<?xml version="1.0" ?> 
<!--  RSS generated by Edelman  --> 
<rss version="2.0">
<channel>
  <title>BenEdelman.org</title> 
  <link>http://www.benedelman.org/</link> 
  <description>Original research on Internet architecture and regulation.</description> 
  <language>en-us</language> 
  <copyright>Copyright 2003-2010 Ben Edelman</copyright> 
  <pubDate>20 May 2010 12:00:00 GMT</pubDate> 
  <lastBuildDate>20 May 2010 12:00:00 GMT</lastBuildDate> 


<item>
  <title>Facebook Leaks Usernames, User IDs, and Personal Details to Advertisers</title>
  <description>&lt;p&gt;Browse Facebook, and you wouldn't expect Facebook's advertisers to learn who you are. After all, Facebook's privacy policy and blog posts promise not to share user data with advertisers except when users grant specific permission.&lt;/p&gt;
  &lt;p&gt;But in my testing, Facebook's actual practices exactly contradict Facebook's promises. Merely clicking an advertiser's ad reveals to the advertiser the user's Facebook username or user ID. With default privacy settings, the advertiser can then see almost all of a user's activity on Facebook, including name, photos, friends, and more.&lt;/p&gt;</description> 
  <pubDate>20 May 2010 12:00:00 GMT</pubDate> 
  <guid>http://www.benedelman.org/news/052010-1.html</guid> 
  <link>http://www.benedelman.org/news/052010-1.html</link> 
  </item>

<item>
  <title>Sony's Crackle: Invisible Traffic Galore</title>
  <description>Advertisers buying display ads from Sony's Crackle.com rightly and reasonably expect that users can see the ads. But that's not always the case. In today's posting, I present three recent examples of Crackle partners loading the Crackle site invisibly, largely via 1x1 IFRAMEs. I then tabulate observations preserved by my automation, demonstrating that Crackle's tainted traffic has continued for more than a year. I conclude by flagging implications for traffic measurement and ad pricing, and by suggesting what Crackle should do to clean up this mess.</description> 
  <pubDate>27 Apr 2010 12:00:00 GMT</pubDate> 
  <guid>http://www.benedelman.org/news/042710-1.html</guid> 
  <link>http://www.benedelman.org/news/042710-1.html</link> 
  </item>

