How Expedia Funds Spyware

Unwanted advertising programs — typically called spyware — are funded by thousands of the world’s largest companies and most respected advertisers. Ask most of these advertisers about their support for spyware, and they’ll say they didn’t know. After all, their affiliates might have bought the ads. Their outsourced advertising placement firms might have made the decisions. Or pay-per-click search engines (including Google and Yahoo) might have syndicated their ads to spyware vendors, without advertisers’ knowledge or consent. (Details: Google, Yahoo)

But a few advertisers have the gall to defend advertising through spyware. Earlier this year, the Associated Press asked Expedia about its support for spyware. Expedia’s spokesman responded:

“It is just a marketing tool that we use.”

Expedia subsequently claimed to have “rigorous standards” for advertising software, including “mak[ing] sure customers want [the] ads.”

Despite Expedia’s claims of user consent, Expedia advertises with numerous programs that don’t get user consent at all.

Expedia Supports 180solutions, Direct Revenue, and eXact Advertising

The screenshots below show Expedia ads shown by the vendors listed at right. Below each vendor’s name are potentially-objectionable practices of that vendor — practices observed currently or in recent months. In each instance, practices include installation through security holes, with no notice or consent.

All ads were observed in September 2005. Click an ad to see a full-size screenshot with additional commentary.

An Expedia popup shown by 180solutions when I  browsed to aa.com.  

180solutions (Zango / 180search Assistant)

An Expedia popunder shown by Direct Revenue when I browsed to jetblue.com.  Shown after activation of the popunder.

Direct Revenue (Aurora, Ceres, etc.)

An Expedia popunder shown by eXact Advertising when I browsed to jetblue.com.  Shown after activation of the popunder.

eXact Advertising (BullsEye)

Intermediaries Placing and Tracking Expedia’s Spyware Ads

Comments from Expedia staff indicate that Expedia is aware of its relationships with “adware” vendors. Nonetheless, advertising intermediaries help facilitate, track, and fund these relationships. Users may therefore place some blame on advertising intermediaries.

In my May analysis of intermediaries helping to fund spyware, I offered as an example an Expedia ad served by 180solutions via aQuantive’s Atlas Solutions.

Other Expedia ads flow through other intermediaries, although each of the ads shown above ultimately reaches Expedia via Atlas Solutions. For example, the ad shown by eXact also passes through Xctrk.com (SearchBoss) and 24/7 Real Media before reaching Atlas.

Although spyware traffic reaches Expedia through advertising intermediaries, Expedia’s servers receive detailed information about the sources of newly-arrived users referred through spyware advertising. For example, see the partial screenshot below, showing an Expedia popup delivered by 180solutions, covering American Airlines at aa.com. Notice that the URL to Expedia includes the string “metdr” in the URL bar. “Metdr” is an abbreviation for MetricsDirect, 180’s advertising sales unit. The presence of this text in Expedia’s URL indicates Expedia’s specific knowledge that the ad is coming from 180solutions. Under these circumstances, Expedia cannot claim to be unaware that it is supporting 180solutions. My full ad screenshots present similar tracking codes in Expedia’s ads as shown by other spyware vendors.

What Expedia Should Do

While Expedia continues advertising with notorious spyware vendors, other major advertisers have ceased relationships with such vendors and publicly voiced their disapproval of these vendors’ practices. In June 2004, Major League Baseball announced (paid registration required)) that it won’t work with companies who use spyware — specifically mentioning unwanted advertisements as a negative consequence of spyware, and thereby seeking to implicate the various vendors Expedia supports. Verizon also said it would cease advertising through what it called “adware.” Wells Fargo staff wrote an op-ed criticizing spyware, noting negative effects of unwanted advertising software on PC reliability as well as on web site integrity. More recently, Netflix announced its intention to cease such advertising (though in my testing, some Netflix ads are still distributed through the vendors listed above, often intermediated through Netflix’s affiliate program).

Expedia’s recent comments to the Associated Press propose an appropriate initial standard — that ads shouldn’t be shown to users through advertising software users didn’t agree to install. But if Expedia aspires to enforce this standard, it needs to better examine how advertising software actually becomes installed. As indicated by the many links above, spyware researchers have uncovered numerous nonconsensual installations of the very programs Expedia currently supports. Expedia staff should review industry sources and perhaps even conduct hands-on tests of their own, to make sure the vendors Expedia supports are not vendors that install without consent or otherwise engage in undesired practices.

These lessons also apply to other large travel sites. In my testing, travel ads appear particularly frequently through spyware, and in the course of recent testing, I received spyware-delivered ads promoting Cheaptickets, Hotels.com, Hotwire, Orbitz, Priceline, and Travelocity. In many instances, these vendors hire spyware to target each other — e.g. Travelocity might buy ads that cover Priceline’s site, but once a user reaches Travelocity, a new Priceline pop-up ad will pull the consumer right back. These many spyware-delivered ads entail large payments from travel services (and ultimately the consumers who fund them) to spyware vendors. The online travel industry would surely be better off if all firms agreed to cease this aggressive spyware-delivered advertising. By reducing funding of spyware, such an agreement would offer substantial benefits to consumers too.

How Yahoo Funds Spyware updated September 5, 2005

Yahoo’s Overture (recently renamed Yahoo Search Marketing) allocates pay-per-click (PPC) ads among Yahoo’s network of advertisers. When users run searches at yahoo.com, Yahoo’s advertisers are assigned placements at the top, right, and bottom of search results. Advertisers pay Yahoo a fee when users click on their ads.

But Yahoo doesn’t just show advertisers’ ads on yahoo.com; Yahoo also distributes advertisers’ ads to Yahoo’s various syndication partners. Many of these partners are entirely legitimate: For example, most advertisers will be happy to show their ads to users running searches at washingtonpost.com, where Yahoo sponsored links complement searches of Post articles.

However, serious concerns arise where Yahoo syndicates advertisers’ ads to be shown by advertising software installed on users’ PCs — software typically known as spyware or adware. In my testing, Yahoo’s funding of spyware is widespread and prevalent — an important source of revenue for many spyware programs installed on millions of users’ PCs. Were it not for Yahoo’s funding of these programs, the programs would be far less profitable — and there would be fewer such programs trying to sneak onto users’ PCs.

Yahoo’s funding of spyware is not unique. I’ve recently written about Google’s funding of similar bad actors (1, 2). Earlier this year, FindWhat disclosed related problems, admitting that terminating its dubious distributors would reduce revenues by at least 5%. But in my hands-on testing of various spyware-infected PCs, I find that I receive Yahoo-syndicated ads more frequently than I receive such ads from any other single PPC network.

This article proceeds in three parts. First, I show examples of Yahoo ads supporting Claria, eXact Advertising, Direct Revenue, 180solutions, and various others; I also review the objectionable practices of each of these vendors. (Numerous additional examples on file.) Second, I review Yahoo’s disclosures to advertisers — finding that Yahoo has failed to tell advertisers about its controversial syndication partners, even in general terms. I conclude with recommendations to Yahoo (and other PPC search engines that allow syndication), as to how to put an end to this mess and avoid such problems in the future.

Claria (Gator / GAIN): SearchScout Popunders of Yahoo Sponsored Links

A Yahoo Overture popunder, delivered by Claria, targeting a Google search for the same phrase.  Shown after activating the popunder. A Yahoo Overture popunder, delivered by Claria, targeting a Google search for the same phrase. Shown after activating the popunder.

A Yahoo Overture popunder, delivered by Claria, showing sponsored results for A Yahoo Overture popunder, delivered by Claria, showing sponsored results for “computer” when users visit Dell.com. Shown after activating the popunder and right-clicking the ad to show its destination.

    PPC advertisers (i.e. Dell)    
money viewers
Yahoo Overture
money viewers
Claria (Gator / GAIN)

The money trail – how funds flow from advertisers to Yahoo Overture to Claria.

Likely Yahoo’s largest single advertising software syndicator, Claria shows Yahoo Overture pay-per-click ads in popunders triggered by users’ web browsing.

Before showing Yahoo ads, Claria software must first become installed on users’ computers. Claria’s installation often proceeds without meaningful user consent. For example, Claria often gets installed through software bundles — where a user seeks one program but gets Claria too. Historically, Claria’s bundles have featured lengthy license agreements (as long as 5,900+ words and 63 on-screen pages), broken license formatting (missing line breaks, making section headings hard to find), and substantively unreasonable terms (including restrictions on how users can remove Claria software). Claria also promotes its software through banner ads — including ads on kids sites, claiming to fix computer clocks or improve computer security, showing a license only after installation has begun and cannot be cancelled. Some Claria uninstallers don’t work — leading users in circles rather than actually removing Claria software.

Claria’s core business is showing pop-up ads specifically purchased by advertisers. (See my 2003 listings, including well-known advertisers. See also PC Pitstop listing based on Claria 2003 disclosures.) But Claria also shows popunders of Yahoo Overture sponsored links. Search for “computer repair” at any major search engine, and Claria adds a popunder giving Yahoo Overture ads for that same term. Sponsored link popunders also target specific web sites. Visiting Dell often yields a Claria popunder of Yahoo Overture ads for “computer.”

Claria’s provision of Yahoo Overture sponsored links raises clear questions of business benefit for affected advertisers. In the second screenshot at right, the user was already at the Dell.com site. (Indeed, Dell might have just paid several dollars to reach that user, via a pay-per-click ad at Yahoo, Google, or elsewhere.) Claria’s popunder risks drawing the user’s attention away from Dell — but if the user then clicks on the prominent Dell ad in Claria’s Overture listing, Dell has to pay again for the same user who was already at the Dell site. Why pay Yahoo and Claria to get the user back, when it was they who took the user from Dell in the first place?

Claria’s provision of Yahoo Overture sponsored links also presents ethical concerns. Many advertisers dislike Claria’s practices — including its aggressive methods of becoming installed on users’ PCs, its serious effects on privacy, and its harm to computer performance. Indeed, when I previously revealed that, through another channel, Dell was advertising with Claria in mid 2004, Dell staff sought to distance Dell from Claria, commenting “[T]oday we do not do business with anyone like Claria.” But despite Dell’s stated dislike of Claria, Dell does help fund Claria when Dell purchases pay-per-click ads from Yahoo: Payment flows from Dell to Yahoo to Claria, as shown in the diagram at right. Same for thousands of other Yahoo Overture advertisers.

In the future, Claria purports to plan to shut down its popup business. That’s a move I applaud — it’s been a bad business from the start. But at present Claria still serves lots of popups — including Yahoo Overture popunders as frequently as every few minutes. These ads are big money: Claria’s 2003 SEC S1 discloses receiving $31 million from Yahoo in 2003 alone — despite a relationship only in place for 9 months of that year. Annualizing the payment and taking account of the dramatic increase in pay-per-click fees, Yahoo might now be paying Claria $50 million or more per year. (It’s hard to know for sure because Claria hasn’t filed more recent financial disclosures, and Yahoo doesn’t include this level of detail in its financial reports.)

eXact Advertising – Popups and Sidebars of Yahoo Sponsored Links

A Yahoo Overture auto-opening sidebar, delivered by eXact Advertising, targeting Google search results. A Yahoo Overture auto-opening sidebar, delivered by eXact Advertising, targeting Google search results.

  PPC advertisers
money viewers
   Yahoo Overture   
money viewers
eXact Advertising

The money trail – how funds flow from advertisers to Yahoo Overture to eXact Advertising.

Claria claims to always install with consent — however tricky or ill-gotten, per my testing and documentation. But other Yahoo Overture syndicators can’t even make this claim. On dozens of occasions, I have observed and recorded software from eXact Advertising installed through security holes, with no notice or consent. (Some examples: 1, 2.) I’ve also seen eXact installed by tricky popups claiming to be required to view sexually-explicit videos, and by unrequested popups claiming to offer “browser enhancements.” Others have reported eXact bundled by P2P-distributed videos purporting to offer child pornography, and even by instant messenger worms. In short, when a user has software from eXact, the user is unlikely to have granted meaningful informed consent to the installation, and the user may not have granted any consent at all. Reporters tell me that eXact claims to have fixed these problems, but that’s just not true: I’ve received nonconsensual installations of eXact software this very week. Videos on file.

