Benjamin Edelman



New and Notable

Large-Scale Cookie-Stuffing at Eshop600.co.uk

January 30, 2012 - Permalink - with Wesley Brandi

We present a cookie-stuffer notable for the volume of his attack and his attempts at obfuscation.

Continued: Screenshot; encoded and decoded JavaScript; implications for merchants.


Advertising Disclosures in Online Apartment Search

January 25, 2012 - Permalink - with Paul Kominers

A decade ago, the FTC reminded search engines of their duty to label advertisements as such. Most general-purpose search engines now do so (though they're sometimes less than forthright). But practices at specialized search engines often fall far short.

In today's posting, Paul Kominers and I examine leading online apartment search services and evaluate the disclosures associated with their paid listings. We find paid placement and paid inclusion listings at each site, but disclosures range from limited to nonexistent. Where disclosures exist, they are largely hidden behind multiple intermediate pages, effectively invisible to most users. We propose specific ways these sites could improve their disclosures, and we flag their duties under existing law.

Continued: Disclosures ranging from hidden to missing altogether; euphemistic labels like "Featured" and "Best Match".


Google Tying Google Plus and Many More

January 12, 2012 - Permalink

Google's new "Google Search Plus Your World" service favors Google Plus results at the expense of more popular social networks like Facebook and Twitter. These changes have prompted widespread concern, and rightly so. But in fact Google's dubious tying tactics extend well beyond Google Plus. I show Google using tying to favor all manner of its services, including using tying to force others to submit to Google's will even in areas where Google is not yet dominant.

Continued: Specific practices; Google services benefiting from tying; how Google penalizes those who reject Google's demands.


Revisiting Search Bias at Google

November 11, 2011 - Permalink

Last week Joshua Wright posted a critique of my January 2011 Measuring Bias in 'Organic' Web Search (with Ben Lockwood). In this piece, I offer a brief response.

Continued: Why search bias matters; consumer harm; Google's market power.


Understanding the Purposes – and Weaknesses – of Online-to-Offline Discounting

October 26, 2011 - Permalink

Daily deals sites often promise discounts exceeding 50% -- mobilizing millions of consumers spending billions of dollars. Yet this model faces growing resistance, particularly from merchants concerned that "deals" offers are unprofitable. The natural question: When and how are large discounts sustainable?

Deals services seem to envision delivering new customers who return paying full price, yet they've done little to demonstrate that return visits actually occur. And there's reason to doubt whether customers enticed by a discount will actually return to pay full price. I explore the implications, including the requirements for a profitable discounting model grounded in price discrimination rather than full-price return visits.

Continued: The "discovery" promise; the price discrimination alternative; knowing a merchant's limits.


Advertisers' Missing Perspective in the Google Antitrust Hearing

September 20, 2011 - Permalink

This week's Senate Antitrust Subcommittee hearing promises to investigate persistent allegations of Google abusing its market power. In these discussions, it's crucial to remember whose spending fuels Google's monopoly: advertisers. Google is far from generous to advertisers -- burdening them with high pricing, harsh terms, and various restrictions that primarily serve Google's interests. In this piece, I review worrisome practices regulators should investigate and, in due course, seek to prevent.

Continued: Specific practices; advertiser harm; what to do now.


Implications of Google's Pharmacy Debacle

August 26, 2011 - Permalink

A DOJ investigation of Google's pharmaceutical advertising practices yielded a $500 million forfeiture and an admission of wrongdoing. More than that, the resulting documents prove Google's knowledge of, and participation in, advertising practices Google knew to be unlawful. I explore the implications for other controversial conduct that remains widespread despite Google's promise to take action. From deceptive ads to trademark, copyright, and more, Google's claims of innocence are increasingly difficult to believe.

Continued: Google's admissions; how Google assisted the unlawful conduct; Google's profit motive.


Online Discount Vouchers - Letter-Writing Tool

August 2, 2011 - Permalink - with Paul Kominers and Xiaoxiao Wu

Following up on my recent article about consumer protection problems in discount voucher sales, I've posted a letter-writing tool to help consumers resolve their voucher problems. From expiration to cashback to day-of-week, time-of-day, and unexpected terms added after purchase, there are quite a few ways consumers can end up dissatisfied with the discount vouchers they buy. Many voucher services offer refunds only if consumers complain vigorously. Our tool helps consumers write concise but persuasive letters, including drawing on applicable state law where appropriate.

