False and Deceptive Display Ads at Yahoo’s Right Media

Yahoo’s Right Media ad marketplace features widespread ads exactly designed to deceive. I present ten examples of these deceptive ads, and I critique their unwelcome characteristics. To estimate the prevalence of deceptive tactics, I examine Right Media’s own analysis ad characteristics — finding that by Right Media’s own admission, deceptive ads total 35% or more of Right Media’s advertising inventory.

Details:

False and Deceptive Display Ads at Yahoo’s Right Media

Yahoo syndication fraud litigation

I served as cocounsel in class action litigation challenging Yahoo placing advertisers’ advertisements in low-quality locations such as adware, popups, and typo squatting, while charging advertisers high prices predicated on search advertising.  After motion practice denying Yahoo’s motion to dismiss, Yahoo agreed to cease certain of the practices at issue and allow advertisers to exclude themselves from certain low-quality advertising placements.

In re: Yahoo Litigation, No. 06-2737-CAS (C.D. Cal.)

Case docket including consolidated second amended class action complaint and settlement agreement

The Spyware – Click-Fraud Connection — and Yahoo’s Role Revisited

In August I reported a startling number of notorious spyware programs receiving payments, directly or indirectly, from Yahoo!’s pay-per-click (PPC) (Overture) search system. Yahoo pays numerous other companies to show these ads via syndication relationships. So when a spyware vendor can’t find advertisers to buy its ad inventory directly, the spyware vendor can show Yahoo ads instead. Every time a user clicks on such an ad, the advertiser must pay Yahoo. Then Yahoo pays a revenue share to the spyware vendor that showed the ad. My August article documented relationships between Yahoo and 180solutions, Claria, Direct Revenue, eXact Advertising, IBIS, and SideFind.

My August article covered “just a few of the … examples I have observed and recorded.” Since then, my Yahoo-spyware collection has grown dramatically. I now have many dozens of different examples of Yahoo pay-per-click ads shown within spyware.

My August examples demonstrate what I call “syndication fraud” — Yahoo placing advertisers’ ads into spyware programs, and charging advertisers for resulting clicks. But Yahoo’s spyware problems extend beyond improper syndication. In my August syndication fraud examples, an advertiser only pays Yahoo if a user clicks the advertiser’s ad. Not so for three of today’s examples. Here, spyware completely fakes a click — causing Yahoo to charge an advertiser a “pay-per-click” fee, even though no user actually clicked on any pay-per-click link. This is “click fraud.”

This document offer four fully-documented examples of improper ad displays (1, 2, 3, 4), including three separate examples showing click fraud. I then develop a taxonomy of the problem and suggest strategies for improvement.

The Pay-Per-Click Promise; The Click Fraud Threat

When advertisers buy pay-per-click advertising, they largely expect and intend to buy search engine advertising. If a user goes to Yahoo and types a search term, interested advertisers want their ads to be shown. Ads are supposed to be carefully targeted, i.e. to the specific keywords advertisers specify. And an advertiser is only supposed to pay Yahoo when a user actually clicks the advertiser’s ad.

Click fraud attacks these promises. In canonical click fraud, one advertiser repeatedly clicks a competitor’s ads — or hires others to do so, or builds a robot to do so. Deplete a competitor’s budget, and he’ll leave the advertisement auction. Then the first advertiser can win the advertising auction with a lower bid.

Advertisement syndication also creates a risk of click fraud. Suppose Yahoo contracts with some site X to show Yahoo’s ads. If a user clicks a Yahoo ad at X, Yahoo commits to pay X (say) half the advertiser’s payment to Yahoo. Then X has an incentive to click the Yahoo ads on its site — or to hire others to do so, or to build robots to do so.

Spyware syndication falls within the general problem of syndication-based click fraud. Suppose X, the Yahoo partner site, hires a spyware vendor to send users to its site and to make it appear as if those users clicked X’s Yahoo ads. Then advertisers will pay Yahoo, and Yahoo will pay X, even though users never actually clicked the ads.

The following three examples show specific instances of spyware-syndicated PPC click fraud. In each example, I present video, screenshot, and packet log proof of how spyware vendors and advertisement syndicators defraud Yahoo’s advertisers.

Click Fraud by 180solutions, Nbcsearch, and eXact Advertising – December 17, 2005

PPC advertisers
money viewers
Yahoo Overture
money viewers
eXactSearch
money viewers
Nbcsearch
money viewers
180solutions

The money trail – how funds flow from advertisers to Yahoo Overture to 180solutions

On a test PC with 180solutions (among other unwanted software) (widely installed without consent), I browsed Nashbar.com, a popular bicycling retailer. I received a popup that immediately forwarded traffic to a Yahoo Overture PPC link — faking a click on that link, and charging an advertiser as if a user had clicked on that link, even though I had not actually done so.

Reviewing my packet log, I see that traffic flowed as listed below.

http://tv.180solutions.com/showme.aspx?keyword=bicycle%2aparts+cycling+cycling…
http://popsearch.nbcsearch.com/metricsdomains.php?search=mountain+bike
http://ww3.exactsearch.net/red.php?mc=T%2FcbeGxGNus4%2F3AyiyVWsqV5cRprOptbkiRR…
http://ww3.exactsearch.net/click.php?mc=T%2FcbeGxGNus4%2F3AyiyVWsqV5cRprOptbki…
http://207.97.227.18/clk/?31303b313133343836343333352e39347e74696572313b3030
http://www22.overture.com/d/sr/?xargs=15KPjg149StpXyl%5FruNLbXU7Demw1X18j2tJ5w…
http://clickserve.cc-dt.com/link/click?lid=43000000005485843
http://www.sportsmansguide.com/affiliate/ccx.asp?url=http%3A%2F%2Fshop%2Esport…

See also full packet log, annotated screenshots, and video.

As shown in the diagram at right, the net effect of these practices is that advertisers pay Yahoo, then Yahoo pays eXact Advertising (eXactSearch), which pays Nbcsearch, which pays 180solutions.