Despite its poor installation practices, eXact receives Overture sponsored links, shows these advertisements to users, and presumably is paid by Yahoo for doing so.

See screenshot at right, showing an eXact auto-opening sidebar that appeared as I ran a search at Google. The sidebar shows Yahoo Overture links, and clicking a link sends users to Overture and on to the advertiser (without passing through any other search intermediary). Notice the Overture reference in the browser status bar as I hold my mouse over a sponsored link.

To typical users, the eXact-delivered Yahoo Overture sidebar appears to be an integrated part of search results — presumably delivered by Google (or whatever other search engine the user had requested). Notice the absence of any distinctive branding, logo, disclosure, or other identification that the sidebar comes from eXact and Overture. To find such a disclosure, a user must scroll to the bottom of the sidebar. Even there, the disclosure is truncated and hard to read. Screenshot.

eXact’s BullsEye service also shows sponsored link listings in freestanding windows. Here too, results are obtained from Yahoo Overture. Screenshot.

Direct Revenue – Popups and Popunders of Yahoo Sponsored Links

A Yahoo Overture popunder, delivered by Direct Revenue, targeting Dell. Shown after activating the popunder. A Yahoo Overture popunder, delivered by Direct Revenue, targeting Dell. Shown after activating the popunder.

  PPC advertisers (i.e. Dell)  
money viewers
   Yahoo Overture   
money viewers
InfoSpace
money viewers
Direct Revenue

The money trail – how funds flow from advertisers to Yahoo Overture to Direct Revenue.

Direct Revenue installations are at least as poor as eXact. I have numerous videos on file showing DR installed without consent (one such video on my public site). DR also uses various other tricky methods to get installed — like tricky popups, bundles, etc. But DR is perhaps worse than other advertising software in its unusual difficulty of removal (requiring downloading a special uninstaller from DR’s web site). DR is also unusual in its ability to disable and delete other software on a user’s PC.

Despite these troubling practices, DR also shows Yahoo Overture ads. See e.g. the example ad at right. The searchblazer results appeared when I browsed to Dell.com. Notice Direct Revenue’s “Aurora” branding in the upper-left corner and title bar. Although the ad’s body lacks any Direct Revenue branding or logo, the ad was loaded from the search.offeroptimizer.com server, a server under DR’s control. (Offeroptimizer.com is a well-known DR domain.) Furthermore, clicking on a sponsored link within the ad caused traffic that first passed through search.offeroptimizer.com en route to Overture. In short, this ad is not a rogue advertiser buying traffic from Direct Revenue. Rather, these sponsored links were specifically placed by Direct Revenue itself.

When I clicked on the first sponsored link shown at right, traffic flowed as listed below. See also full packet log.

http://xadsj.offeroptimizer.com/c/click.php?c=48685&s=5261&…
http://msxml.infospace.com/_1_B2HUEF099WI63__dirrev.feed.pu1/…
http://www10.overture.com/d/sr/?xargs=…
http://landingstrip.dell.com/landingstrip/ls.asp?CID=8278&LID=230157&…

As indicated in the diagram at right and in the traffic flow above, Yahoo Overture syndicates its ads to InfoSpace, and InfoSpace in turn syndicates these ads to Direct Revenue. This series of relationships makes it particularly hard for Yahoo Overture to know where its advertisers’ ads will appear: Yahoo must count on InfoSpace to assure the quality, ethics, and compliance of InfoSpace’s partners.

This is not the first instance of InfoSpace partners with questionable practices. In June I documented Google ads syndicated to the IBIS Toolbar (also known to become installed without consent). Like Overture ads passing through InfoSpace en route to Direct Revenue, these Google ads were passed from Google InfoSpace to IBIS.

As in the Claria examples above, Direct Revenue syndications of Yahoo Overture ads often ask advertisers to pay for visitors already at their sites. In the example above, Dell was targeted by a list of sponsored links that places Dell in both of the top two positions. If a user clicks on one of these links, Dell pays Yahoo (and ultimately Direct Revenue) for a user who was already at the Dell site. Screenshot.

180solutions – Popups of Yahoo Sponsored Links

A Yahoo Overture popunder, delivered by Direct Revenue, targeting Dell. Shown after activating the popunder. A Yahoo Overture popup delivered by 180solutions.

  PPC advertisers (i.e. Driverloans)  
money viewers
   Yahoo Overture   
money viewers
InfoSpace
money viewers
180solutions

The money trail – how funds flow from advertisers to Yahoo Overture to 180solutions.

When I first posted this piece, I included no mention of 180solutions. My rationale: They’ve been involved in so many widely-publicized spyware scandals — from installing without consent, to installing with euphemisms (but no EULA) at kids sites, to installing at child porn sites — that undisclosed syndication of Yahoo Overture ads seemed like the least of their problems. Perhaps that’s right. But multiple readers asked me whether 180 wasn’t involved also, and why 180 wasn’t included in my write-up. So make no mistake about it: 180 shows Yahoo Overture ads too.

The screenshot at right shows a popup of Yahoo Overture ads delivered by 180solutions. In testing, I click on the ad, and traffic flows to InfoSpace, then to Overture, then to the advertiser. See traffic log below, and full packet log. See also a video of this click, showing the cookies created as a result of the click.

http://searchresults.180searchassistant.com/clicks.php?p==…
http://msxml.infospace.com/_1_YWCU9J03JUL8FV__180sol.feed/…
http://www10.overture.com/d/sr/?xargs=…
http://www.driverloans.com/app/2p1a?x=seoyahoo:value

Other Advertising Software Installed Improperly – Showing Yahoo Sponsored Links

Yahoo Overture ads in an auto-opening sidebar delivered by Sidefind, targeting type-ins to Dell with Dell sponsored links. Yahoo Overture ads in an auto-opening sidebar delivered by Sidefind, showing Dell sponsored links in response to type-in requests for the Dell.com site.

  PPC advertisers (i.e. Dell)  
money viewers
   Yahoo Overture   
money viewers
81.201.104.136
money viewers
trafficengine.net
money viewers
SideFind

The money trail – how funds flow from advertisers to Yahoo Overture to SideFind.

Claria, eXact Advertising, Direct Revenue, and 180solutions are all relatively well-known programs — each installed on millions (or tens of millions) of PCs, and each backed by major investors. But Yahoo also helps to fund vendors who are far less well-known.

Earlier this summer, in the course of documenting Google funding IBIS, I also prepared detailed proof showing how Yahoo ads get syndicated to IBIS too. Video and packet logs on file.

Just this past week, I happened to test a computer infected with a variety of unwanted software (a few disclosed in license agreements; most not). I observed that traffic was sent to Yahoo from both “Slotchbar” (an unrequested toolbar added to my test PC’s browser without my consent) and “SideFind” (an auto-opening browser sidebar, also installed without consent). I have video and packet logs on file, showing these nonconsensual installations as well as their syndication of PPC advertisements from Yahoo Overture. The screenshot at right shows the auto-activating SideFind sidebar, targeting a type-in request for Dell with various sponsored links, largely pointing back to Dell.

These are just a few of the additional examples I have observed and recorded.

In some instances, Yahoo’s dealings with these smaller spyware vendors entail traffic passing through multiple levels of intermediaries. For example, when SideFind sends traffic to Yahoo Overture, the traffic passes through trafficengine.net and then through an unnamed server at IP address 81.201.104.136 (reportedly operated by Copernic/Inktomi) before reaching Overture. See diagram at right, traffic log below, and full packet log.

http://www.sidefind.com/ist/scripts/log_clicks.php?account_id=…
http://feeds.trafficengine.net/click.ashx?key=computers…
http://81.201.104.136/fast-cgi/bsc?context=redir…
http://www6.overture.com/d/sr/?xargs=…
http://landingstrip.dell.com/landingstrip/ls.asp?CID=8278…

In principle, these many levels of intermediation might make it especially hard for Yahoo to know where traffic begins. However, Yahoo ultimately has a direct relationship with some final source who sends the traffic to Yahoo. (In this example, Yahoo has a direct relationship with the operators of the 81.201.104.136 server.) So Yahoo can require that that final source take steps to keep Yahoo’s ads out of spyware. Furthermore, syndicated traffic often includes a HTTP Referer header that gives the name of the originating site. For example, in the Sidefind packet log, Yahoo’s servers receive a HTTP Referer header bearing the domain name sidefind.com, making it easy for Overture to see where traffic began. With its servers specifically receiving the name and URL of the traffic’s source, Yahoo cannot claim not to know where its ads are being shown.

Yahoo’s Failure to Disclose

If Yahoo’s advertisers were fairly advised of Yahoo’s plan to syndicate their ads to spyware programs, Yahoo might claim to be acting solely as their agent; perhaps advertisers want to buy advertising from Claria, eXact, DR, 180, and other such vendors. But in fact Yahoo fails to tell advertisers what will occur — so Yahoo’s syndication of advertisers’ ads cannot be claimed to occur with advertisers’ authorization.

Yahoo’s marketing materials are silent on the risk of spyware syndication, even where Yahoo’s syndication relationships are large and longstanding (i.e. Claria). Within Yahoo’s marketing materials to solicit new advertisers, Yahoo’s “Publisher Network” page mentions various syndicators of Yahoo ads, but Yahoo fails to mention even a single “adware”-type program. Yahoo’s formal Advertiser Terms and Conditions doesn’t mention adware either, and this document discloses advertisement syndication only to say that Yahoo syndicates ads to “various third parties who may be authorized by Overture to make the Sponsored Listings Marketplace Results available as a link from, an add-on service to, or otherwise in connection with Third Party Products.” Yahoo defines these third-party products broadly, as “Web sites, content, applications and/or e-mails.” “Applications” alludes to spyware — but makes no mention of the specific nature of these applications, nor of the likelihood that these applications install by security exploits, trickery, or taking advantage of users’ naivete.

Only at Yahoo’s privacy page does Yahoo make specific mention of any of its advertising software syndicators. Even there, Yahoo mentions only Claria, and Yahoo calls Claria an “ad network” — without mention of its adware, its software download, and its substantial privacy consequences. Furthermore, Yahoo’s privacy page states only that Yahoo has a “relationship” with Claria — but says nothing about the nature or scope of that relationship, i.e. that Claria shows Yahoo Overture ads. In any event, advertisers are unlikely to look to a page about consumer privacy in order to learn where their ads will be shown.

Given the perceived importance and value of Yahoo’s pay-per-click advertising network, some advertisers might choose to advertise with Yahoo despite the blemish of Yahoo’s dealings with spyware companies. Others might decide not to advertiser with Yahoo at all, if advertising with Yahoo necessarily entails supporting spyware. But where Yahoo fails to disclose these relationships, advertisers are denied this choice.

What Yahoo Should Do

In my view, Yahoo — and other PPC networks facing similar problems — should begin by developing and distributing clear rules for who may syndicate their ads. Last year a Yahoo spokesperson told eWeek that “Overture screens its distribution partners to make sure they gain user permission before downloading software.” “Permission” may sound clear-cut, but in practice it’s a surprisingly imprecise concept. What about “permission” obtained under false pretenses — like promising to fix a user’s clock or to improve security, but actually adding advertising software? What about “permission” obtained from a user at a kids site? What about syndicators that buy traffic from advertising software installed without consent, but that don’t make such software of their own? PPC networks need rules that speak to these situations — presumably forbidding all these methods of trickery and deception.

After clarifying their stance on spyware syndicating their ads, PPC networks need to redouble their efforts at enforcement. Tellingly, even Yahoo’s “permission” standard is violated by the frequent nonconsensual installations of Direct Revenue and eXact Advertising (links above). Nonconsensual installations of these programs are well known to those who test and study spyware, and they’re frequently reported at spyware news sites like Spyware Warrior. PPC network staff need to become familiar with these basic industry sources and testing methods, and they need to enforce their rules accordingly.

