ignorance of its traffic sources. For one, these practices have been publicly-documented for two weeks, since my initial January 16 article. Furthermore, 180 sends traffic to a FreeStyleRewards URL that specifically confirms CoolSavings FreeStyleRewards’s knowledge of the traffic’s origin: http://www.freestylerewards.com?ref=metricsdirect&bn=www_circuitcity_com&bl=lp-ce . Notice the highlighted reference to MetricsDirect, the advertising sales division of 180solutions.


Update (February 17): I have received a statement from MyPoints. I quote it here in its entirety:

“MyPoints is a leader in permission-based marketing and is firmly committed to marketing ourselves through channels and with products that respect the privacy and experience of consumers and deepen our productive relationships with our advertisers.

From November 2005 through the middle of January 2006, MyPoints ran a small-scale campaign with an “adware” firm.

When we became aware that the campaign might be in conflict with the best interests of our advertisers, we immediately pulled the advertisements and terminated our relationship with the company.

MyPoints will continue to be extra diligent with regard to selection of acquisition partners. We maintain extremely strong relationships with the affiliate networks and their merchant partners. MyPoints continues to be a leader in opt-in marketing and sets the highest bar possible with respect to privacy, permission and choice.”


CoolSavings Targeting Buy.Com via Direct  RevenueCoolSavings Continues to Target Its Merchants via Hotbar
(February 19, 2006)

Update (February 19): I have continued to observe CoolSavings ads appearing through advertising software, still in violation of applicable CJ rules and stil targeting CoolSavings merchants. See screenshot at right, observed last week on a PC running Hotbar, as I browsed the web site of a CoolSavings merchant.

180’s Newest Installation Practices

I’ve previously covered a variety of misleading and/or nonconsensual installations by 180solutions. I’ve recorded numerous installations through exploits (1, 2, 3, 4, 5) — without any user consent at all. I’ve found installations in poorly-disclosed bundles — for example, disclosing 180’s inclusion, but only if users happen to scroll to page 16 of a 54-page license. I’ve even documented deceptive installations at kids sites, where 180 installs without showing or mentioning a license agreement.

The Doll Idol site, which encourages users to install 180 software without a frank disclosure of 180's true effects.The Doll Idol site, which encourages users to install 180 software without a frank disclosure of 180’s true effects.

180 has cleaned up some of these practices, but the core deception remains. 180 still installs its software in circumstances where reasonable users wouldn’t expect to receive such software — including web sites that substantially cater to kids. And users still aren’t fairly told what they’re slated to receive. 180 says that it shows “advertising,” but no on-screen text warns users that these ads appear in much-hated pop-ups. 180 systematically downplays the privacy consequences of installing its software — prominently telling users what the software won’t do, but failing to disclose what the software does track and transmit. All told, users may have to press a button before 180 installs on their computer, but users can’t reasonably be claimed to understand what they’re purportedly accepting.

Screenshots and detailed analysis:

180solutions’s Misleading Installation Methods – Dollidol.com

Cleaning Up Sony’s Rootkit Mess updated December 17, 2005

Late last month, Windows expert Mark Russinovich revealed Sony installing a rootkit to hide its “XCP” DRM (digital rights management) software as installed on users’ PCs. The DRM software isn’t something a typical user would want; the “rights” it manages are Sony’s rights, i.e. by preventing users from making copies of Sony music, and this protection for Sony comes at the cost of 1%-2% of CPU time (whether or not users are playing a Sony CD). Notably, Sony didn’t disclose its practices in its installer or even in its license agreement. At least as bad, Sony initially provided no uninstall for the rootkit, and when Sony added an uninstaller, the process was needlessly complicated, prone to crashing, and a security risk. See timeline & index, parts 1 and 2.

Having bungled this situation, Sony has recalled affected CDs and announced an exchange program to swap customers’ affected CDs for XCP-free replacements. For savvy consumers who have followed this story, the exchange looks straightforward. But what about ordinary users, who don’t read the technology press and aren’t likely to learn their rights?

As it turns out, there’s a clear solution: A self-updating messaging system already built into Sony’s XCP player. Every time a user plays a XCP-affected CD, the XCP player checks in with Sony’s server. As Russinovich explained, usually Sony’s server sends back a null response. But with small adjustments on Sony’s end — just changing the output of a single script on a Sony web server — the XCP player can automatically inform users of the software improperly installed on their hard drives, and of their resulting rights and choices.

Sony’s Messaging System; A Demonstration Message

The Sony messaging system works as follows: Whenever a user plays an affected XCP CD, and whenever a user browses within certain sections of the player, the player sends a message to Sony’s connected.sonymusic.com server. A typical outbound message is shown below. A “uId” parameter (yellow) marks the CD being played and the specific section of the player in use.