All these payments are predicated on a user purportedly clicking an ad — but in fact no such click ever occurred. Because advertisers are charged for pay-per-click “clicks” without any such click actually taking place, this is an example of click fraud.

Click Fraud by 180solutions, Nbcsearch, and Ditto.com – March 2, 2006

PPC advertisers (i.e. SmartBargains)
money viewers
Yahoo Overture
money viewers
Ditto.com
money viewers
Nbcsearch
money viewers
180solutions

The money trail – how funds flow from advertisers to Yahoo Overture to 180solutions

On a test PC with 180solutions (among other unwanted software) (widely installed without consent), I browsed SmartBargains.com, a popular discount retailer. I received a popup that, in its title bar, indicated that it came from 180solutions. Mere seconds later, I was redirected to a duplicate window of SmartBargains.

Reviewing my packet log, I see that traffic flowed as listed below.

http://tv.180solutions.com/showme.aspx?keyword=%2esmartbargains%2ecom+smart+…
http://popsearch.nbcsearch.com/metricsdomains.php?search=smartbargains.com
http://ww2.ditto.com/red.php?mc=T%2FgSdHBNM%2Bg2%2B3AyiyVWsqV5cRprOptbkiRRrZ…
http://ww2.ditto.com/click.php?mc=T%2FgSdHBNM%2Bg2%2B3AyiyVWsqV5cRprOptbkiRR…
http://agentq.ditto.com/click.clk?pid=708811&ss=smartbargains.com&advname=sm…
http://www24.overture.com/d/sr/?xargs=15KPjg1%2DpSgJXyl%5FruNLbXU6TFhUBPycz2…
http://www.smartbargains.com/default.aspx?aid=47&tid=82136

See also full packet log, annotated screenshots, and video.

As shown in the diagram at right, the net effect of these practices is that advertisers pay Yahoo, then Yahoo pays Ditto.com, which pays Nbcsearch, which pays 180solutions.

All these payments are predicated on a user purportedly clicking an ad — but in fact no such click ever occurred. Because advertisers are charged for pay-per-click “clicks” without any such click actually taking place, this is an example of click fraud.

This example also shows what I call “self-targeted traffic.” Notice that the net effect of this click fraud is to show the user the site the user had requested — but to show that site also in a second (“double”) window. Since users end up at the requested site, users may not notice that anything is wrong. But from an advertiser’s perspective, something is very wrong: This process asks SmartBargains to pay Yahoo Overture PPC fees for SmartBargains’ own organic traffic — a lousy deal, since Yahoo Overture is providing SmartBargains with no new leads and no genuine value.

Click Fraud by Look2me/Ad-w-a-r-e, Improvingyourlooks.com, and Two Unknown Parties – April 1, 2006

PPC advertisers (e.g. lasikcookeye.com)
money viewers
Yahoo Overture
money viewers
64.14.206.59
money viewers
improvingyourlooks.com
money viewers
12.129.178.27
money viewers
Look2me / Ad-w-a-r-e

The money trail – how funds flow from advertisers to Yahoo Overture to Look2me / Ad-w-a-r-e

On a test PC with Look2me/Ad-w-a-r-e (among other unwanted software) (installed without my consent), I received a popup that redirected me to and through a Yahoo Overture PPC link. The popup ultimately showed me the lasikcookeye.com site even though I had showed no prior interest in eye problems or eye surgery. Reviewing my packet log, I see that traffic flowed as listed below:

http://www.ad-w-a-r-e.com/cgi-bin/UMonitorV2
http://64.194.221.33/cgi-bin/KeywordV2?query=4047&ID={…}
http://12.129.178.27/redir?aid=1006&cid=162&xargs=ZmlkPTUxJmtleT1sYX…
http://search.improvingyourlooks.com/index.html?red=1&q=lasik%20eye%20su…
http://search.improvingyourlooks.com/?1143930576
http://64.14.206.59/cgi-bin/feedred?c=2188&p=2068&q=lasik%20eye%20surgery&de…
http://www10.overture.com/d/sr/?xargs=15KPjg17hS%2DZXyl%5FruNLbXU6TFhUBQxd7t…
http://www.lasikcookeye.com/

See also full packet log, annotated screenshots, and video.

As shown in the diagram at right, the net effect of these practices is that advertisers pay Yahoo, then Yahoo pays the operators of the server at 64.14.206.59, which pays improvingyourlooks.com, which pays 12.129.178.27, which pays Ad-w-a-r-e.

All these payments are predicated on a user purportedly clicking an ad — except that in fact no such click ever occurred. Because advertisers are charged for pay-per-click “clicks” without any such click actually taking place, this is an example of click fraud. Furthermore, because my prior activity gave no sign of any interest in eye care, this popup sends the advertiser untargeted traffic — also contrary to Yahoo’s representations to advertisers.

Advertiser Lasikcookeye is the victim of these practices and the victim of this click fraud. Lasikcookeye contracted with Yahoo to buy pay-per-click ads shown at Yahoo.com when users performed relevant searches. Lasikcookeye intended (and reasonably expected) that its ad would be shown to appropriate users, and that it would only be charged if a user saw the ad, found it appealing, and specifically chose to click on it. Instead, Lasikcookeye here was charged for a “click” that never took place, and for its site being shown to a user who never asked to see it. Furthermore, Lasikcookeye’s site was shown in a popup, an advertising format users are known to dislike, which risks damaging Lasikcookeye’s good name.

Unlabeled PPC Links Inserted into Third Party Web Sites – by Qklinkserver.com / Srch-results.com, Searchdistribution.net, and Intermix’s Sirsearch – April 2, 2006

The circled link was inserted into the nytimes.com site by Qlinkserver.  Clicking the link sends traffic to Yahoo Overture PPC and on to an advertiser. The circled link was inserted into the nytimes.com site by Qklinkserver, without the Times’ consent. Clicking the link sends traffic to Yahoo Overture PPC and on to an advertiser.