<item>
  <title>Measuring Typosquatting Perpetrators and Funders</title>
  <description>&lt;p&gt;For more than a decade, aggressive website registrants have been engaged in 'typosquatting' -- the intentional registration of misspellings of popular website addresses. Uses for the diverted traffic have evolved over time, ranging from hosting &lt;a href="http://cyber.law.harvard.edu/archived_content/people/edelman/typo-domains/"&gt;sexually-explicit content&lt;/a&gt; to phishing. Several countermeasures have been implemented, including &lt;a href="http://en.wikipedia.org/wiki/Anticybersquatting_Consumer_Protection_Act"&gt;outlawing the practice&lt;/a&gt; and &lt;a
	href="http://www.icann.org/en/udrp/"&gt;developing policies for resolving disputes&lt;/a&gt;. Despite these efforts, typosquatting remains rife. &lt;/p&gt;
	&lt;p&gt;But just how prevalent is typosquatting today, and why is it so pervasive? &lt;a href="http://people.seas.harvard.edu/%7Etmoore/"&gt;Tyler Moore&lt;/a&gt; and I set out to answer exactly these questions. In &lt;a href="http://www.benedelman.org/typosquatting/typosquatting.pdf"&gt;Measuring the Perpetrators and Funders of Typosquatting&lt;/a&gt; (appearing at the &lt;a href="http://fc10.ifca.ai/"&gt;Financial Cryptography&lt;/a&gt; conference), we estimate that at least 938,000 typosquatting domains target the top 3,264 .com sites, and we crawl more than 285,000 of these domains to analyze their revenue sources.
	  &lt;/p&gt;
	&lt;p&gt;Our full posting: &lt;a
	href="http://www.benedelman.org/typosquatting/typosquatting.pdf"&gt;&lt;em&gt;Measuring the Perpetrators and Funders of Typosquatting&lt;/em&gt;&lt;/a&gt; and &lt;a href="http://www.benedelman.org/typosquatting/"&gt;web appendix&lt;/a&gt;. &lt;/p&gt;
  </description> 
  <pubDate>17 Feb 2010 12:00:00 GMT</pubDate> 
  <guid>http://www.benedelman.org/typosquatting/</guid> 
  <link>http://www.benedelman.org/typosquatting/</link> 
  </item>
<item>
  <title>Google Toolbar Tracks Browsing Even After Users Choose "Disable"</title>
  <description>I present screenshots and screen-capture videos demonstrating that even after a user specifically chooses to &quot;disable&quot; the Google Toolbar, and even after the Google Toolbar disappears from view, Google Toolbar continues tracking users' web browsing -- including the specific sites visited, pages browsed, and searches conducted. I then critique Google's installation -- which lets users activate these transmissions in a single click, while ceasing the transmissions is much harder. I compare Google's current notice/consent process to Google's 2004 version, finding an important decline in both presentation and clarity.</description> 
  <pubDate>26 Jan 2010 12:00:00 GMT</pubDate> 
  <guid>http://www.benedelman.org/news/012610-1.html</guid> 
  <link>http://www.benedelman.org/news/012610-1.html</link> 
  </item>
<item>
  <title>Upromise Savings -- At What Cost?</title>
  <description>When users install the Upromise toolbar, Upromise admits collecting &quot;non-personally identifiable information&quot; about users' online activities. But Upromise actually transmits detailed information -- not just page-views and searches, but email addresses and even full credit card numbers, expiration dates, and CVV2 codes. Upromise copies card numbers out of users' encrypted (HTTPS) browsing, but Upromise retransmits card numbers in plain text -- making it all too easy for others to gain access.</description> 
  <pubDate>21 Jan 2010 12:00:00 GMT</pubDate> 
  <guid>http://www.benedelman.org/news/012110-1.html</guid> 
  <link>http://www.benedelman.org/news/012110-1.html</link> 
  </item>
<item>
  <title>Google Click Fraud Inflates Conversion Rates and Tricks Advertisers into Overpaying</title>
  <description>In today's post, I show click fraud with a twist. Like standard click fraud, this infraction completely fakes clicks -- charging advertisers for clicks that didn't actually occur. But this click fraud is carefully targeted -- faking a click to the victim advertiser when the user is already at that advertiser's site. Thus, standard efforts to measure conversion rates classify this traffic as legitimate and valuable -- tricking advertisers into raising their bids and paying even more, when they should be demanding refunds.</description> 
  <pubDate>12 Jan 2010 12:00:00 GMT</pubDate> 
  <guid>http://www.benedelman.org/news/011210-1.html</guid> 
  <link>http://www.benedelman.org/news/011210-1.html</link> 
  </item>
<item>
  <title>Google Still Charging Advertisers for Conversion-Inflation Traffic from WhenU Spyware</title>
  <description>In February and May 2009, I reported Google paying WhenU spyware to cover selected sites with those sites' own Google PPC ads. These bogus placements perpetrate a practice I call "conversion inflation": They let Google claim credit for purchases that would have happened anyway -- overstating Google's effectiveness and leading advertisers to overbid and overpay for Google traffic.  Google admitted the impropriety of these placements -- even offering a credit to RCN, the advertiser I featured in May, though denying refund requests from other affected advertisers. But, remarkably, Google and its partners have restarted these placements. Today I post the proof -- screenshots, video, and packet log records prepared just this week.</description> 
  <pubDate>5 Jan 2010 12:00:00 GMT</pubDate> 
  <guid>http://www.benedelman.org/news/010510-1.html</guid> 
  <link>http://www.benedelman.org/news/010510-1.html</link> 
  </item>
<item>
  <title>Payment Card Network Rules Prohibit Aggressive Post-Transaction Tactics</title>
  <description>Post-transaction marketers crucially rely on automatic transfer of consumers' payment card numbers -- copying a customer's credit card number from a merchant (where the consumer intentionally made a purchase) to a post-transaction marketer's membership club (which typically attracts a consumer's attention with a deceptive offer promising illusory savings).  Copying credit card numbers raises numerous concerns, as detailed in my Statement for the Record last month. Crucially, it also violates applicable credit card network rules, which specifically prohibit merchants from copying card numbers.  In today's post, I cite, quote, and analyze relevant rules.  I also present letters I recently sent to leading card networks, urging them to enforce their existing rules.</description> 
  <pubDate>5 Dec 2009 12:00:00 GMT</pubDate> 
  <guid>http://www.benedelman.org/posttransaction/cardnetworks/</guid> 
  <link>http://www.benedelman.org/posttransaction/cardnetworks/</link> 
  </item>
<item>
  <title>Deception in Post-Transaction Marketing</title>
  <description>Post-transaction marketers have attracted criticism for solicitations that tend to deceive consumers.  Offers often promise a savings or discount while actually charging customers on an ongoing basis.  Offers often appear while customers are finishing the checkout process at trusted e-commerce sites -- a time when few users expect unrelated offers from third parties.  Furthermore, post-transaction marketers obtain consumers' credit card numbers from partner sites (without consumers providing their card numbers to the companies that actually post charges).  I summarize and post key documents recently released by the US Senate Commerce Committee, as well as reports from victims, an analysis by Committee staff, and recommendations from witness testimony (including my own).</description> 
  <pubDate>19 Nov 2009 12:00:00 GMT</pubDate>
  <guid>http://www.benedelman.org/posttransaction/</guid> 
  <link>http://www.benedelman.org/posttransaction/</link> 
  </item>
<item>
  <title>Towards a Bill of Rights for Online Advertisers</title>
  <description>I offer five rights to protect advertisers from increasingly powerful ad networks -- avoiding fraudulent charges for services not rendered, guaranteeing data portability so advertisers get the best possible value, and assuring price transparency so advertisers know what they're buying. I explain the need for these rights by presenting specific practices causing particular concern.</description> 
  <pubDate>21 Sep 2009 12:00:00 GMT</pubDate> 
  <guid>http://www.benedelman.org/advertisersrights/</guid> 
  <link>http://www.benedelman.org/advertisersrights/</link> 
  </item>
<item>
  <title>How Google and Its Partners Inflate Measured Conversion Rates and Increase Advertisers' Costs</title>
  <description>I present four examples of Google and its partners interceding to grab users already on (or headed for) advertisers' sites -- spyware/adware popups, tricky toolbars, typosquatting, and Chrome browser autocomplete.  In each instance, Google charges advertisers for pay-per-click traffic they would have otherwise received for free.</description> 
  <pubDate>13 May 2009 12:00:00 GMT</pubDate> 
  <guid>http://www.benedelman.org/news/051309-1.html</guid> 
  <link>http://www.benedelman.org/news/051309-1.html</link> 
  </item>
<item>
  <title>In Support of Utah's HB450</title>
  <description>I analyze Utah's HB450, which would prohibit certain deceptive online advertising. I consider the bill's effects, and I explain why I support its approach.</description> 
  <pubDate>9 Mar 2009 12:00:00 GMT</pubDate> 
  <guid>http://www.benedelman.org/news/030909-1.html</guid> 
  <link>http://www.benedelman.org/news/030909-1.html</link> 
  </item>