GET /toc/Connect?type=redirect&uId=1171 HTTP/1.1
Accept: application/*, audio/*, image/*, message/*, model/*, multipart/*, text/*, video/*
User Agent: SecureNet Xtra
Host: connected.sonymusic.com
Connection: Keep Alive
Cache Control: no cache

Sony’s web server typically replies with a reference to a “nobanner.xml” file (green).

HTTP/1.1 302 Moved Temporarily
Set Cookie: ARPT=JKXVXZS64.14.39.161CKMJU; path=/
Date: Sat, 12 Nov 2005 18:36:49 GMT
Server: Apache/1.3.27 (Unix) mod_ssl/2.8.14 OpenSSL/0.9.7d
Location: http://www.sonymusic.com/access/banners/nobanner.xml
Keep Alive: timeout=10
Connection: Keep Alive
Transfer Encoding: chunked
Content Type: text/plain
<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor=”#FFFFFF”>
<p>This document you requested has moved temporarily.</p>
<p>It’s now at <a href=”http://www.sonymusic.com/access/banners/nobanner.xml“>http://www.sonymusic.com/access/banners/nobanner.xml</a>.</p>
</body></html>

In place of this “nobanner” response, what if Sony’s connected server instead replied by sending a reference to a XML file that included relevant, timely disclosures? Using the HOSTS file on a test PC, I caused my test PC to think the connected.sonymusic.com server was at an IP address I controlled (rather than on a real Sony server). I then wrote a replacement /toc/Connect?… script that sent back a reference to an XML file I wrote, rather than the ordinary reference to Sony’s nobanner.xml file. Finally, I posted an XML banner configuration file. Notice my inclusion of a banner image (blue) and a hyperlink (red).

<?xml version=”1.0″ encoding=”UTF-8″ ?>
<rotatingbanner>
<banner src=”http://www.benedelman.org/sony/image1.jpg” href=”http://cp.sonybmg.com/xcp/” time=”4000″ />
</rotatingbanner>

In my test environment, Sony’s XCP player automatically retrieved my XML file, then retrieved the banner and showed it within the large banner box at the bottom of the player. Clicking the banner opened a browser window to the URL specified in the HREF parameter.

A notification banner shown in my Sony XCP Player, demonstrating the feasibility of using the banner system to notify users of the software installed on their computers.A notification banner shown in my Sony XCP Player, demonstrating the feasibility of using the banner system to notify users of the software installed on their computers.

For a very few artists, Sony already uses the notification system to provide updates to the XCP player’s information screens. Fortunately, the banner system explicitly anticipates placing multiple pieces of information in a single banner space. Notice the “rotatingbanner” and “time” constructs in the XML banner file above. If the <banner> tag is repeated, the XCP player automatically rotates between the specified images.

Implications and Discussion

Sony’s recall of affected CDs is a sensible start in undoing the harm and ill will XCP has caused. But for the recall to make a meaningful difference — in actually helping ordinary users, not just in improving Sony’s PR standing — Sony needs to spread the word widely.

Unlike Amazon (which already emailed users who bought an affected CD), Sony does not know the names or addresses of affected customers. But Sony’s existing banner messaging system gives Sony an easy, cost-effective way to reach them. Sony should implement the method described above. Via these banners, Sony can assure that as many affected consumers as possible have timely, authoritative information about what has been done to their computers and about how Sony offers to make them whole.

What I propose is not an auto-updater as that term is generally used. A “real” auto-updater downloads and installs executable program code onto a user’s computer. In contrast, my demonstration downloads only data — a single XML configuration file and a single graphic image. The difference has substantial implications for computer security and user control: Downloading and running executable code risks a substantial intrusion onto users’ PCs, for lack of any technology-enforced limit to what the auto-updater can do. In contrast, merely updating graphics entails no clear harms to computer security or reliability.

Sony’s initial inclusion of self-updating message screens entails clear privacy consequences — transmissions to Sony servers that report users’ IP addresses, playing habits, and CDs on hand. But these transmissions occur whether Sony sends a null “nobanner” answer or sends a useful banner with information users urgently need. Under the circumstances, Sony might as well put the notification system to use.

Sony Takes My Suggestion       (This section added on December 17, 2005.)

Sony has accepted my suggestion of using XCP’s existing banner system to notify users about the XCP software. Today, upon inserting an affected Sony XCP CD, I received the banner shown below. Clicking the banner led me to http://cp.sonybmg.com/worldwide and onwards to instructions to update XCP (including removing the XCP rootkit) or to remove XCP altogether.

An actual banner shown in my Sony XCP Player on December 17, 2005.An actual banner shown in my Sony XCP Player on December 17, 2005.