Give it a try:
  Discount Voucher Problems - Letter-Writing Tool


Consumer Protection in Online Discount Voucher Sales

June 14, 2011 - Permalink - with Paul Kominers

We evaluate five areas where online discount voucher services -- Groupon and similar sites -- risk falling afoul of applicable consumer protection law. We present applicable laws from selected states and evaluate compliance by voucher services and their affiliated merchants. We examine voucher services' attempts to limit their liability, and we explain why consumers and regulators should find current practices insufficient.

Continued: Specific legal requirements; vendors' practices; assessing responsibility.


Revisiting Unlawful Advertisements at Google

May 18, 2011 - Permalink

Last week, Google's 10-Q disclosed a $500 million charge for, the Wall Street Journal revealed, Google's sale of advertising to online pharmacies that break US laws. Kudos to the Department of Justice for holding Google accountable for these unlawful advertisements. But in fact there are numerous other categories where Google also shows, and has long shown, widespread deceptive advertisements. From "free" ringtones that aren't, to spyware/adware bundlers, to dubious mortgage modification schemes, deceptive ads are all too widespread. Google could and should do more to prevent these schemes and to avoid doing business with such advertisers.

Continued: Categories of unlawful advertisements; Google's revenue; the scope of Google's involvement.


Remedies for Search Bias

February 22, 2011 - Permalink

In a forthcoming paper, I'll survey the problem of search bias -- search engines granting preferred placement and/or terms to their own links or to others' links chosen for improper purposes. Today I'd like to focus on remedies -- what tactics a dominant search engine ought not employ due to their detrimental effects on competition, and how prohibiting those tactics would help assure fair competition in search and related businesses.

Continued: Specific practices that impede competition and ought not continue; towards affirmative solutions.


In Accusing Microsoft, Google Doth Protest Too Much

February 3, 2011 - Permalink

Google this week sparked a media uproar by alleging that Microsoft Bing "copies" Google results. But is that actually the best characterization of what happened? In fact Google's engineers intentionally clicked bogus listings they had previously inserted into Google's results, and they did this on computers where they had specifically authorized Microsoft to examine their browsing in order to improve Bing.

Strikingly, Google's own Matt Cutts previously endorsed the use of Toolbar and similar data to improve search results -- calling this approach "a good idea." And Google's own Toolbar Privacy Policy allows Google to perform the same analysis Bing used. So I don't have much sympathy for Google's allegations of impropriety. Quite the contrary: With Bing's small market share, this data is important in improving Bing search results and building a viable competitor to Google's dominant search offering.

Continued: What exactly happened; Google's prior statements; Google's widespread use of others' intellectual property.


Measuring Bias in "Organic" Web Search

January 19, 2011 - Permalink - with Benjamin Lockwood

By comparing results between leading search engines, we identify patterns in their algorithmic search listings. We find that each search engine favors its own services in that each search engine links to its own services more often than other search engines do so. But some search engines promote their own services significantly more than others. We examine patterns in these differences, and we flag keywords where the problem is particularly widespread.

Even excluding "rich results" (whereby search engines feature their own images, videos, maps, etc.), we find that Google's algorithmic search results link to Google's own services more than three times as often as other search engines link to Google's services.

For selected keywords, biased results advance search engines' interests at users' expense: We demonstrate that lower-ranked listings for other sites sometimes manage to obtain more clicks than Google and Yahoo's own-site listings, even when Google and Yahoo put their own links first.

Continued: Methodology; analysis; policy implications.


Knowing Certain Trademark Ads Were Confusing, Google Sold Them Anyway -- for $100+ Million

November 30, 2010 - Permalink

Recently-released documents reveal Google's careful testing of consumer confusion resulting from certain uses of trademarks in advertisements. Google carefully measured consumers' understanding of trademark-triggered ads -- only to decide to loosen its policy when estimates revealed an opportunity for $100 million to $1 billion of incremental annual revenue.

Continued: Documents and quotes.


Hard-Coding Bias in Google "Algorithmic" Search Results

November 15, 2010 - Permalink

I present categories of searches for which available evidence indicates Google has "hard-coded" its own links to appear at the top of algorithmic search results, and I offer a methodology for detecting certain kinds of tampering by comparing Google results for similar searches. I compare Google's hard-coded results with Google's public statements and promises, including a dozen denials but at least one admission. I conclude by analyzing the impact of Google's tampering on users and competition, and by proposing principles to block Google's bias.