PPC advertisers (e.g. shop.com)
money viewers
Yahoo Overture
money viewers
Intermix Sirsearch
money viewers
Searchdistribution.net
money viewers
Qklinkserver.com / Srch-results.com

The money trail – how funds flow from advertisers to Yahoo Overture to Qklinkserver

On a test PC with Qklinkserver (among other unwanted software) (installed without my consent), I observed numerous extraneous hyperlinks inserted into third parties’ sites. Checking these same sites on ordinary uninfected PCs, I received no such links. See e.g. the partial screenshot at right, showing an extra hyperlink inserted into the lead article listed on the New York Times site.

Clicking that extra New York Times link yielded traffic to a Yahoo Overture PPC link and on to a Yahoo Overture advertiser (here, shop.com). Reviewing my packet log, I see that traffic flowed as listed below:

http://www.qklinkserver.com/lm/rtl4.asp?si=20057&k=prime%20minister
http://search1.srch-results.com/search.asp
http://partnernet.searchdistribution.net/go3.aspx?encr=1&nv_click=9JT5m1b…
http://www.sirsearch.com/click.cfm?rurl=http%3a%2f%2fwww10.overture.com%2…
http://www10.overture.com/d/sr/?xargs=15KPjg1%5F5SjJXyl%5FruNLbXU6TFhUBPz…
http://www.shop.com/op/aprod-~Prime+Minister+Print?ost=prime+minister&sou…

See also full packet log, annotated screenshots, and video.

As shown in the diagram at right, the net effect of these practices is that advertisers pay Yahoo, then Yahoo pays Intermix (Sirsearch), then Intermix pays Searchdistribution.net which pays Qklinkserver.com / Srch-results.com.

As shown in the inset image above-right, Qklinkserver.com inserts links into other sites without any on-screen indication that the links come from Qklinkserver, not from the requested sites. Users seeing such links might reasonably think they reflect editorial selection by the requested sites (i.e. New York Times editors picking an appropriate link), when in fact the links merely point to whichever advertisers bid highest at Yahoo.

Note that traffic passes through Intermix’s Sirsearch servers. This is not Intermix’s first involvement with spyware, nor Intermix’s first involvement with Yahoo in the context of spyware. During the New York Attorney General’s summer 2005 investigation of Intermix for improper installation of advertising software onto users’ computers, a NYAG investigator reported that more than 10% of Intermix’s revenues came from Yahoo. The investigator further commented that the NYAG was “not ruling out … going after … Overture” for its role in funding Intermix. My findings here suggest that Intermix’s relationship with Yahoo and Intermix’s funding of spyware may extend beyond what was previously known.

I have tested the Qklinkserver advertising software at length. Of the links I have received from Qklinkserver, every single one ultimately passes through Yahoo Overture. As best I can tell, Yahoo Overture is the sole source of funding for Qklinkserver. (Compare: Yahoo Overture funding 31% of Claria, per Claria’s 2003 SEC S1.)

Understanding the Problem

I see six distinct problems with the Yahoo practices and partners at issue.

  • Click fraud. Through these improper ad displays, Yahoo charges advertisers for “clicks” that didn’t actually occur. This violates the core premise of pay-per-click advertising, i.e. that an advertiser only pays if a user affirmatively shows interest in the advertiser’s ad. Yahoo promises: “Pay only when a customer clicks on your listing.” But that’s just not true here. Instead, through click fraud, advertisers are asked to pay for spyware-delivered traffic, whether or not users actually click.
  • Untargeted traffic. Premium prices for PPC advertising reflect, in part, the extreme targeting of PPC leads: PPC ads are only supposed to be shown to users actively searching for the specified product, service, or term. Yahoo promises: “Advertise only to customers who are already interested in your products or services.” That’s also untrue in some of my examples. in fact spyware-delivered PPC results show Yahoo PPC ads to users with no interest in advertisers’ products or services.
  • Self-targeting traffic. Spyware-delivered PPC ads often target advertisers with their own ads. For example, in August I reported a user browsing the Dell site, then receiving spyware-delivered Yahoo PPC advertising promising “up to 1/3 off” if a user clicked a prominent link. But clicking that link didn’t actually provide any discounts or savings beyond Dell’s usual prices. However, each time a user clicked the link, Dell had to pay Yahoo a PPC advertising fee that I estimate at $3.30. That’s a bad deal for Dell: These users were already at Dell’s site, and there’s no reason why Dell should pay Yahoo or a spyware vendor just to keep them there. Same for self-targeting of SmartBargains, reported above.
  • Failure to label sponsored links as such. Through spyware syndication, Yahoo PPC ads often appear on users’ screens without appropriate labeling. When unlabeled ads appear in or adjacent to search engine results, these ads risk violating the FTC‘s 2002 instructions for advertising disclosures at search engines. See my prior SideFind example, where SideFind justifies bona fide search results with Yahoo PPC ads, without labeling Yahoo’s ads as such. Unlabeled ads also prevent users from understanding the nature of the linked content: For example, recall my Qklinkserver example. Seeing unlabeled text links inserted into ordinary web pages, users reasonably expect that such links were chosen by the sites users were visiting, when in fact such links were unilaterally inserted by unrelated spyware installed without user consent.
  • Low-quality traffic. Advertisers pay Yahoo a premium to reach desirable users at Yahoo.com — sophisticated users, users who are actively engaged in search. In contrast, spyware sends advertisers low-quality users, including users who are less likely to make a purchase. This traffic is not worth the premium price Yahoo charges. Consider: 180solutions sells popups for as little as $0.015 (one and a half cents) per ad display. In contrast, Yahoo charges a minimum of $0.10 — more than six times as much. Yahoo harms advertisers when Yahoo charges advertisers its premium prices for ads ultimately shown through low-quality low-cost channels like 180solutions.
  • Unethical spyware-sourced traffic. Industry norms, litigation, and instructions from policy makers (1, 2) all tell advertisers to keep their ads out of spyware. Discomfort with spyware reflects concerns about installation methods (misleading and nonconsensual installations), privacy effects, other harms to consumers, and harms to other web sites. For these and other reasons, many advertisers make a serious good-faith effort to stay away from spyware. These same advertisers also buy PPC ads from Yahoo — a standard, reasonable practice for anyone buying online advertising. Unfortunately, these Yahoo PPC ad purchases inevitably and automatically put advertisers into notorious spyware, including the programs reported above. By allowing these improper ad placements, Yahoo endangers its advertisers’ good names, and risks putting them in violation of best practices and policy-makers’ guidance.