At present, Yahoo has many PPC syndicators — apparently hundreds or thousands. (Yahoo does not disclose all its syndicators.) Finding all rogue syndicators may prove hard, especially if Yahoo’s syndicators have further partners of their own (as in the Direct Revenue / InfoSpace and SideFind examples, above). In this article, I’ve focused on a few large and well-known syndicators who rely on software installed on millions of PCs, but smaller players are often harder to find and identify. Nonetheless, I’ve found dozens of rogue PPC syndicators using only a single off-the-shelf PC in my lab. (See above.) With all their resources, big PPC networks (like Yahoo) can surely do far better.

Enforcement also needs to include real penalties for those who break the rules. Merely ejecting a rogue syndicator does not deter future violations: Others see that they can make money from PPC syndication through spyware, anticipating only a slap on the wrist when these practices are discovered. A better enforcement strategy would seek to recapture fees previously paid to rogue syndicators — then refund advertisers for ads shown improperly. If a PPC network adopted this strategy and sued its rogue syndicators where necessary, other rogues would be less anxious to follow.

Beyond advertiser backlash and consumer demand, PPC networks face regulatory pressure to avoid supporting spyware through PPC syndication. For example, in the course of their investigation of Intermix, staff of the New York Attorney General revealed that Yahoo contributed 10% of Intermix’s revenue. NYAG staff say they’re “not ruling out” litigation against Yahoo for funding Intermix. More recently, rumors indicate a possible NYAG investigation of Direct Revenue. Given Yahoo’s past support for Intermix, I wonder how NYAG will react to seeing Yahoo funding Direct Revenue too.

If a PPC network can’t or won’t eliminate rogue syndicators, it could at least grant advertisers the ability to opt out of particular unwanted syndications. Others have offered this suggestion on various occasions (e.g. Kraft seeking to avoid syndicating its ads to white supremacy groups), as to both Yahoo Overture and Google. Affiliate networks all offer this level of granularity — letting each affiliate merchant decide what affiliates may earn fees for promoting it. But to my knowledge, no major PPC search engine offers this level of advertiser control.

Ultimately, PPC syndication offers savvy PPC networks a valuable opportunity — a chance to lead industry efforts to stop the spread of unwanted advertising software. Earlier this week, Azoogle launched its new “MPORT” network with the promise of keeping the network entirely adware-free. With a bit of effort and a renewed commitment to stopping spyware, Yahoo could bring MPORT’s no-adware benefit to Overture advertisers too.

Debunking ShopAtHomeSelect updated October 14, 2005

Reading ShopAtHomeSelect‘s marketing materials, their advertising software might seem to present compelling benefits. SAHS promises users rebates on products they’re already purchasing. And SAHS even offers reminder software to make sure forgetful users don’t miss out on the savings. What could be better than timely reminders of free money?

But the SAHS site doesn’t tell the whole story. My testing demonstrates that SAHS software is often installed without users wanting it, requesting it, or even accepting it. (Details.) When users receive an unwanted SAHS installation, SAHS still claims commissions on users’ purchases — but typical users will never see a penny of the proceeds. (Details.) Meanwhile, whether requested by users or not, SAHS’s commission-claiming practices seem to violate stated rules of affiliate networks. (Details.)

Despite these serious problems, SAHS boasts a superstar list of clients — the biggest merchants at all the major affiliate networks, including Dell, Buy.com, Expedia, Gap, and Apple. Why? Affiliate networks have little incentive to investigate SAHS’s practices or assure compliance with stated rules. (Details.) SAHS and affiliate networks profit, but users and merchants are left as victims. (Details.)

Update (October 14): Commission Junction has removed SAHS from its network, thereby ending SAHS’s relationships with all CJ merchants. No word on similar actions by LinkShare or Performics.

Wrongful Installations – No Consent, and Tricky So-Called “Consent”

ShopAtHomeSelect is widely known to become installed without meaningful consent — or, in many cases, without any consent at all. Most egregious are installations through security exploits, without any notice or consent. I continually test these installations in my lab, and I have repeatedly observed SAHS appearing unrequested — more than half a dozen such installs, occurring on distinct sites on distinct days. I posted one such video in May, and I retain the others on file.

3D Screensaver installs SAHS, although the SAHS license does not disclose inclusion of SAHSSAHS’s improper installations extend to many of SAHS’s bundling partners. I have repeatedly seen (and often recorded) SAHS disclosed midway through lengthy license agreements; users often have to scroll through dozens of pages to learn of SAHS’s inclusion. Even worse, some programs that bundle SAHS nonetheless fail to mention SAHS’s inclusion. See e.g. 3D Flying Icons, which shows a 12-page 2,286-word license that makes no mention of SAHS, yet 3D installs SAHS anyway. (Screenshot at right.)

PacerD installs SAHS, although the PacerD EULA does not disclose inclusion of SAHS.In other instances, ActiveX popups pressure users to accept multiple advertising programs in the guise of “browser enhancements” (or similar). In February 2005, I observed an ActiveX popup that labeled itself “website access” and “click yes to continue,” but immediately installed SAHS if users pressed yes once. More recently, I posted an analysis of the PacerD ActiveX. (Screenshot at left.) PacerD’s ActiveX popup links to a license agreement which discloses installation of eight advertising programs — but doesn’t mention SAHS, though Pacer in fact does install SAHS. So even when careful users take the time to examine Pacer’s 1,951-word license, in hopes of learning what they’re getting, there’s no way to learn that SAHS will be installed, not to mention grant or deny consent.

A porn video distributed by BitTorrent (P2P) installs SAHS. Disclosure occurs only if users scroll down several pages in the video's EULA.  Disclosure consists of only a single sentence, without even a link to more information.I’m not the only observer to notice SAHS installed improperly. Earlier this month, VitalSecurity.org reported SAHS installed via IM spam: Users receive an unsolicited instant message, and clicking the message’s link installs SAHS (among other programs) without any notice or consent. Last month, PC Pitstop (1, 2) and VitalSecurity.org reported SAHS bundled with porn videos distributed by BitTorrent — so a user seeking adult entertainment would unwittingly receive SAHS too. In my testing of these BitTorrent videos, SAHS was listed in a license agreement preceding the videos, but users had to scroll past four pages of other text to learn of SAHS’s inclusion, and even then SAHS’s mention was only a single sentence — without even a link to an external SAHS license agreement, and without any description of the privacy effects of installing SAHS software. (See screenshot at right.) Furthermore, these BitTorrent videos aren’t SAHS’s only tie to porn videos. In January, I analyzed ActiveX popups triggered by porn videos. These popups falsely claimed to be required to view the videos, but in fact they were mere ploys seeking to install SAHS and other advertising software.

In short, a user receiving SAHS cannot reasonably be claimed to have wanted SAHS, nor to have granted informed consent. Perhaps some SAHS users run SAHS willingly and knowingly, but many clearly do not.

In contrast, affiliate networks’ rules set a high burden for installation disclosure and consent. LinkShare’s Shopping Technologies Addendum (PDF) requires that disclosure be “full and prominent,” a standard met neither by SAHS’s nonconsensual installations, nor by its installation when bundled with porn videos. Commission Junction’s Publisher Code of Conduct requires that disclosure be “clearly presented to and accepted by” users, and CJ specifically prohibits software that is “installed invisibly” (as in the nonconsensual installations detailed above).

SAHS may claim that these wrongful installations have stopped. But that’s just not credible. I’ve continued to see (and record) these installations as recently as the past few days.

SAHS may say these wrongful installations are the fault of its distributors. (SAHS offered that argument when PC Pitstop inquired as to SAHS bundling with porn videos.) But affiliate networks’ rules do not forgive wrongful installations merely because the installations were performed by others. To the contrary, affiliate networks set out high consent requirements which apply no matter who installs the software. Furthermore, with so many diverse wrongful installations over such an extended period, it’s clear that something is fundamentally wrong with SAHS’s installation methods; SAHS can’t escape responsibility by vague finger-pointing.

Update (September 9): Staff from SAHS have prepared a document (PDF) purporting to rebut my findings of nonconsensual and dubious installations of SAHS. In each instance, SAHS claims they weren’t really installed in the manner I describe, so they say I am “mistaken” as to my allegations. Let’s look at each of the types of installations I described, and review the evidence:

Tricky popups (PacerD specifically): I previously posted an analysis of PacerD’s installation, including a screenshot of new folders created by PacerD. SAHS correctly notes that there’s no new folder containing SAHS files. But the lack of a new Program Files folder doesn’t mean SAHS wasn’t installed; quite the contrary, SAHS was installed by PacerD. Furthermore, SAHS was installed into the c:Windows directory, where inexperienced users are unlikely to look for it, and where its files tend to become jumbled with other files. To document this installation, I have added two new screenshots to my SAHS write-up, showing newly-created SAHS files placed in my c:Windows directory. I also have on file a video, showing the installation of the PacerD ActiveX followed (without interruption in the video) by the creation of these files. I also have on file a packet log indicating the newly-installed copy of SAHS contacting SAHS servers. So my initial write-up was right and SAHS’s response is wrong: PacerD did indeed install SAHS — and it did so without mentioning SAHS in any EULA or other disclosure.

Large bundles with little or no disclosure (3D Flying Icons specifically): Here again, SAHS makes the same analytical error. My write-up reports lots of new folders (within c:Program Files) reflecting other programs becoming installed. SAHS didn’t add a folder to c:Program Files, so it didn’t come up in my Program Files screenshots. But SAHS absolutely was installed by 3D. In a video I made at the time (now also posted to my public site), I observed a SAHS installer created in c:Temp (1:44), and I saw SAHS program files in c:Windows at 2:43, in each instance bearing distinctive SAHS icons as well as typical SAHS filenames. So there can be no disputing that 3D installs SAHS.

Nonconsensual installations through security holes: The section above links to a particular single security exploit video, one of literally scores I have on file. My automated network log analysis, file-change, and registry-change analysis confirm that SAHS was installed in the course of that security exploit, and Ad-Aware logs say the same, but the video does not specifically show the installation. That’s not particularly surprising — SAHS installs can be silent, and I wasn’t specifically seeking to document SAHS installs when I made that video. But rather than worry about this single example from so many months back, let me take this opportunity to post a recent example, showing a nonconsensual SAHS installation I happened to receive just last month (August 2005). In this video, I view a page at highconvert.com (video at 0:05), receive a series of security exploits (0:20-0:30), browse my file system and diagnostic tools, and then get a popup indicating that SAHS has been installed (1:57) (screenshot). My packet log and change-logs also confirm the SAHS installation.

So where does this leave my claims of improper SAHS installations? Notwithstanding SAHS’s promises of legitimacy, there can be no doubt of SAHS becoming installed without consent. SAHS may not like to admit it, and SAHS produces intense rhetoric to deny it, but users with SAHS aren’t all “opt-in.” To the contrary, some SAHS users have SAHS just because they’re unlucky enough to get it foisted upon them. And contrary to SAHS’s claim that my findings are “incorrect,” I have ample proof of these nonconsensual SAHS installs.

 

Wrongful Operation – Forced Clicks

In addition to regulating installation methods, affiliate networks’ rules limit the ways in which affiliates may claim affiliate commissions. Commission Junction’s Publisher Code of Conduct prohibits claiming commissions on “non-end-user initiated events” — invoking affiliate links without an “affirmative end-user action.” LinkShare’s Shopping Technologies Addendum (PDF) lacks a corresponding prohibition of non-end-user initiated events, but LinkShare’s Affiliate Membership Agreement repeatedly calls for affirmative user actions as a necessary condition to earning commission. For example, LinkShare’s provision 1.1 says commissions are payable only for “users who activate the hyperlink” (emphasis added); the “users … activate” wording specifically contemplates a user taking an affirmative action, not merely a software program automatically opening a link. (Since LinkShare’s special Addendum lacks any provision to the contrary, these Agreement terms still apply.)