Continued: Screenshots; methodology; proposed regulatory response; analogues in other industries.


A Closer Look at Google's Advertisement Labels

November 10, 2010 - Permalink

The FTC has called for "clear and conspicuous disclosures" in advertisement labels at search engines, and the FTC specifically emphasized the need for "terms and a format that are easy for consumers to understand." Unfortunately, Google's new advertisement labels fail this test: Google's "Ads" label is the smallest text on the page, far too easily overlooked. (Indeed, as I show in the image at left, the "Ads" label substantially fits within an "o" in "Google.") Meanwhile, Google now merges algorithmic and advertisement results within a single set of listings; Google's "Help" explanations are inaccurate; and Google uses inconsistent labels mere inches apart within search results, as well as across services.

Continued: Details of these shortfalls; screenshots and comparisons; proposed alternatives.


Labels and Disclosures in Search Advertising

November 9, 2010 - Permalink

Search engines have long labeled their advertisements with labels like "Sponsored links", "Sponsored results", and "Sponsored sites." Do users actually know that these labels are intended to convey that the listings are paid advertisements? In a draft paper we're posting today, Duncan Gilchrist and I try to find out.

"Sponsored Links" or "Advertisements"?: Measuring Labeling Alternatives in Internet Search Engines

In an online experiment, we measure users' interactions with search engines, both in standard configurations and in modified versions with improved labels identifying search engine advertisements. In particular, for a random subset of users, we change "sponsored link" labels to instead read "paid advertisement." We find that users receiving the “paid advertisement” label click 25% to 33% fewer advertisements and correctly report that they click fewer advertisements, controlling for the number of advertisements they actually click. Results are most pronounced for commercial searches, and for users with low income, low education, and little online experience.

We consider our findings particularly timely in light of Google's change, just last week, to label many of its advertisements as "Ads." On one view, "Ads" is an improvement – probably easier for unsophisticated consumers to understand. Yet it's a strikingly tiny label – the smallest text anywhere in Google's search results, and about a quarter as many pixels as the corresponding disclosure on other search engines. As our paper points out, FTC litigation has systematically sought the label "Paid Advertisement," and we still think that's the better choice.


Tying Google Affiliate Network

September 28, 2010 - Permalink

In one of the few areas of Internet advertising where Google is not dominant – indeed, where just three years ago Google had no offering at all – Google now uses tying to climb towards a position of dominance. Thanks to Google’s dominance in web search, Google offers preferred placement and superior terms to the advertisers who agree to use Google Affiliate Network (GAN). Competing affiliate networks cannot match these benefits, and Google's bundling strategy threatens to grant Google a position of power in yet another online advertising market.

In today's piece, I identify the specific benefits Google grants to affiliate merchants who agree to use GAN -- including exclusive use of image ads, placement above AdWords advertisers, and fees payable only if a user makes a purchase. I explain why it is improper for Google to bundle these benefits with Google's dominant search service, and I compare Google's tactics in this area to Google's strategy in promoting other services.

Continued: Benefits to advertisers who accept; foreclosing competition in affiliate marketing; policy prescriptions.


Facebook Leaks Usernames, User IDs, and Personal Details to Advertisers

May 20, 2010 - Updated May 26, 2010 - Permalink

Browse Facebook, and you wouldn't expect Facebook's advertisers to learn who you are. After all, Facebook's privacy policy and blog posts promise not to share user data with advertisers except when users grant specific permission.

But in my testing, Facebook's actual practices exactly contradict Facebook's promises. Merely clicking an advertiser's ad reveals to the advertiser the user's Facebook username or user ID. With default privacy settings, the advertiser can then see almost all of a user's activity on Facebook, including name, photos, friends, and more.

Continued: Details of the data leakage; Facebook's promises; eight-plus months of notice; what Facebook should do.


Sony's Crackle: Invisible Traffic Galore

April 27, 2010 - Permalink

Advertisers buying display ads from Sony's Crackle.com rightly and reasonably expect that users can see the ads. But that's not always the case. In today's posting, I present three recent examples of Crackle partners loading the Crackle site invisibly, largely via 1x1 IFRAMEs. I then tabulate observations preserved by my automation, demonstrating that Crackle's tainted traffic has continued for more than a year. I conclude by flagging implications for traffic measurement and ad pricing, and by suggesting what Crackle should do to clean up this mess.