Each of these problems is serious in its own right. But the examples at hand, in my current and prior reporting, inevitably combine several such problems — making them particularly troubling. The table below attempts to summarize my findings, as to the specific examples reported above and previously.

Click Fraud Untargeted traffic Self-targeting traffic Failure to label sponsored links as such Low-quality traffic Unethical spyware-sourced traffic Software sometimes installed without any user consent
180solutions / Nbcsearch / eXact (December 2005) x n/a* x x x
180solutions / Nbcsearch / Ditto (March 2006) x x n/a* x x x
Look2me / Ad-w-a-r-e / Improvingyourlooks (April 2006) x x n/a* x x x
Qklinkserver / Srch-results / Searchdistribution / Intermix SirSearch (April 2006) x x x x
Claria (August 2005) x x x
eXact Advertising (August 2005) x x x x
Direct Revenue / InfoSpace (August 2005) x x x x x
180solutions / InfoSpace (September 2005) x x x
IBIS / InfoSpace (June 2005) x x x
SurfSideKick / TrafficEngine (September 2005) x x x x x
Hotbar (November 2005) x x x x x

* – These examples entail click fraud — with nothing shown to a user before a PPC ad was invoked, and hence no opportunity for improper ad labeling.

An empty box should not be taken to be an endorsement of a vendor’s practices, or an indication that that vendor does not perform the specified practice. For example, although I have not chosen to post an example of eXact Advertising harming merchants via self-targeting, I have observed such self-targeting.

Yahoo’s Click Fraud and Syndication Fraud in Context

Many others have alleged click fraud at Yahoo. (1, 2, 3) But others generally infer click fraud based on otherwise-inexplicable entries in their web server log files — traffic clearly coming from competitors, from countries where advertisers do no business, or from particular users in excessive volume (i.e. many clicks from a single user). In contrast, my proof of click fraud is direct: As documented and linked above, I have captured click fraud on video and in packet logs. Yahoo may argue about advertisers’ inferences in other instances, i.e. disputing that advertisers have really found click fraud. But it’s far harder to deny the click fraud shown in my examples.

In the examples I show above and previously, Yahoo’s problem results from bad partners within its network. Yahoo syndicates ads to numerous partners, many of whom syndicate ads to others, some of whom then syndicate ads still further. The net effect is that Yahoo does not know who it’s dealing with, and therefore cannot exercise meaningful supervision over how its ads are displayed. I consider this a bad idea — bad business, bad for quality, bad for accountability. But Yahoo need not listen to me. Instead, consider instructions from New York Attorney General staff member Ken Dreifach: “Advertisers and marketers must be wary of fraud or deceptive practices committed by their affiliates, even [affiliates] that they have no working relationships with.” (Quote from MediaPost, summarizing Dreifach’s remarks.)

Yahoo’s “Whack-A-Mole” Problem

The many bad partners in Yahoo’s network make fraud particularly hard to block: When Yahoo terminates one fraudster, that fraudster’s partners find another way to continue operations.

Notice that the first and second examples (above) both show click fraud that originates with 180solutions and Nbcsearch. Yet Nbcsearch’s relationship with Yahoo Overture differs between these two examples: In the first, Nbcsearch gets ads from eXactSearch which gets ads from Yahoo; in the second, Nbcsearch instead gets Yahoo ads from Ditto.com. My testing suggests that Yahoo may have terminated the former ad channel at some point after my December testing. But Nbcsearch’s efforts to defraud Yahoo advertisers were not stymied by Yahoo’s possible termination of the first channel; Nbcsearch was able to find a new channel, i.e. Ditto.com, by which to continue to perform click fraud.

Yahoo’s enforcement difficulties are also borne out in its unsuccessful attempts to sever ties with 180solutions and Direct Revenue. After I highlighted these vendors in my August report, it seems Yahoo attempted to terminate its relationships with them. Yet 180 continued not just to show Yahoo ads, but also to perform click fraud, as documented in the first two examples above. Furthermore, as recently as February 2006, I have continued to see Direct Revenue serving popups that ultimately show Yahoo PPC ads. So even when Yahoo seeks to sever relationships with a partner as well-known as 180solutions or Direct Revenue, it seems Yahoo is unable to do so.

What Comes Next

After my August report, Yahoo terminated several of the specific wrongdoers I identified. I expect and hope that Yahoo will respond similarly to the findings reported here. If I learn of such a response, or if I receive any other relevant communication from Yahoo, I will update this page accordingly.

But it is not a sustainable approach for me to perform occasional public audits for Yahoo. These reports are infrequent, hardly sufficient to protect advertisers from ongoing fraud. Furthermore, these reports are merely illustrative — giving a few examples of a broad class of problems, but reporting only a small proportion of the fraud of which I am aware.