There are good reasons for these rules: Affiliate merchants often make substantial payments if an affiliate link is activated and a user makes a purchase. (For example, Dell could easily pay $10+ for a single purchase through a single link.) So software programs aren’t allowed to “click” on affiliate links automatically. Instead, users must actually show some interest in the links — protecting merchants from being asked to pay commissions when an affiliate did nothing to earn a fee.

Although applicable network rules require that clicks on affiliate links be affirmative and that such clicks actually be performed by users (not just by software), SAHS software opens affiliate links and claims commissions without users taking any specific action. See e.g. this SAHS-Dell video, showing a user requesting www.dell.com on a computer with SAHS installed. SAHS immediately redirects the user to its affiliate link to Dell (video at 0:06), and LinkShare affiliate cookies are created (0:08), all without a user affirmatively clicking on any SAHS affiliate link. See also a corresponding SAHS video for Buy.com, showing affiliate link being loaded (0:06) and cookies created (0:10), again without any user interaction.

So SAHS’s operation constitutes an apparent violation of applicable network rules — claiming affiliate commission without the required user click on an affiliate ad, seemingly contrary to network rules.

Affiliate Networks’ Motives

I began this piece with the claim that affiliate networks have allowed SAHS to remain in their networks, notwithstanding the violations set out above. Why?

One possibility is that the affiliate networks simply never noticed the violations. But that’s a suggestion I can’t accept. Consider the many articles above, each reporting wrongful installations. Much of this work received extensive media coverage, including discussions on industry sites of record. Furthermore, most of these findings can be verified easily using any ordinary PC. So affiliate networks can’t credibly claim ignorance of what was occurring.

More persuasive, in my view, is the theory that affiliate networks declined to punish SAHS because SAHS’s actions are profitable for affiliate networks. When an affiliate merchant pays a commission to an affiliate, that merchant must also pay a fee to the intermediary affiliate network. Commission Junction’s public pricing list reports that this fee is 30% — so for every $1 of commission paid to SAHS, CJ earns another $0.30. As a result, affiliate networks have clear financial incentives to retain even rogue affiliates. (Indeed, at the same time that adware has exploded to infect tens of millions of PCs, CJ and LinkShare are reporting unusually strong earnings. [1, 2])

I don’t want to overstate my worry of affiliate networks’ profit motivation. In recent months, affiliate networks have repeatedly kicked out long-time rule-breakers, even where the rule-breakers make money for the networks. (See e.g. LinkShare kicking out 180solutions, and CJ kicking out 180solutions, Direct Revenue and eXact Advertising.) But these actions generally only occur after an extended period of user and analyst outcry. (See e.g. my writing last summer about 180solutions’ effects on affiliate systems.) In contrast, to date, little attention has been focused on SAHS.

Update (October 14): Commission Junction has removed SAHS from its network, thereby ending SAHS’s relationships with all CJ merchants. No word on similar actions by LinkShare or Performics.

Merchants and Users as Victims

As shown in the example video linked above, SAHS claims affiliate commissions even when users specifically request merchants’ sites. Dell and Buy.com get no bona fide benefit from paying 1%-2% to SAHS, as shown in the videos above. SAHS might claim that it pays users rebates as a way to encourage their purchases from participating merchants. But when SAHS arrives on users’ PCs unrequested, and even without users’ acknowledgement or acceptance of its arrival, users are unlikely to be motivated to make purchases from SAHS-participating merchants. So it’s unclear what benefit SAHS can offer merchants under these circumstances.

Notwithstanding the problems with SAHS’s business, affiliate networks encourage merchants to make payments to SAHS by listing SAHS as an affiliate in good standing, inviting SAHS staff to conferences, and occasionally even giving awards to SAHS. Whether through these network actions or based on merchants’ own failure to diligently investigate, merchants bear the brunt of SAHS’s bad actions — paying out commissions SAHS has not properly earned under stated affiliate network rules.

Users also suffer from SAHS. As a result of the ill-gotten payments paid to SAHS by merchants, SAHS receives funds with which it can and does purchase additional installations from its software distribution partners (including the nonconsensual and tricky installations shown above). Payments from Dell (and other targeted merchants) ultimately help to fund the infection of more users — slowing down more users’ PCs, making more users’ PCs unreliable, and pouring fuel onto the spyware problem. To the extent that affected users respond by buying new PCs, Dell perhaps benefits indirectly — but I gather Dell does not aspire to fund such infections.

SAHS may claim that users benefit from its presence, even if its initial installation was improper. After all, SAHS claims affiliate commissions based on users’ purchases, and SAHS stands ready to refund a share of these commissions to the responsible users. But from the perspective of users who received SAHS without meaningful disclosures, SAHS’s offer is of dubious value. Where a program arrives unrequested, users’ fears of identity theft or fraud will (rightly!) discourage them from providing the personal information necessary to receive a payment (name, address, etc.). SAHS may be offering users legitimate actual payments — but when SAHS’s installation was nonconsensual in the first place, users have no easy way to distinguish SAHS’s offer from a phishing attempt or other scam. Without payment details, SAHS will simply retain users’ funds — giving users no benefit for the unrequested intrusion on their PCs, but giving SAHS extra profits.

This is an unfortunate situation — but it’s not hopeless. Dell, Buy.com, and other affected merchants need not continue to help fund this mess. LinkShare and Commission Junction need not continue to pass money to SAHS from unwitting merchants, nor need they continue taking 30% cuts for themselves. Stay tuned.

Update (September 13): News coverage discusses the problem of SAHS retaining commissions for users who never requested SAHS and never even registered for rebates. CJ claims that they have not confirmed “SAHS performing redirects on unregistered users,” but admits that this would be a “major violation.” I have provided CJ with screenshot and video proof, showing SAHS doing exactly that.

Microsoft to Buy Claria? updated July 12, 2005

Today’s New York Times reports Microsoft “in talks” to buy Claria. Leading commentators think it’s a bad idea (1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11). I agree.

I first heard this rumor several weeks back, but I laughed it off as too crazy to be taken seriously. What could Claria offer Microsoft? Most obvious is Claria’s large installed base — reportedly some 40-million PCs. But Claria’s installation practices are troubled — tricking users with ads that look like Windows dialog boxes, on kids sites, touting features Claria knows users don’t need (like clock-synchronizers already built into current versions of Windows). And in Claria’s oft-installed bundle with Kazaa, Claria’s long license lacks section headings, making it exceptionally hard for users to figure out what Claria does or to reasonably assess Claria’s terms. (These problems remain, seven months after I first reported them.) Microsoft wouldn’t want installations obtained through such poor practices.

Claria could also offer Microsoft substantial data about users’ surfing habits. A November 2003 eWeek article reported that Claria’s then-12.1 terabyte database was already the seventh largest in the world — bigger than Federal Express, and rivaling Amazon and Kmart. Claria recently told Release 1.0 its database is now 120 terabytes, the fifth-largest commercial Oracle database in the world. All very interesting, and perhaps troubling to those who worry about illicit use of such detailed data. But why would Microsoft invite this unnecessary privacy firestorm?

Claria could offer Microsoft its experience at advertisement targeting. But Claria’s targeting seems surprisingly simple: If a user goes to one car rental site, show an ad for another, whether in a pop-up, a delayed pop-under, or perhaps some subsequent banner ad placed via Claria’s new BehaviorLink program. Microsoft could design a similar system of its own in a matter of months, for far less than the $500 million it would reportedly cost to buy Claria.

Claria does have some interesting patents, a few making surprisingly broad claims as to software and advertisement delivery. But I’m not sure these patents are actually valid. If Microsoft wanted to implement client-side advertisement targeting, the more natural approach would be a design-around that didn’t infringe Claria’s design. Building it themselves avoids taint from Claria’s bad name, bad history, and bad installation practices.

Microsoft’s role as an operating system vendor and anti-spyware developer raises additional worries in buying Claria. Programs like Claria’s damage the Windows experience — bombarding users with annoying pop-ups, not to mention slowing boot time, adding complexity, and risking extra crashes. If Microsoft buys Claria, it would face practical difficulty in continuing to criticize, detect, and remove similar programs from others.

The Times says Microsoft’s Ballmer wants to be “more aggressive” in pursuing Google. But an aggressive strategy need not ignore business ethics — even if Google’s current distributors and partners are less than praiseworthy (1, 2). So I’m surprised that Ballmer reportedly personally approved negotiations with Claria. That said, others within Microsoft apparently oppose the acquisition, and negotiations are reportedly “on the verge” of breaking off. Cooler heads prevail, or so it seems.

It’s worth noting that no one from Microsoft or Claria has officially confirmed the negotiations. Techdirt and SiliconBeat claim this is all just a rumor. I have somewhat more faith in the Times’ reporting procedures; I’d like to think their editors wouldn’t run the story without confirmation from reasonable sources. Alex Eckelberry of Sunbelt offers what seems to me the most natural explanation: Microsoft leaked this story on purpose, as a “trial balloon” to test public response.

Microsoft AntiSpyware now recommends that users "ignore" Claria's presence on their PCs.Update (July 1): A Dozleng.com post reports that Microsoft’s AntiSpyware Beta now recommends that users “ignore” Claria. To confirm this result, I downloaded Claria’s DashBar and Precision Time products, then installed MSAS, all on a fresh virtual PC that hadn’t previously run any of these programs. MSAS’s recommendation and default action was “Ignore.” (See screenshot at right.) In contrast, when last I ran MSAS on a PC with Claria software installed, MSAS recommended removing these same programs. This is exactly the kind of conflict of interest I worried about three paragraphs above — but I didn’t anticipate how quickly this problem would come into effect.

Update (July 8): Apparently Microsoft’s “Ignore” recommendation doesn’t reflect special treatment for Claria in anticipation of an acquisition. Instead, Microsoft recommends “Ignore” for a variety of dubious “adware” programs. Sunbelt reports that Microsoft downgraded Claria to “Ignore” on March 31 — far before acquisition talks reportedly began. A comment from Webroot’s Richard Stiennon claims that Microsoft recently recommended ignoring 180solutions, and Sunbelt adds that Microsoft also recommends ignoring WebHancer and Ezula. My subsequent testing indicates that there are plenty of other “Ignore” programs still to be uncovered. (More on this in the future.)

These odd recommendations demonstrate the misguidedness of Microsoft’s “Ignore” classification. I know of no PC technician who advises users to ignore infection with any of these programs, which give users extra ads without anything offering substantial in return. If Bill Gates sought to clean up a friend’s PC, I bet he’d want all these programs gone. Competing anti-spyware programs all recommend removal. Yet somehow Microsoft’s AntiSpyware app sees no problem.

Has Microsoft given in to vendors’ threats? Or forgotten how badly “adware” damages the Windows experience (ultimately encouraging users to switch to other platforms)? I’ve previously been impressed with Microsoft’s AntiSpyware offering; I’ve often used it and often recommended it to others. But screw-ups like this call Microsoft’s judgment into question. During this sensitive period, with Microsoft unwilling to deny the continued Claria acquisition rumors, Microsoft should be especially careful to put users’ interests first. Instead, Microsoft’s recommendations cater to the interests of the advertising industry. I’m not impressed.

Microsoft’s recently-published response to questions about Claria defends Microsoft’s treatment as the result of ordinary application of Microsoft’s usual criteria, without any special exceptiosn. Perhaps. But if this Microsoft’s criteria say to ignore a program known to be installed through fake-user interface ads on kids sites, showing a EULA only after installation, with a broken uninstaller, then Microsoft’s criteria leave a lot to be desired.

Update (July 12): ClickZ reports that Microsoft has ended acquisition talks with Claria.