Continued: Specific examples; IFRAMEs to consummate the invisibility; overstated traffic measurements.


Measuring Typosquatting Perpetrators and Funders

February 17, 2010 - Permalink - with Tyler Moore

For more than a decade, aggressive website registrants have been engaged in 'typosquatting' -- the intentional registration of misspellings of popular website addresses. Uses for the diverted traffic have evolved over time, ranging from hosting sexually-explicit content to phishing. Several countermeasures have been implemented, including outlawing the practice and developing policies for resolving disputes. Despite these efforts, typosquatting remains rife.

But just how prevalent is typosquatting today, and why is it so pervasive? Tyler Moore and I set out to answer exactly these questions. In Measuring the Perpetrators and Funders of Typosquatting (appearing at the Financial Cryptography conference), we estimate that at least 938,000 typosquatting domains target the top 3,264 .com sites, and we crawl more than 285,000 of these domains to analyze their revenue sources.

Our full posting: Measuring the Perpetrators and Funders of Typosquatting and web appendix.


Google Toolbar Tracks Browsing Even After Users Choose "Disable"

January 26, 2010 - Permalink

I present screenshots and screen-capture videos demonstrating that even after a user specifically chooses to "disable" the Google Toolbar, and even after the Google Toolbar disappears from view, Google Toolbar continues tracking users' web browsing -- including the specific sites visited, pages browsed, and searches conducted. I then critique Google's installation -- which lets users activate these transmissions in a single click, while ceasing the transmissions is much harder. I compare Google's current notice/consent process to Google's 2004 version, finding important declines in both the presentation and substance of disclosures.

Continued: Screenshot and video proof; transmission logs; disclosure screenshots and analysis.


Upromise Savings -- At What Cost?

January 21, 2010 - Updated, January 25, 2010 - Permalink

When users install the Upromise toolbar, Upromise admits collecting "non-personally identifiable information" about users' online activities. But Upromise actually transmits detailed information -- not just page-views and searches, but email addresses and even full credit card numbers, expiration dates, and CVV2 codes. Upromise copies card numbers out of users' encrypted (HTTPS) browsing, but Upromise retransmits card numbers in plain text -- making it all too easy for others to gain access.

Continued: Specific transmissions; promises broken; what Upromise should do.


Google Click Fraud Inflates Conversion Rates and Tricks Advertisers into Overpaying

January 12, 2010 - Permalink

In today's post, I show click fraud with a twist. Like standard click fraud, this infraction completely fakes clicks -- charging advertisers for clicks that didn't actually occur. But this click fraud is carefully targeted -- faking a click to the victim advertiser when the user is already at that advertiser's site. Thus, standard efforts to measure conversion rates classify this traffic as legitimate and valuable -- tricking advertisers into raising their bids and paying even more, when they should be demanding refunds.

This scam targets Google advertisers -- who pay Google's high prices in expectation of receiving high-quality traffic, but instead suffer this unwanted ruse. The traffic comes through a lengthy chain -- fully seven partners passing the traffic from the underlying spyware through to Google. Closest to Google is InfoSpace, whose pattern of dubious traffic I chronicle in special detail.

Continued: The offending placements; video and packet log proof; what Google should do.


Google Still Charging Advertisers for Conversion-Inflation Traffic from WhenU Spyware

January 5, 2010 - Permalink

In February and May 2009, I reported Google paying WhenU spyware to cover selected sites with those sites' own Google PPC ads. These bogus placements perpetrate a practice I call "conversion inflation": They let Google claim credit for purchases that would have happened anyway -- overstating Google's effectiveness and leading advertisers to overbid and overpay for Google traffic.

Google admitted the impropriety of these placements -- even offering a credit to RCN, the advertiser I featured in May, though denying refund requests from other affected advertisers. But, remarkably, Google and its partners have restarted these placements. Today I post the proof -- screenshots, video, and packet log records prepared just this week.

Continued: The offending placements; violation of Google's promises to users and advertisers; what Google should do.


Deception in Post-Transaction Marketing

November 19, 2009 - Updated, December 5, 2009 - Permalink

Post-transaction marketers Webloyalty, Vertrue, and Affinion have attracted criticism for solicitations that tend to deceive consumers. They typically feature recurring billing programs that promise a savings or discount, but actually charge users on an ongoing basis. They promote these services while customers are finishing the checkout process at trusted e-commerce sites -- a time when few users expect unrelated offers from third parties. Furthermore, they obtain consumers' credit card numbers from partner sites -- so a user may enter a billing relationship and face credit card charges without providing a card number to the company that posts the charges.