<item>
  <title>False and Deceptive Display Ads at Yahoo's Right Media</title>
  <description>Yahoo's Right Media ad marketplace features widespread ads exactly designed to deceive. I present ten examples of these deceptive ads, and I critique their unwelcome characteristics. To estimate the prevalence of deceptive tactics, I examine Right Media's own analysis of ad characteristics -- finding that by Right Media's own admission, deceptive ads total 35% or more of Right Media's advertising inventory.</description> 
  <pubDate>14 Jan 2009 12:00:00 GMT</pubDate> 
  <guid>http://www.benedelman.org/rightmedia-deception/</guid> 
  <link>http://www.benedelman.org/rightmedia-deception/</link> 
  </item>
<item>
  <title>Privacy Lapse at Google JotSpot</title>
  <description>Google's JotSpot service posts sensitive user data, despite specific promises to the contrary in JotSpot's privacy policy. JotSpot even allows this information to be indexed by Google's search crawlers. JotSpot's postings are, by all indications, accidental. But in the context of a series of similar slip-ups, this error raises questions about the efficacy of Google's model of hosted applications.</description> 
  <pubDate>30 Oct 2008 12:00:00 GMT</pubDate> 
  <guid>http://www.benedelman.org/google-jot-privacy/</guid> 
  <link>http://www.benedelman.org/google-jot-privacy/</link> 
  </item>
<item>
  <title>Hydra Media's Pop-Up Problem -- Ten Examples</title>
  <description>Affiliate marketer Hydra Network claims to be tough on fraud.  But my AutoTester has seen Hydra affiliates receiving traffic from spyware or adware on fully 1,343 occasions. Today I'm posting ten examples -- ten different Hydra affiliates using five different spyware/adware programs to claim commissions from Hydra's top merchants.</description> 
  <pubDate>14 Oct 2008 12:00:00 GMT</pubDate> 
  <guid>http://www.benedelman.org/news/101408-1.html</guid> 
  <link>http://www.benedelman.org/news/101408-1.html</link> 
  </item>