What Passes for “Consent” at 180solutions

180solutions today announced its plan to show its users “notification” popups describing some of 180’s practices — thereby, in 180’s view, obtaining users’ “informed consent.” In principle, a re-opt-in might let 180 obtain users’ consent even where initial installations had somehow failed to do so. But 180’s notification message is so flawed and so duplicitous that it can’t offer the legitimacy 180 purportedly seeks. For one, 180’s notification screen makes numerous false statements. Also, 180’s notification is presented in a way that fails to obtain any notion of “consent.” Meanwhile, even 180’s new installs don’t obtain meaningful informed consent.

A Close Look at 180’s “Notifications”


180 Notification Screenshot180 Notification Screenshot

A reporter yesterday sent me a screenshot of 180’s planned notification. I see at least seven problems with the screen’s text:

1. 180’s notification screen fails to affirmatively state what 180 does — its popups or its privacy effects. 180’s first two sentences disclose that something called “180search Assistant” is installed, and that it will show “ads.” But nowhere does 180 disclose that the ads appear in popups — an advertising format known to be particularly objectionable, and therefore particularly important to bring to users’ attention if users are to offer genuine consent. In addition, nowhere does 180 disclose the important privacy effects of installing 180 software — that 180 will track what web sites users visit, and send much of this information to its servers. The importance of these omissions can’t be overstated: If 180 fails to disclose what users are purportedly accepting, no valid “consent” can result.

2. 180 claims to “giv[e] you free access to search tools, software and entertainment sites.” This claim is false, in that for many users 180 provides no such thing. Consider a user who receives 180 software without notice or consent. 180 might allow access to special entertainment sites that are otherwise unavailable. But this ability is of no benefit if users don’t know they have 180, didn’t ask for 180, aren’t told what special sites they can access, and in any event don’t want to access such sites.

3. 180 claims to show “approximately 2-3 highly targeted ads per day.” This claim is false, in that many users will receive many more ads per day. Perhaps an average user gets only a few ads per day, when averaging includes all the users who don’t use their PCs on many days, or who don’t use their web browsers. But in even limited web browsing, I consistently receive far more than three 180 ads per day.

4. 180 inexplicably claims that “user consent is required before 180search Assistant can be installed.” This claim is absolutely false. 180 is often installed without any consent at all. See videos on my site (1, 2, 3) (dozens more on file). 180’s own staff have repeatedly admitted that nonconsensual installations occur (1, 2, 3, 4). After these many admissions, I don’t understand how 180 can now argue that users have “consent[ed]” to its installation. Indeed, the entire premise of 180’s re-notification program is to make up for prior nonconsensual installations!

5. 180 claims that “all 180search Assistant ads are labeled…” This is false. As 180 staff have previously admitted, advertisements with redirects erase 180’s ad labeling.

6. 180 claims that “the user must be 18 or over to download.” Again, false. In fact, 180 software is widely offered on kids sites, where users are unlikely to be over 18. (Example.) Some 180’s installations mention a requirement of user age, but this provision is typically exceptionally hard to find. For example, in one screensaver I tested today, the user-age provision was on page 18 of 180’s license, in the next-to-last paragraph, captioned “Miscellaneous.” (Screenshot.)

7. 180 concludes by claiming that “You can easily remove the 180search Assistant … using ‘Add or Remove Programs'” False. The removal isn’t “easy,” for at least two reasons.

i. Finding 180 is surprisingly difficult. 180 often places its entry in tricky locations within the alphabetical Add/Remove listing — like under “U” for “Uninstall 180search Assistant,” rather than a more natural “1” for “180search Assistant.” Users cannot reasonably be expected to look under “U” in search of 180’s entry. On a new PC with a short Add/Remove list, users will still typically find 180’s entry. But on a long and crowded Add/Remove list, on a typical heavily-used PC, it’s anything but “easy” to find 180.

ii. 180 discourages removals using various false and misleading statements. See my prior analysis, finding numerous dubious claims in 180’s uninstall procedure, as well as confusing window design that further discourages removal. For example, 180 falsely claims that removing its software “will disable any Zango-based applications” — even when no such applications have been installed.

Combining these factors, 180’s uninstall procedure is not properly characterized as “easy.” 180 does know how to make “easy” procedures: When 180’s software is installed with one click (or even with zero!), the procedure is remarkably simple. But 180 has taken affirmative steps to make removal harder.

Problems with 180’s Notification Procedure: Failing to Request or Obtain Consent

180’s press release claims that its new notification screens will “ensure each user … has provided informed consent.” I disagree. As I look at 180’s notification text, 180’s notification actually won’t obtain any consent at all.

As a threshold matter, 180’s notifications apparently will be shown in ordinary Internet Explorer popup windows. Seeing these popups, typical users will seek to close them as quickly as possible — finding them irrelevant, unwanted, and annoying. The ordinary IE presentation format is not conducive to obtaining consent. It’s certainly not well-equipped to get the “informed consent” 180 purports to seek.

Most seriously, 180’s notification text does not seek or require any manifestation of user agreement or approval. In fact, 180’s screen doesn’t say anything about consent: It doesn’t require users to click a button to indicate acceptance of 180’s terms; it doesn’t require users to click a button to keep 180 software on their PCs. Rather, 180’s software stays installed unless users figure out how to remove it. Failure to remove 180’s software certainly can’t be claimed to constitute “consent” to keep it installed. So where’s the “consent” in 180’s notifications?

If 180 really wants informed consent, it could do a lot better. Rather than write its notification screens in marketing-speak, full of euphemisms and half-truths, 180 could write its notification in the formal and calm language used in disclosures elsewhere. I’ll even give 180 a few free sentences. First, 180 should accurately describe its software:

“Your computer is running 180solutions advertising software. 180 will track what web sites you visit, and 180 will show you pop-up ads accordingly. On average, users receive several ads per day, but you may receive more or fewer, depending on how often you use your web browser and depending on what web sites you visit.”

180 would accompany this text with an image showing a representative pop-up ad.

Next, 180 would proceed to explain how its software got installed, and what users can do to keep it or to remove it:

“180 software may have been installed on your computer with your consent or with consent of another user of your computer. 180 may have become installed without consent. You may elect to keep 180 software on your PC, or you may choose to remove it without penalty.”

Finally, 180 would include a one-click button to uninstall its software immediately, along with another button that indicates users’ consent to keep 180 installed.

If 180 included notice of this form — unbiased truthful sentences, that fairly and frankly disclose 180’s true effects — users might be able to make an informed decision to keep 180’s software. But where 180’s “disclosure” is loaded with euphemisms and falsehoods, offering only a convoluted uninstall procedure, it’s hard to say 180 has obtained “informed consent.”

180’s New Installation Stubs: Half-Truths and Omissions

180’s press release claims that its new “technology enhancements” will make it “harder” for 180 software to be installed “covert[ly].” Perhaps. But what happened to the standard of “informed consent” (so prominent earlier in 180’s press release)? 180’s change in wording — from “informed consent” to avoiding “covert” installations — may be surprisingly important. I agree that 180’s new installation procedure isn’t covert. But neither does it yield informed consent.

180 stub installer - initial screen - failing to mention that 180's ads are pop-ups, failing to mention privacy effects 180 Stub Installer – Main Screen

180 installer screen covers license agreementInstaller Covers & Obscures License Agreement

180 installer -- second screen if  users initially decline.  Pressing "Resume" causes installation to proceed immediately, without any further opportunity to review 180's license or to decline installation. Secondary Installer Screen – If User Initially Declines

My understanding is that the “enhancement” at issue is a stub installer like that shown at right. 180’s distribution partners currently distribute a full copy of 180 software. But in the future, apparently they’ll only distribute a stub. Currently, 180’s partners are asked to obtain consumer consent for the installation of 180 software; under the new approach, 180 itself will obtain consent. If properly implemented, this approach might prevent many wrongful installations. Unfortunately, I’ve seen little sign that 180 has designed this system in a way that obtains meaningful consent.

Last week I was testing a security hole exploit which installed more than a dozen programs on my test PC without any notice or consent. Among the unrequested screens appearing on my test PC was the image shown at right (top). This first screen apparently seeks my consent to install 180 — but like the 180 notification described in the preceding sections, nowhere does this screen explain 180’s relevant characteristics and effects. The screen mentions “180search Assistant” and “2-3 advertiser referrals” — but nowhere does it mention that 180’s “referrals” are actually pop-up ads. The screen says that referrals will be “based … on … websites you visit,” but it fails to disclose that website visit data will also be sent to 180’s servers. So the screen fails to mention the relevant facts users need to know in order to grant informed consent.

180’s stub installer does mention an external license, available via a blue link from within the stub. I clicked the link and received the image shown in the second screen at right. Notice the web browser showing 180’s license — in a small window, requiring eight screens to view in full. Worse, although I had clicked the “Terms and Conditions” link to request the license, 180’s large stub installer still largely covered the license. It was extraordinarily hard to read the license, even when I maximized the license to fill the rest of the screen, because roughly half of each line of text was covered by the stub window. (Notice that the license window is “active” (blue title bar highlighting) while the stub “Setup” window is “inactive” (grey).) This is not a one-time fluke; to the contrary, the stub consistently remains on top of the license (and all other windows), contrary to Windows standards. Savvy users may realize they can move the stub out of the way by dragging its title bar. But the ordinary windows Minimize button is missing from the stub’s window, eliminating the easiest way to hide that screen.

On one test PC, I pressed “Finish” in the stub, and 180 installed immediately.

On another test PC, I mimicked the choice of a user who didn’t want 180. I pressed “Cancel” in the stub, and I was then shown the third screen at right. This window claims that “without [180], [a user] may lose access to free games, music, toolbars, and other downloads.” This statement may be accurate as to some installations, but in the security exploit I received last week, I had requested no games, music, toolbars, or other download — so there could be no loss of access in the way the dialog box claimed. This statement was therefore false, as applied to me.

Consider a user who presses “Cancel” in the first screen, but then decides to give 180 a second chance on the strength of the second dialog. When the user presses “Resume” in the second box, the user has not yet accepted 180’s license agreement — probably failing to read it initially (since the user decided to press Cancel, not wanting 180) and certainly failing to accept it. Nonetheless, 180 immediately installs, without offering any further opportunity for a user to access the license or to decline installation. So in 180’s view, the “Resume” button in the second box actually means “I accept the license linked from the prior box but not available on this screen.” That’s a tall order — certainly not what the box plainly says, or what typical users will expect to occur if they press Resume.

Here too, 180 could do much better. 180 could provide a clear description of its effects, using ordinary terms (“pop-up ads”) users can readily understand. 180 could present its installation request with appropriate branding — colors, logo, font, and other characteristics that match 180’s other marketing material. 180 could present its license in a way users can readily read. And 180 could refuse to install when user consent is at best ambiguous (“resume”).

180 is promoting this “stub” installation procedure as a solution to nonconsensual installs. If all 180’s distributors switch to this new installation method, perhaps fewer distributors will be able to infect users in complete silence. But the stub’s tricky text and poor disclosures mean users will still receive 180 software without being fairly told what it is and what it will do to their computers. That’s a far cry from the “informed consent” 180’s press release promises.

More on Google’s Role: Syndicated Ads Shown Through Ill-Gotten Third-Party Toolbars

I’ve previously written about two different ways that Google gets involved in distributing and funding spyware: Allowing Blogspot to be used to foist spyware through tricky ActiveX popups and paying fees to AdSense sites who in turn buy pop-ups through 180solutions (such that revenue ultimately flows from advertiser to Google to AdSense site to 180solutions).

Many of Blogspot’s ActiveX popups have disappeared since my February article, and Google promises to put a check on AdSense popups too. But Google’s role goes much further: Through syndication relationships, Google provides ads to multiple web toolbar operators, including to toolbars installed on users’ PCs without notice or consent. Google pays these toolbar companies for the ads they show — thereby supporting and funding their operations.

Google’s Rules and Policies

Google repeatedly tells its advertisers that their ads will appear only on Google’s “high-quality” partner sites.