In this posting, I present key primary source documents (internal company emails and analyses and reports from victim consumers) as well as outside analyses (a Senate staff report and testimony from hearing witnesses including my own statement for the record).

Highlights of my Statement for the Record: I argue that the timing, placement, and format of post-transaction offers deceptively suggest that the offers are part of the checkout process. (3) I suggest that automatic transfer of consumers' payment information removes a key warning that customers are incurring a financial obligation. (3-4) I examine disclosures and find them inadequate to cure the deception resulting from the substance, format, and context of the offers. (5) I point out that credit card network rules disallow key post-transaction marketing practices, and I suggest that credit card networks enforce these rules. (6-7) I suggest that low usage rates support an inference of deception, and I provide an empirical strategy to estimate usage rates from publicly-available sources. (7)

Full article: Deception in Post-Transaction Marketing.

My subsequent Payment Card Network Rules Prohibit Aggressive Post-Transaction Tactics cites, quotes, and analyzes relevant rules -- finding that existing card network requirements disallow key post-transaction marketing practices.


Towards a Bill of Rights for Online Advertisers

September 21, 2009 - Permalink

I offer five rights to protect advertisers from increasingly powerful ad networks -- avoiding fraudulent charges for services not rendered, guaranteeing data portability so advertisers get the best possible value, and assuring price transparency so advertisers know what they're buying. I explain the need for these rights by presenting specific practices causing particular concern.

Continued: Five rights; their urgency; their benefits.


How Google and Its Partners Inflate Measured Conversion Rates and Increase Advertisers' Costs

May 13, 2009 - Permalink

With its lofty "Software Principles" and its "do no evil" mantra, Google might seem the last company likely to partner with spyware or adware vendors. But in today's article, I show Google doing exactly that.

Consumers certainly suffer from the sneaky software Google supports. But the clearest victims are advertisers, for these placements systematically charge advertisers for traffic the advertisers would otherwise have received for free.

Continued: Specific examples; videos, screenshots, and packet logs; a way forward.


In Support of Utah's HB450

March 9, 2009 - Permalink

When a user searches for one company, may a search engine show ads for a direct competitor instead? A natural libertarian instinct might reply yes, sure, do whatever you want. In this brief piece, I push back on that idea, offering reasons why such ads are improper.

I then analyze Utah's HB450, which would prohibit certain deceptive online advertising. I consider the bill's effects, and I explain why I support its approach.

Continued: Confusing ads; ineffective disclosures; how state regulation can help.


False and Deceptive Display Ads at Yahoo's Right Media

January 14, 2009 - Permalink

Yahoo's Right Media ad marketplace features widespread ads exactly designed to deceive. I present ten examples of these deceptive ads, and I critique their unwelcome characteristics. To estimate the prevalence of deceptive tactics, I examine Right Media's own analysis of ad characteristics -- finding that by Right Media's own admission, deceptive ads total 35% or more of Right Media's advertising inventory.

Continued: False and Deceptive Display Ads at Yahoo's Right Media.


Privacy Lapse at Google JotSpot

October 30, 2008 - Permalink

Google's JotSpot service posts sensitive user data, despite specific promises to the contrary in JotSpot's privacy policy. JotSpot even allows this information to be indexed by Google's search crawlers. JotSpot's postings are, by all indications, accidental. But in the context of a series of similar slip-ups, these postings raise questions about the efficacy of Google's model of hosted applications.

Continued: Screenshots of the leaked data; privacy policy promises; harms; a pattern of privacy breaches on Google's hosted applications.


Hydra Media's Pop-Up Problem -- Ten Examples

October 14, 2008 - Permalink

Affiliate marketer Hydra Network claims to be tough on fraud. Hydra says it "guards against compliance problems from every angle" to assure that ad placements are "safe[,] secure [and] profitable." Furthermore, Hydra claims to provide "tough affiliate pre-screening and policing to assure quality."

Despite Hydra's claims, my observations reveal major room for improvement. On fully 1,343 occasions, my AutoTester has seen Hydra affiliates receiving traffic from spyware or adware. Today I'm posting ten examples -- ten different Hydra affiliates using five different spyware/adware programs to claim commissions from Hydra's top merchants.