Yahoo recently announced its support (as a founding sponsor) of TRUSTe‘s forthcoming Trusted Download Program. The Trusted Download program intends to certify advertising software — so advertisers can confidently buy ads from such programs. I have a variety of concerns about the program — including that its standards may be too lax, that it will face exceptional difficulties in performing meaningful enforcement, and that I don’t know that any “adware” deserves a certification or endorsement. But even if Trusted Download were fully operational and working as expected, it would not have identified or prevented the problems described in this article. At best, Trusted Download would tell Yahoo that it may work with whatever adware vendors earn TRUSTe’s certification. But Yahoo’s problem isn’t uncertainty about which adware vendors are good. Instead, Yahoo’s problem is that, time and time again, it finds itself working with (and its advertisers defrauded by) notorious “adware” vendors — vendors Yahoo has already resolved to avoid (e.g. 180solutions, Direct Revenue), or vendors that wouldn’t come close to passing any ethics test (e.g. Qklinkserver, Look2me/Ad-w-a-r-e). Trusted Download doesn’t and won’t monitor advertisement syndication; Trusted Download won’t and can’t prevent these bad Yahoo PPC syndication relationships.

I see two basic strategies for Yahoo. Yahoo could try to limit its exposure to fraud, i.e. by scaling back its partner network, by more thoroughly vetting its partners, and by prohibiting its partners from further resyndicating Yahoo’s ads. Alternatively, Yahoo could try to detect fraud more thoroughly and more quickly, i.e. by implementing aggressive and robust testing methods to find more examples like those above, and like the dozens more examples I have on file. I tend to think both strategies are appropriate; in combination, they might serve to blunt this growing problem. But merely ignoring the issue is not a reasonable option; Yahoo’s advertisers pay top dollar for Yahoo PPC ads, and they deserve better.

Yahoo cannot expect these fraudulent techniques to disappear. Yahoo is an attractive target for fraudsters due to Yahoo’s high advertising charges and Yahoo’s high payments to partners. As spyware vendors find other revenue sources increasingly difficult (i.e. because advertisers do not want to buy spyware-delivered advertising), spyware vendors are likely to continue to turn to more complex advertising channels such as PPC, which are more amenable to fraud due to their reduced transparency and increased complexity. Yahoo, like other PPC services, needs to anticipate and block this growing problem.

Similar issues confront Google — though, in my testing, more often through bad syndication and less often through click fraud. I’ll cover Google’s problems in a future piece. Meanwhile, see my prior articles about Google and spyware: 1, 2.

How Yahoo Funds Spyware updated September 5, 2005

Yahoo’s Overture (recently renamed Yahoo Search Marketing) allocates pay-per-click (PPC) ads among Yahoo’s network of advertisers. When users run searches at yahoo.com, Yahoo’s advertisers are assigned placements at the top, right, and bottom of search results. Advertisers pay Yahoo a fee when users click on their ads.

But Yahoo doesn’t just show advertisers’ ads on yahoo.com; Yahoo also distributes advertisers’ ads to Yahoo’s various syndication partners. Many of these partners are entirely legitimate: For example, most advertisers will be happy to show their ads to users running searches at washingtonpost.com, where Yahoo sponsored links complement searches of Post articles.

However, serious concerns arise where Yahoo syndicates advertisers’ ads to be shown by advertising software installed on users’ PCs — software typically known as spyware or adware. In my testing, Yahoo’s funding of spyware is widespread and prevalent — an important source of revenue for many spyware programs installed on millions of users’ PCs. Were it not for Yahoo’s funding of these programs, the programs would be far less profitable — and there would be fewer such programs trying to sneak onto users’ PCs.

Yahoo’s funding of spyware is not unique. I’ve recently written about Google’s funding of similar bad actors (1, 2). Earlier this year, FindWhat disclosed related problems, admitting that terminating its dubious distributors would reduce revenues by at least 5%. But in my hands-on testing of various spyware-infected PCs, I find that I receive Yahoo-syndicated ads more frequently than I receive such ads from any other single PPC network.

This article proceeds in three parts. First, I show examples of Yahoo ads supporting Claria, eXact Advertising, Direct Revenue, 180solutions, and various others; I also review the objectionable practices of each of these vendors. (Numerous additional examples on file.) Second, I review Yahoo’s disclosures to advertisers — finding that Yahoo has failed to tell advertisers about its controversial syndication partners, even in general terms. I conclude with recommendations to Yahoo (and other PPC search engines that allow syndication), as to how to put an end to this mess and avoid such problems in the future.

Claria (Gator / GAIN): SearchScout Popunders of Yahoo Sponsored Links

A Yahoo Overture popunder, delivered by Claria, targeting a Google search for the same phrase.  Shown after activating the popunder. A Yahoo Overture popunder, delivered by Claria, targeting a Google search for the same phrase. Shown after activating the popunder.

A Yahoo Overture popunder, delivered by Claria, showing sponsored results for A Yahoo Overture popunder, delivered by Claria, showing sponsored results for “computer” when users visit Dell.com. Shown after activating the popunder and right-clicking the ad to show its destination.

    PPC advertisers (i.e. Dell)    
money viewers
Yahoo Overture
money viewers
Claria (Gator / GAIN)

The money trail – how funds flow from advertisers to Yahoo Overture to Claria.

Likely Yahoo’s largest single advertising software syndicator, Claria shows Yahoo Overture pay-per-click ads in popunders triggered by users’ web browsing.

Before showing Yahoo ads, Claria software must first become installed on users’ computers. Claria’s installation often proceeds without meaningful user consent. For example, Claria often gets installed through software bundles — where a user seeks one program but gets Claria too. Historically, Claria’s bundles have featured lengthy license agreements (as long as 5,900+ words and 63 on-screen pages), broken license formatting (missing line breaks, making section headings hard to find), and substantively unreasonable terms (including restrictions on how users can remove Claria software). Claria also promotes its software through banner ads — including ads on kids sites, claiming to fix computer clocks or improve computer security, showing a license only after installation has begun and cannot be cancelled. Some Claria uninstallers don’t work — leading users in circles rather than actually removing Claria software.

Claria’s core business is showing pop-up ads specifically purchased by advertisers. (See my 2003 listings, including well-known advertisers. See also PC Pitstop listing based on Claria 2003 disclosures.) But Claria also shows popunders of Yahoo Overture sponsored links. Search for “computer repair” at any major search engine, and Claria adds a popunder giving Yahoo Overture ads for that same term. Sponsored link popunders also target specific web sites. Visiting Dell often yields a Claria popunder of Yahoo Overture ads for “computer.”