What does “high-quality” mean? Google doesn’t say. But last year Google published a set of “Software Principles” for advertising programs — calling for improved notice and consent before advertising software becomes installed. A basic notion of “high-quality” sites is that they don’t solicit traffic through software violating Google’s Software Principles, and that they also don’t make or distribute such software. My sense is that an advertising channel cannot be considered “high-quality” if it is predicated on installing software onto users’ PCs without their consent or without their informed consent.

Ask Jeeves and Its Ill-Gotten Toolbars

I’ve previously shown that Ask Jeeves’ toolbars sometimes install without asking for permission (additional videos on file). Other Jeeves toolbars install in effective stealth or otherwise without informed consent. Some examples:

  • The AJ toolbar bundled with the iMesh P2P program is disclosed only at page 27 of iMesh’s 56 page license. Users who manage to locate this paragraph are likely to face some difficulty in understanding it; the text largely uses euphemisms in place of the word “toolbar” to describe AJ’s software. (Until recently, the license didn’t use the word “toolbar” at all.) See also analysis by SearchEngineWatch.
  • Kazaa has long bundled AJ’s MySearch toolbar (though a recent revision to Kazaa seems to have replaced it with a competing toolbar). Historically, AJ’s inclusion has been prominently disclosed in the Kazaa installer. But users wanting to learn more about AJ have had no reasonable way to find details or even to read AJ’s license: Kazaa oddly placed the AJ license agreement at page 32 of a document puzzlingly labeled “Altnet License Agreement” (without mention of AJ).
  • When Ask Jeeves promotes its toolbars in banner advertising, it again fails to obtain the kind of consent that Google seeks. AJ advertises on kids sites, using euphemisms in place of plain language, and showing pictures of smiley faces rather than pictures of its advertising toolbar. AJ’s installation does not affirmatively show a license agreement providing more detailed terms. On 800×600 screens (such as many older PCs), AJ even fails to show a properly-labeled link to a license or to mention the word “toolbar” in on-screen text prior to installation..

So even if a user has an AJ toolbar, the user may not want it, may not know how it arrived, and may not have granted meaningful consent (if any consent at all). These various behaviors seem to constitute multiple violations of Google’s Software Principles — among others, installation without any consent at all, as well as failure to provide appropriate “upfront disclosure.”

    PPC advertisers    
money viewers
Google AdWords
money viewers
Ask Jeeves

How Funds flow from advertisers to Ask Jeeves

Notwithstanding the tricky installation methods used by these Ask Jeeves toolbars, AJ’s revenues ultimately largely come from Google: Enter a search term into an AJ toolbar, and most of the resulting ads are Google AdWords ads. AJ’s recent 10-Q says AJ gets 74% of its total revenues from Google. With AJ’s 2005 Q1 revenue at $94.9 million, Google apparently pays AJ approximately $278 million per year. Fees flow from advertiser to Google to AJ, as shown at right.

Google’s relationship with Ask Jeeves is widely publicized: Google issued a press release announcing its relationship with AJ, and Google’s main AdWords page even shows AJ’s logo. But Google’s statements to advertisers fail to mention the possibility that AJ will send advertisers traffic that was obtained from toolbars installed without proper notice and consent or, in some instances, any notice or consent at all.

Of course, Google’s relationships with toolbar makers doesn’t stop with Ask Jeeves. Google ads end up shown through other distribution channels with even worse installation practices.

How Google Supports IBIS WebSearch


I’ve long watched the IBIS WebSearch toolbar and its troubled installation practices. I’ve often seen IBIS installed through security holes with no notice or consent. (Multiple additional videos on file.) I’ve also posted documentation of IBIS installed in tricky bundles with minimal notice. I’ve even seen IBIS offered in repeated ActiveX popups that tell users “you must click yes to continue” if users initially refuse installation. Other IBIS ActiveX popups offer a defective license link; clicking the license yields no license. (Video proof on file.)

These practices seem to violate almost every one of Google’s Software Principles. Google says to let users decline an unwanted installation, to give users upfront disclosure of major program functions, to clearly disclose changes to browser configuration, and only to come bundled with other programs meeting these rules. But my records show IBIS failing to meet each of these requirements.

 PPC advertisers 
money viewers
   Google AdWords   
money viewers
Go2Net
money viewers
IBIS WebSearch

How Funds flow from advertisers to IBIS WebSearch

Notwithstanding these apparent violations of Google’s Software Principles, IBIS shows many Google ads, seemingly receiving payment for such displays. Run a search in IBIS, and the ads often match Google ads. See screenshot at left. See also a video showing a search conducted through the IBIS WebSearch toolbar, a click on an ad, and the immediate creation of Go2Net and Google cookies. (Note that Google ads typically fill the entire screen of an 800×600 web browser.)

Click on a WebSearch ad, and traffic flows from WebSearch to Go2Net to Google to advertiser. Payment flows in the opposite direction. See diagram at right.

Using a network monitor (“packet sniffer”), I recorded the raw traffic that occurred when I clicked on the Orbitz ad shown above. In particular, my browser retrieved the URLs listed below. See also the full packet log of the associated transmissions, showing the full parameters of all redirects.

http://www.websearch.com/xfb_redir.aspx?CP=
http://clickit.go2net.com/search?pos=1&ppos=1&plnks=5&query=car+rental
http://clickit.go2net.com/search/id?pos=1&ppos=1&plnks=5&query=car+rental
http://www.google.com/url?sa=l&q=http://www.orbitz.com/App/DisplayCarSearch&ai=
http://www.google.com/url?q=http://www.orbitz.com/&ai=
http://www.orbitz.com/App/DisplayCarSearch?semsource=goog&semkeyword=car+rental

Google’s listing of ad partners confirms that Google ads can be shown by InfoSpace, owner of Go2Net. Note that InfoSpace is a publicly-traded company (NASDAQ: INSP).

The example above shows an Orbitz ad being shown by IBIS WebSearch. In my testing, Orbitz often advertises through programs often called spyware. (Examples: Orbitz ads shown by Claria/Gator, eXact Advertising and Hotbar.) But because IBIS WebSearch syndicates and shows many Google ads for many keywords, IBIS shows ads even for advertisers who otherwise refuse to do business with spyware firms. Indeed, thanks to syndication from Google, IBIS even shows (and receives payment for showing) ads from firms that have filed suit against makers of such software. For example, I have captured proof of IBIS showing Google AdWords ads from the Hertz, LL Bean, and the New York Times, each of which has taken a stand against unwanted advertising software by suing Claria.

Enforcement Challenges

Google’s Software Principles document concludes by noting that “Responsible … advertisers can work to prevent [undesirable software] by avoiding these types of business relationships [those violating the principles set out above], even if … through intermediaries.” This is surely good advice. But Google’s far-reaching relationships with Ask Jeeves, IBIS, and others indicate that Google’s actions fall short of Google’s own recommendations to others.

Most of Google’s AdWords partners are probably highly trustworthy — unlikely to show ads except in the ways that Google intends and permits. But where Google’s partners have partners of their own (as InfoSpace/Go2Net does in WebSearch), enforcement is likely to be more difficult and accountability lacking. Google could eliminate this problem by prohibiting its partners from syndicating Google ads on to further partners of their own — though such a rule would narrow the network showing Google sites and thereby reduce Google’s revenues. Google’s existing partners may also have contractual rights to distribute Google ads to partners; AJ’s 10-Q comments that AJ “display[s] paid listings from Google on … many of the third-party sites in our network” (page 18).

My testing of Go2Net/WebSearch was made particularly difficult by the fact that the Google ads at issue apparently occur only on nights and weekends. During the business day, I have observed that WebSearch generally shows ads from other sources, not from Google. This type of change tends to undermine and confuse casual efforts at testing and enforcement.

Tough enforcement is particularly difficult due to the large amount of money at issue. Ask Jeeves’ relationship with Google has grown to hundreds of millions of dollars per year. Yet my documentation of AJ’s installation practices demonstrates that some AJ traffic to Google comes from AJ toolbars installed without consent or installed without consent that meets Google’s standards. With huge money on the line, will Google terminate its relationship with AJ, as its Principles seem to require (“avoid… these types of business relationships”)? The wrongful installations cannot immediately be undone — it’s hard (though probably not impossible) to determine exactly which AJ toolbar installations lacked consent or lacked the kind of consent Google calls for. But it seems clear that AJ’s practices don’t live up to Google’s standards. What will Google do now?

Intermediaries’ Role in the Spyware Mess updated May 28, 2005

When unwanted programs (“spyware” and others) sneak onto users’ computers, their main goal is often to show extra ads, typically pop-ups. If a vendor’s program steals users’ credit card numbers or social security numbers, the vendor will get in real trouble. But, historically, software vendors have been able to show extra ads with impunity.

Where do these ads come from? What companies are willing to support the advertising software that users so despise? It turns out some of the world’s biggest companies are advertising in this way. In 2003, I posted a list of some of Gator’s then-biggest advertisers, work that PC Pitstop updated in 2003 (using Claria’s S1 filing). More recently, I’ve posted a list of substantially all eXact advertising advertisers. More to come.

These advertisers aren’t working in a vacuum. To the contrary, many of their ads appear through spyware only thanks to major ad intermediaries that facilitate and track those placements, and that assist in the associated payments.

Are ad intermediaries responsible when their ads are shown by software installed improperly? Marquette law professor Eric Goldman thinks not. But the New York Attorney General’s office has repeatedly suggested they might be. My take: Advertiser and intermediary liability is an interesting question of law, well beyond my aspirations for this brief piece. But where ad intermediaries purport to certify or stand behind the quality of the venues where their ads are shown, I’m not receptive to their claims that they can’t do what they’ve promised. Where ad intermediaries merely count advertisement clicks without even claiming to assure traffic quality, the case for blaming intermediaries for improper use of their tracking links may be somewhat weaker (though still cognizable).

One fact about which there is no reasonable dispute: Spyware would be far less profitable — and there would be far less of it trying to sneak onto users’ PCs — if big advertisers weren’t advertising this way and if big ad intermediaries weren’t helping to facilitate such advertisements.

An Initial Example: Atlas DMT Assisting with Expedia Ads Shown by 180solutions


An Expedia ad shown by 180solutions, via Atlas DMT tracking.An Expedia ad shown by 180solutions, via Atlas DMT tracking

The many relationships in spyware advertising can be quite complicated, all the more so because advertising and payment structures take so many forms. But let me start with a relatively straightforward example: When users visit aa.com (American Airlines) on PCs with advertising software from 180solutions, 180 may show a popup of Expedia’s web site. See inset image at right.

Expedia
(advertiser)
viewers
Atlas DMT
(intermediary)
viewers
  180solutions  

Traffic Flow

Although 180 could show the Expedia site directly, traffic more typically passes through intermediaries like, in this case, aQuantive’s Atlas DMT. In particular, 180 invokes the Atlas tracking link http://expedia.click-url.com/ go/www18epd0600005172ave/ direct/01, which then redirects users to the specified page at Expedia. So users reach Expedia through Atlas, as shown in the diagram at right.

Ads are placed through intermediaries for a variety of reasons. Sometimes intermediaries help to broker the deal — making connections between advertisers and venues where ads can be shown. Some advertisers might not want to do business with 180solutions directly — maybe they haven’t heard of 180, or have heard only bad things; but doing business with Atlas seems reasonable thanks to Atlas’s better reputation. Or perhaps Atlas adds accountability: An advertiser might not trust 180’s record-keeping, but the advertiser might feel confident that Atlas will accurately count how many times each ad was shown. Intermediaries can also provide efficient and centralized payment, reducing administrative costs. Whatever the reason, ads tend to flow through intermediaries — and so intermediaries like Atlas are well-equipped to stop such ads from appearing, if they care to do so.

Of course this Expedia/Atlas example is but one of many. See e.g. a more detailed example I posted in July 2004, showing a 180solutions ad for Hawaiian Airlines ad, also served by Atlas, substantially covering the Delta.com site.

A Case Study: Advertising Intermediaries Supporting 180solutions

Beyond the Expedia ad shown above, I’ve also been looking at all 180’s other ads, along with examining where these ads come from.