More: Full video and packet log proof.


CPA Advertising Fraud: Forced Clicks and Invisible Windows

October 7, 2008 - Permalink

Not all CPA fraud requires placing (or using) spyware or adware on a user's PC. In today's article, I show three examples of affiliates cheating CPA merchants using only a web browser -- without any special software on users' PCs. In particular, I show affiliates running invisible IFRAMEs, hidden portions of banner ads, and redirects loaded through signature icons in forum discussions. In each instance, affiliates claim commissions they did not earn.

More: Videos and packet logs; detection and defenses.


Auditing Spyware Advertising Fraud: Wasted Spending at VistaPrint

September 30, 2008 - Permalink

This month and last, my AutoTester observed more than two dozen different affiliates cheating VistaPrint through spyware pop-ups -- in each instance, using "self-targeting" to claim affiliate commission on traffic VistaPrint would otherwise have received for free. In today's article, I offer six examples of these observations -- as well as some musings on what VistaPrint might do to block these scams.

More: Videos and packet logs; which CPA networks are involved; VistaPrint's claims of effective advertising management.


Competition among Sponsored Search Services

July 11, 2008 - Permalink

Last month I was asked to testify to the United States House of Representatives Committee on the Judiciary Task Force on Competition Policy and Antitrust Laws about competition among paid search providers, particularly the proposed Google-Yahoo partnership.

At the last minute, the hearing was cancelled, and I won't be able to testify at the rescheduled session. Rather than let my draft written statement languish unread, I'm taking this opportunity to post the prepared testimony I had planned to offer last month.

More: My prior testimony about the Senate Counter Spy Act.


PPC Platform Competition and Google's "May Not Copy" Restriction

June 27, 2008 - Permalink

A little-noticed Google AdWords API Terms & Conditions restriction substantially hinders advertisers' efforts to use multiple providers -- prohibiting software vendors from using Google's API to help advertisers copy AdWords campaigns to competing platforms. This provision hinders competition between sponsored search providers -- creating an unnecessary and artificial barrier to advertisers easily copying their ads elsewhere.

More: The restriction at issue; its effects; Google's defenses and my analysis; Google's requests for data portability in other contexts.


Running Out of Numbers? The Impending Scarcity of IPv4 Addresses and What To Do About It

June 6, 2008 - Permalink

The Internet's current numbering system is nearing exhaustion: The Internet's primary communications protocol, "IP" (more precisely, IPv4) allows only a finite set of computer numbers ("IP addresses"), and central authorities will soon exhaust the supply.

An alternative IP standard, IPv6, would dramatically increase Internet address capacity. But network incentives impede transition to v6. For example, a device with only a v6 address cannot directly retrieve most web sites because most web sites have only v4 addresses. Consider the undesirability of owning the world's first fax machine (no one to communicate with); to date, v6 has suffered a similar problem, with the additional challenge that existing IPv4 systems boast widespread usage (making an upgrade to v6 appear particularly unnecessary). Furthermore, v4-v6 translation systems are limited at best -- allowing v6-only computers to receive some kinds of v4 content, but often failing to support proprietary or nonstandard systems such as VoIP, videoconferencing, multiplayer video games, and custom software.

With these substantial disincentives and limitations hindering v6 transition, v6 deployment has been slow. It seems continued use of IPv4 will remain necessary for the foreseeable future -- even after central authorities have no more v4 addresses to give out. Today I'm posting an initial analysis of market mechanisms to reallocate existing v4 addresses and facilitate v4's continued use. In particular, I consider the possible effects of paid transfers of v4 addresses. I emphasize rules to ameliorate the worst effects of v4 scarcity, while preserving the core principles of existing regulation and avoiding major negative externalities.

My draft:
  Running Out of Numbers? The Impending Scarcity of IP Addresses and What To Do About It


Debunking Zango's "Content Economy"

May 28, 2008 - Permalink

Zango often touts its so-called "content economy" -- purportedly providing users access to media in exchange for accepting Zango's popup ads. But Zango's media library is nothing to celebrate. Today I report my recent examinations. I show:

Continued: My findings; screenshots and examples; legal implications.


Coupons.com and TRUSTe: Lots of Talk, Too Little Action

March 18, 2008 - Updated, March 20, 2008 - Permalink

Six and a half months ago, I reported a variety of bad practices at Coupons.com. Key among my concerns: Coupons.com stored data in deceptive filenames and registry entries designed to look like part of Windows -- with names like c:\windows\WindowsShellOld.Manifest.1 and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\Presentation Style . Furthermore, Coupons.com failed to remove these files upon a user's specific request.