Claria’s provision of Yahoo Overture sponsored links raises clear questions of business benefit for affected advertisers. In the second screenshot at right, the user was already at the Dell.com site. (Indeed, Dell might have just paid several dollars to reach that user, via a pay-per-click ad at Yahoo, Google, or elsewhere.) Claria’s popunder risks drawing the user’s attention away from Dell — but if the user then clicks on the prominent Dell ad in Claria’s Overture listing, Dell has to pay again for the same user who was already at the Dell site. Why pay Yahoo and Claria to get the user back, when it was they who took the user from Dell in the first place?

Claria’s provision of Yahoo Overture sponsored links also presents ethical concerns. Many advertisers dislike Claria’s practices — including its aggressive methods of becoming installed on users’ PCs, its serious effects on privacy, and its harm to computer performance. Indeed, when I previously revealed that, through another channel, Dell was advertising with Claria in mid 2004, Dell staff sought to distance Dell from Claria, commenting “[T]oday we do not do business with anyone like Claria.” But despite Dell’s stated dislike of Claria, Dell does help fund Claria when Dell purchases pay-per-click ads from Yahoo: Payment flows from Dell to Yahoo to Claria, as shown in the diagram at right. Same for thousands of other Yahoo Overture advertisers.

In the future, Claria purports to plan to shut down its popup business. That’s a move I applaud — it’s been a bad business from the start. But at present Claria still serves lots of popups — including Yahoo Overture popunders as frequently as every few minutes. These ads are big money: Claria’s 2003 SEC S1 discloses receiving $31 million from Yahoo in 2003 alone — despite a relationship only in place for 9 months of that year. Annualizing the payment and taking account of the dramatic increase in pay-per-click fees, Yahoo might now be paying Claria $50 million or more per year. (It’s hard to know for sure because Claria hasn’t filed more recent financial disclosures, and Yahoo doesn’t include this level of detail in its financial reports.)

eXact Advertising – Popups and Sidebars of Yahoo Sponsored Links

A Yahoo Overture auto-opening sidebar, delivered by eXact Advertising, targeting Google search results. A Yahoo Overture auto-opening sidebar, delivered by eXact Advertising, targeting Google search results.

  PPC advertisers
money viewers
   Yahoo Overture   
money viewers
eXact Advertising

The money trail – how funds flow from advertisers to Yahoo Overture to eXact Advertising.

Claria claims to always install with consent — however tricky or ill-gotten, per my testing and documentation. But other Yahoo Overture syndicators can’t even make this claim. On dozens of occasions, I have observed and recorded software from eXact Advertising installed through security holes, with no notice or consent. (Some examples: 1, 2.) I’ve also seen eXact installed by tricky popups claiming to be required to view sexually-explicit videos, and by unrequested popups claiming to offer “browser enhancements.” Others have reported eXact bundled by P2P-distributed videos purporting to offer child pornography, and even by instant messenger worms. In short, when a user has software from eXact, the user is unlikely to have granted meaningful informed consent to the installation, and the user may not have granted any consent at all. Reporters tell me that eXact claims to have fixed these problems, but that’s just not true: I’ve received nonconsensual installations of eXact software this very week. Videos on file.

Despite its poor installation practices, eXact receives Overture sponsored links, shows these advertisements to users, and presumably is paid by Yahoo for doing so.

See screenshot at right, showing an eXact auto-opening sidebar that appeared as I ran a search at Google. The sidebar shows Yahoo Overture links, and clicking a link sends users to Overture and on to the advertiser (without passing through any other search intermediary). Notice the Overture reference in the browser status bar as I hold my mouse over a sponsored link.

To typical users, the eXact-delivered Yahoo Overture sidebar appears to be an integrated part of search results — presumably delivered by Google (or whatever other search engine the user had requested). Notice the absence of any distinctive branding, logo, disclosure, or other identification that the sidebar comes from eXact and Overture. To find such a disclosure, a user must scroll to the bottom of the sidebar. Even there, the disclosure is truncated and hard to read. Screenshot.

eXact’s BullsEye service also shows sponsored link listings in freestanding windows. Here too, results are obtained from Yahoo Overture. Screenshot.

Direct Revenue – Popups and Popunders of Yahoo Sponsored Links

A Yahoo Overture popunder, delivered by Direct Revenue, targeting Dell. Shown after activating the popunder. A Yahoo Overture popunder, delivered by Direct Revenue, targeting Dell. Shown after activating the popunder.

  PPC advertisers (i.e. Dell)  
money viewers
   Yahoo Overture   
money viewers
InfoSpace
money viewers
Direct Revenue

The money trail – how funds flow from advertisers to Yahoo Overture to Direct Revenue.

Direct Revenue installations are at least as poor as eXact. I have numerous videos on file showing DR installed without consent (one such video on my public site). DR also uses various other tricky methods to get installed — like tricky popups, bundles, etc. But DR is perhaps worse than other advertising software in its unusual difficulty of removal (requiring downloading a special uninstaller from DR’s web site). DR is also unusual in its ability to disable and delete other software on a user’s PC.

Despite these troubling practices, DR also shows Yahoo Overture ads. See e.g. the example ad at right. The searchblazer results appeared when I browsed to Dell.com. Notice Direct Revenue’s “Aurora” branding in the upper-left corner and title bar. Although the ad’s body lacks any Direct Revenue branding or logo, the ad was loaded from the search.offeroptimizer.com server, a server under DR’s control. (Offeroptimizer.com is a well-known DR domain.) Furthermore, clicking on a sponsored link within the ad caused traffic that first passed through search.offeroptimizer.com en route to Overture. In short, this ad is not a rogue advertiser buying traffic from Direct Revenue. Rather, these sponsored links were specifically placed by Direct Revenue itself.