For those interested in advertisers supporting unwanted software, 180solutions is a natural place to start. 180solutions is often installed with no consent at all (videos: 1, 2), via misleading promises at kids sites, in poorly-disclosed bundles, and otherwise without appropriate notice and consent — so ads shown by 180 are presumptively unwanted. Meanwhile, my testing confirms that 180solutions tracks what web sites users visit — rightly earning the name “spyware” since 180 installations can be nonconsensual. 180 also attracts attention for its large installed base and substantial venture funding. Crucially, 180’s self-serve advertising sales system, MetricsDirect, lets anyone hire 180 to show a given ad URL when users visit URLs with a given keyword — without so much as speaking to a 180 representative. In combination, these factors make 180 among the worst offenders at showing problematic ads: Bad actors can use 180 to show advertisers’ sites to millions of users, without meaningful scrutiny by 180 and, thanks to ad intermediaries’ tracking systems, sometimes even without advertisers’ knowledge.

Earlier this month, I found that 180solutions tracks a total of 510,211 keywords within the URLs users visit. In my testing, 157,083 of these keywords are actively targeted with ads. A total of 88,388 distinct ads target these keywords. (As expected, many ads target more than one keyword. I measure “distinct ads” based on use of distinct ad URLs.)

Of these 88,388 ads, many pass through well-known intermediaries which serve to facilitate relationships between advertisers and 180; to track views, clicks, or purchases; and/or to track orcoordinate facilitate payment. The listing below gives a summary of the number of ads (of these 88,388) found to be actively loading content from the specified intermediaries. The listing reports only intermediaries associated with 500 or more different 180solutions ads.

Advertising intermediary
     # ads
Traditional banner ad networks / tracking services
Atlas DMT (aQuantive) (NASDAQ: AQNT)
2,666
Adteractive
2,231
DoubleClick (NASDAQ: DCLK)
1,352
FastClick (NASDAQ: FSTC)
513
Affiliate networks
ClickBank
1,054
Commission Junction (including BeFree) (ValueClick) (NASDAQ: VCLK)   
686
Syndicated search engine advertising
Google (NASDAQ: GOOG)
4,678

See disclosure as to Advertising.com (AOL).

Update: I’ve been asked for details about the “actively loading content from” criteria that governs inclusion in the table above. My scripts check for content loaded from an intermediary by looking for redirects, for loading an intermediary’s content in a FRAME or IFRAME, or for use of JavaScript to load arbitrary code from an intermediary. Most of the listed intermediaries primarily use the redirects and FRAME/IFRAME methods. But Google AdSense sites typically use JavaScript to load Google’s inline ads in a JavaScript-created subwindow. What all these practices have in common is that they actually show substantial content from the ad intermediary — not merely (for example) a small text link to an affiliate network.

Do Ad Intermediaries Intend to Support 180?

Multiple advertising intermediaries (and some big advertisers) have recently written to me to tell me that they “can’t” track how ads are being shown using their networks and systems. They apparently consider it impossible to track all their ads — so they think they shouldn’t be blamed if they fail, i.e. if their ads are shown through software installed improperly on users’ PCs.

I emphatically disagree. The task is definitely doable. I know because I’ve already done it.

advertisers
money viewers
ad intermediaries
(e.g. Commission Junction)
money viewers
independent intermediaries
(e.g. Top3offers)
money viewers
spyware
(e.g. 180solutions)

Flow of Traffic and Payments

Ad intermediaries are correct that the design of spyware and similar systems makes their traditional enforcement procedures ineffective. Historically, if an ad intermediary noticed that some client or site was showing its ads in a way the intermediary didn’t like, the intermediary could simply cancel the corresponding entity’s contract and withhold payments to that entity or refuse future business from that entity.

180solutions’ design (and others like it) wreaks havoc on this simple enforcement model. Many of 180’s ads are placed by 180 advertisers, acting in their own names, in general without disclosing that the resulting traffic will be shown in 180solutions pop-ups. For example, Top3offers.com pays 180solutions to show Top3offers URLs when users visit certain keywords pertaining to online dating. Top3offers then sends such traffic to Yahoo Personals via a Commission Junction tracking link, ultimately receiving payments for leads or signups. Yahoo and CJ did not request that Top3offers take any such action — and if they search their advertiser databases for 180solutions, they won’t find a match, because the underlying account is in the name of Top3offers, not 180. And of course Top3offers is just one of hundreds — thousands? — of middle-men using similar methods. (See e.g. ten specific examples I posted in detail last year — complete with packet logs, videos, etc.)

So it’s insufficient for ad intermediaries to merely search their databases for the names of known wrongdoers. Rather, rigorous enforcement requires examining actions, not just names. Savvy intermediaries need an enforcement system that monitors ads at trouble spots like 180solutions, that flags suspect ads shown there, and that does not naively assume that bad actors will be truthful in their statements to ad intermediaries. Conveniently, that’s precisely how my ad-tracking robot works — that’s precisely how I generated the table above.

This CJ/Top3offers example is just one of many, and of course facts vary across types of ad intermediaries. Because affiliate networks like Commission Junction generally pay commissions only when users make purchases, they tend to be particularly indiscriminate as to who can place such links and earn such commissions — operating under the mistaken assumption that if a user made a purchase, the traffic must have been legitimate. (They ignore the risk that the ad was improperly shown to the user, without appropriate prior consent.) Indeed, despite CJ having ended its direct relationship with 180, 180’s advertisers (the “independent intermediaries” in the diagram above) continue to run CJ links — apparently in the expectation of continuing to receive payment, i.e. because CJ won’t catch them. If CJ can’t identify and block this traffic, then CJ still earns its commissions on such traffic — so paradoxically CJ still profits from the activities of 180 and its advertisers.

How Google Gets Involved

PPC advertisers
money viewers
   Google (AdWords)   
money viewers
AdSense sites
money viewers
180solutions

Flow of Traffic and Payments via Google

Google’s relationship with 180 proceeds in the convoluted path shown at right. Pay-per-click advertisers pay Google to show their ads on Google’s AdSense partner sites. Some AdSense members then pay 180 to show the members’ sites via 180solutions popups, such that funding ultimately flows as shown at right: From pay-per-click advertiser to Google to AdSense member site to 180solutions. (Example.)

Google’s relationship with 180 merits special discussion for at least two reasons. First, where other intermediaries often withhold from making claims about the quality of the sites they track or serve, Google tells its advertisers that sites showing Google ads are “high-quality” and “reviewed and monitored according to … rigorous standards.” Furthermore, Google’s AdSense Program Policies provide that AdSense ads may not be displayed in pop-ups or via client software (like 180).

Second, notwithstanding Google’s statements about the quality of sites in its network, Google’s relationship with 180 is surprisingly large: Of the 88,388 current 180solutions ads, some 4,678 (5%+) include Google AdSense ads, making Google the most prevalent source of funding for web sites advertising with 180solutions (at least when measured by the methods set out above).

Despite the “quality” claims in Google’s statements to its advertisers, it is unclear what steps Google takes to enforce its stated rules. I sent an inquiry to Google staff two weeks ago, but I have not yet received a response.

That Google AdSense members promote their sites through pop-ups like 180’s is entirely foreseeable. Indeed, Google apparently foresaw this problem when it included AdSense policy text to specifically forbid this practice. Now that the problem is observed and now that it turns out to be substantial, will Google enforce its existing rule?

Update: In a blog entry responding to this piece, Eric Goldman concludes “nothing about traffic to AdSense sites sourced by adware vendors runs contrary to Google’s stated policies.” Perhaps I haven’t explained (what I view to be) the violation sufficiently clearly. So let me try again. First, AdSense Program Policies require that “No Google ad … may be displayed on any … pop-ups” — seemingly violated when 180 shows pop-ups of sites that include AdSense ads. Second, AdSense’s Terms and Conditions provide as follows (emphasis added):

“5. Prohibited Uses. You shall not, and shall not authorize or encourage any third party to … (vi) directly or indirectly accessAds … through or fromany software application.

My example shows behavior that seems to exactly match the prohibited activity: An AdSense site hires 180 (surely “authoriz[ation]” and “encourage[ment]” within the meaning of the rule) to show the AdSense site, including showing (and thereby “access[ing]”) the site’s AdSense ads, as a result of the 180 software application observing the user viewing certain targeted sites. To me, the inconsistency between this practice and the stated rule seems abundantly clear.

Methodology, Enhancements, and Future Work

For those interested in my methodology: I’ve previously written about how to learn what ads 180 shows when users visit certain sites. The results above are derived from this list of ad URLs by processing with a robot that looks at the contents of each ad URL, attempting to determine and classify any ad networks or other intermediaries forwarding users to other advertising elsewhere.

Because my robots are imperfect, my methods tend to undercount the number of ads actually coming from each ad intermediary. My robots can track and analyze most standard HTML, including server-side redirects, client-side redirects, frames, iframes, and even basic JavaScript. But encoded JavaScript and certain other tricks currently serve to stop my robots from successfully and fully analyzing all ads.

In the coming weeks I’ll be posting more specific data — perhaps a listing of specific ads shown through unwanted software on users’ PCs, passing through some or all of the ad intermediaries listed above; perhaps videos and packets logs examining particular examples in detail. Interested readers should feel free to send suggestions and requests. Note that my March 2005 eXact Advertising testing reported the intermediaries associated with most of eXact’s current ads.

Where Do We Go From Here?

At a recent NAI Spyware conference, advertising executives reportedly discussed “creating robot-like technology to follow … advertisement[s].” They’re on the right track — but it’s unfortunate that they’re still just “discussing” rather than actively moving forward with the work. If I can do the analysis above — using just my ordinary cablemodem, some VB scripts running within Microsoft Access, and a single spare PC in my lab — then surely NAI’s members can do a lot better.

NAI members like aQuantive and DoubleClick are currently placing and tracking thousands of ads that are helping to fund the unwanted software plaguing users’ PCs. The time for talking has long since ended.

Disclosure: I serve as a consultant to AOL on certain matters related to spyware. If AOL’s Advertising.com ads had been sufficiently frequent to meet the criteria for inclusion in the table, I would have included them. However, in fact AOL / Advertising.com serve/track/support substantially less than 500 ads shown by 180solutions, therefore not calling for inclusion in the table. This calculation is based on 180solutions ads as they stood before I sent AOL any report as to its Advertising.com ads being shown by or through 180solutions. To the extent that AOL’s numbers are below those of other ad intermediaries, I attribute this to AOL’s March 2005 decision to stop doing business with all adware companies.

What’s So Hot About Hotbar? updated May 19, 2005

Last week Sunbelt announced that Hotbar sent Sunbelt a Cease and Desist letter, apparently demanding that Sunbelt stop detecting Hotbar software and offering users an option to remove it. I immediately updated my Threats page. But then I started wondering: How does Hotbar get onto users’ PCs? And what does Hotbar do once installed?

My new Hotbar Installs via Banner Ads at Kids Sites shows a variety of unsavory Hotbar practices: Promoting Hotbar advertising software at sites targeting kids, using banners with smiley faces but without mention of ads. Failing to affirmatively show a license agreement, and burying advertising terms so many screens into the license and below such counterintuitively-labeled section headings that users cannot reasonably find the key provisions. First affirmatively mentioning advertising on a screen that offers no Cancel button for users to decline the installation. And ultimately bombarding users with ads in pop-ups, web browser toolbars, Windows Explorer toolbars, auto-opening sidebars, and even desktop icons.

Meanwhile, Hotbar’s C&D indicates that their software is no longer detected by Microsoft Anti-Spyware, Lavasoft Ad-Aware, or McAfee. Why not? Consider Microsoft’s policy statement: “Windows AntiSpyware (Beta) alerts the user to the presence of any automatic pop-up advertising appearing outside the context of the program they are currently using.” This certainly describes Hotbar’s pop-up ads. Yet somehow Hotbar has caused — convinced? persuaded? threatened? — Microsoft not to detect their program.