Because Coupons.com is certified by TRUSTe Trusted Download, I reported these behaviors through TRUSTe's Watchdog form. TRUSTe investigated and last month declared success, claiming that "Coupons, Inc. rolled out ... [a] new version of the software ... that writes only one registry key placed in a typical location, named in an appropriate manner." Nonetheless, my tests indicate exactly the opposite -- including all the same deceptive filenames and registry keys I previously identified. Furthermore, my tests indicate that all these files are left behind even after a user performs an uninstall.

Continued: My findings; video proof; other violations.


Delaying Payment to Deter Online Advertising Fraud

March 10, 2008 - Permalink

In Optimal Deterrence when Judgment-Proof Agents are Paid in Arrears - with an Application to Online Advertising Fraud, I introduce an alternative method of fraud prevention for certain online advertising systems. By delaying payments, a merchant or network differentially harms bad affiliates (who rightly worry they may get caught) without unduly harming good affiliates (who know they'll get paid, and who receive a bonus in compensation for the delay). With a suitable delay, a merchant or network can deter many bad affiliates while retaining the good.

Continued: Details on my approach, including initial data on merchants' and networks' current payment terms.


Critiquing C-NetMedia's Anti-Spyware Offerings and Advertising Practices

February 14, 2008 - Permalink

I examine anti-spyware software from C-NetMedia. I show deceptive advertising for C-Net's products, including product names, ad text, and web site designs that falsely suggest affiliation with security industry leaders. I examine C-Net's use of many disjoint product names -- preventing consumers from easily learning more about C-Net, its reputation, and its practices. I analyze C-Net's high-pressure sales tactics, including false positives, which overstate the urgency of paying for an upgraded version.

Continued: Specific deceptive advertising practices; trademark registrations; response from the advertising and security industries.


Sears Exposes Customer Purchase History in Violation of Its Privacy Policy

January 4, 2008 - Permalink

Want to know what a given customer has purchased from Sears? It's surprisingly easy to find out. In this article, I demonstrate how Sears reveals customers' major purchases to anyone who asks -- notwithstanding Sears' stated privacy policy.

Continued: The procedure for obtaining data; screenshots of customer purchases; the privacy breach in context.


The Sears "Community" Installation of ComScore

January 1, 2008 - Permalink

Late last month, Benjamin Googins (a senior researcher in the Anti-Spyware unit at Computer Associates) critiqued a ComScore installation performed by Sears' "Sears Holdings Community" ("My SHC Community" or "SHC"). After reviewing the installation sequence, Ben concluded that the installation offered "very little mention of software or tracking" and otherwise fell short of CA and industry standards. I agree.

I write today to add my own critique. I begin by presenting the entire installation sequence in screenshots and video. I then explain why the limited notice provided falls far short of the standards the FTC has established. Finally, I show that Sears' claims of adequate notice are demonstrably false.

Continued: Installation screenshots & video; limited notice; FTC standards; false claims from Sears.


A Closer Look at Coupons.com

August 28, 2007 - Updated, September 24, 2007 - Permalink

To print coupons from Coupons.com, users must install Coupons.com's coupon-printing software. Unbeknownst to users, Coupons.com's software disguises its key files as part of Windows -- with deceptive names like c:\windows\uccspecc.sys and c:\windows\WindowsShellOld.Manifest. Furthermore, Coupons.com leaves these misnamed files on disk even if a user uninstalls Coupons.com software -- making it particularly hard for users to fully rid themselves of Coupons.com.

Meanwhile, Coupons.com is remarkably lax with the ID number it assigns to each user. Without any meaningful statement in its privacy policy, Coupons.com prints a user ID on each coupon. Furthermore, the design of Coupons.com's coupon-printing software lets any web site (even sites with no relationship to Coupons.com) access and retrieve users' Coupons.com user IDs. Finally, Coupons.com's Veri-fi system lets any interested person check which coupons a given user has printed -- potentially revealing significant information about the users' purchasing interests.

Continued: Specific practices; deceptive files and registry entries; privacy policy violations.