When I clicked on the first sponsored link shown at right, traffic flowed as listed below. See also full packet log.

http://xadsj.offeroptimizer.com/c/click.php?c=48685&s=5261&…
http://msxml.infospace.com/_1_B2HUEF099WI63__dirrev.feed.pu1/…
http://www10.overture.com/d/sr/?xargs=…
http://landingstrip.dell.com/landingstrip/ls.asp?CID=8278&LID=230157&…

As indicated in the diagram at right and in the traffic flow above, Yahoo Overture syndicates its ads to InfoSpace, and InfoSpace in turn syndicates these ads to Direct Revenue. This series of relationships makes it particularly hard for Yahoo Overture to know where its advertisers’ ads will appear: Yahoo must count on InfoSpace to assure the quality, ethics, and compliance of InfoSpace’s partners.

This is not the first instance of InfoSpace partners with questionable practices. In June I documented Google ads syndicated to the IBIS Toolbar (also known to become installed without consent). Like Overture ads passing through InfoSpace en route to Direct Revenue, these Google ads were passed from Google InfoSpace to IBIS.

As in the Claria examples above, Direct Revenue syndications of Yahoo Overture ads often ask advertisers to pay for visitors already at their sites. In the example above, Dell was targeted by a list of sponsored links that places Dell in both of the top two positions. If a user clicks on one of these links, Dell pays Yahoo (and ultimately Direct Revenue) for a user who was already at the Dell site. Screenshot.

180solutions – Popups of Yahoo Sponsored Links

A Yahoo Overture popunder, delivered by Direct Revenue, targeting Dell. Shown after activating the popunder. A Yahoo Overture popup delivered by 180solutions.

  PPC advertisers (i.e. Driverloans)  
money viewers
   Yahoo Overture   
money viewers
InfoSpace
money viewers
180solutions

The money trail – how funds flow from advertisers to Yahoo Overture to 180solutions.

When I first posted this piece, I included no mention of 180solutions. My rationale: They’ve been involved in so many widely-publicized spyware scandals — from installing without consent, to installing with euphemisms (but no EULA) at kids sites, to installing at child porn sites — that undisclosed syndication of Yahoo Overture ads seemed like the least of their problems. Perhaps that’s right. But multiple readers asked me whether 180 wasn’t involved also, and why 180 wasn’t included in my write-up. So make no mistake about it: 180 shows Yahoo Overture ads too.

The screenshot at right shows a popup of Yahoo Overture ads delivered by 180solutions. In testing, I click on the ad, and traffic flows to InfoSpace, then to Overture, then to the advertiser. See traffic log below, and full packet log. See also a video of this click, showing the cookies created as a result of the click.

http://searchresults.180searchassistant.com/clicks.php?p==…
http://msxml.infospace.com/_1_YWCU9J03JUL8FV__180sol.feed/…
http://www10.overture.com/d/sr/?xargs=…
http://www.driverloans.com/app/2p1a?x=seoyahoo:value

Other Advertising Software Installed Improperly – Showing Yahoo Sponsored Links

Yahoo Overture ads in an auto-opening sidebar delivered by Sidefind, targeting type-ins to Dell with Dell sponsored links. Yahoo Overture ads in an auto-opening sidebar delivered by Sidefind, showing Dell sponsored links in response to type-in requests for the Dell.com site.

  PPC advertisers (i.e. Dell)  
money viewers
   Yahoo Overture   
money viewers
81.201.104.136
money viewers
trafficengine.net
money viewers
SideFind

The money trail – how funds flow from advertisers to Yahoo Overture to SideFind.

Claria, eXact Advertising, Direct Revenue, and 180solutions are all relatively well-known programs — each installed on millions (or tens of millions) of PCs, and each backed by major investors. But Yahoo also helps to fund vendors who are far less well-known.

Earlier this summer, in the course of documenting Google funding IBIS, I also prepared detailed proof showing how Yahoo ads get syndicated to IBIS too. Video and packet logs on file.

Just this past week, I happened to test a computer infected with a variety of unwanted software (a few disclosed in license agreements; most not). I observed that traffic was sent to Yahoo from both “Slotchbar” (an unrequested toolbar added to my test PC’s browser without my consent) and “SideFind” (an auto-opening browser sidebar, also installed without consent). I have video and packet logs on file, showing these nonconsensual installations as well as their syndication of PPC advertisements from Yahoo Overture. The screenshot at right shows the auto-activating SideFind sidebar, targeting a type-in request for Dell with various sponsored links, largely pointing back to Dell.

These are just a few of the additional examples I have observed and recorded.

In some instances, Yahoo’s dealings with these smaller spyware vendors entail traffic passing through multiple levels of intermediaries. For example, when SideFind sends traffic to Yahoo Overture, the traffic passes through trafficengine.net and then through an unnamed server at IP address 81.201.104.136 (reportedly operated by Copernic/Inktomi) before reaching Overture. See diagram at right, traffic log below, and full packet log.

http://www.sidefind.com/ist/scripts/log_clicks.php?account_id=…
http://feeds.trafficengine.net/click.ashx?key=computers…
http://81.201.104.136/fast-cgi/bsc?context=redir…
http://www6.overture.com/d/sr/?xargs=…
http://landingstrip.dell.com/landingstrip/ls.asp?CID=8278…

In principle, these many levels of intermediation might make it especially hard for Yahoo to know where traffic begins. However, Yahoo ultimately has a direct relationship with some final source who sends the traffic to Yahoo. (In this example, Yahoo has a direct relationship with the operators of the 81.201.104.136 server.) So Yahoo can require that that final source take steps to keep Yahoo’s ads out of spyware. Furthermore, syndicated traffic often includes a HTTP Referer header that gives the name of the originating site. For example, in the Sidefind packet log, Yahoo’s servers receive a HTTP Referer header bearing the domain name sidefind.com, making it easy for Overture to see where traffic began. With its servers specifically receiving the name and URL of the traffic’s source, Yahoo cannot claim not to know where its ads are being shown.

