Critiquing ITSA’s Pro-Adware Policy

These days, few advertisers defend “adware” advertising. It seems the world has largely noticed: Consumers hate adware-delivered popup ads. It’s rare that any consumer intentionally installs adware with an accurate understanding of what lies ahead. Since consumers don’t want adware, adware vendors get onto users’ computers by trickery and deception, without appropriate disclosures and informed consent. Problems plague even those vendors that claim to have reformed. (Recall Claria soliciting installations through other vendors’ nonconsensually-installed spyware and removing important phrases from its disclosures.)

Despite the rising backlash against adware, the Interactive Travel Services Association recently offered a rare contrary view. In its Statement Regarding the Use of Marketing Software Applications (PDF), ITSA effectively endorsed adware. ITSA claims adware “can be useful to many consumers because it provides timely, relevant and money-saving information.” Despite the bad consumer experience and lousy value proposition, ITSA goes on to say adware advertising is just fine, under strikingly vague and weak conditions.

My challenge to ITSA executives: Install Direct Revenue “adware” on your PCs for a month. Then report how much time and money you save.

I don’t understand why ITSA published these guidelines. Certainly I see why ITSA members want to discuss the problem of adware, and why they want to come to a joint decision on stopping bad advertising practices. After all, Expedia would understandably hesitate to stop targeting (say) Orbitz, if there was reason to worry Orbitz would keep running ads that target Expedia. This prisoner’s-dilemma problem calls for the intervention of a trade association, and ITSA seems a natural choice. But the right result from such intervention is to prohibit these bad practices and enforce members’ future compliance — not to sugar-coat the problem.

ITSA members aren’t gaining anything from adware. To the contrary, they pay big fees to adware vendors, but they’re often just trading customers who are already at ITSA member sites. Expedia would be better served by a policy that prevents Orbitz and Travelocity from stealing its traffic, in exchange for a reciprocal promise that Expedia will behave accordingly. Such a policy would serve consumers too, by reducing the funding available to adware vendors and limiting their incentives to sneak onto users’ PCs. That’s the approach I’d like to see from ITSA.

If ITSA is up for a challenge, it could focus on getting travel vendors’ ads out of adware — starting with its own members. ITSA member Cendant owns Cheap Tickets, Howard Johnson, and Super 8 — all three of which are still advertising with Direct Revenue. So is Travelocity. (All confirmed just yesterday, March 30.) Yesterday I also saw Cendant’s Budget Rent A Car still advertising with 180solutions, and Travelocity and Orbitz advertising with Hotbar. Is this what the new ITSA policy will bring? More advertisers for 180solutions, Direct Revenue, and Hotbar, but now with an ITSA stamp of approval? In my view, ITSA should focus on cleaning up its members’ practices, rather than singing adware vendors’ praises.

As best I can tell, adware vendors are the only group that benefits from ITSA’s new policy. No wonder 180solutions endorses ITSA’s approach.

See also criticism from travel expert and consumer advocate Christopher Elliott.

Advertisers Funding 180solutions

I’ve long believed that the spyware explosion results primarily from advertisers’ payments. It’s easy to see why advertisers love spyware: Where better to get a customer, than someone who is about to buy from a direct competitor? And spyware-delivered ads are so exceptionally intrusive — often full-screen pop-ups — that they’re likely to drive sales, even if users dislike the pop-up format.

Spyware advertising also suffers from a race-to-the-bottom effect. Consider a two-party example. If Expedia serves a big pop-up when users visit Orbitz, Expedia is likely to get lots of new customers from Orbitz. What should Orbitz do in response? They could sue, as many companies have. But more likely, they’ll just buy more spyware-delivered ads of their own — and try to grab back some of the users Expedia just took away. This yields high revenue to spyware vendors (in turn yielding more spyware), high costs to advertisers, and annoying popups for users. It’s nothing to celebrate.

With this problem in mind, I’ve written at length about spyware revenue models. My publications page shows a dozen articles on this subject, dating back to my 2003 report of advertisers using Gator (now Claria).

Today, the Center for Democracy and Technology posted a report (PDF) on the spyware advertising problem. Earlier this year, I provided CDT with a number of examples of advertisers still funding 180solutions (despite 180’s many known nonconsensual installations and other bad practices). See also my thumbnails of the ads I saw.

CDT’s report rightly criticizes advertisers that lack a policy for where their ads can appear. Of course just having a policy may not be enough. Apparently the travel industry has developed such a policy — yet I still see big travel companies advertising with Claria, Hotbar, and others. And travel companies’ partners and affiliates continue to advertise through the most notorious of spyware.

What comes next here? I’ve been pleased to see responsible advertisers withdrawing from the big-name spyware vendors — with a corresponding reduction in the number of users those vendors harm. That said, when advertisers terminate their direct relationships with spyware vendors, spyware vendors often find indirect ways to continue to get paid by the same advertisers. For example, spyware vendors show lots of pay-per-click ads (as I documented last year for Yahoo and Google [1, 2]). Spyware vendors also show affiliate ads (index of findings, some specific examples), syndicated banners, and more. At last week’s NYU/Princeton spyware conference, I showed new examples of some of these indirect relationships — including an example that combines spyware with click fraud against a Yahoo advertiser (slides 17-19). And CDT’s report (PDF, page 9) mentions my finding of many Netflix ads appearing through these indirect relationships, even after Netflix claimed my first example was “unique.” Common to all these examples: Advertisers’ ads appear in ways they didn’t specifically intend and often don’t even know about; and spyware vendors ultimately benefit from advertisers’ inattentiveness.

These ad syndication relationships will be a renewed priority for discussion on my site in the coming months. Sophisticated advertisers and ad networks need to understand that merely writing an ad policy won’t stop these bad relationships. Instead, advertisers need to establish testing procedures to make sure their ads actually comply with intended policy.

Pushing Spyware through Search

This article uses data from SiteAdvisor, a company to which I serve as an advisor.

Much of the computer security industry acts like spyware is immaculately conceived. Somehow it just appears on computers, we are led to believe, and supposedly all we can do is clean up the mess after it happens, rather than prevent it in the first place. I disagree.

Now, we all love Google. I use Google’s search site all day every day, and I enjoy their downloadable applications too. So I have the greatest respect for Google’s core service. But there’s another side to their business. Indirectly, Google and other search engines make big money from spyware, through paid search advertising that infects users who don’t know any better or don’t understand what they’re getting into.

Consider a Google search for “screensavers”:

Risky Entries in 'Screensavers' Search Results

The colored icons next to search results were inserted not by Google, but by the SiteAdvisor client application, based on the results of SiteAdvisor’s automated tests for each listed site. Six of Google’s ten sponsored links get “red” or “yellow” ratings — generally indicating unwanted advertising through spyware or, in some instances, high-volume commercial email. But without SiteAdvisor (or some similar protection), users would have no idea which sites were safe; they’d be at great risk of clicking through to an unsafe site, ultimately risking installation of unwanted software.

Screensaver Advertisers’ Business Model

Google surrounds its “screensavers” search results with ten ads selected from interested Google advertisers. Whenever I see a company buying an ad (online or offline) for a “free” product, I ask myself: How do they make money? With few exceptions, companies only buy online advertising when they expect to get something directly in return. (There are exceptions — dot-com bubble “eyeball” purchases, Fortune 500 “brand building,” perhaps some free ads offered by the Google Foundation.) But in the case of these screensaver providers, they’re almost certainly making money somehow if they can afford to pay Google’s high pay-per-click prices.

So how do Google’s screensaver advertisers make money? Most of Google’s screensaver advertisers really do offer screensavers that are “free” in the sense that users need not provide a credit card number. But they’re not free in the sense of being available without substantial adverse effects. Quite the contrary: Users must put up with various forms of intrusive advertising.

Let’s look at funscreenz.com, a top-ten Google advertiser for “screensavers.”

Funscreenz installation page

Funscreenz.com is owned by BestOffersNetwork, which is another name for notorious “adware” company Direct Revenue. Recall Direct Revenue’s Newsweek profile – plenty of users (and multiple lawsuits) alleging that their software installs improperly and, in many cases, without consent. I’ve previously documented Direct Revenue installed in tricky popups, via false claims of purportedly-required add-ons, and through exploits without any consent at all.

Of course Funscreenz is not alone. Also in top “screensavers” Google results are ads for Claria, Ask Jeeves, and various adware bundlers (who distribute changing or multiple advertising programs). One top Google “screensaver” advertiser sends 15+ emails per week to those who provide an email address to get a screensaver. Results at Yahoo and MSN are similar.

Estimating Search Engine Revenues from Spyware Infections

Every time a user clicks through a search engine ad, the search engine gets paid. Google doesn’t ordinarily say how much advertisers pay. But Yahoo (which does) charges about $0.25 for a “screensavers” click. Let’s do some math. Of the users who click through to screensavers.com, suppose 10% actually download a screensaver – a conversion rate most web sites would celebrate. Then screensavers.com needs to earn $2.50 per download ($0.25/10%) just to break even. That’s a lot of money per download. But they’re buying the ads anyway, and they’re savvy decision-makers. So we can deduce that this site grosses at least $2.50 per download.

How much money do search engines make from these ads? Some initial back-of-the-envelope estimates: According to Yahoo’s keyword inventory tool, “screensaver” (and its hundred most common variants) received about 2.3 million searches in December 2005. Suppose 20% of those searchers clicked on paid links. (That’s conservative, since ads fill more than half of typical users’ screens.) As estimated above, suppose Yahoo collects $0.25 per paid click. Then Yahoo made about $115,000 in December 2005 from “screensaver” and variants. Throw in Google, with its bigger market share, and “screensaver” likely yields about $250,000 of revenue per month.

Of course, not all “screensaver” ads ultimately yield spyware. But from SiteAdvisor’s tests, it seems at least 60% push spyware, spam, or similar unwanted materials. So Google and Yahoo’s “dirty” revenue, from dubious screensavers ads, is probably about $150,000 per month.

But “screensaver” is only one of many terms that commonly leads to spyware and adware. I’ll look at other risky keywords in future articles, as I try to measure the prevalence of this problem in greater detail. Reviewing traffic data from Yahoo’s inventory tool, I’m confident that similarly-affected keywords total at least fifteen times the traffic to “screensavers.” Then Google and Yahoo make about $2.2 million per month, or $26 million per year, through this spyware-pushing advertising. That may not be big money to them, but to my eye it’s a lot.

Clearly there are quite a few estimates here. Send email for methodological improvements and alternative data sources.

Closing Thoughts

As with so many great Internet inventions, the bad guys have stormed the gates of search engines. Now is the time to start fighting back. That doesn’t mean search engines should blacklist every company I ever criticize, but some “adware” vendors are so shady that search engines could proudly refuse their money. Responsibility starts at home. More on search engines’ possible strategies in a future article.

Past work on search engines funding spyware: Yahoo ads syndicated into spyware, Google ads shown through spyware-delivered popups and other vendors’ improperly-installed toolbars.

Affiliate Hall of Shame updated February 19, 2006

I’ve always had high hopes for affiliate marketing — a great way for small web sites to cover their costs and make a reasonable return, by promoting well-known merchants relevant to their visitors. I stand by this optimism, in general. But after several years of watching this space, my expectations have fallen significantly. I’ve seen countless examples of “rogue” affiliates cheating their “partner” merchants. And I’ve seen plenty of underhanded practices from merchants too.

Popular wisdom says most “rogue” affiliates are small. The big guys have too much to lose by getting caught. So we can trust them to behave. Or can we?

Intro to Affiliate Marketing and Small-Time Rule Breakers

In principle there’s nothing unique about affiliate marketing: As in other marketing channels, merchants pay third parties to promote their products. And as in other marketing channels, sometimes this advertising goes terribly wrong — showing merchants’ ads in ways that don’t reflect well on the merchant or the ad channel, cheating merchants by claiming payments not fairly earned, and siphoning payments from other ad channels.

What’s notable about affiliates is the relative prevalence of bad practices. Through affiliate networks, merchants sign up to advertise with hundreds of small companies (and individuals) they don’t really know and haven’t reasonably investigated. Worse, when an affiliate gets caught breaking the rules, the affiliate often just signs up under a new name: Having earned little reputation, the affiliate has little to lose, so there’s little penalty for starting fresh under a new name. With such limited accountability, enforcement is tougher than in other channels. Hence my sense that there are more bad actors in affiliate marketing than in other kinds of marketing.

I show examples of these problems in my September piece on affiliates funding spyware and simultaneously defrauding merchants. See also my Affiliate Summit slides showing new examples of similar practices.

Of course not all affiliate fraud uses spyware. There’s affiliate cookie-stuffing, whereby affiliates claim commissions without users actually clicking through a link to merchants’ sites. (This violates networks’ rules, which say a merchant only has to pay a commission if a user clicks a link.) See also my index of additional affiliate research and testing.

In calling these rule-breakers “small,” I don’t mean to say they don’t make real money by cheating merchants. Quite the contrary! But these “small” affiliates earn fees without developing brand names for themselves. They’re “small” in the sense of appearing and disappearing willy-nilly, without anyone much caring or, in many cases, even noticing.

Big Affiliates Breaking the Rules: CoolSavings and MyPoints

With slim to nonexistent reputations, small affiliates are often tempted to flout the rules. But major affiliates also compromise ethics in order to increase profits.

Notorious among affiliates gone bad is ShopAtHomeSelect, whose software has been widely installed without consent and has been widely observed to “force clicks” without an affirmative end user action. These practices got SAHS kicked out of CJ in fall 2005. But oddly SAHS remains in LinkShare.

Turning to fresh research: Consider well-known affiliates CoolSavings and MyPoints. CoolSavings is a $16.7+ million company, featured in various LinkShare promotional materials, even touted in Wall Street Journal coverage of affiliate marketing. MyPoints is featured in a CJ case study, and LinkShare lists MyPoints with just five other premium “partners” on a special page. So CoolSavings and MyPoints are big, well-respected affiliates. If they don’t follow the rules, no one will.

As it turns out, CoolSavings and MyPoints are widely violating applicable rules. Despite clear prohibitions from affiliate networks, both CoolSavings and MyPoints recently began using “adware” (“spyware,” most users would say) to recruit new users, at the expense of their targeted “partner” merchants. See screenshots below, showing CoolSavings and MyPoints receiving traffic from Direct Revenue. When users visit targeted merchants, Direct Revenue shows CoolSavings or MyPoints pop-ups, which encourage users to register and ultimately to click through to merchants’ sites. Then merchants end up paying CoolSavings or MyPoints for users they already had — expenses they need not have paid, but for CoolSavings’ and MyPoints’ intervention.

CoolSavings Targeting Buy.Com via Direct Revenue (January 12, 2006)
MyPoints Targeting a CJ Merchant via Direct Revenue (January 2, 2006)

CoolSavings and MyPoints’ ads violate applicable affiliate network rules. Commission Junction prohibits affiliates from buying media from “ad services that download and install software on an end user’s computer” — so traffic from Direct Revenue is clearly off-limits. But that’s not the only rule these pop-ups violate. Recall CJ’s rule against “in any manner … modif[ying]” others’ sites. And LinkShare forbids (PDF) “alter[ing] in any manner the Web user’s … view … of … any network affiliate webpage” (rule 1.(a)(i)).

In my view, these Direct Revenue-delivered pop-ups are serious offenses against the targeted merchants. CoolSavings’ and MyPoints’ pop-ups appear as users browse affiliate merchants’ web sites. For example, a CoolSavings pop-up (shown above, at left) appeared as I browsed Buy.com, a CoolSavings partner: Buy.com pays CoolSavings for sending it customers. But despite this alliance and despite applicable affiliate network rules, CoolSavings still uses Direct Revenue to grab Buy.com customers.

When MyPoints performs similar targeting of its merchant partners, MyPoints explicitly attempts to capitalize on its partners’ goodwill. In the areas blocked out in green (in the right screenshot above), MyPoints specifically names the company a user was visiting before MyPoints interrupted. These references give MyPoints’ ads a further appearance of legitimacy. But the references simultaneously tarnish MyPoints’ partners’ good names — by putting their names into Direct Revenue pop-ups.

Earlier this month, I brought MyPoints’ use of Direct Revenue to the attention of a targeted CJ merchant. Since that report, I haven’t seen many MyPoints pop-ups appearing through Direct Revenue. But affiliates ought to comply with applicable rules from the get-go, without me first identifying or reporting infractions. Merchants should demand no less.

I will update this piece with any material statements I receive from merchants, networks, or CoolSavings or MyPoints. I will be particularly interested in penalties, if any, assessed against these affiliates for their violations of networks’ rules.


Update (January 31): I have received no response from CoolSavings, MyPoints, or any affiliate network. But despite my public documentation of CoolSavings’s practices, CoolSavings’s “adware”-delivered ads continue. See screenshot below, showing a CoolSavings FreeStyleRewards popup delivered by 180solutions (“Zango”), as users browse Circuit City’s web site.

CoolSavings’ FreeStyleRewards Continues to Target Circuitcity.com via 180solutions (January 28, 2006)

FreeStyleRewards’ merchant list (registration required) confirms that Circuit City is a FreeStyleRewards advertiser. So not only is CoolSavings FreeStyleRewards buying adware-delivered traffic (in specific violation of an applicable Commission Junction rule), but FreeStyleRewards is also targeting its business partner’s traffic.

CoolSavings FreeStyleRewards cannot claim ignorance of its traffic sources. For one, these practices have been publicly-documented for two weeks, since my initial January 16 article. Furthermore, 180 sends traffic to a FreeStyleRewards URL that specifically confirms CoolSavings FreeStyleRewards’s knowledge of the traffic’s origin: http://www.freestylerewards.com?ref=metricsdirect&bn=www_circuitcity_com&bl=lp-ce . Notice the highlighted reference to MetricsDirect, the advertising sales division of 180solutions.


Update (February 17): I have received a statement from MyPoints. I quote it here in its entirety:

“MyPoints is a leader in permission-based marketing and is firmly committed to marketing ourselves through channels and with products that respect the privacy and experience of consumers and deepen our productive relationships with our advertisers.

From November 2005 through the middle of January 2006, MyPoints ran a small-scale campaign with an “adware” firm.

When we became aware that the campaign might be in conflict with the best interests of our advertisers, we immediately pulled the advertisements and terminated our relationship with the company.

MyPoints will continue to be extra diligent with regard to selection of acquisition partners. We maintain extremely strong relationships with the affiliate networks and their merchant partners. MyPoints continues to be a leader in opt-in marketing and sets the highest bar possible with respect to privacy, permission and choice.”


CoolSavings Continues to Target Its Merchants via Hotbar (February 19, 2006)

Update (February 19): I have continued to observe CoolSavings ads appearing through advertising software, still in violation of applicable CJ rules and still targeting CoolSavings merchants. See screenshot at right, observed last week on a PC running Hotbar, as I browsed the web site of a CoolSavings merchant.

Claria Shows Ads Through Exploit-Delivered Popups

Seeking to clean up its image, Claria has tried to distance itself from competing “adware” vendors — hiring a privacy officer, filing comments with the FTC, even setting up an anti-spyware site. It’s no surprise that Claria wants little to do with other vendors in this space: Other vendors’ entirely nonconsensual installations (1, 2, 3) are a magnet for criticism. These vendors even undercut Claria’s pricing — showing ads for as little as $0.015 per display, where Claria demands a minimum payment of $25,000 per ad campaign.

But despite Claria’s dislike of “spyware” vendors who install advertising software without any notion of user consent, Claria funds and supports such vendors in at least two distinct ways. First, Claria pays spyware vendors to show Claria’s own ads through their popups — thereby recruiting more users to install Claria’s advertising software. Second, Claria buys traffic from spyware vendors and uses this traffic to show ads for Claria’s advertiser clients — including merchants as reputable as Amazon.

So even as Claria reforms its own practices — improving its installation methods and scaling back its controversial popups — Claria is buying ads from others whose practices are far inferior.

Soliciting Installations through Spyware-Delivered Popups

At bottom-left, a Claria screensaver ad shown within a Venus123 popup. The Venus123 popup was opened by ContextPlus, which had become installed on a test PC via a security exploit, without my consent. The Venus123 popup is so large that it entirely covers the test PC’s Start Menu and Taskbar.

Claria (promoting installation of Claria “adware”)
    ↓ money   ↑ viewers
Zedo.com (an ad network)
    ↓ money   ↑ viewers
02320.net
    ↓ money   ↑ viewers
Yieldmanager.com (an ad network)
    ↓ money   ↑ viewers
Venus123.com
    ↓ money   ↑ viewers
ContextPlus (spyware installed without consent)

The money trail — how funds flow from Claria to ad networks to spyware vendors (here, ContextPlus).

I have posted a series of pieces critiquing Claria’s installation methods — showing installations at kids sites, in tricky bundles, with substantively unreasonable license agreements. I haven’t recently seen the fake-user-interface Claria ads I wrote about previously — ads which encouraged users to install Claria by mimicking distinctive Windows dialog box formatting. But I am seeing Claria’s ads embedded within popups delivered by spyware — that is, delivered by advertising software installed on my test PC without my consent.

Consider the screenshot at right, showing the venus123.com site with a Claria screensaver ad at bottom-left. This venus123 ad was delivered to my test PC via ContextPlus spyware, which had become installed without my consent. ContextPlus sent traffic to clickandtrack.net which sent traffic to venus123.com. Then venus123.com embedded an ad from Yieldmanager.com, which in turn sent traffic to 02320.net, which embedded an ad from Zedo.com, which finally sent the traffic on to Claria’s belnk.com server.

This ContextPlus-Claria ad display reflects an unusually lengthy series of relationships — summarized in the diagram at right. But the net effect is that Claria makes payments that ultimately flow back to ContextPlus — thereby funding spyware installed without consent. A partial URL log follows below, and I also retained a full packet log.

http://adchannel.contextplus.net/services/…
http://hits.clickandtrack.net/cgi-bin/hit?…
http://www.Venus123.com/homepage.precision…
http://ad.yieldmanager.com/imp?z=0&i=2578&…
http://ad.yieldmanager.com/iframe3?AAAAAAQ…
http://adchannel.02320.net/services/AdChan…
http://c5.zedo.com/jsc/c5/ff2.html?n=350;c…
http://c5.zedo.com/bar/v12-500/c5/jsc/ifra…
http://c4.zedo.com/ads2/d/2077/172/350/355…
http://c4.zedo.com//ads2/k/83990/2077/172/…
http://dist.belnk.com/4/placement/1461/?h=…

A Claria installation obtained through this ad may or may not be “consensual.” To reach a conclusion, we’d have to look at what follows when users click the ad — what they’re told about the advertising, privacy, and other relevant effects of installing Claria’s software. (Perhaps I’ll give these ads a close reading in the future, as I previously did for Claria’s fake-user-interface banner ads at kids sites.) But whether or not users ultimately consent to install Claria’s software, it’s troubling to see Claria using its purchasing power to support spyware installed without user consent.

Showing Advertisers’ BehaviorLink Ads through Spyware-Delivered Popups

An Amazon ad served through Claria BehaviorLink within a popup from Savings-card.com. The Savings-card.com popup was opened by KVM Media, which had become installed on my test PC via a security exploit, without my consent.

Amazon (and other BehaviorLink advertisers)
    ↓ money   ↑ viewers
Claria BehaviorLink
    ↓ money   ↑ viewers
Savings-Card.com (and other sites buying traffic from spyware vendors)
    ↓ money   ↑ viewers
KVM Media (spyware installed without consent)

The money trail — how funds flow from advertisers (here, Amazon) to spyware vendors, via Claria’s BehaviorLink service.

Claria’s funding of spyware (installed without consent) extends beyond Claria’s methods of obtaining new users for its software. Claria also purchases spyware-originated traffic on behalf of its advertiser customers.

In February 2005, Claria announced its new BehaviorLink advertising network. Unlike the controversial pop-ups of Claria’s GAIN — which have brought litigation from web publishers unhappy to see their sites covered by competitors’ popups — BehaviorLink will show ads within publishers’ sites, paying those publishers a share of Claria’s revenue. Viewed in the most favorable light, BehaviorLink would fund free software users want and would help support the sites users request — a winning offer for both users and web sites, Claria claims.

Is the truth as rosy as Claria’s promises? On some level it’s hard to know: Claria’s BehaviorLink says the service is in a “pilot,” and so far we’ve heard little from participating advertisers and publishers. Perhaps it’s too soon to say how well BehaviorLink will work.

But in my initial examination of BehaviorLink traffic, I see serious cause for concern. In particular, I have found that Claria is buying BehaviorLink ad inventory from web sites that receive traffic directly from some of the most notorious spyware, including spyware installed on users’ computers without notice or consent.

Consider the example at right. Savings-card.com buys traffic from KVM Media, which I have repeatedly observed install without notice or consent. So as users browse the web, KVM opens popups of Savings-card.com. But Savings-card.com in turn redirects users to Claria’s BehaviorLink. BehaviorLink then shows an ad from one of its partners. The example below at right shows an Amazon ad placed through BehaviorLink, arriving in exactly this way. See also a screenshot of the result of activating the View-Source menu command in the Savings-card popup. Below is a partial URL log showing traffic leading to the ad and (in the final entry) the result of clicking on the ad.

http://www.icannnews.com/cgi-bin/PopupV3?ID=…
http://www.savings-card.com/normal/yyy99.html
http://dist.belnk.com/4/placement/1968/
http://ath.belnk.com/placement/?cb=6747118&did=269085&pid=1968&mint128=343…
http://art.ath.belnk.com/4/creative/42514.1/content42514-0.html?at2=2&imp=…
http://www.amazon.com/exec/obidos/redirect?link_code=ure&camp=1789&tag=ce-…

Note that this popup appeared on a PC without BehaviorLink (or any other Claria software) installed. BehaviorLink’s web servers selected the Amazon ad randomly or on the basis of my other browsing on this test PC.
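
The two partial URL logs above, and the FreeStyleRewards landing URL quoted earlier on this page, can be checked mechanically against an advertiser's placement policy. The Python below is an added example, not the author's crawler or any vendor's code: it reduces a captured log to its ordered chain of sites and flags watchlisted hops and traffic-source tags. The watchlists, function names and the last-two-labels domain rule are assumptions for illustration; the URLs are copied from the page with their truncation marks intact.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed watchlists for this example, built only from names this page gives.
DOMAIN_WATCHLIST = {
    "contextplus.net": "ContextPlus (spyware installed without consent)",
    "savings-card.com": "Savings-card.com (buys traffic from KVM Media)",
}
TAG_WATCHLIST = {
    "metricsdirect": "MetricsDirect (advertising sales division of 180solutions)",
}

# URL logs copied from the page; "…" marks where the page truncates a URL.
CONTEXTPLUS_LOG = """
http://adchannel.contextplus.net/services/…
http://hits.clickandtrack.net/cgi-bin/hit?…
http://www.Venus123.com/homepage.precision…
http://ad.yieldmanager.com/imp?z=0&i=2578&…
http://ad.yieldmanager.com/iframe3?AAAAAAQ…
http://adchannel.02320.net/services/AdChan…
http://c5.zedo.com/jsc/c5/ff2.html?n=350;c…
http://c5.zedo.com/bar/v12-500/c5/jsc/ifra…
http://c4.zedo.com/ads2/d/2077/172/350/355…
http://c4.zedo.com//ads2/k/83990/2077/172/…
http://dist.belnk.com/4/placement/1461/?h=…
""".split()

KVM_LOG = """
http://www.icannnews.com/cgi-bin/PopupV3?ID=…
http://www.savings-card.com/normal/yyy99.html
http://dist.belnk.com/4/placement/1968/
http://ath.belnk.com/placement/?cb=6747118&did=269085&pid=1968&mint128=343…
http://art.ath.belnk.com/4/creative/42514.1/content42514-0.html?at2=2&imp=…
http://www.amazon.com/exec/obidos/redirect?link_code=ure&camp=1789&tag=ce-…
""".split()

FREESTYLE_URL = ("http://www.freestylerewards.com"
                 "?ref=metricsdirect&bn=www_circuitcity_com&bl=lp-ce")


def site(url):
    """Lower-cased last two host labels of a URL.

    Simplification: a production audit would use the Public Suffix List
    so that suffixes such as co.uk are handled correctly.
    """
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def hops(log):
    """Ordered sites in the chain, collapsing consecutive URLs on one site."""
    chain = []
    for url in log:
        s = site(url)
        if s and (not chain or chain[-1] != s):
            chain.append(s)
    return chain


def source_tags(url):
    """Watchlisted traffic-source names found among query-string values."""
    query = parse_qs(urlsplit(url).query)
    values = {v.lower() for vs in query.values() for v in vs}
    return sorted(TAG_WATCHLIST[v] for v in values if v in TAG_WATCHLIST)


def audit(log):
    """Summarise one captured chain for an ad-placement policy review."""
    chain = hops(log)
    flagged = [(i, s, DOMAIN_WATCHLIST[s])
               for i, s in enumerate(chain) if s in DOMAIN_WATCHLIST]
    tags = sorted({t for url in log for t in source_tags(url)})
    return {
        "origin": chain[0] if chain else None,        # where the traffic began
        "destination": chain[-1] if chain else None,  # who ultimately got it
        "chain": chain,
        "flagged": flagged,         # (position in chain, site, reason)
        "source_tags": tags,
        "compliant": not flagged and not tags,
    }


if __name__ == "__main__":
    for name, log in [("ContextPlus log", CONTEXTPLUS_LOG),
                      ("KVM Media log", KVM_LOG),
                      ("FreeStyleRewards URL", [FREESTYLE_URL])]:
        report = audit(log)
        print(name, "->", " > ".join(report["chain"]))
        for _, s, why in report["flagged"]:
            print("   flagged site:", s, "-", why)
        for tag in report["source_tags"]:
            print("   flagged tag:", tag)
```

A domain watchlist only catches what is on it: the first hop of the KVM Media log is reported as the origin but not flagged, because this page does not attribute that host to any vendor.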

Claria’s Spyware-Delivered Advertising in Context

Claria’s own comments with the FTC concede that “spyware” is “illegal” under existing law to the extent that such software “is installed [on a consumer’s computer] without the consent of the consumer.” I agree. So Claria must be disheartened to find its ads and its clients’ ads shown through precisely this concededly-illegal software. I doubt that Claria intended to buy spyware-delivered advertising traffic. But by buying the cheapest available advertising space, Claria invited this result. Indeed, Claria’s BehaviorLink business model is premised on buying low-quality ads. Claria’s Scott Eagle told the New York Times in February: “We’ll take ad inventory that costs 50 or 75 cents, buy it in bulk, and turn it into gold by targeting $6 or $15 precision ads there. We’ll be the alchemists.” (cached copy)

To date, BehaviorLink has received strikingly positive press coverage. The media has largely accepted Claria’s promises — advertising software installed because users actually want it (not because they were tricked into accepting it, see above), and ads shown within high-quality partner web sites (not spyware-delivered popups). On the strength of these promises, it seems that Claria has been able to recruit remarkably high-quality advertisers like Amazon — advertisers who would not want to be associated with Claria’s traditional pop-ups.

My observations lead me to challenge these favorable assumptions about BehaviorLink. I still doubt whether users will install Claria’s software if Claria fully discloses the consequences of doing so (especially the effects on privacy). And the KVM Media example above shows BehaviorLink’s dependence on the quality of sites showing BehaviorLink ads. If Claria buys traffic from spyware vendors, directly or indirectly, then BehaviorLink ads get placed in spyware-delivered popups, not in web sites users actually want to visit. Then BehaviorLink ends up funding spyware, not funding the web sites users request.

Avoiding spyware-sourced traffic will require exceptional diligence on Claria’s part — inevitably driving up costs and reducing the profit margins Scott Eagle touted to the Times. I already have several more examples of BehaviorLink ads delivered in popups from exploit-installed spyware, and I’ll be watching for more.

Of course Claria is not the only network facing the problem of spyware-delivered ads. In May I examined more than 88,000 ads then served by 180solutions, finding that literally thousands flowed to or through major ad networks such as aQuantive’s AtlasDMT. These bogus syndication relationships remain widespread, as to popups served by 180solutions and numerous others. I’ve written a series of crawlers and robots to help me assess these problems — identifying which ad networks are involved, and identifying specific ad URLs that are affiliated with spyware vendors. But it’s a remarkably deep problem: Ads are passed from one ad network to another in ways that tend to confuse even my smartest crawlers. And ad networks have little incentive to investigate or stop these practices: They can only lose revenues by prohibiting such ads, so most networks seem to prefer to look the other way.

For now, spyware-delivered popups continue to promote many of the world’s leading merchants — including, thanks to Claria’s BehaviorLink, Amazon.com.

How Affiliate Programs Fund Spyware (updated September 15, 2005)

Affiliate networks offer an appealing promise for supporting free, independent content on the web: Any ordinary user can sign up to promote any interested merchant via a special affiliate tracking link. When a user clicks the link and makes a purchase from the merchant, the referring web site (“affiliate”) gets a payment from the merchant. Since merchants only pay affiliates when users actually make purchases, merchants feel free to partner with smaller affiliate sites — sites that might otherwise be too small or quirky to get advertisers’ attention. See one merchant’s diagram of the canonical affiliate relationship.

Despite the promise of affiliate marketing, haphazard marketing arrangements entail serious risks. If merchants sign up affiliates without investigation or monitoring, merchants risk accepting partners with undesirable business practices. Consider an affiliate who sends spam, or whose site is so controversial that no reasonable merchant would want to be seen there. So, experienced merchants have learned, they must monitor their affiliates for these kinds of dubious behaviors.

Affiliate Merchants (i.e. Dell, Gateway, eLuxury, J&R)
    money / viewers
Affiliate Networks (i.e. LinkShare, Commission Junction)
    money / viewers
Affiliates
    money / viewers
Spyware Vendors (i.e. 180solutions, Direct Revenue, eXact Advertising)

The money trail – how funds flow from merchants to affiliate networks to affiliates to spyware vendors.

Even more serious for most merchants, some affiliates promote merchants via unwanted advertising software — “spyware.” Some affiliates cause merchants’ ads to cover competitors’ sites — a merchant’s ad might appear through spyware without the merchant knowing about, intending, or requesting this result. Worse, affiliates can use spyware to steal commissions they haven’t earned — making tracking systems think users arrived at a merchant’s site via an affiliate link, when users actually just typed in a merchant’s domain name (such that no commission should be paid).

Because any affiliate can pay a spyware vendor to open the affiliate’s links in spyware-delivered popups, catching these affiliates is not a trivial task. Enforcement cannot merely examine affiliates’ names or stated practices: Affiliates’ names will not generally match the names of known “adware” vendors, and rogue affiliates are unlikely to describe their practices truthfully in their affiliate network applications. Instead, enforcement must entail actual examination of affiliates’ behavior — examination that most merchants and networks appear ill-equipped to perform.

There have been numerous reports of affiliates buying traffic from spyware — reports on my site (1, 2, 3, 4, 5) and elsewhere (1, 2, 3, 4). But to date, affiliate networks have failed to make substantial progress at stopping affiliate-spyware scams: These practices continue, affecting merchants with all major affiliate networks.

This piece proceeds in three parts. First, I show five specific examples of particular affiliates currently employing spyware to claim affiliate commissions, in apparent violation of applicable rules. (1, 2, 3, 4, 5) Second, I offer recommendations to concerned merchants. I conclude with recommendations for networks — suggesting technology and policy to stop this problem in the long run.

Example: Unknown Commission Junction Affiliate Targeting Dell with Gateway Popunders via Direct Revenue

A popunder promoting Gateway, purchased from Direct Revenue by a rogue affiliate. If a user ultimately makes a purchase from Gateway, the popunder causes Gateway to pay commissions to the affiliate, via Commission Junction. Gateway pays these commissions even though it did not know of or approve the affiliate’s decision to place advertising with Direct Revenue.

When users visit Dell.com on PCs infected with Direct Revenue, users may receive Gateway popunders. See screenshot at right, showing the Gateway popunder in a window marked Aurora (a Direct Revenue product name).

This advertising for Gateway does not occur because Gateway has requested that Direct Revenue advertise Gateway when users visit Dell’s site. Rather, a Gateway affiliate has purchased these ads. If a user subsequently makes a purchase from Gateway, the affiliate gets a commission, and these commissions let the affiliate pay Direct Revenue for showing the ad in the first place.

The ad at right is loaded via the following excerpted DirectRevenue targeting code (as recorded by my network monitor / packet sniffer). Yellow highlighting marks the targeting (to dell.com), while red highlighting marks the affiliate ID number and green highlighting marks the command to open the popunder. Extraneous code is omitted for brevity.

GET /imp/servlet/ImpServe?urlContext=http%3A%2F%2Fwww.dell.com%2F&domainContext=dell.com … HTTP/1.1

Host: xadsj.offeroptimizer.com …
 
HTTP/1.1 200 OK…
<BODY>
<title>—</title>
<SCRIPT LANGUAGE="JavaScript">

url="http://service.bfast.com/bfast/click?bfmid=37919389&siteid=41294023&bfpage=bf_advanced&bfurl=http%3A%2F%2Fwww.gateway.com%2Fhome";

winad=window.open(url, "_blank", attrib);

This action by the Gateway affiliate violates multiple Commission Junction policies: Direct Revenue software sometimes installs invisibly and without consent. Direct Revenue-delivered affiliate popups constitute forced clicks, invoking affiliate links without any affirmative end user action. The affiliate at issue is buying traffic from adware it did not design and does not control. The affiliate’s behavior also serves to overwrite cookies set by other affiliates, reducing others’ commissions. Each of these behaviors violates CJ’s Publisher Code of Conduct.

Example: Unknown Commission Junction Affiliate Targeting Dell via Direct Revenue

A popunder of Dell, purchased by a rogue affiliate and delivered via Direct Revenue as a user browses Dell.com. If a user ultimately makes a purchase from Dell, the popunder causes Dell to pay commission to the affiliate, via Commission Junction. So Dell ends up paying affiliate commissions even when users have requested its site specifically and by name — a situation that would not otherwise entail paying affiliate commission.

When users visit Dell.com on PCs infected with Direct Revenue, users may receive Dell popunders. See screenshot at right, showing such a popunder.

Here again, a rogue affiliate has placed ads through spyware — again without the merchant’s knowledge or approval. But notice the difference: In the Gateway example (above), the popup ad promoted a competitor of the site the user requested, whereas here the ad promotes the same site the user had already requested. What’s going on? Targeting Dell with Dell’s own affiliate link reveals an affiliate’s understanding that a user at Dell.com would probably most prefer to purchase from Dell, not Gateway. So the affiliate opens a Dell affiliate link — setting cookies such that if the user ultimately does purchase from Dell, the affiliate will get a commission. But the affiliate did nothing to facilitate the purchase or to fairly earn a commission; the user was already at Dell.com! Beyond cheating Dell, this affiliate also violated the CJ Publisher Code of Conduct for the reasons set out in the prior example.

Direct Revenue targeting code follows. Yellow highlighting marks the targeting (to dell.com), while red highlighting marks the affiliate ID number and green highlighting marks the command to open the popunder.

GET /imp/servlet/ImpServe?urlContext=http%3A%2F%2Fwww.dell.com%2Fcontent%2Fdefault.aspx%3Fc%3Dus%26cs%3D19%26l%3Den%26s%3Ddhs&domainContext=dell.com … HTTP/1.1

Host: xadsj.offeroptimizer.com

 
HTTP/1.1 200 OK

<BODY>
<title>—</title>
<SCRIPT LANGUAGE="JavaScript">

url="http://service.bfast.com/bfast/click?bfmid=37628499&siteid=41115962&bfpage=banner1";

winad=window.open(url, "_blank", attrib);

Example: Unknown LinkShare Affiliate Targeting eLuxury via 180solutions

A ‘double’ popup of eLuxury.com, purchased by a rogue affiliate and delivered via 180solutions as a user browses eLuxury. The popup claims commissions from eLuxury, via LinkShare, if a user ultimately makes a purchase from eLuxury. So eLuxury ends up paying affiliate commissions even when users have requested its site specifically and by name — a situation that would not otherwise entail paying affiliate commission.

When users visit eLuxury.com on PCs infected with 180solutions, users may receive popunders of the eLuxury site as reached through affiliate links. See screenshot at right, showing such a popup. Notice the resulting duplicate entries in the status bar (flagged at A), the creation of LinkShare cookies (B), and the second window just barely visible behind the new popup (C). (The usual 180solutions branding (in the browser title bar) was erased in the course of the LinkShare redirect.) See also a video of this popup, which presents the duplicate window particularly clearly.

As in the preceding examples, this affiliate has purchased ads through spyware — targeting the merchant’s web site with its own affiliate links. If a user browses to eLuxury on an infected computer, receives this popup, and makes a purchase, tracking systems at eLuxury and LinkShare will indicate that the affiliate has earned a commission — though in fact the affiliate did nothing to facilitate the purchase.

This affiliate’s actions entail multiple violations of the LinkShare Shopping Technologies Addendum (PDF). The affiliate has altered the user’s access, view, and usage of the merchant’s site, in violation of requirement 1.(i). The affiliate has purchased network traffic keyed to particular keywords in users’ requests, in violation of provision 6.5.(ii). Furthermore, 180solutions can trigger on traffic originating with other affiliates, thereby reducing their commissions in violation of 1.(ii).

180solutions targeting code follows, as observed via my network monitor. Yellow highlighting marks the targeting (to dell.com), while red highlighting marks the affiliate ID number.

POST /showme.aspx?keyword=eluxury&…

Host: tv.180solutions.com

 
HTTP/1.1 200 OK

<HTML>

ad_url: <input id=ad_url name=ad_url value=http://click.linksynergy.com/fs-bin/click?id=DSOXp2QDjbg&amp;offerid=31266.10000067&amp;type=4&amp;subid=0>

Example: MyGeek (LinkShare Affiliate) Targeting J&R via Direct Revenue

A popunder of J&R, purchased by MyGeek and delivered via Direct Revenue as a user browses jr.com. If a user ultimately makes a purchase from J&R, the popunder causes J&R to pay commission to the affiliate, via LinkShare. So J&R ends up paying affiliate commissions even when users have requested its site specifically and by name — a situation that would not otherwise entail paying affiliate commission.

When users visit jr.com on PCs infected with Direct Revenue, users may receive J&R popunders. See screenshot at right, showing such a popunder.

Like the examples above, the popunder here is a popunder of the merchant’s own affiliate link — designed to claim affiliate commission from purchases that would have occurred even without the popunder. But here the popunder targeting is routed through an intermediary, MyGeek. Direct Revenue targeting code reveals what is occurring: First Direct Revenue opens a popunder (green highlighting) of a MyGeek URL (blue) (referencing MyGeek via IP address 66.179.234.169, which Whois confirms is indeed a MyGeek host). Then MyGeek redirects to LinkShare (red).

GET /a/Drk.syn?adcontext=http://www.jr.com/images/cart/btn_proceed_to_scheckout.gif& … HTTP/1.1

Host: btg.btgrab.com

 
HTTP/1.1 200 OK

adurl=http://66.179.234.169/cpv.jsp?s=7453&c=53491&p=110077&adultfilter=on&aid=586& …

 
 
GET /cpv.jsp?s=7453&c=53491&p=110077&adultfilter=on&aid=586& …

Host: 66.179.234.169

 
HTTP/1.1 302 Found

Location: http://click.linksynergy.com/fs-bin/stat?id=OAfBJvRKlyk&offerid=58654

That MyGeek performs such targeting is not entirely unknown. See a recent discussion at ABestWeb, with multiple participants reporting such observations. See also a cached MyGeek page (Google Cache copy, local copy) disclosing 180solutions and “OfferOptimizer” (Direct Revenue) as syndication partners. Nonetheless, MyGeek’s use of LinkShare affiliate links seems to entail multiple violations of LinkShare rules, exactly as set out in the preceding section.

Example: Wholesalingonline (LinkShare Affiliate) Targeting Hickory Farms via eXact Advertising

A popunder of Wholesalingonline.com, delivered by eXact Advertising’s BullsEye as a user browses hickoryfarms.com. The Wholesalingonline popunder uses tricky cookie-stuffing methods to set Hickoryfarms cookies automatically. So if a user ultimately makes a purchase from Hickory Farms, the popunder causes Hickory Farms to pay commission to Wholesalingonline, via LinkShare. So Hickory Farms ends up paying affiliate commissions even when users have requested its site specifically and by name — a situation that would not otherwise entail paying affiliate commission.

When users visit hickoryfarms.com on PCs infected with eXact Advertising, users may receive Wholesalingonline.com popunders. See screenshot at right, showing such a popunder.

At first glance, the Wholesalingonline popunder looks innocuous — just a random web site hoping to reach visitors who requested Hickory Farms. But the Wholesalingonline page at issue is specifically designed to set Hickory Farms affiliate cookies, despite the lack of any visible Hickory Farms content within the site. (For background on such practices, see my cookie-stuffing page, reporting dozens of such examples, all occurring without the use of spyware or adware.)

The Wholesalingonline page at issue sets cookies in the following way: First, Wholesalingonline delivers a page of encoded gibberish JavaScript, instructing use of the JavaScript “unescape” command to recover JavaScript code from hex-encoded ASCII. A snippet of the encoded original:

<HTML><HEAD><TITLE>Cut Out the Middle Man with Warehousing Direct</TITLE><SCRIPT type="text/javascript"><!--
document.write(unescape("%3C%53%43%52%49%50%54%20%74%79%70%65%3D%22%74%65%78%74%2F%6A …

Decoding this block of code yields the following secondary decoder function, “q()”:

<SCRIPT type="text/javascript"><!--
function q(s){var o="",a=new Array(),w="",e=0;for(i=0;i<s.length;i++){c=s.charCodeAt(i);c=c^30;w+=String.fromCharCode(c);if(w.length>80){a[e++]=w;w=""}}o=a.join("")+w;return o}
//--></SCRIPT>

Using the q() function to decode the remainder of the page yields the following HTML contents:

<frameset rows="0,100%" onLoad="top.mainFrame.location='http://www.wholesalingonline.com' …>
<frame src="http://208.55.59.48/41128/268749.htm" …>
<frame src="about:blank" …>

Notice that the page creates a frameset with two rows. The first, suspiciously set to be invisible (0 pixels in height), loads content from a server at 208.55.59.48. The second, the only visible frame, loads the wholesalingonline.com home page.

Sure enough, my packet sniffer confirms that the 208.55.59.48 page was indeed loaded immediately thereafter. That page offers an extremely lengthy (88KB) encoded JavaScript of its own, but decoding reveals the cookie-stuffing code copied below. Yellow highlighting flags the creation of an array of LinkShare affiliate links (IDs in red). Green highlighting flags random selection of one of the affiliate links (chosen based on the current time). Finally, an IFRAME (blue) embeds the affiliate link within the page — thereby invoking the affiliate link and setting cookies accordingly.

link = new initArray(
"http://click.linksynergy.com/fs-bin/click?id=7o6JnHbjuWM&offerid=6562.10000190&type=3&subid=0",
"http://click.linksynergy.com/fs-bin/click?id=7o6JnHbjuWM&offerid=6562.10000190&type=3&subid=0",
"http://click.linksynergy.com/fs-bin/click?id=7o6JnHbjuWM&offerid=6562.10000171&type=3&subid=0",
"http://click.linksynergy.com/fs-bin/click?id=7o6JnHbjuWM&offerid=6562.10000148&type=3&subid=0",
"http://click.linksynergy.com/fs-bin/click?id=7o6JnHbjuWM&offerid=6562.10000036&type=3&subid=0",
"http://click.linksynergy.com/fs-bin/click?id=7o6JnHbjuWM&offerid=6562.10000190&type=3&subid=0"
);
 
var currentdate = new Date();
var core = currentdate.getSeconds() % link.length;
var ranlink = link[core];
 
document.write('<DIV align=center><IFRAME SRC="' +ranlink+ '" WIDTH=0 HEIGHT=0 FRAMEBORDER=0 scrolling="no"></IFRAME></a></DIV>');

Examination of my packet log confirms that a LinkShare affiliate link was ultimately invoked in exactly the way that this code specifies. Notice the HTTP Referer header, bearing the suspect 208.55.59.48 referring URL identified above (green).

GET /fs-bin/click?id=7o6JnHbjuWM&offerid=6562.10000036&type=3&subid=0 HTTP/1.1

Referer: http://208.55.59.48/41128/268749.htm

Wholesalingonline’s methods are clearly more sophisticated than the other affiliates shown above; the multiple levels of encoding, obfuscation, framesets, randomization, and other trickery reveal Wholesalingonline’s desire not to get caught. But ultimately Wholesalingonline’s strategy is identical to the others: To make a merchant’s tracking system think that a user arrived at a merchant through its affiliate tracking link, such that a commission should be paid, when in fact no such commission is in order.
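The two decoding layers and the zero-size frame check walked through above can be automated when reviewing a suspect affiliate page. The following is an added example, not code from the original page or from any site it describes: it percent-decodes each unescape() literal, reads the XOR key out of the recovered q() function, and lists frames a user would never see. The sample page, its hosts and its IDs are constructed, and the layout in which the second layer is passed as q(unescape("...")) is an assumption.

```javascript
// Added example. Hosts that serve affiliate click links, as seen in the captures on this page.
const AFFILIATE_CLICK_HOSTS = ["click.linksynergy.com", "service.bfast.com"];

// Layer 1: undo unescape("%3C%53..."), where each %XX is one hex-encoded ASCII byte.
function percentDecode(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Layer 2: the same transform as the page's q(): XOR every character code with a key.
function xorDecode(s, key) {
  let out = "";
  for (let i = 0; i < s.length; i++) out += String.fromCharCode(s.charCodeAt(i) ^ key);
  return out;
}

// Decode every unescape("...") literal, recover the XOR key from the decoder
// function found among them, then apply that key to the remaining literals.
function deobfuscate(source) {
  const literals = [];
  const re = /unescape\(\s*"([^"]*)"\s*\)/g;
  let m;
  while ((m = re.exec(source)) !== null) literals.push(percentDecode(m[1]));
  const keyPattern = /c\s*=\s*c\s*\^\s*(\d+)/;
  const decoder = literals.find((t) => keyPattern.test(t));
  if (!decoder) return { key: null, layers: literals }; // single layer only
  const key = Number(keyPattern.exec(decoder)[1]);
  const layers = literals.filter((t) => t !== decoder).map((t) => xorDecode(t, key));
  return { key, layers };
}

// Parse the attributes of one tag: quoted or bare values, case-insensitive names.
function attrs(tag) {
  const map = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) map[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  return map;
}

function isZero(v) {
  return typeof v === "string" && /^0(px|%)?$/.test(v.trim());
}

function isAffiliateClick(src) {
  try {
    return AFFILIATE_CLICK_HOSTS.includes(new URL(src).hostname);
  } catch (e) {
    return false; // relative or malformed src
  }
}

// Report frames in a zero-size frameset row/column and iframes with width=0 and height=0.
function findHiddenFrames(html) {
  const findings = [];
  let sizes = []; // row or column sizes of the enclosing frameset
  let index = 0;  // position of the next <frame> inside that frameset
  const re = /<(frameset|frame|iframe)\b[^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const kind = m[1].toLowerCase();
    const a = attrs(m[0]);
    if (kind === "frameset") {
      sizes = (a.rows || a.cols || "").split(",");
      index = 0;
      continue;
    }
    const hidden = kind === "frame" ? isZero(sizes[index++]) : isZero(a.width) && isZero(a.height);
    if (hidden && a.src) findings.push({ kind, src: a.src, affiliateLink: isAffiliateClick(a.src) });
  }
  return findings;
}

function analyzePage(source) {
  const { key, layers } = deobfuscate(source);
  return { key, findings: layers.flatMap(findHiddenFrames) };
}

// ---- Constructed sample input (hosts and IDs are placeholders) ----
const Q_SOURCE = '<SCRIPT>function q(s){var o="";for(i=0;i<s.length;i++)' +
  '{c=s.charCodeAt(i);c=c^30;o+=String.fromCharCode(c)}return o}</SCRIPT>';
const HIDDEN_HTML =
  '<frameset rows="0,100%">' +
  '<frame src="http://203.0.113.10/stuffer.htm">' +
  '<frame src="http://shop.example/">' +
  '</frameset>' +
  '<IFRAME SRC="http://click.linksynergy.com/fs-bin/click?id=EXAMPLE_ID&offerid=0000.00000000' +
  '&type=3&subid=0" WIDTH=0 HEIGHT=0 FRAMEBORDER=0></IFRAME>';
const pct = (s) =>
  Array.from(s, (ch) => "%" + ch.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0")).join("");
const SAMPLE_PAGE =
  '<SCRIPT>document.write(unescape("' + pct(Q_SOURCE) + '"));</SCRIPT>' +
  '<SCRIPT>document.write(q(unescape("' + pct(xorDecode(HIDDEN_HTML, 30)) + '")));</SCRIPT>';

console.log(JSON.stringify(analyzePage(SAMPLE_PAGE), null, 2));
```

An iframe assembled at run time by string concatenation, as in the 208.55.59.48 page, only becomes visible to this static check after the script's output is captured, which is why the packet log remains the final confirmation.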

Additional Examples

I have been documenting examples of this behavior since spring 2004, and I have literally hundreds of examples on file, reflecting targeting of most major affiliate merchants. The examples above happen to focus on targeting using notorious advertising software from Direct Revenue, 180solutions, and eXact Advertising, but similar targeting remains widespread using pop-ups from ContextPlus, Kvmedia, and numerous others.

What Merchants Should Do

The commissions at issue are ultimately paid by merchants. Sophisticated, dedicated merchants can detect these fraudulent claims — and refuse to pay the commissions at issue.

Some merchants look to networks to identify and block improper affiliate actions. But as shown in the examples above and as discussed below, networks have failed to address this problem. In addition, independent merchants (those who recruit affiliates directly, without using an affiliate network) have no network to assist them in fraud prevention — meaning they’re all the more vulnerable to rogue affiliates.

As a first step in preventing affiliates from buying traffic from spyware vendors, merchants should specifically prohibit this practice, via new provisions in their affiliate terms & conditions. Merchants should also examine the affiliates who apply to their affiliate programs. But even careful screening of affiliates’ applications and sites can’t detect all rogue affiliates; some affiliates are entirely legitimate but for their use of spyware. Where an affiliate combines a legitimate affiliate web site with additional traffic purchased from a spyware vendor, mere examination of the affiliate’s web site will not reveal the spyware traffic.

Some merchants seek out rogue affiliates by looking for transactions with missing HTTP Referer headers. When a user clicks from one web site to another, the second server generally receives the URL of the originating page on the first server — the “HTTP Referer.” But when a page is loaded by spyware, i.e. as an unrequested popup, the referrer field is blank. So affiliates with blank referrers often turn out to be getting traffic from popups rather than from bona fide clicks within affiliates’ web pages. (That said, this method is imperfect too: Some popups submit fake referrer header data.)
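The blank-referrer check described above, run over a merchant's landing-page log, looks like the following added example (not the author's tooling). It goes one step beyond the blank case by also counting referrers that do not belong to a site the affiliate registered, since a faked or bare-IP referrer would otherwise pass. The log lines, the "aff" parameter name, the registered-site list and both thresholds are constructed assumptions.

```javascript
// Added example: per-affiliate referrer profile from web server log lines.

// Build one Apache combined-format line (constructed test input only).
function logLine(affiliateId, referer) {
  return '198.51.100.7 - - [12/Sep/2005:10:00:00 +0000] "GET /landing?aff=' + affiliateId +
    ' HTTP/1.1" 200 512 "' + (referer || "-") + '" "Mozilla/4.0"';
}

const SAMPLE_LOG = [
  ...Array(5).fill(logLine("A100", "http://reviews.example/laptops.html")),
  ...Array(4).fill(logLine("A200", "")),                      // blank referrers
  logLine("A200", "http://deals.example/today.html"),
  ...Array(3).fill(logLine("A300", "http://203.0.113.10/41128/page.htm")), // bare-IP referrer
  logLine("A300", "http://coupons.example/"),
  logLine("A400", ""),                                        // too few clicks to judge
];

// Sites each affiliate listed in its program application (hypothetical data).
const REGISTERED_SITES = {
  A100: ["reviews.example"],
  A200: ["deals.example"],
  A300: ["coupons.example"],
  A400: ["blog.example"],
};

// Extract the affiliate ID and referrer from one log line; null if the line is not a tracked click.
function parseLine(line) {
  const m = /"GET (\S+) HTTP\/[\d.]+" \d+ \S+ "([^"]*)"/.exec(line);
  if (!m) return null;
  const affiliateId = new URL(m[1], "http://merchant.invalid").searchParams.get("aff");
  if (!affiliateId) return null;
  return { affiliateId, referer: m[2] === "-" ? "" : m[2] };
}

// blank: no referrer at all; registered: from a site the affiliate declared;
// unlisted: a referrer was sent, but not from any declared site.
function classifyReferer(click, registered) {
  if (click.referer === "") return "blank";
  let host;
  try {
    host = new URL(click.referer).hostname;
  } catch (e) {
    return "unlisted";
  }
  const sites = registered[click.affiliateId] || [];
  return sites.some((s) => host === s || host.endsWith("." + s)) ? "registered" : "unlisted";
}

// Flag an affiliate for manual review when it has enough clicks to judge and
// most of them are blank or unlisted. Thresholds are illustrative, not calibrated.
function summarize(lines, registered, minClicks = 4, threshold = 0.5) {
  const stats = new Map();
  for (const line of lines) {
    const click = parseLine(line);
    if (!click) continue;
    if (!stats.has(click.affiliateId)) {
      stats.set(click.affiliateId, { blank: 0, registered: 0, unlisted: 0, total: 0 });
    }
    const s = stats.get(click.affiliateId);
    s[classifyReferer(click, registered)]++;
    s.total++;
  }
  return [...stats].map(([affiliateId, s]) => {
    const suspectShare = (s.blank + s.unlisted) / s.total;
    return { affiliateId, ...s, suspectShare, review: s.total >= minClicks && suspectShare >= threshold };
  });
}

console.log(summarize(SAMPLE_LOG, REGISTERED_SITES));
```

A flag here is a reason to test the affiliate hands-on, not proof: privacy tools also strip referrers, and a popup can submit a referrer that matches a registered site.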

These days, savvy merchants conduct testing of various spyware programs to identify rogue affiliates. It’s remarkably cheap to buy a few spare machines and infect them with a mix of spyware. For best results, merchants need to add packet sniffers or other detailed network logging, and all infected machines should be kept outside the corporate firewall. But with this equipment on hand, finding spyware-driven affiliates can require only a bit of browsing.

Other merchants hire outsiders to do this work. I provide this service to a few merchants, but there are plenty of other choices too. Some merchants even offer bounties (example: provision 3.b) to those who detect and report affiliates buying spyware traffic.

What Networks Should Do

Affiliate networks frequently boast of the quality of their affiliates. Commission Junction claims to “continually screen the network” for rogue affiliates, and to “monitor … all activity for signs of non-compliant client activity.” LinkShare claims that its network features “appropriate” affiliates. But in fact affiliate networks are plagued by affiliates whose practices defraud merchants rather than benefit them. Furthermore, despite their claims of quality, networks could do far more to eliminate rogue affiliates.

Stopping affiliates’ use of spyware must begin with comprehensive testing. In hands-on testing in my lab, I have documented literally hundreds of rogue affiliates — often dozens of different such affiliates in a single week. (See the examples above, as well as ten examples I posted during summer 2004.)

Beyond hands-on testing, efficient compliance requires special software to identify rogue affiliates automatically. I wrote such software earlier this year, and when I run this software against major adware programs, I often uncover dozens or scores of new rogue affiliates. In May, I posted summary results — analyzing 157,083 pop-up ads then shown by 180solutions, and finding that 686 claimed commissions via Commission Junction. (Others claimed commission via LinkShare, Performics, and numerous smaller or independent affiliate programs.) With automated testing methods now available, affiliate networks cannot credibly claim that large-scale testing is impractically difficult or unreasonably time-consuming.
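As an illustration of what such automated review involves, the following added example (not the author's software) pulls ad URLs out of adware server responses, identifies the affiliate network and affiliate identifier, and groups the results per affiliate. The response excerpts are the ones quoted earlier on this page, with elided parts left out, while the records wrapping them are constructed; reading siteid as the affiliate identifier and bfmid as the merchant identifier in bfast.com links is an assumption.

```javascript
// Added example: classify ad URLs captured from adware responses by affiliate network and ID.
const OBSERVATIONS = [
  { vendor: "Direct Revenue", context: "dell.com",
    response: 'url="http://service.bfast.com/bfast/click?bfmid=37919389&siteid=41294023' +
      '&bfpage=bf_advanced&bfurl=http%3A%2F%2Fwww.gateway.com%2Fhome";' },
  { vendor: "Direct Revenue", context: "dell.com",
    response: 'url="http://service.bfast.com/bfast/click?bfmid=37628499&siteid=41115962&bfpage=banner1";' },
  { vendor: "180solutions", context: "eluxury",
    response: 'ad_url: <input id=ad_url name=ad_url value=http://click.linksynergy.com/fs-bin/click' +
      '?id=DSOXp2QDjbg&amp;offerid=31266.10000067&amp;type=4&amp;subid=0>' },
  { vendor: "Direct Revenue", context: "jr.com",
    response: 'adurl=http://66.179.234.169/cpv.jsp?s=7453&c=53491&p=110077&adultfilter=on&aid=586' },
  { vendor: "Direct Revenue", context: "jr.com",
    response: 'HTTP/1.1 302 Found\r\nLocation: http://click.linksynergy.com/fs-bin/stat?id=OAfBJvRKlyk&offerid=58654' },
];

// Find URLs in a script body, form field or Location header; undo "&amp;" escaping.
function extractUrls(response) {
  const found = response.match(/https?:\/\/[^\s"'<>]+/g) || [];
  return found.map((u) => u.replace(/&amp;/g, "&"));
}

// Map a URL to its affiliate network, or null when it is not a recognized affiliate link.
function classifyAdUrl(url) {
  let u;
  try {
    u = new URL(url);
  } catch (e) {
    return null;
  }
  const q = u.searchParams;
  if (u.hostname === "service.bfast.com" && u.pathname.startsWith("/bfast/click")) {
    // Assumption: siteid identifies the affiliate, bfmid the merchant.
    return { network: "Commission Junction", affiliateId: q.get("siteid"),
      merchantRef: q.get("bfmid"), destination: q.get("bfurl") };
  }
  if (u.hostname === "click.linksynergy.com" && u.pathname.startsWith("/fs-bin/")) {
    return { network: "LinkShare", affiliateId: q.get("id"),
      merchantRef: (q.get("offerid") || "").split(".")[0], destination: null };
  }
  return null;
}

const addUnique = (list, value) => {
  if (value && !list.includes(value)) list.push(value);
};

// One row per (network, affiliate), plus the URLs that could not be attributed.
function buildReport(observations) {
  const rows = new Map();
  const unresolved = [];
  for (const obs of observations) {
    for (const url of extractUrls(obs.response)) {
      const hit = classifyAdUrl(url);
      if (!hit) {
        // Typically an intermediary; its redirect target has to be captured too.
        unresolved.push({ vendor: obs.vendor, context: obs.context, url });
        continue;
      }
      const key = hit.network + "|" + hit.affiliateId;
      if (!rows.has(key)) {
        rows.set(key, { network: hit.network, affiliateId: hit.affiliateId, hits: 0,
          vendors: [], contexts: [], destinations: [] });
      }
      const row = rows.get(key);
      row.hits++;
      addUnique(row.vendors, obs.vendor);
      addUnique(row.contexts, obs.context);
      addUnique(row.destinations, hit.destination);
    }
  }
  return { affiliates: [...rows.values()], unresolved };
}

console.log(JSON.stringify(buildReport(OBSERVATIONS), null, 2));
```

The unresolved entry is the intermediary hop from the J&R example: attributing it requires recording the redirect it returns, which is the fifth observation here.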

It’s hard to know what testing methods affiliate networks actually use to conduct their testing: Networks usually treat their testing methods as confidential, either for competitive reasons or to avoid assisting would-be fraudsters. I sense that networks do do some hands-on testing, but their efforts may be less than merchants hope (especially given the size of networks’ fees). I don’t hear talk of affiliate networks running any automated testing of spyware programs. In any event, the scope of the spyware-affiliate problem reflects networks’ failure to resolve this issue: If networks were predictably catching affiliates who buy traffic from spyware, and if networks were predictably canceling any commissions claimed via such methods, scores of affiliates wouldn’t be continuing to attempt these methods.

Affiliate networks also need to impose tough penalties on those affiliates caught breaking the rules. For one, networks should take action promptly, not allow further commissions to be paid. But it’s not enough just to cancel current commissions: If breaking the rules yields only a slap on the wrist, then affiliates will continue the spyware assault, earning large profits until they’re ultimately caught. Instead, affiliate networks should get tough on spyware — demand repayment of commissions previously paid, to eliminate affiliates’ incentive to attempt to buy spyware traffic.

The more affiliate merchants pay out in commission, the larger merchants’ fees to affiliate networks. So networks have a clear incentive to look the other way, allowing spyware fraud to continue, with merchants paying the bill. But networks should not overplay their hand. It is at best unseemly for networks to profit when merchants are defrauded by rogue affiliates. Furthermore, the perception of spyware fraud in leading affiliate networks has created an opportunity for spyware and adware-free networks — Kowabunga, ShareASale, and others, as well as newcomer MPORT (which recently launched its network with the promise of blocking adware).

Last week’s announcement of LinkShare’s acquisition by Japanese portal Rakuten recalls the underlying promise of affiliate marketing. There is real value in affiliate relationships, and Rakuten certainly doesn’t intend to pay $425 million for a share in the spyware business. But does Rakuten understand the extent to which LinkShare funds payments to vendors who install advertising software without users’ consent? The extent to which LinkShare has failed to put a check on these behaviors? I’m not sure. Rakuten should demand better — and so should the merchants who ultimately pay for this mess.

How Expedia Funds Spyware

Unwanted advertising programs — typically called spyware — are funded by thousands of the world’s largest companies and most respected advertisers. Ask most of these advertisers about their support for spyware, and they’ll say they didn’t know. After all, their affiliates might have bought the ads. Their outsourced advertising placement firms might have made the decisions. Or pay-per-click search engines (including Google and Yahoo) might have syndicated their ads to spyware vendors, without advertisers’ knowledge or consent. (Details: Google, Yahoo)

But a few advertisers have the gall to defend advertising through spyware. Earlier this year, the Associated Press asked Expedia about its support for spyware. Expedia’s spokesman responded:

“It is just a marketing tool that we use.”

Expedia subsequently claimed to have “rigorous standards” for advertising software, including “mak[ing] sure customers want [the] ads.”

Despite Expedia’s claims of user consent, Expedia advertises with numerous programs that don’t get user consent at all.

Expedia Supports 180solutions, Direct Revenue, and eXact Advertising

The screenshots below show Expedia ads shown by the vendors listed at right. Below each vendor’s name are potentially-objectionable practices of that vendor — practices observed currently or in recent months. In each instance, practices include installation through security holes, with no notice or consent.

All ads were observed in September 2005. Click an ad to see a full-size screenshot with additional commentary.

An Expedia popup shown by 180solutions when I browsed to aa.com.

180solutions (Zango / 180search Assistant)

An Expedia popunder shown by Direct Revenue when I browsed to jetblue.com. Shown after activation of the popunder.

Direct Revenue (Aurora, Ceres, etc.)

An Expedia popunder shown by eXact Advertising when I browsed to jetblue.com. Shown after activation of the popunder.

eXact Advertising (BullsEye)

Intermediaries Placing and Tracking Expedia’s Spyware Ads

Comments from Expedia staff indicate that Expedia is aware of its relationships with “adware” vendors. Nonetheless, advertising intermediaries help facilitate, track, and fund these relationships. Users may therefore place some blame on advertising intermediaries.

In my May analysis of intermediaries helping to fund spyware, I offered as an example an Expedia ad served by 180solutions via aQuantive’s Atlas Solutions.

Other Expedia ads flow through other intermediaries, although each of the ads shown above ultimately reaches Expedia via Atlas Solutions. For example, the ad shown by eXact also passes through Xctrk.com (SearchBoss) and 24/7 Real Media before reaching Atlas.

Although spyware traffic reaches Expedia through advertising intermediaries, Expedia’s servers receive detailed information about the sources of newly-arrived users referred through spyware advertising. For example, see the partial screenshot below, showing an Expedia popup delivered by 180solutions, covering American Airlines at aa.com. Notice that the URL to Expedia includes the string “metdr” in the URL bar. “Metdr” is an abbreviation for MetricsDirect, 180’s advertising sales unit. The presence of this text in Expedia’s URL indicates Expedia’s specific knowledge that the ad is coming from 180solutions. Under these circumstances, Expedia cannot claim to be unaware that it is supporting 180solutions. My full ad screenshots present similar tracking codes in Expedia’s ads as shown by other spyware vendors.

What Expedia Should Do

While Expedia continues advertising with notorious spyware vendors, other major advertisers have ceased relationships with such vendors and publicly voiced their disapproval of these vendors’ practices. In June 2004, Major League Baseball announced (paid registration required) that it won’t work with companies who use spyware — specifically mentioning unwanted advertisements as a negative consequence of spyware, and thereby seeking to implicate the various vendors Expedia supports. Verizon also said it would cease advertising through what it called “adware.” Wells Fargo staff wrote an op-ed criticizing spyware, noting negative effects of unwanted advertising software on PC reliability as well as on web site integrity. More recently, Netflix announced its intention to cease such advertising (though in my testing, some Netflix ads are still distributed through the vendors listed above, often intermediated through Netflix’s affiliate program).

Expedia’s recent comments to the Associated Press propose an appropriate initial standard — that ads shouldn’t be shown to users through advertising software users didn’t agree to install. But if Expedia aspires to enforce this standard, it needs to better examine how advertising software actually becomes installed. As indicated by the many links above, spyware researchers have uncovered numerous nonconsensual installations of the very programs Expedia currently supports. Expedia staff should review industry sources and perhaps even conduct hands-on tests of their own, to make sure the vendors Expedia supports are not vendors that install without consent or otherwise engage in undesired practices.

These lessons also apply to other large travel sites. In my testing, travel ads appear particularly frequently through spyware, and in the course of recent testing, I received spyware-delivered ads promoting Cheaptickets, Hotels.com, Hotwire, Orbitz, Priceline, and Travelocity. In many instances, these vendors hire spyware to target each other — e.g. Travelocity might buy ads that cover Priceline’s site, but once a user reaches Travelocity, a new Priceline pop-up ad will pull the consumer right back. These many spyware-delivered ads entail large payments from travel services (and ultimately the consumers who fund them) to spyware vendors. The online travel industry would surely be better off if all firms agreed to cease this aggressive spyware-delivered advertising. By reducing funding of spyware, such an agreement would offer substantial benefits to consumers too.

How Yahoo Funds Spyware (updated September 5, 2005)

Yahoo’s Overture (recently renamed Yahoo Search Marketing) allocates pay-per-click (PPC) ads among Yahoo’s network of advertisers. When users run searches at yahoo.com, Yahoo’s advertisers are assigned placements at the top, right, and bottom of search results. Advertisers pay Yahoo a fee when users click on their ads.

But Yahoo doesn’t just show advertisers’ ads on yahoo.com; Yahoo also distributes advertisers’ ads to Yahoo’s various syndication partners. Many of these partners are entirely legitimate: For example, most advertisers will be happy to show their ads to users running searches at washingtonpost.com, where Yahoo sponsored links complement searches of Post articles.

However, serious concerns arise where Yahoo syndicates advertisers’ ads to be shown by advertising software installed on users’ PCs — software typically known as spyware or adware. In my testing, Yahoo’s funding of spyware is widespread and prevalent — an important source of revenue for many spyware programs installed on millions of users’ PCs. Were it not for Yahoo’s funding of these programs, the programs would be far less profitable — and there would be fewer such programs trying to sneak onto users’ PCs.

Yahoo’s funding of spyware is not unique. I’ve recently written about Google’s funding of similar bad actors (1, 2). Earlier this year, FindWhat disclosed related problems, admitting that terminating its dubious distributors would reduce revenues by at least 5%. But in my hands-on testing of various spyware-infected PCs, I find that I receive Yahoo-syndicated ads more frequently than I receive such ads from any other single PPC network.

This article proceeds in three parts. First, I show examples of Yahoo ads supporting Claria, eXact Advertising, Direct Revenue, 180solutions, and various others; I also review the objectionable practices of each of these vendors. (Numerous additional examples on file.) Second, I review Yahoo’s disclosures to advertisers — finding that Yahoo has failed to tell advertisers about its controversial syndication partners, even in general terms. I conclude with recommendations to Yahoo (and other PPC search engines that allow syndication), as to how to put an end to this mess and avoid such problems in the future.

Claria (Gator / GAIN): SearchScout Popunders of Yahoo Sponsored Links

A Yahoo Overture popunder, delivered by Claria, targeting a Google search for the same phrase. Shown after activating the popunder.

A Yahoo Overture popunder, delivered by Claria, showing sponsored results for “computer” when users visit Dell.com. Shown after activating the popunder and right-clicking the ad to show its destination.

[Diagram: PPC advertisers (i.e. Dell) → Yahoo Overture → Claria (Gator / GAIN). Each link is labeled “money” and “viewers”.]

The money trail – how funds flow from advertisers to Yahoo Overture to Claria.

Likely Yahoo’s largest single advertising software syndicator, Claria shows Yahoo Overture pay-per-click ads in popunders triggered by users’ web browsing.

Before showing Yahoo ads, Claria software must first become installed on users’ computers. Claria’s installation often proceeds without meaningful user consent. For example, Claria often gets installed through software bundles — where a user seeks one program but gets Claria too. Historically, Claria’s bundles have featured lengthy license agreements (as long as 5,900+ words and 63 on-screen pages), broken license formatting (missing line breaks, making section headings hard to find), and substantively unreasonable terms (including restrictions on how users can remove Claria software). Claria also promotes its software through banner ads — including ads on kids sites, claiming to fix computer clocks or improve computer security, showing a license only after installation has begun and cannot be cancelled. Some Claria uninstallers don’t work — leading users in circles rather than actually removing Claria software.

Claria’s core business is showing pop-up ads specifically purchased by advertisers. (See my 2003 listings, including well-known advertisers. See also PC Pitstop listing based on Claria 2003 disclosures.) But Claria also shows popunders of Yahoo Overture sponsored links. Search for “computer repair” at any major search engine, and Claria adds a popunder giving Yahoo Overture ads for that same term. Sponsored link popunders also target specific web sites. Visiting Dell often yields a Claria popunder of Yahoo Overture ads for “computer.”

Claria’s provision of Yahoo Overture sponsored links raises clear questions of business benefit for affected advertisers. In the second screenshot at right, the user was already at the Dell.com site. (Indeed, Dell might have just paid several dollars to reach that user, via a pay-per-click ad at Yahoo, Google, or elsewhere.) Claria’s popunder risks drawing the user’s attention away from Dell — but if the user then clicks on the prominent Dell ad in Claria’s Overture listing, Dell has to pay again for the same user who was already at the Dell site. Why pay Yahoo and Claria to get the user back, when it was they who took the user from Dell in the first place?

Claria’s provision of Yahoo Overture sponsored links also presents ethical concerns. Many advertisers dislike Claria’s practices — including its aggressive methods of becoming installed on users’ PCs, its serious effects on privacy, and its harm to computer performance. Indeed, when I previously revealed that, through another channel, Dell was advertising with Claria in mid 2004, Dell staff sought to distance Dell from Claria, commenting “[T]oday we do not do business with anyone like Claria.” But despite Dell’s stated dislike of Claria, Dell does help fund Claria when Dell purchases pay-per-click ads from Yahoo: Payment flows from Dell to Yahoo to Claria, as shown in the diagram at right. Same for thousands of other Yahoo Overture advertisers.

In the future, Claria purports to plan to shut down its popup business. That’s a move I applaud — it’s been a bad business from the start. But at present Claria still serves lots of popups — including Yahoo Overture popunders as frequently as every few minutes. These ads are big money: Claria’s 2003 SEC S1 discloses receiving $31 million from Yahoo in 2003 alone — despite a relationship only in place for 9 months of that year. Annualizing the payment and taking account of the dramatic increase in pay-per-click fees, Yahoo might now be paying Claria $50 million or more per year. (It’s hard to know for sure because Claria hasn’t filed more recent financial disclosures, and Yahoo doesn’t include this level of detail in its financial reports.)

eXact Advertising – Popups and Sidebars of Yahoo Sponsored Links

A Yahoo Overture auto-opening sidebar, delivered by eXact Advertising, targeting Google search results.

[Diagram: PPC advertisers → Yahoo Overture → eXact Advertising. Each link is labeled “money” and “viewers”.]

The money trail – how funds flow from advertisers to Yahoo Overture to eXact Advertising.

Claria claims to always install with consent — however tricky or ill-gotten, per my testing and documentation. But other Yahoo Overture syndicators can’t even make this claim. On dozens of occasions, I have observed and recorded software from eXact Advertising installed through security holes, with no notice or consent. (Some examples: 1, 2.) I’ve also seen eXact installed by tricky popups claiming to be required to view sexually-explicit videos, and by unrequested popups claiming to offer “browser enhancements.” Others have reported eXact bundled by P2P-distributed videos purporting to offer child pornography, and even by instant messenger worms. In short, when a user has software from eXact, the user is unlikely to have granted meaningful informed consent to the installation, and the user may not have granted any consent at all. Reporters tell me that eXact claims to have fixed these problems, but that’s just not true: I’ve received nonconsensual installations of eXact software this very week. Videos on file.

Despite its poor installation practices, eXact receives Overture sponsored links, shows these advertisements to users, and presumably is paid by Yahoo for doing so.

See screenshot at right, showing an eXact auto-opening sidebar that appeared as I ran a search at Google. The sidebar shows Yahoo Overture links, and clicking a link sends users to Overture and on to the advertiser (without passing through any other search intermediary). Notice the Overture reference in the browser status bar as I hold my mouse over a sponsored link.

To typical users, the eXact-delivered Yahoo Overture sidebar appears to be an integrated part of search results — presumably delivered by Google (or whatever other search engine the user had requested). Notice the absence of any distinctive branding, logo, disclosure, or other identification that the sidebar comes from eXact and Overture. To find such a disclosure, a user must scroll to the bottom of the sidebar. Even there, the disclosure is truncated and hard to read. Screenshot.

eXact’s BullsEye service also shows sponsored link listings in freestanding windows. Here too, results are obtained from Yahoo Overture. Screenshot.

Direct Revenue – Popups and Popunders of Yahoo Sponsored Links

A Yahoo Overture popunder, delivered by Direct Revenue, targeting Dell. Shown after activating the popunder.

[Diagram: PPC advertisers (i.e. Dell) → Yahoo Overture → InfoSpace → Direct Revenue. Each link is labeled “money” and “viewers”.]

The money trail – how funds flow from advertisers to Yahoo Overture to Direct Revenue.

Direct Revenue installations are at least as poor as eXact. I have numerous videos on file showing DR installed without consent (one such video on my public site). DR also uses various other tricky methods to get installed — like tricky popups, bundles, etc. But DR is perhaps worse than other advertising software in its unusual difficulty of removal (requiring downloading a special uninstaller from DR’s web site). DR is also unusual in its ability to disable and delete other software on a user’s PC.

Despite these troubling practices, DR also shows Yahoo Overture ads. See e.g. the example ad at right. The searchblazer results appeared when I browsed to Dell.com. Notice Direct Revenue’s “Aurora” branding in the upper-left corner and title bar. Although the ad’s body lacks any Direct Revenue branding or logo, the ad was loaded from the search.offeroptimizer.com server, a server under DR’s control. (Offeroptimizer.com is a well-known DR domain.) Furthermore, clicking on a sponsored link within the ad caused traffic that first passed through search.offeroptimizer.com en route to Overture. In short, this ad is not a rogue advertiser buying traffic from Direct Revenue. Rather, these sponsored links were specifically placed by Direct Revenue itself.

When I clicked on the first sponsored link shown at right, traffic flowed as listed below. See also full packet log.

http://xadsj.offeroptimizer.com/c/click.php?c=48685&s=5261&…
http://msxml.infospace.com/_1_B2HUEF099WI63__dirrev.feed.pu1/…
http://www10.overture.com/d/sr/?xargs=…
http://landingstrip.dell.com/landingstrip/ls.asp?CID=8278&LID=230157&…

As indicated in the diagram at right and in the traffic flow above, Yahoo Overture syndicates its ads to InfoSpace, and InfoSpace in turn syndicates these ads to Direct Revenue. This series of relationships makes it particularly hard for Yahoo Overture to know where its advertisers’ ads will appear: Yahoo must count on InfoSpace to assure the quality, ethics, and compliance of InfoSpace’s partners.

This is not the first instance of InfoSpace partners with questionable practices. In June I documented Google ads syndicated to the IBIS Toolbar (also known to become installed without consent). Like Overture ads passing through InfoSpace en route to Direct Revenue, these Google ads were passed from Google to InfoSpace to IBIS.

As in the Claria examples above, Direct Revenue syndications of Yahoo Overture ads often ask advertisers to pay for visitors already at their sites. In the example above, Dell was targeted by a list of sponsored links that places Dell in both of the top two positions. If a user clicks on one of these links, Dell pays Yahoo (and ultimately Direct Revenue) for a user who was already at the Dell site. Screenshot.

180solutions – Popups of Yahoo Sponsored Links

A Yahoo Overture popup delivered by 180solutions.

[Diagram: PPC advertisers (i.e. Driverloans) → Yahoo Overture → InfoSpace → 180solutions. Each link is labeled “money” and “viewers”.]

The money trail – how funds flow from advertisers to Yahoo Overture to 180solutions.

When I first posted this piece, I included no mention of 180solutions. My rationale: They’ve been involved in so many widely-publicized spyware scandals — from installing without consent, to installing with euphemisms (but no EULA) at kids sites, to installing at child porn sites — that undisclosed syndication of Yahoo Overture ads seemed like the least of their problems. Perhaps that’s right. But multiple readers asked me whether 180 wasn’t involved also, and why 180 wasn’t included in my write-up. So make no mistake about it: 180 shows Yahoo Overture ads too.

The screenshot at right shows a popup of Yahoo Overture ads delivered by 180solutions. In testing, I click on the ad, and traffic flows to InfoSpace, then to Overture, then to the advertiser. See traffic log below, and full packet log. See also a video of this click, showing the cookies created as a result of the click.

http://searchresults.180searchassistant.com/clicks.php?p==…
http://msxml.infospace.com/_1_YWCU9J03JUL8FV__180sol.feed/…
http://www10.overture.com/d/sr/?xargs=…
http://www.driverloans.com/app/2p1a?x=seoyahoo:value

Other Advertising Software Installed Improperly – Showing Yahoo Sponsored Links

Yahoo Overture ads in an auto-opening sidebar delivered by Sidefind, showing Dell sponsored links in response to type-in requests for the Dell.com site.

[Diagram: PPC advertisers (i.e. Dell) → Yahoo Overture → 81.201.104.136 → trafficengine.net → SideFind. Each link is labeled “money” and “viewers”.]

The money trail – how funds flow from advertisers to Yahoo Overture to SideFind.

Claria, eXact Advertising, Direct Revenue, and 180solutions are all relatively well-known programs — each installed on millions (or tens of millions) of PCs, and each backed by major investors. But Yahoo also helps to fund vendors who are far less well-known.

Earlier this summer, in the course of documenting Google funding IBIS, I also prepared detailed proof showing how Yahoo ads get syndicated to IBIS too. Video and packet logs on file.

Just this past week, I happened to test a computer infected with a variety of unwanted software (a few disclosed in license agreements; most not). I observed that traffic was sent to Yahoo from both “Slotchbar” (an unrequested toolbar added to my test PC’s browser without my consent) and “SideFind” (an auto-opening browser sidebar, also installed without consent). I have video and packet logs on file, showing these nonconsensual installations as well as their syndication of PPC advertisements from Yahoo Overture. The screenshot at right shows the auto-activating SideFind sidebar, targeting a type-in request for Dell with various sponsored links, largely pointing back to Dell.

These are just a few of the additional examples I have observed and recorded.

In some instances, Yahoo’s dealings with these smaller spyware vendors entail traffic passing through multiple levels of intermediaries. For example, when SideFind sends traffic to Yahoo Overture, the traffic passes through trafficengine.net and then through an unnamed server at IP address 81.201.104.136 (reportedly operated by Copernic/Inktomi) before reaching Overture. See diagram at right, traffic log below, and full packet log.

http://www.sidefind.com/ist/scripts/log_clicks.php?account_id=…
http://feeds.trafficengine.net/click.ashx?key=computers…
http://81.201.104.136/fast-cgi/bsc?context=redir…
http://www6.overture.com/d/sr/?xargs=…
http://landingstrip.dell.com/landingstrip/ls.asp?CID=8278…

In principle, these many levels of intermediation might make it especially hard for Yahoo to know where traffic begins. However, Yahoo ultimately has a direct relationship with some final source who sends the traffic to Yahoo. (In this example, Yahoo has a direct relationship with the operators of the 81.201.104.136 server.) So Yahoo can require that that final source take steps to keep Yahoo’s ads out of spyware. Furthermore, syndicated traffic often includes an HTTP Referer header that gives the name of the originating site. For example, in the Sidefind packet log, Yahoo’s servers receive an HTTP Referer header bearing the domain name sidefind.com, making it easy for Overture to see where traffic began. With its servers specifically receiving the name and URL of the traffic’s source, Yahoo cannot claim not to know where its ads are being shown.
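The audit described above can be automated. The following is an added example, not code from this article or from any ad network: it classifies each hop of the click chains logged on this page, names the partner the PPC network deals with directly, and checks the Referer. The role tables, function names and the two-label domain shortcut are assumptions of the example; the URLs are the truncated ones from the traffic logs above, and the Referer value is constructed.

```python
"""Audit a click's redirect chain for hops through advertising software."""
import ipaddress
from urllib.parse import urlsplit

# Role tables (an assumption of this example), filled only with hosts and
# owners named in the article's traffic logs.
ADWARE = {
    "offeroptimizer.com": "Direct Revenue",
    "180searchassistant.com": "180solutions",
    "sidefind.com": "SideFind",
}
SYNDICATORS = {"infospace.com": "InfoSpace", "trafficengine.net": "trafficengine.net"}
PPC_NETWORKS = {"overture.com": "Yahoo Overture"}

# Redirect chains as printed in the article, truncation marks included.
DR_CHAIN = [
    "http://xadsj.offeroptimizer.com/c/click.php?c=48685&s=5261&…",
    "http://msxml.infospace.com/_1_B2HUEF099WI63__dirrev.feed.pu1/…",
    "http://www10.overture.com/d/sr/?xargs=…",
    "http://landingstrip.dell.com/landingstrip/ls.asp?CID=8278&LID=230157&…",
]
SIDEFIND_CHAIN = [
    "http://www.sidefind.com/ist/scripts/log_clicks.php?account_id=…",
    "http://feeds.trafficengine.net/click.ashx?key=computers…",
    "http://81.201.104.136/fast-cgi/bsc?context=redir…",
    "http://www6.overture.com/d/sr/?xargs=…",
    "http://landingstrip.dell.com/landingstrip/ls.asp?CID=8278…",
]
# Constructed value: the article says only that the Referer bears sidefind.com.
SIDEFIND_REFERER = "http://www.sidefind.com/"


def site_of(url):
    """Return the IP literal, or the last two labels of the host name.

    Assumption: two labels approximate the registrable domain. That holds for
    every host in the article; production code should use the Public Suffix List.
    """
    host = (urlsplit(url).hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        return ".".join(host.split(".")[-2:])


def classify(site):
    """Map a site to (role, display name); unlisted sites are 'unknown'."""
    for role, table in (("adware", ADWARE), ("syndicator", SYNDICATORS),
                        ("ppc-network", PPC_NETWORKS)):
        if site in table:
            return role, table[site]
    return "unknown", site


def audit_chain(urls, referer=None):
    """Report who sits upstream of the PPC network in one click's redirects."""
    hops = [classify(site_of(u)) for u in urls]          # [(role, name), ...]
    roles = [role for role, _ in hops]
    net = roles.index("ppc-network") if "ppc-network" in roles else None
    upstream = hops[:net] if net is not None else hops
    adware = [name for role, name in upstream if role == "adware"]
    ref_role = classify(site_of(referer))[0] if referer else None
    return {
        "path": [name for _, name in hops],
        "network": hops[net][1] if net is not None else None,
        "adware_upstream": adware,
        # Parties between the originating software and the network.
        "intermediaries": [name for role, name in upstream if role != "adware"],
        # The last hop before the network: the partner it contracts with.
        "direct_partner": upstream[-1][1] if upstream and net is not None else None,
        "advertiser": hops[-1][1] if net is not None and net < len(hops) - 1 else None,
        "referer_is_adware": ref_role == "adware",
        "flagged": (bool(adware) and net is not None) or ref_role == "adware",
    }


if __name__ == "__main__":
    for label, chain in (("Direct Revenue", DR_CHAIN), ("SideFind", SIDEFIND_CHAIN)):
        report = audit_chain(chain)
        print(label, "->", " > ".join(report["path"]))
        print("  direct partner:", report["direct_partner"],
              "| flagged:", report["flagged"])
    # What the network sees by itself: its own hop plus the Referer header.
    seen = audit_chain(SIDEFIND_CHAIN[3:], referer=SIDEFIND_REFERER)
    print("Referer-only view flagged:", seen["flagged"])
```

The last call models the network's own vantage point: with no upstream redirects visible, the Referer alone is enough to flag the click.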

Yahoo’s Failure to Disclose

If Yahoo’s advertisers were fairly advised of Yahoo’s plan to syndicate their ads to spyware programs, Yahoo might claim to be acting solely as their agent; perhaps advertisers want to buy advertising from Claria, eXact, DR, 180, and other such vendors. But in fact Yahoo fails to tell advertisers what will occur — so Yahoo’s syndication of advertisers’ ads cannot be claimed to occur with advertisers’ authorization.

Yahoo’s marketing materials are silent on the risk of spyware syndication, even where Yahoo’s syndication relationships are large and longstanding (i.e. Claria). Within Yahoo’s marketing materials to solicit new advertisers, Yahoo’s “Publisher Network” page mentions various syndicators of Yahoo ads, but Yahoo fails to mention even a single “adware”-type program. Yahoo’s formal Advertiser Terms and Conditions doesn’t mention adware either, and this document discloses advertisement syndication only to say that Yahoo syndicates ads to “various third parties who may be authorized by Overture to make the Sponsored Listings Marketplace Results available as a link from, an add-on service to, or otherwise in connection with Third Party Products.” Yahoo defines these third-party products broadly, as “Web sites, content, applications and/or e-mails.” “Applications” alludes to spyware — but makes no mention of the specific nature of these applications, nor of the likelihood that these applications install by security exploits, trickery, or taking advantage of users’ naivete.

Only at Yahoo’s privacy page does Yahoo make specific mention of any of its advertising software syndicators. Even there, Yahoo mentions only Claria, and Yahoo calls Claria an “ad network” — without mention of its adware, its software download, and its substantial privacy consequences. Furthermore, Yahoo’s privacy page states only that Yahoo has a “relationship” with Claria — but says nothing about the nature or scope of that relationship, i.e. that Claria shows Yahoo Overture ads. In any event, advertisers are unlikely to look to a page about consumer privacy in order to learn where their ads will be shown.

Given the perceived importance and value of Yahoo’s pay-per-click advertising network, some advertisers might choose to advertise with Yahoo despite the blemish of Yahoo’s dealings with spyware companies. Others might decide not to advertise with Yahoo at all, if advertising with Yahoo necessarily entails supporting spyware. But where Yahoo fails to disclose these relationships, advertisers are denied this choice.

What Yahoo Should Do

In my view, Yahoo — and other PPC networks facing similar problems — should begin by developing and distributing clear rules for who may syndicate their ads. Last year a Yahoo spokesperson told eWeek that “Overture screens its distribution partners to make sure they gain user permission before downloading software.” “Permission” may sound clear-cut, but in practice it’s a surprisingly imprecise concept. What about “permission” obtained under false pretenses — like promising to fix a user’s clock or to improve security, but actually adding advertising software? What about “permission” obtained from a user at a kids site? What about syndicators that buy traffic from advertising software installed without consent, but that don’t make such software of their own? PPC networks need rules that speak to these situations — presumably forbidding all these methods of trickery and deception.

After clarifying their stance on spyware syndicating their ads, PPC networks need to redouble their efforts at enforcement. Tellingly, even Yahoo’s “permission” standard is violated by the frequent nonconsensual installations of Direct Revenue and eXact Advertising (links above). Nonconsensual installations of these programs are well known to those who test and study spyware, and they’re frequently reported at spyware news sites like Spyware Warrior. PPC network staff need to become familiar with these basic industry sources and testing methods, and they need to enforce their rules accordingly.

At present, Yahoo has many PPC syndicators — apparently hundreds or thousands. (Yahoo does not disclose all its syndicators.) Finding all rogue syndicators may prove hard, especially if Yahoo’s syndicators have further partners of their own (as in the Direct Revenue / InfoSpace and SideFind examples, above). In this article, I’ve focused on a few large and well-known syndicators who rely on software installed on millions of PCs, but smaller players are often harder to find and identify. Nonetheless, I’ve found dozens of rogue PPC syndicators using only a single off-the-shelf PC in my lab. (See above.) With all their resources, big PPC networks (like Yahoo) can surely do far better.

Enforcement also needs to include real penalties for those who break the rules. Merely ejecting a rogue syndicator does not deter future violations: Others see that they can make money from PPC syndication through spyware, anticipating only a slap on the wrist when these practices are discovered. A better enforcement strategy would seek to recapture fees previously paid to rogue syndicators — then refund advertisers for ads shown improperly. If a PPC network adopted this strategy and sued its rogue syndicators where necessary, other rogues would be less anxious to follow.

Beyond advertiser backlash and consumer demand, PPC networks face regulatory pressure to avoid supporting spyware through PPC syndication. For example, in the course of their investigation of Intermix, staff of the New York Attorney General revealed that Yahoo contributed 10% of Intermix’s revenue. NYAG staff say they’re “not ruling out” litigation against Yahoo for funding Intermix. More recently, rumors indicate a possible NYAG investigation of Direct Revenue. Given Yahoo’s past support for Intermix, I wonder how NYAG will react to seeing Yahoo funding Direct Revenue too.

If a PPC network can’t or won’t eliminate rogue syndicators, it could at least grant advertisers the ability to opt out of particular unwanted syndications. Others have offered this suggestion on various occasions (e.g. Kraft seeking to avoid syndicating its ads to white supremacy groups), as to both Yahoo Overture and Google. Affiliate networks all offer this level of granularity — letting each affiliate merchant decide what affiliates may earn fees for promoting it. But to my knowledge, no major PPC search engine offers this level of advertiser control.

Ultimately, PPC syndication offers savvy PPC networks a valuable opportunity — a chance to lead industry efforts to stop the spread of unwanted advertising software. Earlier this week, Azoogle launched its new “MPORT” network with the promise of keeping the network entirely adware-free. With a bit of effort and a renewed commitment to stopping spyware, Yahoo could bring MPORT’s no-adware benefit to Overture advertisers too.

More on Google’s Role: Syndicated Ads Shown Through Ill-Gotten Third-Party Toolbars

I’ve previously written about two different ways that Google gets involved in distributing and funding spyware: Allowing Blogspot to be used to foist spyware through tricky ActiveX popups and paying fees to AdSense sites who in turn buy pop-ups through 180solutions (such that revenue ultimately flows from advertiser to Google to AdSense site to 180solutions).

Many of Blogspot’s ActiveX popups have disappeared since my February article, and Google promises to put a check on AdSense popups too. But Google’s role goes much further: Through syndication relationships, Google provides ads to multiple web toolbar operators, including to toolbars installed on users’ PCs without notice or consent. Google pays these toolbar companies for the ads they show — thereby supporting and funding their operations.

Google’s Rules and Policies

Google repeatedly tells its advertisers that their ads will appear only on Google’s “high-quality” partner sites.

What does “high-quality” mean? Google doesn’t say. But last year Google published a set of “Software Principles” for advertising programs — calling for improved notice and consent before advertising software becomes installed. A basic notion of “high-quality” sites is that they don’t solicit traffic through software violating Google’s Software Principles, and that they also don’t make or distribute such software. My sense is that an advertising channel cannot be considered “high-quality” if it is predicated on installing software onto users’ PCs without their consent or without their informed consent.

Ask Jeeves and Its Ill-Gotten Toolbars

I’ve previously shown that Ask Jeeves’ toolbars sometimes install without asking for permission (additional videos on file). Other Jeeves toolbars install in effective stealth or otherwise without informed consent. Some examples:

  • The AJ toolbar bundled with the iMesh P2P program is disclosed only at page 27 of iMesh’s 56 page license. Users who manage to locate this paragraph are likely to face some difficulty in understanding it; the text largely uses euphemisms in place of the word “toolbar” to describe AJ’s software. (Until recently, the license didn’t use the word “toolbar” at all.) See also analysis by SearchEngineWatch.
  • Kazaa has long bundled AJ’s MySearch toolbar (though a recent revision to Kazaa seems to have replaced it with a competing toolbar). Historically, AJ’s inclusion has been prominently disclosed in the Kazaa installer. But users wanting to learn more about AJ have had no reasonable way to find details or even to read AJ’s license: Kazaa oddly placed the AJ license agreement at page 32 of a document puzzlingly labeled “Altnet License Agreement” (without mention of AJ).
  • When Ask Jeeves promotes its toolbars in banner advertising, it again fails to obtain the kind of consent that Google seeks. AJ advertises on kids sites, using euphemisms in place of plain language, and showing pictures of smiley faces rather than pictures of its advertising toolbar. AJ’s installation does not affirmatively show a license agreement providing more detailed terms. On 800×600 screens (such as many older PCs), AJ even fails to show a properly-labeled link to a license or to mention the word “toolbar” in on-screen text prior to installation.

So even if a user has an AJ toolbar, the user may not want it, may not know how it arrived, and may not have granted meaningful consent (if any consent at all). These various behaviors seem to constitute multiple violations of Google’s Software Principles — among others, installation without any consent at all, as well as failure to provide appropriate “upfront disclosure.”

[Diagram: PPC advertisers → Google AdWords → Ask Jeeves. Each link is labeled “money” and “viewers”.]

How funds flow from advertisers to Ask Jeeves

Notwithstanding the tricky installation methods used by these Ask Jeeves toolbars, AJ’s revenues ultimately largely come from Google: Enter a search term into an AJ toolbar, and most of the resulting ads are Google AdWords ads. AJ’s recent 10-Q says AJ gets 74% of its total revenues from Google. With AJ’s 2005 Q1 revenue at $94.9 million, Google apparently pays AJ approximately $278 million per year. Fees flow from advertiser to Google to AJ, as shown at right.

Google’s relationship with Ask Jeeves is widely publicized: Google issued a press release announcing its relationship with AJ, and Google’s main AdWords page even shows AJ’s logo. But Google’s statements to advertisers fail to mention the possibility that AJ will send advertisers traffic that was obtained from toolbars installed without proper notice and consent or, in some instances, any notice or consent at all.

Of course, Google’s relationships with toolbar makers don’t stop with Ask Jeeves. Google ads end up shown through other distribution channels with even worse installation practices.

How Google Supports IBIS WebSearch


I’ve long watched the IBIS WebSearch toolbar and its troubled installation practices. I’ve often seen IBIS installed through security holes with no notice or consent. (Multiple additional videos on file.) I’ve also posted documentation of IBIS installed in tricky bundles with minimal notice. I’ve even seen IBIS offered in repeated ActiveX popups that tell users “you must click yes to continue” if users initially refuse installation. Other IBIS ActiveX popups offer a defective license link; clicking the license yields no license. (Video proof on file.)

These practices seem to violate almost every one of Google’s Software Principles. Google says to let users decline an unwanted installation, to give users upfront disclosure of major program functions, to clearly disclose changes to browser configuration, and only to come bundled with other programs meeting these rules. But my records show IBIS failing to meet each of these requirements.

[Diagram: How funds flow from advertisers to IBIS WebSearch. PPC advertisers, Google AdWords, Go2Net, IBIS WebSearch; each adjacent pair linked by “money” and “viewers” arrows.]

Notwithstanding these apparent violations of Google’s Software Principles, IBIS shows many Google ads, seemingly receiving payment for such displays. Run a search in IBIS, and the ads often match Google ads. See screenshot at left. See also a video showing a search conducted through the IBIS WebSearch toolbar, a click on an ad, and the immediate creation of Go2Net and Google cookies. (Note that Google ads typically fill the entire screen of an 800×600 web browser.)

Click on a WebSearch ad, and traffic flows from WebSearch to Go2Net to Google to advertiser. Payment flows in the opposite direction. See diagram at right.

Using a network monitor (“packet sniffer”), I recorded the raw traffic that occurred when I clicked on the Orbitz ad shown above. In particular, my browser retrieved the URLs listed below. See also the full packet log of the associated transmissions, showing the full parameters of all redirects.

http://www.websearch.com/xfb_redir.aspx?CP=
http://clickit.go2net.com/search?pos=1&ppos=1&plnks=5&query=car+rental
http://clickit.go2net.com/search/id?pos=1&ppos=1&plnks=5&query=car+rental
http://www.google.com/url?sa=l&q=http://www.orbitz.com/App/DisplayCarSearch&ai=
http://www.google.com/url?q=http://www.orbitz.com/&ai=
http://www.orbitz.com/App/DisplayCarSearch?semsource=goog&semkeyword=car+rental

Google’s listing of ad partners confirms that Google ads can be shown by InfoSpace, owner of Go2Net. Note that InfoSpace is a publicly-traded company (NASDAQ: INSP).
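Added example (not part of the original article or its packet log): a Python script that takes the six URLs listed above, exactly as they appear on this page, and reconstructs which parties handled the click, what destination each Google hop carried, and what source tag the advertiser finally saw. The function names and the domain-suffix matching are assumptions of this example.

```python
from urllib.parse import urlsplit, parse_qs

# URLs as listed in the article (the CP= and ai= values are truncated there).
OBSERVED = [
    "http://www.websearch.com/xfb_redir.aspx?CP=",
    "http://clickit.go2net.com/search?pos=1&ppos=1&plnks=5&query=car+rental",
    "http://clickit.go2net.com/search/id?pos=1&ppos=1&plnks=5&query=car+rental",
    "http://www.google.com/url?sa=l&q=http://www.orbitz.com/App/DisplayCarSearch&ai=",
    "http://www.google.com/url?q=http://www.orbitz.com/&ai=",
    "http://www.orbitz.com/App/DisplayCarSearch?semsource=goog&semkeyword=car+rental",
]

# Party names are the ones the article uses; matching on a domain suffix
# is an assumption of this example.
PARTIES = {
    "websearch.com": "IBIS WebSearch",
    "go2net.com": "Go2Net (InfoSpace)",
    "google.com": "Google",
    "orbitz.com": "Orbitz",
}

def party_for(url):
    host = (urlsplit(url).hostname or "").lower()
    for suffix, name in PARTIES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return "unknown:" + host

def click_chain(urls):
    """Collapse consecutive hops by the same party into one link of the chain."""
    chain = []
    for url in urls:
        name = party_for(url)
        if not chain or chain[-1] != name:
            chain.append(name)
    return chain

def upstream_of(chain, network):
    """Parties that handled the click before the named ad network did."""
    return chain[: chain.index(network)] if network in chain else []

def embedded_destinations(urls):
    """Destinations carried in a hop's q= parameter (the google.com/url hops)."""
    found = []
    for url in urls:
        for target in parse_qs(urlsplit(url).query).get("q", []):
            if target.startswith(("http://", "https://")):
                found.append((party_for(url), target))
    return found

def landing_tags(url):
    """Query parameters on the landing URL, i.e. what the advertiser's logs record."""
    return {key: values[0] for key, values in parse_qs(urlsplit(url).query).items()}

if __name__ == "__main__":
    chain = click_chain(OBSERVED)
    print(" -> ".join(chain))
    print("upstream of Google:", upstream_of(chain, "Google"))
    print("advertiser sees:", landing_tags(OBSERVED[-1]))
```

The landing URL carries only `semsource=goog`, so an advertiser reading its own logs sees Google as the source; the two upstream parties appear only in the full chain.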

The example above shows an Orbitz ad being shown by IBIS WebSearch. In my testing, Orbitz often advertises through programs often called spyware. (Examples: Orbitz ads shown by Claria/Gator, eXact Advertising and Hotbar.) But because IBIS WebSearch syndicates and shows many Google ads for many keywords, IBIS shows ads even for advertisers who otherwise refuse to do business with spyware firms. Indeed, thanks to syndication from Google, IBIS even shows (and receives payment for showing) ads from firms that have filed suit against makers of such software. For example, I have captured proof of IBIS showing Google AdWords ads from Hertz, LL Bean, and the New York Times, each of which has taken a stand against unwanted advertising software by suing Claria.

Enforcement Challenges

Google’s Software Principles document concludes by noting that “Responsible … advertisers can work to prevent [undesirable software] by avoiding these types of business relationships [those violating the principles set out above], even if … through intermediaries.” This is surely good advice. But Google’s far-reaching relationships with Ask Jeeves, IBIS, and others indicate that Google’s actions fall short of Google’s own recommendations to others.

Most of Google’s AdWords partners are probably highly trustworthy — unlikely to show ads except in the ways that Google intends and permits. But where Google’s partners have partners of their own (as InfoSpace/Go2Net does in WebSearch), enforcement is likely to be more difficult and accountability lacking. Google could eliminate this problem by prohibiting its partners from syndicating Google ads on to further partners of their own — though such a rule would narrow the network showing Google sites and thereby reduce Google’s revenues. Google’s existing partners may also have contractual rights to distribute Google ads to partners; AJ’s 10-Q comments that AJ “display[s] paid listings from Google on … many of the third-party sites in our network” (page 18).

My testing of Go2Net/WebSearch was made particularly difficult by the fact that the Google ads at issue apparently occur only on nights and weekends. During the business day, I have observed that WebSearch generally shows ads from other sources, not from Google. This type of change tends to undermine and confuse casual efforts at testing and enforcement.

Tough enforcement is particularly difficult due to the large amount of money at issue. Ask Jeeves’ relationship with Google has grown to hundreds of millions of dollars per year. Yet my documentation of AJ’s installation practices demonstrates that some AJ traffic to Google comes from AJ toolbars installed without consent or installed without consent that meets Google’s standards. With huge money on the line, will Google terminate its relationship with AJ, as its Principles seem to require (“avoid… these types of business relationships”)? The wrongful installations cannot immediately be undone — it’s hard (though probably not impossible) to determine exactly which AJ toolbar installations lacked consent or lacked the kind of consent Google calls for. But it seems clear that AJ’s practices don’t live up to Google’s standards. What will Google do now?

Intermediaries’ Role in the Spyware Mess (updated May 28, 2005)

When unwanted programs (“spyware” and others) sneak onto users’ computers, their main goal is often to show extra ads, typically pop-ups. If a vendor’s program steals users’ credit card numbers or social security numbers, the vendor will get in real trouble. But, historically, software vendors have been able to show extra ads with impunity.

Where do these ads come from? What companies are willing to support the advertising software that users so despise? It turns out some of the world’s biggest companies are advertising in this way. In 2003, I posted a list of some of Gator’s then-biggest advertisers, work that PC Pitstop updated in 2003 (using Claria’s S1 filing). More recently, I’ve posted a list of substantially all eXact Advertising advertisers. More to come.

These advertisers aren’t working in a vacuum. To the contrary, many of their ads appear through spyware only thanks to major ad intermediaries that facilitate and track those placements, and that assist in the associated payments.

Are ad intermediaries responsible when their ads are shown by software installed improperly? Marquette law professor Eric Goldman thinks not. But the New York Attorney General’s office has repeatedly suggested they might be. My take: Advertiser and intermediary liability is an interesting question of law, well beyond my aspirations for this brief piece. But where ad intermediaries purport to certify or stand behind the quality of the venues where their ads are shown, I’m not receptive to their claims that they can’t do what they’ve promised. Where ad intermediaries merely count advertisement clicks without even claiming to assure traffic quality, the case for blaming intermediaries for improper use of their tracking links may be somewhat weaker (though still cognizable).

One fact about which there is no reasonable dispute: Spyware would be far less profitable — and there would be far less of it trying to sneak onto users’ PCs — if big advertisers weren’t advertising this way and if big ad intermediaries weren’t helping to facilitate such advertisements.

An Initial Example: Atlas DMT Assisting with Expedia Ads Shown by 180solutions


An Expedia ad shown by 180solutions, via Atlas DMT tracking.

The many relationships in spyware advertising can be quite complicated, all the more so because advertising and payment structures take so many forms. But let me start with a relatively straightforward example: When users visit aa.com (American Airlines) on PCs with advertising software from 180solutions, 180 may show a popup of Expedia’s web site. See inset image at right.

[Diagram: Traffic Flow. Expedia (advertiser), Atlas DMT (intermediary), 180solutions; each adjacent pair linked by a “viewers” arrow.]

Although 180 could show the Expedia site directly, traffic more typically passes through intermediaries like, in this case, aQuantive’s Atlas DMT. In particular, 180 invokes the Atlas tracking link http://expedia.click-url.com/go/www18epd0600005172ave/direct/01, which then redirects users to the specified page at Expedia. So users reach Expedia through Atlas, as shown in the diagram at right.

Ads are placed through intermediaries for a variety of reasons. Sometimes intermediaries help to broker the deal — making connections between advertisers and venues where ads can be shown. Some advertisers might not want to do business with 180solutions directly — maybe they haven’t heard of 180, or have heard only bad things; but doing business with Atlas seems reasonable thanks to Atlas’s better reputation. Or perhaps Atlas adds accountability: An advertiser might not trust 180’s record-keeping, but the advertiser might feel confident that Atlas will accurately count how many times each ad was shown. Intermediaries can also provide efficient and centralized payment, reducing administrative costs. Whatever the reason, ads tend to flow through intermediaries — and so intermediaries like Atlas are well-equipped to stop such ads from appearing, if they care to do so.

Of course this Expedia/Atlas example is but one of many. See e.g. a more detailed example I posted in July 2004, showing a 180solutions ad for Hawaiian Airlines, also served by Atlas, substantially covering the Delta.com site.

A Case Study: Advertising Intermediaries Supporting 180solutions

Beyond the Expedia ad shown above, I’ve also been looking at all 180’s other ads, along with examining where these ads come from.

For those interested in advertisers supporting unwanted software, 180solutions is a natural place to start. 180solutions is often installed with no consent at all (videos: 1, 2), via misleading promises at kids sites, in poorly-disclosed bundles, and otherwise without appropriate notice and consent — so ads shown by 180 are presumptively unwanted. Meanwhile, my testing confirms that 180solutions tracks what web sites users visit — rightly earning the name “spyware” since 180 installations can be nonconsensual. 180 also attracts attention for its large installed base and substantial venture funding. Crucially, 180’s self-serve advertising sales system, MetricsDirect, lets anyone hire 180 to show a given ad URL when users visit URLs with a given keyword — without so much as speaking to a 180 representative. In combination, these factors make 180 among the worst offenders at showing problematic ads: Bad actors can use 180 to show advertisers’ sites to millions of users, without meaningful scrutiny by 180 and, thanks to ad intermediaries’ tracking systems, sometimes even without advertisers’ knowledge.

Earlier this month, I found that 180solutions tracks a total of 510,211 keywords within the URLs users visit. In my testing, 157,083 of these keywords are actively targeted with ads. A total of 88,388 distinct ads target these keywords. (As expected, many ads target more than one keyword. I measure “distinct ads” based on use of distinct ad URLs.)

Of these 88,388 ads, many pass through well-known intermediaries which serve to facilitate relationships between advertisers and 180; to track views, clicks, or purchases; and/or to track, coordinate, or facilitate payment. The listing below gives a summary of the number of ads (of these 88,388) found to be actively loading content from the specified intermediaries. The listing reports only intermediaries associated with 500 or more different 180solutions ads.

Advertising intermediary                                               # ads

Traditional banner ad networks / tracking services
  Atlas DMT (aQuantive) (NASDAQ: AQNT)                                 2,666
  Adteractive                                                          2,231
  DoubleClick (NASDAQ: DCLK)                                           1,352
  FastClick (NASDAQ: FSTC)                                               513

Affiliate networks
  ClickBank                                                            1,054
  Commission Junction (including BeFree) (ValueClick) (NASDAQ: VCLK)     686

Syndicated search engine advertising
  Google (NASDAQ: GOOG)                                                4,678

See disclosure as to Advertising.com (AOL).

Update: I’ve been asked for details about the “actively loading content from” criteria that governs inclusion in the table above. My scripts check for content loaded from an intermediary by looking for redirects, for loading an intermediary’s content in a FRAME or IFRAME, or for use of JavaScript to load arbitrary code from an intermediary. Most of the listed intermediaries primarily use the redirects and FRAME/IFRAME methods. But Google AdSense sites typically use JavaScript to load Google’s inline ads in a JavaScript-created subwindow. What all these practices have in common is that they actually show substantial content from the ad intermediary — not merely (for example) a small text link to an affiliate network.

Do Ad Intermediaries Intend to Support 180?

Multiple advertising intermediaries (and some big advertisers) have recently written to me to tell me that they “can’t” track how ads are being shown using their networks and systems. They apparently consider it impossible to track all their ads — so they think they shouldn’t be blamed if they fail, i.e. if their ads are shown through software installed improperly on users’ PCs.

I emphatically disagree. The task is definitely doable. I know because I’ve already done it.

[Diagram: Flow of Traffic and Payments. advertisers; ad intermediaries (e.g. Commission Junction); independent intermediaries (e.g. Top3offers); spyware (e.g. 180solutions); each adjacent pair linked by “money” and “viewers” arrows.]

Ad intermediaries are correct that the design of spyware and similar systems makes their traditional enforcement procedures ineffective. Historically, if an ad intermediary noticed that some client or site was showing its ads in a way the intermediary didn’t like, the intermediary could simply cancel the corresponding entity’s contract and withhold payments to that entity or refuse future business from that entity.

180solutions’ design (and others like it) wreaks havoc on this simple enforcement model. Many of 180’s ads are placed by 180 advertisers, acting in their own names, in general without disclosing that the resulting traffic will be shown in 180solutions pop-ups. For example, Top3offers.com pays 180solutions to show Top3offers URLs when users visit certain keywords pertaining to online dating. Top3offers then sends such traffic to Yahoo Personals via a Commission Junction tracking link, ultimately receiving payments for leads or signups. Yahoo and CJ did not request that Top3offers take any such action — and if they search their advertiser databases for 180solutions, they won’t find a match, because the underlying account is in the name of Top3offers, not 180. And of course Top3offers is just one of hundreds — thousands? — of middle-men using similar methods. (See e.g. ten specific examples I posted in detail last year — complete with packet logs, videos, etc.)

So it’s insufficient for ad intermediaries to merely search their databases for the names of known wrongdoers. Rather, rigorous enforcement requires examining actions, not just names. Savvy intermediaries need an enforcement system that monitors ads at trouble spots like 180solutions, that flags suspect ads shown there, and that does not naively assume that bad actors will be truthful in their statements to ad intermediaries. Conveniently, that’s precisely how my ad-tracking robot works — that’s precisely how I generated the table above.

This CJ/Top3offers example is just one of many, and of course facts vary across types of ad intermediaries. Because affiliate networks like Commission Junction generally pay commissions only when users make purchases, they tend to be particularly indiscriminate as to who can place such links and earn such commissions — operating under the mistaken assumption that if a user made a purchase, the traffic must have been legitimate. (They ignore the risk that the ad was improperly shown to the user, without appropriate prior consent.) Indeed, despite CJ having ended its direct relationship with 180, 180’s advertisers (the “independent intermediaries” in the diagram above) continue to run CJ links — apparently in the expectation of continuing to receive payment, i.e. because CJ won’t catch them. If CJ can’t identify and block this traffic, then CJ still earns its commissions on such traffic — so paradoxically CJ still profits from the activities of 180 and its advertisers.

How Google Gets Involved

[Diagram: Flow of Traffic and Payments via Google. PPC advertisers, Google (AdWords), AdSense sites, 180solutions; each adjacent pair linked by “money” and “viewers” arrows.]

Google’s relationship with 180 proceeds in the convoluted path shown at right. Pay-per-click advertisers pay Google to show their ads on Google’s AdSense partner sites. Some AdSense members then pay 180 to show the members’ sites via 180solutions popups, such that funding ultimately flows as shown at right: From pay-per-click advertiser to Google to AdSense member site to 180solutions. (Example.)

Google’s relationship with 180 merits special discussion for at least two reasons. First, where other intermediaries often withhold from making claims about the quality of the sites they track or serve, Google tells its advertisers that sites showing Google ads are “high-quality” and “reviewed and monitored according to … rigorous standards.” Furthermore, Google’s AdSense Program Policies provide that AdSense ads may not be displayed in pop-ups or via client software (like 180).

Second, notwithstanding Google’s statements about the quality of sites in its network, Google’s relationship with 180 is surprisingly large: Of the 88,388 current 180solutions ads, some 4,678 (5%+) include Google AdSense ads, making Google the most prevalent source of funding for web sites advertising with 180solutions (at least when measured by the methods set out above).

Despite the “quality” claims in Google’s statements to its advertisers, it is unclear what steps Google takes to enforce its stated rules. I sent an inquiry to Google staff two weeks ago, but I have not yet received a response.

That Google AdSense members promote their sites through pop-ups like 180’s is entirely foreseeable. Indeed, Google apparently foresaw this problem when it included AdSense policy text to specifically forbid this practice. Now that the problem is observed and now that it turns out to be substantial, will Google enforce its existing rule?

Update: In a blog entry responding to this piece, Eric Goldman concludes “nothing about traffic to AdSense sites sourced by adware vendors runs contrary to Google’s stated policies.” Perhaps I haven’t explained (what I view to be) the violation sufficiently clearly. So let me try again. First, AdSense Program Policies require that “No Google ad … may be displayed on any … pop-ups” — seemingly violated when 180 shows pop-ups of sites that include AdSense ads. Second, AdSense’s Terms and Conditions provide as follows (emphasis added):

“5. Prohibited Uses. You shall not, and shall not authorize or encourage any third party to … (vi) directly or indirectly access Ads … through or from any software application.”

My example shows behavior that seems to exactly match the prohibited activity: An AdSense site hires 180 (surely “authoriz[ation]” and “encourage[ment]” within the meaning of the rule) to show the AdSense site, including showing (and thereby “access[ing]”) the site’s AdSense ads, as a result of the 180 software application observing the user viewing certain targeted sites. To me, the inconsistency between this practice and the stated rule seems abundantly clear.

Methodology, Enhancements, and Future Work

For those interested in my methodology: I’ve previously written about how to learn what ads 180 shows when users visit certain sites. The results above are derived from this list of ad URLs by processing with a robot that looks at the contents of each ad URL, attempting to determine and classify any ad networks or other intermediaries forwarding users to other advertising elsewhere.

Because my robots are imperfect, my methods tend to undercount the number of ads actually coming from each ad intermediary. My robots can track and analyze most standard HTML, including server-side redirects, client-side redirects, frames, iframes, and even basic JavaScript. But encoded JavaScript and certain other tricks currently serve to stop my robots from successfully and fully analyzing all ads.
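Added example (not the robot described above, which is not published on this page): a Python classifier applying the “actively loading content from” criteria to already-fetched ads, counting server-side redirects, meta-refresh redirects, FRAME/IFRAME sources and SCRIPT sources, then tallying distinct ad URLs per intermediary. The host table, record layout and sample ads are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hostname suffix -> intermediary. click-url.com is the Atlas tracking host in
# the article; the other two suffixes are assumptions made for this example.
INTERMEDIARY_HOSTS = {
    "click-url.com": "Atlas DMT",
    "doubleclick.net": "DoubleClick",
    "googlesyndication.com": "Google",
}

def intermediary_for(url):
    host = (urlsplit(url).hostname or "").lower()
    for suffix, name in INTERMEDIARY_HOSTS.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

class LoadedContent(HTMLParser):
    """Collect URLs a page actually loads: FRAME/IFRAME, SCRIPT src, meta refresh.
    Plain <a href> text links are ignored, matching the article's criteria."""
    def __init__(self, base):
        super().__init__()
        self.base, self.loads = base, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("frame", "iframe") and a.get("src"):
            self.loads.append(("frame", urljoin(self.base, a["src"])))
        elif tag == "script" and a.get("src"):
            self.loads.append(("script", urljoin(self.base, a["src"])))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content") or "", re.I)
            if m:
                self.loads.append(("redirect", urljoin(self.base, m.group(1).strip())))

def classify_ad(ad):
    """Map one fetched ad (url, status, location, body) to {intermediary: methods}."""
    loads = []
    if 300 <= ad["status"] < 400 and ad.get("location"):   # server-side redirect
        loads.append(("redirect", urljoin(ad["url"], ad["location"])))
    parser = LoadedContent(ad["url"])
    parser.feed(ad.get("body") or "")
    found = defaultdict(set)
    for method, target in loads + parser.loads:
        name = intermediary_for(target)
        if name:
            found[name].add(method)
    return dict(found)

def tally(ads, min_ads=1):
    """Distinct ad URLs per intermediary, keeping those with at least min_ads."""
    per = defaultdict(set)
    for ad in ads:
        for name in classify_ad(ad):
            per[name].add(ad["url"])
    return {name: len(urls) for name, urls in per.items() if len(urls) >= min_ads}

# Constructed fetch results, not real captures. ads.example.test is a placeholder
# host and the intermediary URL paths are made up for the sample.
SAMPLE_ADS = [
    {"url": "http://ads.example.test/a1", "status": 302, "body": "",
     "location": "http://expedia.click-url.com/go/constructed"},
    {"url": "http://ads.example.test/a2", "status": 200,
     "body": '<IFRAME SRC="http://ad.doubleclick.net/constructed"></IFRAME>'},
    {"url": "http://ads.example.test/a3", "status": 200,
     "body": '<script src="http://pagead2.googlesyndication.com/constructed.js"></script>'},
    {"url": "http://ads.example.test/a4", "status": 200,   # text link only: not counted
     "body": '<a href="http://ad.doubleclick.net/constructed">offer</a>'},
    {"url": "http://ads.example.test/a5", "status": 200,
     "body": '<meta http-equiv="refresh" content="0; URL=http://expedia.click-url.com/go/x">'},
]
```

Calling `tally(SAMPLE_ADS, min_ads=500)` applies the table's inclusion threshold; like the robot described above, this classifier does not follow encoded JavaScript and so undercounts.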

In the coming weeks I’ll be posting more specific data — perhaps a listing of specific ads shown through unwanted software on users’ PCs, passing through some or all of the ad intermediaries listed above; perhaps videos and packet logs examining particular examples in detail. Interested readers should feel free to send suggestions and requests. Note that my March 2005 eXact Advertising testing reported the intermediaries associated with most of eXact’s current ads.

Where Do We Go From Here?

At a recent NAI Spyware conference, advertising executives reportedly discussed “creating robot-like technology to follow … advertisement[s].” They’re on the right track — but it’s unfortunate that they’re still just “discussing” rather than actively moving forward with the work. If I can do the analysis above — using just my ordinary cablemodem, some VB scripts running within Microsoft Access, and a single spare PC in my lab — then surely NAI’s members can do a lot better.

NAI members like aQuantive and DoubleClick are currently placing and tracking thousands of ads that are helping to fund the unwanted software plaguing users’ PCs. The time for talking has long since ended.

Disclosure: I serve as a consultant to AOL on certain matters related to spyware. If AOL’s Advertising.com ads had been sufficiently frequent to meet the criteria for inclusion in the table, I would have included them. However, in fact AOL / Advertising.com serve/track/support substantially less than 500 ads shown by 180solutions, therefore not calling for inclusion in the table. This calculation is based on 180solutions ads as they stood before I sent AOL any report as to its Advertising.com ads being shown by or through 180solutions. To the extent that AOL’s numbers are below those of other ad intermediaries, I attribute this to AOL’s March 2005 decision to stop doing business with all adware companies.