<item>
  <title>CPA Advertising Fraud: Forced Clicks and Invisible Windows</title>
  <description>Not all CPA fraud requires placing (or using) spyware or adware on a user's PC. In today's article, I show three examples of affiliates cheating CPA merchants using only a web browser -- without any special software on users' PCs. In particular, I show affiliates running invisible IFRAMEs, hidden portions of banner ads, and redirects loaded through signature icons in forum discussions. In each instance, affiliates claim commissions they did not earn.</description> 
  <pubDate>7 Oct 2008 12:00:00 GMT</pubDate> 
  <guid>http://www.benedelman.org/news/100708-1.html</guid> 
  <link>http://www.benedelman.org/news/100708-1.html</link> 
  </item>
<item>
  <title>Auditing Spyware Advertising Fraud: Wasted Spending at VistaPrint</title>

  <description>This month and last, my AutoTester observed more than two dozen different affiliates cheating VistaPrint through spyware pop-ups -- in each instance, using &quot;self-targeting&quot; to claim affiliate commission on traffic VistaPrint would otherwise have received for free. In today's article, I offer six examples of these observations -- as well as some musings on what VistaPrint might do to block these scams.</description> 
  <pubDate>30 Sep 2008 12:00:00 GMT</pubDate> 
  <guid>http://www.benedelman.org/news/093008-1.html</guid> 
  <link>http://www.benedelman.org/news/093008-1.html</link> 
  </item>
<item>
  <title>Competition among Sponsored Search Services</title>

  <description>Last month I was invited to testify to Congress about competition among paid search providers, particularly Google's proposed purchase of substantial advertising inventory from Yahoo.  At the last minute, the hearing was cancelled, and I won't be able to testify at the rescheduled session.  But I'm posting the prepared testimony I had planned to offer last month.</description> 
  <pubDate>11 Jul 2008 12:00:00 GMT</pubDate> 
  <guid>http://www.benedelman.org/news/071108-1.html</guid> 
  <link>http://www.benedelman.org/news/071108-1.html</link> 
  </item>
<item>
  <title>PPC Platform Competition and Google's "May Not Copy" Restriction</title>
  <description>A little-noticed Google AdWords API Terms and Conditions restriction substantially hinders advertisers' efforts to use multiple providers -- prohibiting software vendors from using Google's API to help advertisers copy AdWords campaigns to competing platforms.  I present the restriction, analyze its effects, and critique the defense Google offers.</description> 
  <pubDate>27 Jun 2008 12:00:00 GMT</pubDate> 
  <guid>http://www.benedelman.org/news/062708-1.html</guid> 
  <link>http://www.benedelman.org/news/062708-1.html</link> 
  </item>

<item>
  <title>Running Out of Numbers? The Impending Scarcity of IPv4 Addresses and What To Do About It</title>
  <description>The Internet's current IPv4 numbering system is nearing exhaustion, and transition incentives hinder rapid v6 deployment.  In that context, I present market mechanisms to reallocate existing v4 addresses and facilitate continued use of v4. In particular, I consider the possible effects of paid transfers of v4 addresses. I emphasize rules to ameliorate the worst effects of v4 scarcity, while preserving the core principles of existing regulation and avoiding major negative externalities.</description> 
  <pubDate>6 Jun 2008 12:00:00 GMT</pubDate> 
  <guid>http://www.benedelman.org/news/060608-1.html</guid> 
  <link>http://www.benedelman.org/news/060608-1.html</link> 
  </item>
<item>
  <title>Debunking Zango's "Content Economy"</title>
  <description>I examine Zango's media library.  I find widespread copyrighted videos presented without any indication of license from the corresponding rights-holders.  I also find widespread sexually-explicit material, including prominent explicit material nowhere labeled as such.</description> 
  <pubDate>28 May 2008 12:00:00 GMT</pubDate> 
  <guid>http://www.benedelman.org/news/052808-1.html</guid> 
  <link>http://www.benedelman.org/news/052808-1.html</link> 
  </item>
<item>
  <title>Coupons.com and TRUSTe: Lots of Talk, Too Little Action</title>
  <description>Coupons.com continues to use deceptive filenames and registry keys that falsely indicate they're part of Windows -- some 6+ months after I uncovered this practice.  Although TRUSTe last month announced that Coupons.com had stopped these practices, my tests indicate exactly the contrary.  Furthermore, I show other ongoing violations by Coupons.com -- including incomplete uninstall and executable code left behind after an uninstall.</description> 
  <pubDate>18 Mar 2008 12:00:00 GMT</pubDate> 
  <guid>http://www.benedelman.org/news/031808-1.html</guid> 
  <link>http://www.benedelman.org/news/031808-1.html</link> 
  </item>