Yahoo’s Failure to Disclose

If Yahoo’s advertisers were fairly advised of Yahoo’s plan to syndicate their ads to spyware programs, Yahoo might claim to be acting solely as their agent; perhaps advertisers want to buy advertising from Claria, eXact, DR, 180, and other such vendors. But in fact Yahoo fails to tell advertisers what will occur — so Yahoo’s syndication of advertisers’ ads cannot be claimed to occur with advertisers’ authorization.

Yahoo’s marketing materials are silent on the risk of spyware syndication, even where Yahoo’s syndication relationships are large and longstanding (i.e. Claria). Within Yahoo’s marketing materials to solicit new advertisers, Yahoo’s “Publisher Network” page mentions various syndicators of Yahoo ads, but Yahoo fails to mention even a single “adware”-type program. Yahoo’s formal Advertiser Terms and Conditions doesn’t mention adware either, and this document discloses advertisement syndication only to say that Yahoo syndicates ads to “various third parties who may be authorized by Overture to make the Sponsored Listings Marketplace Results available as a link from, an add-on service to, or otherwise in connection with Third Party Products.” Yahoo defines these third-party products broadly, as “Web sites, content, applications and/or e-mails.” “Applications” alludes to spyware — but makes no mention of the specific nature of these applications, nor of the likelihood that these applications install by security exploits, trickery, or taking advantage of users’ naivete.

Only at Yahoo’s privacy page does Yahoo make specific mention of any of its advertising software syndicators. Even there, Yahoo mentions only Claria, and Yahoo calls Claria an “ad network” — without mention of its adware, its software download, and its substantial privacy consequences. Furthermore, Yahoo’s privacy page states only that Yahoo has a “relationship” with Claria — but says nothing about the nature or scope of that relationship, i.e. that Claria shows Yahoo Overture ads. In any event, advertisers are unlikely to look to a page about consumer privacy in order to learn where their ads will be shown.

Given the perceived importance and value of Yahoo’s pay-per-click advertising network, some advertisers might choose to advertise with Yahoo despite the blemish of Yahoo’s dealings with spyware companies. Others might decide not to advertiser with Yahoo at all, if advertising with Yahoo necessarily entails supporting spyware. But where Yahoo fails to disclose these relationships, advertisers are denied this choice.

What Yahoo Should Do

In my view, Yahoo — and other PPC networks facing similar problems — should begin by developing and distributing clear rules for who may syndicate their ads. Last year a Yahoo spokesperson told eWeek that “Overture screens its distribution partners to make sure they gain user permission before downloading software.” “Permission” may sound clear-cut, but in practice it’s a surprisingly imprecise concept. What about “permission” obtained under false pretenses — like promising to fix a user’s clock or to improve security, but actually adding advertising software? What about “permission” obtained from a user at a kids site? What about syndicators that buy traffic from advertising software installed without consent, but that don’t make such software of their own? PPC networks need rules that speak to these situations — presumably forbidding all these methods of trickery and deception.

After clarifying their stance on spyware syndicating their ads, PPC networks need to redouble their efforts at enforcement. Tellingly, even Yahoo’s “permission” standard is violated by the frequent nonconsensual installations of Direct Revenue and eXact Advertising (links above). Nonconsensual installations of these programs are well known to those who test and study spyware, and they’re frequently reported at spyware news sites like Spyware Warrior. PPC network staff need to become familiar with these basic industry sources and testing methods, and they need to enforce their rules accordingly.

At present, Yahoo has many PPC syndicators — apparently hundreds or thousands. (Yahoo does not disclose all its syndicators.) Finding all rogue syndicators may prove hard, especially if Yahoo’s syndicators have further partners of their own (as in the Direct Revenue / InfoSpace and SideFind examples, above). In this article, I’ve focused on a few large and well-known syndicators who rely on software installed on millions of PCs, but smaller players are often harder to find and identify. Nonetheless, I’ve found dozens of rogue PPC syndicators using only a single off-the-shelf PC in my lab. (See above.) With all their resources, big PPC networks (like Yahoo) can surely do far better.

Enforcement also needs to include real penalties for those who break the rules. Merely ejecting a rogue syndicator does not deter future violations: Others see that they can make money from PPC syndication through spyware, anticipating only a slap on the wrist when these practices are discovered. A better enforcement strategy would seek to recapture fees previously paid to rogue syndicators — then refund advertisers for ads shown improperly. If a PPC network adopted this strategy and sued its rogue syndicators where necessary, other rogues would be less anxious to follow.

Beyond advertiser backlash and consumer demand, PPC networks face regulatory pressure to avoid supporting spyware through PPC syndication. For example, in the course of their investigation of Intermix, staff of the New York Attorney General revealed that Yahoo contributed 10% of Intermix’s revenue. NYAG staff say they’re “not ruling out” litigation against Yahoo for funding Intermix. More recently, rumors indicate a possible NYAG investigation of Direct Revenue. Given Yahoo’s past support for Intermix, I wonder how NYAG will react to seeing Yahoo funding Direct Revenue too.

If a PPC network can’t or won’t eliminate rogue syndicators, it could at least grant advertisers the ability to opt out of particular unwanted syndications. Others have offered this suggestion on various occasions (e.g. Kraft seeking to avoid syndicating its ads to white supremacy groups), as to both Yahoo Overture and Google. Affiliate networks all offer this level of granularity — letting each affiliate merchant decide what affiliates may earn fees for promoting it. But to my knowledge, no major PPC search engine offers this level of advertiser control.

Ultimately, PPC syndication offers savvy PPC networks a valuable opportunity — a chance to lead industry efforts to stop the spread of unwanted advertising software. Earlier this week, Azoogle launched its new “MPORT” network with the promise of keeping the network entirely adware-free. With a bit of effort and a renewed commitment to stopping spyware, Yahoo could bring MPORT’s no-adware benefit to Overture advertisers too.