The Online Ad Scams Every Marketer Should Watch Out For

The Online Ad Scams Every Marketer Should Watch Out For. HBR Online. October 13, 2015.

Imagine you run a retail store and hire a leafleteer to distribute handbills to attract new customers. You might assess her effectiveness by counting the number of customers who arrived carrying her handbill and, perhaps, presenting it for a discount. But suppose you realized the leafleteer was standing just outside your store’s front door, giving handbills to everyone on their way in. The measured “effectiveness” would be a ruse, merely counting customers who would have come in anyway. You’d be furious and would fire her in an instant. Fortunately, that wouldn’t actually be needed: anticipating being found out, few leafleteers would attempt such a scheme.

In online advertising, a variety of equally brazen ruses drain advertisers’ budgets — but usually it’s more difficult for advertisers to notice them. I’ve been writing about this problem since 2004, and doing my best to help advertisers avoid it.

In this piece for HBR Online, I survey these problems in a variety of types of online advertising — then try to offer solutions.

Risk, Information, and Incentives in Online Affiliate Marketing

Edelman, Benjamin, and Wesley Brandi. “Risk, Information, and Incentives in Online Affiliate Marketing.” Journal of Marketing Research (JMR) 52, no. 1 (February 2015): 1-12. (Lead Article.)

We examine online affiliate marketing programs in which merchants oversee thousands of affiliates they have never met. Some merchants hire outside specialists to set and enforce policies for affiliates, while other merchants ask their ordinary marketing staff to perform these functions. For clear violations of applicable rules, we find that outside specialists are most effective at excluding the responsible affiliates, which we interpret as a benefit of specialization. However, in-house staff are more successful at identifying and excluding affiliates whose practices are viewed as “borderline” (albeit still contrary to merchants’ interests), foregoing the efficiencies of specialization in favor of the better incentives of a company’s staff. We consider the implications for marketing of online affiliate programs and for online marketing more generally.

Pitfalls and Fraud in Online Advertising Metrics: What Makes Advertisers Vulnerable to Cheaters, and How They Can Protect Themselves

Edelman, Benjamin. “Pitfalls and Fraud in Online Advertising Metrics: What Makes Advertisers Vulnerable to Cheaters, and How They Can Protect Themselves.” Journal of Advertising Research 54, no. 2 (June 2014): 127-132.

How does online advertising become less effective than advertisers expect and less effective than measurements indicate? The current research explores problems that result, in part, from malfeasance by outside perpetrators who overstate their efforts to increase their measured performance. In parallel, similar vulnerabilities result from mistaken analysis of cause and effect–errors that have become more fundamental as advertisers target their advertisements with greater precision. In the paper that follows, the author attempts to identify the circumstances that make advertisers most vulnerable, notes adjusted contract structures that offer some protections, and explores the origins of the problems in participants’ incentives and in legal rules.

Aspira Networks Charging Merchants for Traffic That’s Otherwise Free

Affiliate marketing is supposed to be low-risk for merchants: in theory, merchants only pay affiliates when a user makes a purchase. Specifically, an affiliate should earn a commission only if 1) the user browses the affiliate’s site, 2) the user clicks the affiliate’s specially-coded link to the merchant, and 3) the user makes a purchase from the merchant. But rogue affiliates find ways to bypass these requirements — be it cookie-stuffing, adware popups, typosquatting, or network-based traffic interception. In this piece, I show Delaware-based Aspira Networks approach: configuring its partners’ networks so that if a user makes a purchase from a targeted merchant’s site, the merchant has to pay Aspira an affiliate commission — even though Aspira did nothing to cause or encourage the user’s purchase.

The method is straightforward. Aspira partners with network operators to monitor and reroute users’ browsing. If a user requests a targeted merchant, Aspira intercedes — redirecting the user to an "finder" page, through an affiliate click link, then back to the merchant. The affiliate redirect causes merchants to conclude, mistakenly, that Aspira caused users’ subsequent purchases.

See examples of Aspira’s redirects in action, targeting the following merchants:
   GoDaddy – video, packet log
   Home Depot – video, packet log
   Travelocity – video, packet log

In testing, I found that Aspira targets roughly a quarter of large mainstream US affiliate merchants. I found Aspira systematically using CJ publisher account 3965551. In testing, I did not find Aspira currently targeting merchants using LinkShare, though an early Aspira investor pitch (dated August 2009 in metadata) indicates that Aspira has worked with LinkShare as well as Google Affiliate Network.

Merchants have no reason to pay for Aspira’s traffic. Though affiliate network reports may attribute sales to Aspira, Aspira does not actuallycause additional or incremental purchases. Rather, these are purchases that merchants would have received anyway. Aspira tells prospective merchants that they will "sell more products" by working with Aspira, but I see no evidence to support that claim. Quite the contrary, in fact; in my testing, Aspira did not genuinely promote any merchants. Aspira claimed commission only after a user had already reached a merchant’s site.