Zango's Compliance Problems

July 31, 2007 - Permalink

Last November, Zango and the FTC announced a settlement of the FTC's investigation of Zango's practices. Among the key requirements: Zango agreed to install only after "clearly and prominently disclos[ing] the material terms [of its software] prior to the display of, and separate from, any [EULA]." Zango further agreed to label each of its ads with a “clear[] and prominent[]” marking as to the source of the ad, as well as a hyperlink to removal and complaint procedures.

Some of Zango's installations do some of what the settlement requires. But others don't. Today I'm posting Zango Practices Violating Zango's Recent Settlement with the FTC. In a series of screenshots, I show widespread Zango installations with no disclosure outside of a EULA. I also present numerous Zango ads appearing with no labeling at all.


ComScore Doesn't Always Get Consent

June 29, 2007 - Updated, July 26, 2007 - Permalink

Flush with cash from its recent IPO, ComScore might be expected to exert unmatched care in the distribution of its tracking software. But my tests indicate otherwise. In today's article, I describe multiple recent ComScore RelevantKnowledge installations that occur without user consent. I provide video proof of one such installation.

Continued: Specific incidents of nonconsensual installations; TRUSTe certification.


Spyware Still Cheating Merchants and Legitimate Affiliates

May 21, 2007 - Permalink

Spyware programs continue to claim commissions on merchants' organic traffic. When users simply type in a site's address and make a purchase, merchants shouldn't have to pay an affiliate commission. But spyware programs often monitor what web sites users visit, and when they see users browse a targeted merchant, they often pop open an affiliate link to that merchant. If a user then makes a purchase, the merchant pays the affiliate a commission -- even though the affiliate did nothing whatsoever to facilitate or encourage the sale.

In today's article, I show six examples of spyware programs using these methods to cheat Blockbuster and Netflix. As usual, I offer screenshots, videos, and annotated packet logs to confirm what occurred.

Continued: Specific examples; responsible affiliates and ad networks; revenue and cost implications.


Introducing the Automatic Spyware Advertising Tester

May 21, 2007 - Permalink

Earlier this year, I wrote a program I call the "Automatic Spyware Advertising Tester" ("AutoTester"). On a set of virtual machines infected with a variety of spyware, the AutoTester browses a set of test scenarios -- viewing web pages, running searches, and even adding items to shopping carts at retailers' sites. The AutoTester keeps a full log of what happens -- a video of what pop-ups appear, and a packet log of what network transmissions occur. If the AutoTester observes any improper traffic (such as an unexpected and unrequested affiliate link), it records that event in a log file, and it tags the video and packet log accordingly.

Continued: Capabilities; benefits; future reports.


How Spyware-Driven Forced Visits Inflate Web Site Traffic Counts

May 7, 2007 - Permalink

Some sites use cheap spyware traffic to inflate their traffic statistics. Unfortunately, traffic measurements mistakenly assume users arrive at sites because they actually wanted to go there, without considering the possibility that some visits are involuntary. So a slew of cheap spyware-delivered popups can cause a site to be reported to be more popular than it really is.

Forced visits harm investors (who risk overpaying for a site based on inflated measures of popularity), advertisers (who overpay for ad space), and consumers (whose spyware infections are funded in part from forced visit payments).

That said, it's possible to detect sites using spyware to inflate their traffic counts: Just install some spyware on a test PC, and watch what ads are displayed. My article gives the details.

Continued: Six specific examples; video, screenshot and packet log proof; policy responses & detection.


Advertising Through Spyware -- After Promising To Stop

March 14, 2007 - Permalink

[Image: A Cingular ad injected into Google by Fullcontext spyware - February 17, 2007]

In January, the New York Attorney General announced an important step in the fight against spyware: Holding advertisers accountable for their payments to spyware vendors. In Assurances of Discontinuance, Cingular (now part of AT&T), Priceline, and Travelocity each agreed to cease use of spyware -- to require all marketing partners not to use advertising software that installs without disclosures and consent, that fails to label ads, or that fails to offer an easy procedure to uninstall. These requirements apply to ads purchased directly by Cingular, Priceline, and Travelocity, as well as to all marketing partners acting on their behalf.

Unfortunately, both Cingular and Travelocity have failed to sever their ties with spyware vendors. Today I post six examples showing Cingular and Travelocity both continuing to receive spyware-originating traffic, including traffic from some of the web's most notorious and most widespread spyware.

Continued: Six specific examples; video, screenshot, and packet log proof; analyzing the chain of responsibility.


For older postings, see site archives.