Benjamin Edelman
New and Notable
Facebook Leaks Usernames, User IDs, and Personal Details to Advertisers
May 20, 2010 - Updated May 26, 2010 - Permalink
Browse Facebook, and you wouldn't expect Facebook's advertisers to learn who you are. After all, Facebook's privacy policy and blog posts promise not to share user data with advertisers except when users grant specific permission.
But in my testing, Facebook's actual practices exactly contradict Facebook's promises. Merely clicking an advertiser's ad reveals to the advertiser the user's Facebook username or user ID. With default privacy settings, the advertiser can then see almost all of a user's activity on Facebook, including name, photos, friends, and more.
Sony's Crackle: Invisible Traffic Galore
April 27, 2010 - Permalink
Advertisers buying display ads from Sony's Crackle.com rightly and reasonably expect that users can see the ads. But that's not always the case. In today's posting, I present three recent examples of Crackle partners loading the Crackle site invisibly, largely via 1x1 IFRAMEs. I then tabulate observations preserved by my automation, demonstrating that Crackle's tainted traffic has continued for more than a year. I conclude by flagging implications for traffic measurement and ad pricing, and by suggesting what Crackle should do to clean up this mess.
Measuring Typosquatting Perpetrators and Funders
February 17, 2010 - Permalink - Joint with Tyler Moore
For more than a decade, aggressive website registrants have been engaged in 'typosquatting' -- the intentional registration of misspellings of popular website addresses. Uses for the diverted traffic have evolved over time, ranging from hosting sexually-explicit content to phishing. Several countermeasures have been implemented, including outlawing the practice and developing policies for resolving disputes. Despite these efforts, typosquatting remains rife.
But just how prevalent is typosquatting today, and why is it so pervasive? Tyler Moore and I set out to answer exactly these questions. In Measuring the Perpetrators and Funders of Typosquatting (appearing at the Financial Cryptography conference), we estimate that at least 938,000 typosquatting domains target the top 3,264 .com sites, and we crawl more than 285,000 of these domains to analyze their revenue sources.
Our full posting: Measuring the Perpetrators and Funders of Typosquatting and web appendix.
Google Toolbar Tracks Browsing Even After Users Choose "Disable"
January 26, 2010 - Permalink
I present screenshots and screen-capture videos demonstrating that even after a user specifically chooses to "disable" the Google Toolbar, and even after the Google Toolbar disappears from view, Google Toolbar continues tracking users' web browsing -- including the specific sites visited, pages browsed, and searches conducted. I then critique Google's installation -- which lets users activate these transmissions in a single click, while ceasing the transmissions is much harder. I compare Google's current notice/consent process to Google's 2004 version, finding important declines in both the presentation and substance of disclosures.
Continued: Screenshot and video proof; transmission logs; disclosure screenshots and analysis.
Upromise Savings -- At What Cost?
January 21, 2010 - Updated, January 25, 2010 - Permalink
When users install the Upromise toolbar, Upromise admits collecting "non-personally identifiable information" about users' online activities. But Upromise actually transmits detailed information -- not just page-views and searches, but email addresses and even full credit card numbers, expiration dates, and CVV2 codes. Upromise copies card numbers out of users' encrypted (HTTPS) browsing, but Upromise retransmits card numbers in plain text -- making it all too easy for others to gain access.
Continued: Specific transmissions; promises broken; what Upromise should do.
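The way to confirm a claim like the one above is to scan the plaintext side of a packet capture for payment data. The script below is an added example written for this page, not Upromise's code or anything from the original posting. It runs a Luhn-validated card-number search plus a check for parameter names that usually carry card data over a few constructed HTTP POST bodies (the bodies, hosts and field names are invented for the example), and it masks any PAN it reports so the finding itself does not re-leak the number.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample of unencrypted (HTTP, not HTTPS) POST bodies, written to
# resemble what a packet capture would show. These are not transmissions from
# the original article; the field names are assumptions.
SAMPLE_REQUESTS = [
    "q=running+shoes&url=http://www.example.com/cart",
    "email=user%40example.com&cc=4111111111111111&exp=12/12&cvv=123",
    "order=987654321012&ref=4111111111111112",   # ref fails the Luhn check
    "phone=5555555555",
]

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded
# in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Parameter names that commonly carry card data (assumed list; extend as needed).
SENSITIVE_FIELD = re.compile(r"^(?:cc|card|pan|exp|cvv|cvc)", re.I)


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return digit strings in text that look like PANs and pass Luhn."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep BIN and last four so a finding can be reported without re-leaking the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_request(body: str) -> dict:
    """Card numbers (masked) and suspicious field names found in one request body."""
    cards = find_card_numbers(body)
    fields = [k for k, _ in parse_qsl(body, keep_blank_values=True)
              if SENSITIVE_FIELD.match(k)]
    return {"cards": [mask(c) for c in cards], "sensitive_fields": fields}


def scan(bodies) -> list:
    """Return (index, finding) for every body carrying card data in the clear."""
    findings = []
    for i, body in enumerate(bodies):
        r = scan_request(body)
        if r["cards"] or r["sensitive_fields"]:
            findings.append((i, r))
    return findings


if __name__ == "__main__":
    for i, r in scan(SAMPLE_REQUESTS):
        print(f"request {i}: cards={r['cards']} fields={r['sensitive_fields']}")
```

The Luhn check matters: a 16-digit order number or phone number in a log is not a card, and the regex alone would flag it. Field-name matching catches the expiry and CVV2 values, which are too short to find on their own.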
Google Click Fraud Inflates Conversion Rates and Tricks Advertisers into Overpaying
January 12, 2010 - Permalink
In today's post, I show click fraud with a twist. Like standard click fraud, this infraction completely fakes clicks -- charging advertisers for clicks that didn't actually occur. But this click fraud is carefully targeted -- faking a click to the victim advertiser when the user is already at that advertiser's site. Thus, standard efforts to measure conversion rates classify this traffic as legitimate and valuable -- tricking advertisers into raising their bids and paying even more, when they should be demanding refunds.
This scam targets Google advertisers -- who pay Google's high prices in expectation of receiving high-quality traffic, but instead suffer this unwanted ruse. The traffic comes through a lengthy chain -- fully seven partners passing the traffic from the underlying spyware through to Google. Closest to Google is InfoSpace, whose pattern of dubious traffic I chronicle in special detail.
Continued: The offending placements; video and packet log proof; what Google should do.
Google Still Charging Advertisers for Conversion-Inflation Traffic from WhenU Spyware
January 5, 2010 - Permalink
In February and May 2009, I reported Google paying WhenU spyware to cover selected sites with those sites' own Google PPC ads. These bogus placements perpetrate a practice I call "conversion inflation": They let Google claim credit for purchases that would have happened anyway -- overstating Google's effectiveness and leading advertisers to overbid and overpay for Google traffic.
Google admitted the impropriety of these placements -- even offering a credit to RCN, the advertiser I featured in May, though denying refund requests from other affected advertisers. But, remarkably, Google and its partners have restarted these placements. Today I post the proof -- screenshots, video, and packet log records prepared just this week.
Deception in Post-Transaction Marketing
November 19, 2009 - Updated, December 5, 2009 - Permalink
Post-transaction marketers Webloyalty, Vertrue, and Affinion have attracted criticism for solicitations that tend to deceive consumers. They typically feature recurring billing programs that promise a savings or discount, but actually charge users on an ongoing basis. They promote these services while customers are finishing the checkout process at trusted e-commerce sites -- a time when few users expect unrelated offers from third parties. Furthermore, they obtain consumers' credit card numbers from partner sites -- so a user may enter a billing relationship and face credit card charges without providing a card number to the company that posts the charges.
In this posting, I present key primary source documents (internal company emails and analyses and reports from victim consumers) as well as outside analyses (a Senate staff report and testimony from hearing witnesses including my own statement for the record).
Highlights of my Statement for the Record: I argue that the timing, placement, and format of post-transaction offers deceptively suggest that the offers are part of the checkout process. (3) I suggest that automatic transfer of consumers’ payment information removes a key warning that customers are incurring a financial obligation. (3-4) I examine disclosures and find them inadequate to cure the deception resulting from the substance, format, and context of the offers. (5) I point out that credit card network rules disallow key post-transaction marketing practices, and I suggest that credit card networks enforce these rules. (6-7) I suggest that low usage rates support an inference of deception, and I provide an empirical strategy to estimate usage rates from publicly-available sources. (7)
Full article: Deception in Post-Transaction Marketing.
My subsequent Payment Card Network Rules Prohibit Aggressive Post-Transaction Tactics cites, quotes, and analyzes relevant rules -- finding that existing card network requirements disallow key post-transaction marketing practices.
Towards a Bill of Rights for Online Advertisers
September 21, 2009 - Permalink
I offer five rights to protect advertisers from increasingly powerful ad networks -- avoiding fraudulent charges for services not rendered, guaranteeing data portability so advertisers get the best possible value, and assuring price transparency so advertisers know what they're buying. I explain the need for these rights by presenting specific practices causing particular concern.
Continued: Five rights; their urgency; their benefits.
How Google and Its Partners Inflate Measured Conversion Rates and Increase Advertisers' Costs
May 13, 2009 - Permalink
With its lofty "Software Principles" and its "do no evil" mantra, Google might seem the last company likely to partner with spyware or adware vendors. But in today's article, I show Google doing exactly that.
Consumers certainly suffer from the sneaky software Google supports. But the clearest victims are advertisers, for these placements systematically charge advertisers for traffic the advertisers would otherwise have received for free.
Continued: Specific examples; videos, screenshots, and packet logs; a way forward.
March 9, 2009 - Permalink
When a user searches for one company, may a search engine show ads for a direct competitor instead? A natural libertarian instinct might reply yes, sure, do whatever you want. In this brief piece, I push back on that idea, offering reasons why such ads are improper.
I then analyze Utah's HB450, which would prohibit certain deceptive online advertising. I consider the bill's effects, and I explain why I support its approach.
Continued: Confusing ads; ineffective disclosures; how state regulation can help.
False and Deceptive Display Ads at Yahoo's Right Media
January 14, 2009 - Permalink
Yahoo's Right Media ad marketplace features widespread ads exactly designed to deceive. I present ten examples of these deceptive ads, and I critique their unwelcome characteristics. To estimate the prevalence of deceptive tactics, I examine Right Media's own analysis of ad characteristics -- finding that by Right Media's own admission, deceptive ads total 35% or more of Right Media's advertising inventory.
Continued: False and Deceptive Display Ads at Yahoo's Right Media.
Privacy Lapse at Google JotSpot
October 30, 2008 - Permalink
Google's JotSpot service posts sensitive user data, despite specific promises to the contrary in JotSpot's privacy policy. JotSpot even allows this information to be indexed by Google's search crawlers. JotSpot's postings are, by all indications, accidental. But in the context of a series of similar slip-ups, these postings raise questions about the efficacy of Google's model of hosted applications.
Hydra Media's Pop-Up Problem -- Ten Examples
October 14, 2008 - Permalink
Affiliate marketer Hydra Network claims to be tough on fraud. Hydra says it "guards against compliance problems from every angle" to assure that ad placements are "safe[,] secure [and] profitable." Furthermore, Hydra claims to provide "tough affiliate pre-screening and policing to assure quality."
Despite Hydra's claims, my observations reveal major room for improvement. On fully 1,343 occasions, my AutoTester has seen Hydra affiliates receiving traffic from spyware or adware. Today I'm posting ten examples -- ten different Hydra affiliates using five different spyware/adware programs to claim commissions from Hydra's top merchants.
More: Full video and packet log proof.
CPA Advertising Fraud: Forced Clicks and Invisible Windows
October 7, 2008 - Permalink
Not all CPA fraud requires placing (or using) spyware or adware on a user's PC. In today's article, I show three examples of affiliates cheating CPA merchants using only a web browser -- without any special software on users' PCs. In particular, I show affiliates running invisible IFRAMEs, hidden portions of banner ads, and redirects loaded through signature icons in forum discussions. In each instance, affiliates claim commissions they did not earn.
More: Videos and packet logs; detection and defenses.
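Both the invisible IFRAMEs described here and the 1x1 IFRAME loads of Crackle in the April 2010 posting above come down to the same check: is there a frame on the page that the user cannot see? The scanner below is an added example written for this page (not code from either posting and not the author's automation). It parses a constructed affiliate landing page (invented hosts) and flags every iframe that is 1x1 or smaller, hidden by its own inline style, or nested inside a display:none ancestor; the style heuristics are assumptions that cover the common cases, not a complete CSS evaluation.

```python
import re
from html.parser import HTMLParser

# Constructed page, written to resemble an affiliate landing page that loads a
# merchant's site where the user cannot see it. Not a page from the original
# article; the host names are assumptions.
SAMPLE_HTML = """
<html><body>
<p>Free coupons!</p>
<iframe src="http://www.example-merchant.com/?aff=12345" width="1" height="1"></iframe>
<iframe src="http://ads.example.net/banner" width="300" height="250"></iframe>
<div style="display: none">
  <iframe src="http://www.example-video.com/?ref=aff12345"></iframe>
</div>
<iframe src="http://www.example-merchant.com/landing"
        style="position:absolute; left:-9999px; width:0; height:0"></iframe>
</body></html>
"""

# Elements that never get a closing tag, so they must not be pushed on the stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "param", "source", "track", "wbr"}


def is_hidden_style(style: str) -> bool:
    """True for inline styles that make an element invisible or zero-sized."""
    s = style.replace(" ", "").lower()
    return ("display:none" in s
            or "visibility:hidden" in s
            or re.search(r"(?:^|;)(?:width|height):0(?:px)?(?:;|$)", s) is not None
            or re.search(r"(?:^|;)(?:left|top):-\d{3,}px", s) is not None)


def tiny(value) -> bool:
    """True for width/height attribute values of 1px or less."""
    try:
        return int(str(value).rstrip("px%")) <= 1
    except ValueError:
        return False


class HiddenFrameFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []        # (tag, hides_children) for each open element
        self.hidden_depth = 0  # number of open ancestors that hide their content
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden_here = is_hidden_style(a.get("style") or "")
        if tag == "iframe":
            reasons = []
            if self.hidden_depth:
                reasons.append("inside hidden ancestor")
            if hidden_here:
                reasons.append("hidden by own style")
            if tiny(a.get("width")) and tiny(a.get("height")):
                reasons.append("1x1 or smaller")
            if reasons:
                self.findings.append({"src": a.get("src", ""), "reasons": reasons})
        if tag not in VOID:
            self.stack.append((tag, hidden_here))
            if hidden_here:
                self.hidden_depth += 1

    def handle_endtag(self, tag):
        # Pop to the matching open tag, unwinding any hidden ancestors on the way.
        while self.stack:
            t, hidden = self.stack.pop()
            if hidden:
                self.hidden_depth -= 1
            if t == tag:
                break


def find_hidden_iframes(html: str) -> list:
    """Return every iframe a user could not see, with the reason(s)."""
    p = HiddenFrameFinder()
    p.feed(html)
    p.close()
    return p.findings


if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

Run over saved page sources from a crawl, the src values it reports are the sites receiving invisible traffic, which is the list a merchant or a traffic-measurement service would want to cross-check against its visitor counts.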
Auditing Spyware Advertising Fraud: Wasted Spending at VistaPrint
September 30, 2008 - Permalink
This month and last, my AutoTester observed more than two dozen different affiliates cheating VistaPrint through spyware pop-ups -- in each instance, using "self-targeting" to claim affiliate commission on traffic VistaPrint would otherwise have received for free. In today's article, I offer six examples of these observations -- as well as some musings on what VistaPrint might do to block these scams.
Competition among Sponsored Search Services
July 11, 2008 - Permalink
Last month I was asked to testify to the United States House of Representatives Committee on the Judiciary Task Force on Competition Policy and Antitrust Laws about competition among paid search providers, particularly the proposed Google-Yahoo partnership.
At the last minute, the hearing was cancelled, and I won't be able to testify at the rescheduled session. Rather than let my draft written statement languish unread, I'm taking this opportunity to post the prepared testimony I had planned to offer last month.
More: My prior testimony about the Senate Counter Spy Act.
PPC Platform Competition and Google's "May Not Copy" Restriction
June 27, 2008 - Permalink
A little-noticed Google AdWords API Terms & Conditions restriction substantially hinders advertisers' efforts to use multiple providers -- prohibiting software vendors from using Google's API to help advertisers copy AdWords campaigns to competing platforms. This provision hinders competition between sponsored search providers -- creating an unnecessary and artificial barrier to advertisers easily copying their ads elsewhere.
Running Out of Numbers? The Impending Scarcity of IPv4 Addresses and What To Do About It
June 6, 2008 - Permalink
The Internet's current numbering system is nearing exhaustion: The Internet's primary communications protocol, "IP" (more precisely, IPv4) allows only a finite set of computer numbers ("IP addresses"), and central authorities will soon exhaust the supply.
An alternative IP standard, IPv6, would dramatically increase Internet address capacity. But network incentives impede transition to v6. For example, a device with only a v6 address cannot directly retrieve most web sites because most web sites have only v4 addresses. Consider the undesirability of owning the world's first fax machine (no one to communicate with); to date, v6 has suffered a similar problem, with the additional challenge that existing IPv4 systems boast widespread usage (making an upgrade to v6 appear particularly unnecessary). Furthermore, v4-v6 translation systems are limited at best -- allowing v6-only computers to receive some kinds of v4 content, but often failing to support proprietary or nonstandard systems such as VoIP, videoconferencing, multiplayer video games, and custom software.
With these substantial disincentives and limitations hindering v6 transition, v6 deployment has been slow. It seems continued use of IPv4 will remain necessary for the foreseeable future -- even after central authorities have no more v4 addresses to give out. Today I'm posting an initial analysis of market mechanisms to reallocate existing v4 addresses and facilitate v4's continued use. In particular, I consider the possible effects of paid transfers of v4 addresses. I emphasize rules to ameliorate the worst effects of v4 scarcity, while preserving the core principles of existing regulation and avoiding major negative externalities.
My draft:
Running Out of Numbers? The Impending Scarcity of IP Addresses and What To Do About It
Debunking Zango's "Content Economy"
May 28, 2008 - Permalink
Zango often touts its so-called "content economy" -- purportedly providing users access to media in exchange for accepting Zango's popup ads. But Zango's media library is nothing to celebrate. Today I report my recent examinations. I show:
Continued: My findings; screenshots and examples; legal implications.
Coupons.com and TRUSTe: Lots of Talk, Too Little Action
March 18, 2008 - Updated, March 20, 2008 - Permalink
Six and a half months ago, I reported a variety of bad practices at Coupons.com. Key among my concerns: Coupons.com stored data in deceptive filenames and registry entries designed to look like part of Windows -- with names like c:\windows\WindowsShellOld.Manifest.1 and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Presentation Style. Furthermore, Coupons.com failed to remove these files upon a user's specific request.
Because Coupons.com is certified by TRUSTe Trusted Download, I reported these behaviors through TRUSTe's Watchdog form. TRUSTe investigated and last month declared success, claiming that "Coupons, Inc. rolled out ... [a] new version of the software ... that writes only one registry key placed in a typical location, named in an appropriate manner." Nonetheless, my tests indicate exactly the opposite -- including all the same deceptive filenames and registry keys I previously identified. Furthermore, my tests indicate that all these files are left behind even after a user performs an uninstall.
Continued: My findings; video proof; other violations.
Delaying Payment to Deter Online Advertising Fraud
March 10, 2008 - Permalink
In Optimal Deterrence when Judgment-Proof Agents are Paid in Arrears - with an Application to Online Advertising Fraud, I introduce an alternative method of fraud prevention for certain online advertising systems. By delaying payments, a merchant or network differentially harms bad affiliates (who rightly worry they may get caught) without unduly harming good affiliates (who know they'll get paid, and who receive a bonus in compensation for the delay). With a suitable delay, a merchant or network can deter many bad affiliates while retaining the good.
Continued: Details on my approach, including initial data on merchants' and networks' current payment terms.
Critiquing C-NetMedia's Anti-Spyware Offerings and Advertising Practices
February 14, 2008 - Permalink
I examine anti-spyware software from C-NetMedia. I show deceptive advertising for C-Net's products, including product names, ad text, and web site designs that falsely suggest affiliation with security industry leaders. I examine C-Net's use of many disjoint product names -- preventing consumers from easily learning more about C-Net, its reputation, and its practices. I analyze C-Net's high-pressure sales tactics, including false positives, which overstate the urgency of paying for an upgraded version.
Sears Exposes Customer Purchase History in Violation of Its Privacy Policy
January 4, 2008 - Permalink
Want to know what a given customer has purchased from Sears? It's surprisingly easy to find out. In this article, I demonstrate how Sears reveals customers' major purchases to anyone who asks -- notwithstanding Sears' stated privacy policy.
The Sears "Community" Installation of ComScore
January 1, 2008 - Permalink
Late last month, Benjamin Googins (a senior researcher in the Anti-Spyware unit at Computer Associates) critiqued a ComScore installation performed by Sears' "Sears Holdings Community" ("My SHC Community" or "SHC"). After reviewing the installation sequence, Ben concluded that the installation offered "very little mention of software or tracking" and otherwise fell short of CA and industry standards. I agree.
I write today to add my own critique. I begin by presenting the entire installation sequence in screenshots and video. I then explain why the limited notice provided falls far short of the standards the FTC has established. Finally, I show that Sears' claims of adequate notice are demonstrably false.
Continued: Installation screenshots & video; limited notice; FTC standards; false claims from Sears.
August 28, 2007 - Updated, September 24, 2007 - Permalink
To print coupons from Coupons.com, users must install Coupons.com's coupon-printing software. Unbeknownst to users, Coupons.com's software disguises its key files as part of Windows -- with deceptive names like c:\windows\uccspecc.sys and c:\windows\WindowsShellOld.Manifest. Furthermore, Coupons.com leaves these misnamed files on disk even if a user uninstalls Coupons.com software -- making it particularly hard for users to fully rid themselves of Coupons.com.
Meanwhile, Coupons.com is remarkably lax with the ID number it assigns to each user. Without any meaningful statement in its privacy policy, Coupons.com prints a user ID on each coupon. Furthermore, the design of Coupons.com's coupon-printing software lets any web site (even sites with no relationship to Coupons.com) access and retrieve users' Coupons.com user IDs. Finally, Coupons.com's Veri-fi system lets any interested person check which coupons a given user has printed -- potentially revealing significant information about the users' purchasing interests.
Continued: Specific practices; deceptive files and registry entries; privacy policy violations.
July 31, 2007 - Permalink
Last November, Zango and the FTC announced a settlement of the FTC's investigation of Zango's practices. Among the key requirements: Zango agreed to install only after "clearly and prominently disclos[ing] the material terms [of its software] prior to the display of, and separate from, any [EULA]." Zango further agreed to label each of its ads with a “clear[] and prominent[]” marking as to the source of the ad, as well as a hyperlink to removal and complaint procedures.
Some of Zango's installations do some of what the settlement requires. But others don't. Today I'm posting Zango Practices Violating Zango's Recent Settlement with the FTC. In a series of screenshots, I show widespread Zango installations with no disclosure outside of a EULA. I also present numerous Zango ads appearing with no labeling at all.
ComScore Doesn't Always Get Consent
June 29, 2007 - Updated, July 26, 2007 - Permalink
Flush with cash from its recent IPO, ComScore might be expected to exert unmatched care in the distribution of its tracking software. But my tests indicate otherwise. In today's article, I describe multiple recent ComScore RelevantKnowledge installations that occur without user consent. I provide video proof of one such installation.
Continued: Specific incidents of nonconsensual installations; TRUSTe certification.
Spyware Still Cheating Merchants and Legitimate Affiliates
May 21, 2007 - Permalink
Spyware programs continue to claim commissions on merchants' organic traffic. When users simply type in a site's address and make a purchase, merchants shouldn't have to pay an affiliate commission. But spyware programs often monitor what web sites users visit, and when they see users browse a targeted merchant, they often pop open an affiliate link to that merchant. If a user then makes a purchase, the merchant pays the affiliate a commission -- even though the affiliate did nothing whatsoever to facilitate or encourage the sale.
In today's article, I show six examples of spyware programs using these methods to cheat Blockbuster and Netflix. As usual, I offer screenshots, videos, and annotated packet logs to confirm what occurred.
Continued: Specific examples; responsible affiliates and ad networks; revenue and cost implications.
Introducing the Automatic Spyware Advertising Tester
May 21, 2007 - Permalink
Earlier this year, I wrote a program I call the "Automatic Spyware Advertising Tester" ("AutoTester"). On a set of virtual machines infected with a variety of spyware, the AutoTester browses a set of test scenarios -- viewing web pages, running searches, and even adding items to shopping carts at retailers' sites. The AutoTester keeps a full log of what happens -- a video of what pop-ups appear, and a packet log of what network transmissions occur. If the AutoTester observes any improper traffic (such as an unexpected and unrequested affiliate link), it records that event in a log file, and it tags the video and packet log accordingly.
Continued: Capabilities; benefits; future reports.
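The core of the AutoTester's "improper traffic" check, as described here and in the Blockbuster/Netflix and VistaPrint postings above, is a comparison between what the scenario deliberately loaded and what affiliate links showed up anyway. The script below is an added example written for this page, not the AutoTester's own code. It runs over a constructed proxy-log excerpt (invented hosts; the affiliate network's click-URL format is an assumption) and separates two findings: an affiliate link opened without any navigation from a scripted page ("unrequested"), and the worse case where that link targets a merchant whose pages were already being loaded, i.e. self-targeting on organic traffic.

```python
from collections import namedtuple
from urllib.parse import urlparse, parse_qs

Req = namedtuple("Req", "t url referer")

# Constructed excerpt of a proxy/packet log: seconds since start, request URL,
# Referer header. The hosts, the affiliate-network click URL format
# (/click?aff=<id>&dest=<merchant url>) and the log shape are assumptions for
# this example, not the AutoTester's own records.
LOG = [
    Req(0.0, "http://www.example-merchant.com/", ""),
    Req(0.4, "http://www.example-merchant.com/css/site.css", "http://www.example-merchant.com/"),
    # pop-up opened by adware while the merchant site is already on screen
    Req(2.1, "http://track.example-affnet.com/click?aff=4471&dest=http://www.example-merchant.com/", ""),
    Req(2.3, "http://www.example-merchant.com/?affid=4471",
        "http://track.example-affnet.com/click?aff=4471&dest=http://www.example-merchant.com/"),
    Req(9.0, "http://www.example-news.com/", ""),
    # an affiliate link actually followed from a page the scenario navigated to
    Req(9.5, "http://track.example-affnet.com/click?aff=2088&dest=http://www.example-store.com/",
        "http://www.example-news.com/"),
    # adware pop-up to a merchant the tester never visited
    Req(12.0, "http://track.example-affnet.com/click?aff=9913&dest=http://www.example-store.com/",
        "http://popup.example-adware.com/ad"),
]

TRACKING_HOSTS = {"track.example-affnet.com"}                           # affiliate-network redirectors
SCRIPTED_HOSTS = {"www.example-merchant.com", "www.example-news.com"}   # sites the scenario visits


def affiliate_clicks(log):
    """Yield (request, affiliate id, merchant host) for each tracking-link hit."""
    for r in log:
        u = urlparse(r.url)
        if u.hostname in TRACKING_HOSTS:
            q = parse_qs(u.query)
            dest = q.get("dest", [""])[0]
            yield r, q.get("aff", ["?"])[0], urlparse(dest).hostname


def classify(log, window=30.0):
    """Flag affiliate links the scenario did not request.

    'self-targeting': the link points at a merchant whose pages were already
    being loaded within `window` seconds before it (commission claimed on
    organic traffic). 'unrequested': the link was not reached from a scripted
    page, but the merchant was not already open.
    """
    findings = []
    for r, aff, merchant in affiliate_clicks(log):
        if urlparse(r.referer).hostname in SCRIPTED_HOSTS:
            continue  # a navigation from a scripted page, not a forced link
        already_open = any(
            urlparse(x.url).hostname == merchant and r.t - window <= x.t < r.t
            for x in log)
        findings.append({"t": r.t, "aff": aff, "merchant": merchant,
                         "kind": "self-targeting" if already_open else "unrequested"})
    return findings


if __name__ == "__main__":
    for f in classify(LOG):
        print(f"{f['t']:5.1f}s  aff={f['aff']:<5} {f['kind']:<14} {f['merchant']}")
```

The affiliate id in each finding is what a merchant or network needs to act on the observation; the timestamp is what ties it back to the video and packet log the tester saved.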
How Spyware-Driven Forced Visits Inflate Web Site Traffic Counts
May 7, 2007 - Permalink
Some sites use cheap spyware traffic to inflate their traffic statistics. Unfortunately, traffic measurements mistakenly assume users arrive at sites because they actually wanted to go there, without considering the possibility that some visits are involuntary. So a slew of cheap spyware-delivered popups can cause a site to be reported to be more popular than it really is.
Forced visits harm investors (who risk overpaying for a site based on inflated measures of popularity), advertisers (who overpay for ad space), and consumers (whose spyware infections are funded in part from forced visit payments).
That said, it's possible to detect sites using spyware to inflate their traffic counts: Just install some spyware on a test PC, and watch what ads are displayed. My article gives the details.
Advertising Through Spyware -- After Promising To Stop
March 14, 2007 - Permalink
In January, the New York Attorney General announced an important step in the fight against spyware: Holding advertisers accountable for their payments to spyware vendors. In Assurances of Discontinuance, Cingular (now part of AT&T), Priceline, and Travelocity each agreed to cease use of spyware -- to require all marketing partners not to use advertising software that installs without disclosures and consent, that fails to label ads, or that fails to offer an easy procedure to uninstall. These requirements apply to ads purchased directly by Cingular, Priceline, and Travelocity, as well as to all marketing partners acting on their behalf.
Unfortunately, both Cingular and Travelocity have failed to sever their ties with spyware vendors. Today I post six examples showing Cingular and Travelocity both continuing to receive spyware-originating traffic, including traffic from some of the web's most notorious and most widespread spyware.
Bad Practices Continue at Zango, Notwithstanding Proposed FTC Settlement and Zango's Claims
November 20, 2006 - Updated, December 8, 2006 - Permalink
Earlier this month, the FTC announced the proposed settlement of its investigation into Zango, makers of advertising software widely installed onto users' computers without their consent or without their informed consent (among other bad practices). I commend the proposed settlement's core terms. But I don't think Zango is actually complying with the proposed settlement's requirements. Nor does compliance appear to be likely in the near future.
In today's joint piece with Eric Howes, I present numerous specific examples of violations -- along with appropriate screenshot and video proof showing the prohibited practices.
November 8, 2006 - Permalink
I recently had the honor of serving as an expert witness in The People of the State of California v. Intermix Media, Inc., litigation brought by the City Attorney of Los Angeles against Intermix. Though Intermix is better known for creating MySpace, Intermix also made spyware that, among other effects, can become installed on users' computers without their consent.
On Monday the parties announced a settlement under which Intermix will pay total monetary relief of $300,000. Intermix will also assure that third parties cease continued distribution of its software, among other injunctive relief. These penalties are in addition to Intermix's 2005 $7.5 million settlement with the New York Attorney General.
In the course of this matter, I had occasion to examine my records of past Intermix installations. I also conducted new research to demonstrate how Intermix installations used to proceed -- what notice (if any) was provided, and what consent (if any) was obtained. To my surprise, I also found evidence of ongoing installations -- despite Intermix's promise of having "permanently discontinue[d]" this business a year and a half ago.
Continued: My findings; nonconsensual installations; ongoing installations; video proof.
October 16, 2006 - Permalink
Last year I documented Ask toolbars installing without consent as well as installing by targeting kids. Ask staff admitted both practices are unacceptable, and Ask promised to make them stop. Unfortunately, Ask has not succeeded.
In Current Practices of IAC/Ask Toolbars, I report notable current Ask practices. I show Ask ads running on kids sites and in various noxious spyware, specifically contrary to Ask's prior promises. I document yet another installation of Ask's toolbar that occurs without user notice or consent. I point out why Ask's toolbar is inherently objectionable -- especially its rearrangement of users' browsers and its excessive pay-per-click ads to the effective exclusion of ordinary organic links. I compare Ask's practices with its staff's promises and with governing law -- especially "deceptive door opener" FTC precedent, prohibiting misleading initial statements even where clarified by subsequent statements.
October 9, 2006 - Permalink
Read Google's voluminous Adwords Content Policy, and you'd think Google is awfully tough on bad ads. If your company sells illegal drugs, makes fake documents, or helps customers cheat drug tests, you can't advertise at Google. Google also prohibits ads for fireworks, gambling, miracle cures, prostitution, radar detectors, and weapons. What kind of scam could get through rules like these?
As it turns out, lots of pay-per-click advertisers push and exceed the limits of ethical and legal advertising -- like selling products that are actually free, or promising their services are "completely free" when they actually carry substantial recurring charges. For example, the ad at right claims to offer "100% complimentary" and "free" ringtones, when actually the site promotes a service that costs approximately $120 per year.
In False and Deceptive Pay-Per-Click Ads, I show more than 30 different advertisers' ads, all bearing claims that seem to violate applicable FTC rules (e.g. on use of the word "free"), or that make claims that are simply false. I then analyze the legal and ethical principles that might require search engines to remove these ads. Finally, I offer a mechanism for interested users to submit other false or deceptive ads they find.
Certifications and Site Trustworthiness
September 25, 2006 - Permalink
When a stranger promises "you can trust me," most people know to be extra vigilant. What conclusion should users draw when a web site touts a seal proclaiming its trustworthiness? Some sites that are widely regarded as extremely trustworthy present such seals. But those same seals feature prominently on sites that seek to scam users -- whether through spyware infections, spam, or other unsavory practices.
Today I'm posting Adverse Selection in Online "Trust" Authorities, an empirical look at the best-known certification authority, TRUSTe. I cross-reference TRUSTe's ratings with the findings of SiteAdvisor -- where robots check web site downloads for spyware, and submit single-use addresses into email forms to check for spam, among other automated and manual tests. Of course SiteAdvisor data isn't perfect either, but if SiteAdvisor says a site is bad news, while TRUSTe gives it a seal, most users are likely to side with SiteAdvisor.
My key finding: Sites certified by TRUSTe are more than twice as likely to be untrustworthy as a random sampling of popular sites. The relative hazards of TRUSTe-certified sites hold even when analysis controls for site attributes and for site complexity.
Continued: Methodology; specific examples; solutions.
Which Anti-Spyware Programs Delete Which Cookies?
September 13, 2006 - Permalink
Today I'm posting Cookies Detected by Anti-Spyware Programs: The Current Status, reporting the results of hands-on testing of various anti-spyware programs, as to 50 different advertising cookies. I've found some striking results -- cookies from plenty of major advertising networks flagged as harmful "spy cookies" by leading anti-spyware programs. But other networks, including Google, are not detected at all.
What to make of this mess? Why are some cookies detected and others ignored? And why detect cookies in the first place? My article suggests some answers. I also report the raw data -- which specific programs detect which specific cookies. I even provide a calculator by which advertisers' partners and affiliates can estimate their revenue losses from cookie deletion.
Continued: Privacy concerns; unrequested arrival; alternative cookie implementations.
July 18, 2006 - Permalink
For years, I and others have observed Vonage ads shown by spyware. In its litigation against Intermix, the New York Attorney General specifically documented Vonage's ads appearing in Intermix KeenValue pop-ups. BusinessWeek last week reported that Vonage paid Direct Revenue $31,570 in a single month of 2005 -- a remarkable $110 for each customer referral. In 2005 the Associated Press even managed to discuss Vonage's spyware advertising with Vonage CEO Jeffrey Citron. Citron claimed Vonage "do[es] everything we can" to keep its ads out of spyware -- but in my testing, Vonage's supposed best efforts aren't nearly good enough.
Today I post a dozen recent examples of Vonage ads appearing in spyware. I present the "usual" spyware-delivered pop-ups -- distributed by vendors like Direct Revenue and Targetsaver. But I also show some Vonage placements that are even more outrageous. I show spyware vendors injecting Vonage ads into others' web sites without permission from those sites, as in the Google thumbnail at right. Google doesn't sell ads like that shown in the thumbnail -- not to anyone, for any price. But through spyware, Vonage ads appear there nonetheless. At least as pernicious, other spyware actually replaces web sites' ads with ads for Vonage -- reducing those sites' revenues for Vonage's benefit.
Continued: Specific ads, screenshots, packet logs, and chains of responsibility.
Spyware Showing Unrequested Sexually-Explicit Images
June 22, 2006 - Permalink
Most spyware pop-ups show users material they don't want. If I request the British Airways site, I probably want to book with them, not with some other booking service. After all, if I had wanted to comparison shop, I would have gone to a comparison shopping site. So a spyware-delivered Travelocity pop-up is likely to be an unwelcome intrusion on my screen.
But spyware intrusions can be worse than annoyances. Consider the problem of unrequested sexually-explicit pop-ups. Shown to adults, they're unwanted at best. Shown to kids, they can be affirmatively harmful.
In today's piece, I present several examples of spyware-delivered ads that show sexually-explicit materials, without a user previously requesting any such materials. As usual, I have screenshot and packet log proof, along with video where helpful -- all modified to obscure sexually-explicit areas.
Banner Farms in the Crosshairs
June 12, 2006 - Updated, June 23, 2006 - Permalink
For the last 8 months, I've been following ads from Global-Store, Inqwire, Venus123, and various others -- all sites operated by Hula Direct. They're engaged in a troubling scheme: They buy popups and popunders from various notorious spyware vendors. They show numerous banner ads in "banner farms" without substantial bona fide content. They show advertisers' ads (and charge advertisers for those ad displays) without the advertisers' specific permission. They even reload advertisers' ads to rack up extra fees.
Continued: Screenshots; packet logs; responsible advertisers and ad networks.
Search Engine Safety, Revisited
May 12, 2006 - Permalink
In January I bemoaned the sorry state of search engine results for "screensavers." I pointed out that most "screensavers" ads lead to sites I can't recommend, and I criticized search engines for their failure to enforce higher standards. But this problem goes well beyond that single keyword and that single genre of sites.
Today SiteAdvisor's Hannah Rosenbaum and I released The Safety of Internet Search Engines. We obtain top search engine keywords from authoritative sources like Google Zeitgeist. We extract top organic and sponsored search engine results for those keywords. Then we evaluate site safety, using SiteAdvisor's assessments of spyware, spam, scams, and other Internet menaces.
Our most notable result? Search engine ads are a risky business. Overall, across all keywords and search engines, 8.5% of sponsored results were "red" or "yellow" by SiteAdvisor's standards, versus only 3.1% of organic results. It's not unusual to see ads for notorious spyware vendors like Direct Revenue (as documented in my January piece); for sites that charge for software available elsewhere for free (like the ad shown at right, trying to charge $29 for Skype's free phone); and for spammers that send hundreds of messages per week, if a user enters a single email address. These scams deceive and harm search engine users, and I'd like to see Google update its advertising editorial guidelines to prohibit such practices -- then enforce these rules with appropriate diligence.
Our article includes an abundance of data. I particularly enjoy this chart of Google site safety by individual keyword -- showing "free screensavers" as our single most dangerous search, with other notorious searches including "bearshare," "free music downloads," "winzip," and "kazaa." See also our charts of specific red and yellow sites found within search results.
The full article:
The Safety of Internet Search Engines
Direct Revenue's Dirty Documents
April 7, 2006 - Permalink
This week's New York Attorney General suit against Direct Revenue included detailed documents, records, and emails that present Direct Revenue's strategy, intentions, and plans in great detail. I have obtained these documents, organized them, and posted raw files as well as brief summaries.
The result: People of the State of New York v. Direct Revenue, LLC - Documents and Analysis.
Continued: Highlights; analysis.
The Spyware - Click-Fraud Connection -- and Yahoo's Role Revisited
April 4, 2006 - Permalink
In August 2005, I posted half a dozen examples of what I call "syndication fraud" -- Yahoo placing advertisers' ads into spyware programs, and charging advertisers for resulting clicks. But Yahoo's spyware problems extend beyond mere syndication fraud. Today I post fresh examples where spyware completely fakes a click -- causing Yahoo to charge an advertiser a "pay-per-click" fee, even though no user actually clicked on any pay-per-click link. This is "click fraud."
Many others have alleged click fraud at Yahoo. (1, 2, 3) But others generally infer click fraud based on otherwise-inexplicable entries in their web server log files -- traffic clearly coming from competitors, from countries where advertisers do no business, or from particular users in excessive volume (i.e. many clicks from a single user). In contrast, my proof of click fraud is direct: I capture these click fraud examples in videos, screenshots, and packet logs that show exactly what happened, and that prove exactly who's responsible.
Continued: Specific examples; videos, screenshots, and packet logs; table of findings; analysis.
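The post above contrasts direct proof (videos, screenshots, packet logs) with the indirect inference most advertisers rely on: spotting otherwise-inexplicable patterns in their own click logs. As an added example that is not part of the original post, the function below applies the three log-based heuristics the post names (excessive clicks from one user, clicks from countries where the advertiser does no business, and clicks referred from a competitor) to a handful of constructed log records; the IP addresses, country codes and hostnames are placeholders, not captured data.

```python
from collections import Counter
from urllib.parse import urlparse

# Constructed sample of paid-click log records (placeholder values):
# (client_ip, country_code, referrer_url). 198.51.100.7 clicks repeatedly,
# one click arrives from an unserved country, one is referred by a competitor.
SAMPLE_CLICKS = [
    ("198.51.100.7", "US", "http://search.example/ads?q=voip"),
    ("198.51.100.7", "US", "http://search.example/ads?q=voip"),
    ("198.51.100.7", "US", "http://search.example/ads?q=voip"),
    ("198.51.100.7", "US", "http://search.example/ads?q=voip"),
    ("203.0.113.5", "BR", "http://search.example/ads?q=voip"),
    ("192.0.2.9", "US", "http://rival-voip.example/compare"),
    ("192.0.2.10", "US", "http://search.example/ads?q=phone"),
    ("192.0.2.11", "CA", "http://search.example/ads?q=phone"),
]


def classify_clicks(clicks, served_countries, competitor_domains, per_ip_limit=3):
    """Flag clicks that match the log-based click-fraud heuristics.

    Returns (flags, suspect_share): flags maps each heuristic to the sorted
    offending values; suspect_share is the fraction of clicks matching at
    least one heuristic. These are inferences only, not proof of fraud.
    """
    per_ip = Counter(ip for ip, _, _ in clicks)
    heavy_ips = {ip for ip, n in per_ip.items() if n > per_ip_limit}
    flags = {"excessive_volume": set(), "unserved_country": set(),
             "competitor_referrer": set()}
    suspect = 0
    for ip, country, referrer in clicks:
        hit = False
        if ip in heavy_ips:                      # many clicks from one user
            flags["excessive_volume"].add(ip)
            hit = True
        if country not in served_countries:      # advertiser does no business there
            flags["unserved_country"].add(country)
            hit = True
        host = urlparse(referrer).hostname or ""
        if host in competitor_domains:           # traffic clearly from a competitor
            flags["competitor_referrer"].add(host)
            hit = True
        suspect += hit
    share = suspect / len(clicks) if clicks else 0.0
    return {k: sorted(v) for k, v in flags.items()}, share


if __name__ == "__main__":
    flags, share = classify_clicks(SAMPLE_CLICKS, {"US", "CA"}, {"rival-voip.example"})
    print(flags, f"suspect share: {share:.2f}")
```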
Advertisers Funding Direct Revenue
March 31, 2006 - Permalink
Despite widespread criticism of Direct Revenue's practices and of adware generally, some well-known companies continue to buy ads from Direct Revenue. I show example Direct Revenue ads from Citi, Netflix, T-Mobile, Travelocity, United, and Vonage, among others.
Continued: Advertisers' role; advertisers' misleading statements.
Critiquing ITSA's Pro-Adware Policy
March 31, 2006 - Permalink
These days, few advertisers defend "adware" advertising. But the Interactive Travel Services Association is the rare exception. In policies that have been endorsed by 180solutions but criticized by consumers, ITSA endorses adware under strikingly vague and weak conditions.
Advertisers Funding 180solutions
March 20, 2006 - Permalink
After so much criticism of installation and operation practices of 180solutions, it's arguably surprising that big companies still advertise with 180. But they do. In a report (PDF) posted today, CDT describes the details. I've posted screenshots showing the specific ads CDT describes, as well as my own analysis of these advertising practices.
Continued: Advertisers' role in funding spyware; direct funding; indirect funding; ad thumbnails.
Nonconsensual 180 Installations Continue, Despite 180's "S3" Screen
February 20, 2006 - Updated February 24, 2006 - Permalink
In a series of 2005 press releases, 180solutions claimed its new "S3" installer technology would prevent nonconsensual installations of its advertising software. I always doubted this claim: 180's system seemed trivial to bypass.
In the video accompanying this article, I disprove 180's claim by showing a 180solutions distributor that bypasses 180's S3 notice screen. 180's notice screen does appear on screen -- but for less than half a second, at which point the distributor fakes a user's supposed assent to install 180. So users still receive 180's software without agreeing to run it.
Continued: 180's claims; flaws in 180's S3 technology and its business model; the video.
Pushing Spyware through Search
January 26, 2006 - Permalink
Much of the computer security industry acts like spyware is immaculately conceived. Somehow it just appears on computers, we are led to believe, and supposedly all we can do is clean up the mess after it happens, rather than prevent it in the first place. I disagree.
As it turns out, search engine advertising is an important and substantial source of spyware infections. Users search for certain keywords -- "screensavers," for example -- in the misguided hope that search engines' quality standards will keep them safe. Instead, leading search engines sell advertising to the most notorious of spyware and "adware" vendors -- including firms like Direct Revenue and Claria.
Continued: Specific examples; revenue estimates.
January 16, 2006 - Updated February 19, 2006 - Permalink
Many affiliates violate applicable network and merchant rules. Some violations ultimately become well-known -- like ShopAtHomeSelect installing without consent and claiming commissions automatically, yielding Commission Junction's sensible ejection of SAHS from their network. (Though, oddly, it seems that LinkShare never took action against SAHS.) Other violations attract far less attention.
Today I post examples of two well-known affiliates, CoolSavings and MyPoints, buying traffic from Direct Revenue. These affiliates are exceptionally prominent -- with big budgets, favorable press coverage, and even rosy case studies at major affiliate networks. But CoolSavings and MyPoints nonetheless use "adware" to grab merchants' traffic -- a prohibited practice I've previously observed from smaller affiliates, but never from affiliates of this size. It's surprising and, frankly, disappointing to see this behavior from affiliate leaders otherwise held in such high esteem.
Continued: The specific practices at issue; screenshots; analysis of applicable rules.
180's Newest Installation Practices
January 9, 2006 - Permalink
I've previously covered a variety of misleading and/or nonconsensual installations by 180solutions. I've recorded numerous installations through exploits (1, 2, 3, 4, 5) -- without any user consent at all. I've found installations in poorly-disclosed bundles -- for example, disclosing 180's inclusion, but only if users happen to scroll to page 16 of a 54-page license. I've even documented deceptive installations at kids sites, where 180 installs without showing or mentioning a license agreement.
180 has cleaned up some of these practices, but the core deception remains. 180 still installs its software in circumstances where reasonable users wouldn't expect to receive such software -- including web sites that substantially cater to kids. And users still aren't fairly told what they're slated to receive. 180 says that it shows "advertising," but no on-screen text warns users that these ads appear in much-hated pop-ups. 180 systematically downplays the privacy consequences of installing its software -- prominently telling users what the software won't do, but failing to disclose what the software does track and transmit. All told, users may have to press a button before 180 installs on their computer, but users can't reasonably be claimed to understand what they're purportedly accepting.
Screenshots and detailed analysis:
180solutions's Misleading Installation Methods - Dollidol.com
December 19, 2005 - Permalink
Much of the spyware problem results from users visiting sites that turn out to be untrustworthy or simply malevolent. I'm certainly not inclined to blame the victimized users -- it's hardly their fault that sites run security exploits, offer undisclosed advertising software, or show tricky EULAs that are dozens of pages long. But the resulting software ultimately ends up on users' computers because users browsed to sites that didn't pan out.
How to fix this problem? In theory, it seems easy enough. First, someone needs to examine popular web sites, to figure out which are untrustworthy. Then users' computers need to automatically notify them -- warn them! -- before users reach untrustworthy sites. These aren't new ideas. Indeed, half a dozen vendors have tried such strategies in the past. But for various reasons, their efforts never solved the problem. (Details).
This month, a new company is announcing a system to protect users from untrustworthy web sites: SiteAdvisor. They've designed a set of robots -- automated web crawlers, virtual machines, and databases -- that have browsed hundreds of thousands of web sites. They've tracked which sites install spyware -- what files installed, what registry changes, what network traffic. And they've built a browser plug-in that provides automated notification of worrisome sites -- handy red balloons when users stray into risky areas, along with annotations on search result pages at leading search engines.
Continued: Methodology; example reports; comparison with others' efforts.
Cleaning Up Sony's Rootkit Mess
November 21, 2005 - Updated December 17, 2005 - Permalink
Late last month, Windows expert Mark Russinovich revealed Sony installing a rootkit to hide its "XCP" DRM (digital rights management) software as installed on users' PCs. The DRM software isn't something a typical user would want; the "rights" it manages are Sony's rights, i.e. by preventing users from making copies of Sony music. Notably, Sony didn't disclose its practices in its installer or even in its license agreement. At least as bad, Sony initially provided no uninstall for the rootkit, and when Sony added an uninstaller, the process was needlessly complicated, prone to crashing, and a security risk.
Having bungled this situation, Sony has recalled affected CDs and announced an exchange program to swap customers' affected CDs for XCP-free replacements. For savvy consumers who have followed this story, the exchange looks straightforward. But what about ordinary users, who don't read the technology press and aren't likely to learn their rights?
As it turns out, there's a clear solution: A self-updating messaging system already built into Sony's XCP player. Every time a user plays an XCP-affected CD, the XCP player checks in with Sony's server. As Russinovich explained, usually Sony's server sends back a null response. But with small adjustments on Sony's end -- just changing the output of a single script on a Sony web server -- the XCP player can automatically inform users of the software improperly installed on their hard drives, and of their resulting rights and choices.
Continued: The banner-control format; a demonstration and screenshot.
For older postings, see site archives.