<item>
  <title>Delaying Payment to Deter Online Advertising Fraud</title>
  <description>I introduce an alternative method of fraud prevention for certain online advertising systems. By delaying payments, a merchant or network differentially harms bad affiliates (who rightly worry they may get caught) without unduly harming good affiliates (who know they'll get paid, and who receive a bonus in compensation for the delay). With a suitable delay, a merchant or network can deter many bad affiliates while retaining the good.</description> 
  <pubDate>10 Mar 2008 12:00:00 GMT</pubDate> 
  <guid>http://www.benedelman.org/news/031008-1.html</guid> 
  <link>http://www.benedelman.org/news/031008-1.html</link> 
  </item>
<item>
  <title>Critiquing C-NetMedia's Anti-Spyware Offerings and Advertising Practices</title>

  <description>I examine anti-spyware software from C-NetMedia. I show deceptive advertising for C-Net's products, including product names, ad text, and web site designs that falsely suggest affiliation with security industry leaders. I examine C-Net's use of many disjoint product names -- preventing consumers from easily learning more about C-Net, its reputation, and its practices. I analyze C-Net's high-pressure sales tactics, including false positives, which overstate the urgency of paying for an upgraded version.</description> 
  <pubDate>14 Feb 2008 12:00:00 GMT</pubDate> 
  <guid>http://www.benedelman.org/news/021408-1.html</guid> 
  <link>http://www.benedelman.org/news/021408-1.html</link> 
  </item>
<item>
  <title>Sears Exposes Customer Purchase History in Violation of Its Privacy Policy</title>
  <description>I show that Sears' ManageMyHome site provides detailed customer purchase data without effective security measures.</description> 
  <pubDate>4 Jan 2008 12:00:00 GMT</pubDate> 
  <guid>http://www.benedelman.org/news/010408-1.html</guid> 
  <link>http://www.benedelman.org/news/010408-1.html</link> 
  </item>

<item>
  <title>The Sears "Community" Installation of ComScore</title>
  <description>I critique a Sears installation of ComScore software without meaningful notice or consent.  I present the entire installation sequence in screenshots and video, then explain why the limited notice falls far short of applicable FTC standards. I also show that Sears' claims of adequate notice are demonstrably false.</description> 
  <pubDate>1 Jan 2008 12:00:00 GMT</pubDate> 
  <guid>http://www.benedelman.org/news/010108-1.html</guid> 
  <link>http://www.benedelman.org/news/010108-1.html</link> 
  </item>
<item>
  <title>A Closer Look at Coupons.com</title>
  <description>I examine software from Coupons.com.  Key findings: Coupons.com disguises some of its key files to make them look like they're part of Windows.  These files stay on disk even if a user requests removal of Coupons.com.  Coupons.com prints a user ID on each coupon, without any meaningful disclosure in its privacy policy.  Any web site can use simple JavaScript to retrieve a user's Coupons.com user ID.  Given a user ID, any person can check whether a user has printed a given coupon -- revealing sensitive information about users' purchasing interests.</description> 
  <pubDate>28 Aug 2007 12:00:00 GMT</pubDate> 
  <guid>http://www.benedelman.org/news/082807-1.html</guid> 
  <link>http://www.benedelman.org/news/082807-1.html</link> 
  </item>
<item>
  <title>Zango's Compliance Problems</title>
  <description>Despite Zango's 2006 settlement with the FTC, Zango continues behaviors exactly contrary to what the settlement specifies -- including installations lacking out-of-EULA disclosure of Zango's material terms, and including unlabeled ads that don't tell users why the ads appeared or how to make them stop.  I document these and other troubling behaviors in a series of screenshots and videos.</description> 
  <pubDate>31 Jul 2007 12:00:00 GMT</pubDate> 
  <guid>http://www.benedelman.org/news/073107-1.html</guid> 
  <link>http://www.benedelman.org/news/073107-1.html</link> 
  </item>

<item>
  <title>ComScore Doesn't Always Get Consent</title>
  <description>I describe multiple recent ComScore RelevantKnowledge installations that occur without user consent. I provide video proof of one such installation. I compare these installations with applicable law and with TRUSTe Trusted Download rules.</description> 
  <pubDate>29 Jun 2007 12:00:00 GMT</pubDate> 
  <guid>http://www.benedelman.org/news/062907-1.html</guid> 
  <link>http://www.benedelman.org/news/062907-1.html</link> 
  </item>
  
</channel>
</rss>