Of course Hotbar is not the only party to blame. Hotbar’s ads arrive at kids sites through ads syndicated by Fastclick (NASDAQ: FSTC). As a publicly-traded company, surely Fastclick could find a better business than foisting advertising software onto unsuspecting kids.


I’ve recently received a copy of the Cease and Desist letter (PDF) Hotbar sent to Sunbelt. Sunbelt says they’ll be responding shortly, and I’m looking forward to reading their response. Meanwhile, some inaccuracies in the letter are so egregious that I feel obliged to note them immediately.

Hotbar claims to provide its users with “explicit explanations” of its services, and Hotbar therefore claims that users “provide … full conscious consent to each and every aspect of Hotbar software.” That’s not what I’ve seen when I’ve tested Hotbar. Rather, I have observed Hotbar install without even mentioning the word “ads” until a screen at which users aren’t given a “cancel” button. And nowhere does Hotbar affirmatively show users any mention of its numerous forms of ads (pop-ups, pop-unders, toolbar ads, auto-opening sidebars, and even desktop icons). To say Hotbar users “consent to each and every aspect” is truly a puzzling misstatement of the facts — that’s not what I’ve observed, nor is it what I’ve chronicled in screenshots and videos.

Hotbar then claims that Sunbelt “misrepresent[s]” Hotbar when it calls “Hotbar” adware. I don’t get it. How else is Sunbelt supposed to describe a program that tracks users’ online activities and shows ads, including pop-up ads? If Claria is adware — and even Claria says it is! — then surely Hotbar is properly called adware too. Perhaps reasonable people could disagree about the propriety of calling Hotbar spyware. But “adware”? No.

Telling the Truth about Installation Tactics

Installation practices occupied center stage at last week’s CNET Download.com‘s anti-spyware conference. Many of the companies whose installation practices I’ve criticized attempted to defend those practices or deflect attention from them. But their explanations and excuses don’t stand up to critical examination.

Does Claria Target Kids? Take Two…

At the CNET conference, I showed my slides of Claria’s misleading ads on kids sites. The audience seemed to think the slides are pretty damning: Claria shows an ad that looks like a Windows dialog box, though it’s not; Claria offers a clock-synchronizing program (which Windows XP users don’t need); Claria installs software with just two clicks; and Claria doesn’t show a license until after the user accepts the installation. All this, on sites targeted at kids — sites with privacy policies that say so, in case the cartoon graphics, simple language, and underlying content (often cartoon video games) weren’t clear enough.

Claria’s CEO, Jeff McFadden, responded in part by claiming that the Ezone site (the example I focused on) isn’t really targeted at kids:

“… There’s a second thing that was mentioned, that this is a kids site. I’m not sure what homework was done on this, because there’s an IDC report that says that online gaming sites, the average age of people who visit those sites is 29. I don’t know if anyone has done a demographic study of this particular site. I was shocked to find that even the Neopets web site that my daughters at home use quite frequently has a very large constituency of housewives that use the site. So we do not ‘target’ kids sites. … ”

conference archive, session 2 recording (MP3), from 1:05:00 to 1:12:38 (excerpt – WindowsMedia), in response to my question at 55:50 to 57:50 (excerpt). See also panelists’ responses at 57:50 to 1:05:00 (excerpt).

IDC may be right that the average age of gaming site visitors is 29. But I doubt demographics are similar at cartoon video game sites like Ezone. With titles like “Beetle Junior” and “Turtle Bay,” it’s hard to think the sites could retain a major adult audience.

What would it take to convince Jeff that the Ezone site really does cater to kids, and that it isn’t an appropriate place to solicit new installations of Claria’s advertising software? Last month I posted several other examples of Claria ads on (what I claim to be) kids sites — not just Ezone, but also a site called Fingertime Games (“lunar mouse house,” “junk food jack” and other games). Today I’m adding one more, which I think is even more clearly targeted at kids. For starters, the site is called Kidzpage — its very name a play on “kids.” Its title bar and “welcome” text both say it’s “for children.” Its advertisement pitch specifically says it’s “for kids and adults … family and students … school-aged children along with the ‘grown-ups’ who supervise them.” It’s linked from Yahooligans (Yahoo for kids). Can anyone seriously dispute that users obtained at such a site will include kids who didn’t know what they were getting, and who couldn’t reasonably consent?

A Claria ad within a site catering to kids.  Note cartoon-style graphics and lettering.  Note "for children" within title bar.

Beyond targeting kids, there’s plenty more wrong with this Claria installation method. See my earlier write-up for discussion of fake-user-interface, unneeded programs, and failure to show a license until after installation occurs. See also Eric Howes‘s Adware Installations of 2005, showing other Claria installations with similar shortcomings.

Ask Jeeves’ Problems: Non-consensual Installations, Semi-consensual Installations

Installation practices seem to be a question that IAC CEO Barry Diller doesn’t fully understand, or at least doesn’t care to talk about. In an earnings call last week, he said AJ “doesn’t have an issue with either spyware or adware.” But more than denying that AJ faces exposure here, Diller didn’t even want to discuss the matter. He continued: “It is an issue, obviously, but it is not our issue. And that’s that. Next question, please?”

Diller is right that the AJ toolbars aren’t either spyware or adware (as I use the terms). After all, the AJ toolbar doesn’t obviously collect much information about what users do (though I don’t fully understand all of AJ’s transmissions). And the AJ toolbar doesn’t show the annoying pop-ups common to most “adware.” (That said, AJ’s toolbar leads users to web pages with lots of PPC ads syndicated from Google. So if some AJ installations are wrongful, remember that Google revenues are ultimately funding AJ’s activities. Google staff tell me they’re “looking into it.”)

But Diller is wrong to so quickly conclude AJ has no problem here, merely because AJ doesn’t make spyware or adware. If AJ software is becoming installed through security holes w/ no notice or consent (it is), and if AJ is offering payments to those who perform these wrongful installations, AJ has a problem no matter how praiseworthy AJ’s software may be. Similarly, if AJ is installing without showing or even referencing a license, while using euphemisms that fail to properly disclose even the most general effects of the programs to be installed (again all true), AJ has a lot to improve. Same if the AJ license agreement is buried at page 48 of a license agreement users aren’t even shown unless they specifically request it (see Kazaa installer).

The basic legal theory — clearly articulated in the NYAG’s complaint against Intermix — is that users ought to control what software runs on their computers. So installations are only proper when they occur with user consent, after clear and straightforward disclosures. Omit the disclosures, or phrase them so euphemistically that users can’t reasonably understand, then the software installation becomes a trespass.

I don’t always agree with Marquette professor Eric Goldman. (In particular, I can’t agree with his calls for narrow liability for actions of distributors and advertisers. This seems like a recipe for unaccountability and for rewarding bad actors. Eric’s approach would encourage “adware” vendors to look the other way when their software is installed wrongfully, and would give a free pass to those who advertise through software installed improperly.) But interestingly Eric and I seem to see AJ the same way — the key question being whether AJ’s installation disclosure and consent is up to par.

180solutions Continues to Become Installed Without Any Consent At All

Representatives from 180solutions made the sensible decision not to claim, within the official CNET conference sessions, that their programs install only with consent. After all, I had screenshots and videos providing the contrary.

But in a video interview made mere minutes before, 180solutions COO Daniel Todd told Dow Jones Marketwatch that “180solutions does not install software on people’s computers without consent.” Only upon further pressing by the interviewer does Todd back-peddle, admitting that some 180 distributors install 180 software with “no consent” or without (what Todd considers) adequate consent.

So Todd admits that some 180 installs are nonconsensual. Yet 180’s web site continues to claim that its software is “permission based” and “only downloaded with user consent.”

Which one is right? My November and March videos show nonconsensual 180 installations in great detail. (I’ll post still more videos in the coming weeks, as to 180 as well as Direct Revenue, eXact Advertising, and many others.) So Todd’s ultimate admission is accurate. Not so for the “only … with … consent” promises on 180’s web site.

Todd later stated that 180 has 7,000 to 10,000 distributors. That’s a huge number — it underscores the practical difficulty of 180 performing meaningful oversight of what its distributors are doing. With so many installation “partners” and so little enforcement or quality control, 180 has created a monster. Who’s going to fix it, and when?

Direct Revenue Commission Skimming

In my final visit to the CNET Q&A microphone, I mentioned Direct Revenue “skimming off the top” — invoking affiliate commission links to claim commissions on purchases users were already making. I previously documented this same behavior by 180solutions — finding it surprisingly widespread, yet reportedly an easy way to make money. (Last year 180 told MSNBC that it made more than $100,000 from Dell in just one month in late 2003.)

Direct Revenue’s commission-skimming was relatively easy to spot — with telltale signs in users’ cookies folders, not to mention noticeable popunders and, as usual, clear records in packet sniffers. So I was pleased to learn that affiliate network Commission Junction has already noticed this scam and, reportedly, taken action. So perhaps there’s less need for me to post the various videos, screenshots, packet logs, and other proof I’ve been accumulating. Instead, I’ll soon be focusing on reporting DR advertisers — some shocking examples, like American Express ads continuing to target kids sites.

Does Jeeves Ask for Permission?

I continue my misleading installation series with a look at installation practices of Ask Jeeves. My new Ask Jeeves Toolbar Installs via Banner Ads at Kids Sites shows a misleading banner ad particularly likely to target kids. When users click on this banner, AJ neither shows nor references any license agreement. And AJ uses euphemisms like “accessible directly from your browser” rather than explicitly admitting that it will install a web browser toolbar.

But that’s not the worst of AJ’s practices. Over the past six months, I’ve captured a series of videos showing Ask Jeeves’ MyWay and MySearch software installed through security holes — without notice, disclosure, or consent. For example, in a video I made on March 12, I received more than a dozen different programs including the Ask Jeeves MySearch toolbar — without me ever requesting anything, and without me ever clicking “Yes” or “Accept” in any dialog box. Watch the video and see for yourself. Warning: The video is 16+ minutes long. Security exploit occurs at 6:00, and Ask Jeeves MySearch software is first seen at 15:50. In this same testing, I also received installation of 180solutions, multiple programs from eXact Advertising, the IBIS WebSearch toolbar, PeopleOnPage, ShopAtHomeSelect, SurfSideKick, WindUpdates, and many more. The underlying network transmissions show that the security exploit at issue was syndicated through the targetnet.com ad network — Mamma Media, publicly-traded on Nasdaq Small Cap.

I have other videos available upon request, including nonconsensual AJ installations dating back to November 2004. See also my November 2004 exploit video.

I’m surprised that Ask Jeeves allows these nonconsensual installations. Ask Jeeves is a publicly-traded company with a 10-digit valuation (slated to be acquired by InterActiveCorp for $1.85 billion). If Ask Jeeves staff made a serious effort to screen and supervise their distribution partners, they could prevent this kind of mess.


The biggest news last week was a lawsuit filed by the New York Attorney General’s office against Intermix Media, whose KeenValue, IncrediFind, and other programs show popup ads, add extra browser toolbars, and intercept error messages. These practices are objectionable in and of themselves, but the complaint focuses on the programs’ misleading installations. Sometimes the programs install with no notice at all, the complaint says, and sometimes only with hidden or misleading disclosures users are unlikely to notice or understand.

I have the sense that this suit is the first of many. There are certainly plenty of similar offenders, even big companies with major venture capital funding. I have often written about software from 180solutions, Direct Revenue, and eXact Advertising installing through security holes, practices I’ve continued to observe (including in the video linked above). And Claria’s tricky installations share many of the deceptive characteristics the AG attributes to Intermix, like hiding key terms in “lengthy, legalistic license agreements” and using “vague, incomplete” disclosure text. (See NYAG complaint (PDF), paragraph 9.) So I doubt the NY AG’s office would approve of the Ask Jeeves practices I’m documenting today, nor the other misleading tactics on my spyware installation methods index.