Notably, Aspira’s networks violate longstanding and broadly-applicable network policies. For example, the Commission Junction Publisher Service Agreement indicates that commission is only due for "clicks through links" (provision 3.a). Aspira’s automatic redirects entail no genuine user "click" on any link; there’s an automatic redirect but not an actual click. Other CJ rules disallow "transactions … not in good faith" including all manner of automatic and nonincremental leads (provision 1.d.ii). Here too, Aspira falls short.

In August 2011, Zhang et al. uncovered Paxfire similarly redirecting users through affiliate links. Under litigation pressure and media scrutiny, Paxfire found itself banned from Commission Junction, LinkShare, and Google Affiliate Network. I suggest the same resolution for Aspira.

Aspira’s site focuses on public installations (coffee-shops and the like) where, in principle, one might imagine that network access was made available by payments from Aspira. But I found Aspira redirecting traffic from an ordinary office served by Indiana ISP Smithville Communications. So far as I know, Smithville never notified its customers that it would be monitoring their communications, redirecting them through affiliate links, or sharing their browsing activity with Aspira. (Smithville’s privacy policy makes no mention of Aspira or sending users’ browsing to third parties.) Nor did Smithville offer customers a discount for allowing Smithville and Aspira to monitor and redirect their browsing. Other users report (and criticize) similar redirects when using standard residential and commercial ISPs Access Media 3, Arvig, and OnShore Networks.

Aspira’s site gives little detail about its revenue from redirecting users through affiliate links. Partner Cash4trafik says "typical operators have realized historically …. about $1.00 – $10.00 per subscriber per year." Notice that revenue must be shared among affiliate networks, Aspira, Cash4traffik, and ISPs — so if an ISP gets $5, the others might take another $15 along the way. Indeed, early Aspira financial projections — posted to the web and readily found by web search — indicate that Aspira planned to retain a 40% to 67% share of affiliate commissions.

Meanwhile, Aspira’s financial projections show a particularly brazen attempt to claim payments despite minimal effort. As of 2010, Aspira projected 2013 revenue climbing to $63 million with expense reportedly to stay below $7 million. Business plans are often overly optimistic, but an 89% profit margin is difficult to reconcile with genuine efforts to find incremental customers. In contrast, it’s wholly consistent with the practice I observed in which Aspira claims commission without any expense to find or attract users.

Whatever the benefits to Aspira and its partners, the effect on merchants is clearly negative: Aspira causes extra advertising expense without providing incremental purchases. Affiliate merchants should reject Aspira’s approach, save their marketing budgets for publishers with genuine incremental value, and encourage Aspira to shift to other activities.

Thanks to Thomas Rice for bringing this practice to my attention and facilitating my collection of proof of Aspira’s practices.

Blinkx Adware Revisited: Installation and Operation

My January 2014 "Darker Side of Blinkx" explored Blinkx’s adware business and other controversial practices. The posting prompted significant interest, but unexpectedly much of the subsequent discussion focused on why I did the work rather than Blinkx’s actual practices. With this piece, I further examine of Blinkx’s adware, deceptive installations, and other tactics that harm both users and advertisers.

In remarks last week, Blinkx attributed Zango’s downfall to "lax oversight of rogue partners." In today’s article, I show similar problems among Blinkx’s installations. I begin with deceptive installation of Blinkx adware when users request a (nonexistent) Flappy Bird game — an abusive bait-and-switch installation that burdens a user with half a dozen different adware programs yet never provides the promised game. I then show similarly deceptive installation of Blinkx adware when users request a (nonexistent) Snapchat app for Windows. I compare these practices to FTC requirements and evaluate Blinkx’s defenses. I then to demonstrate Blinkx that adware undermines HTTPS security by collecting and retransmitting users’ seemingly-secure browsing activity, as well as showing deceptive advertisements that targeted web sites would never allow along with numerous ad-fraud popups that charge merchants for traffic they would otherwise receive for free. I then find Blinkx adware loading Google ads in pop-ups, which specifically violates Google ad placement rules. I conclude with recommendations and next steps.

Note that this article examines only Blinkx’s ex-Zango adware business — not its ex-AdOn traffic brokering or its various other activities.

Deceptive Installation: Fake Flappy Bird App Installs Blinkx Adware

Softdlspro claims to offer a 'Flappy Birds Game Download.' The bundle provides myriad adware including Blinkx adware, but no Flappy Birds. Softdlspro claims to offer a "Flappy Birds Game Download." The bundle provides myriad adware including Blinkx adware, but no Flappy Birds.

Deceptive Fast Media Converter installation solicitation pretends to be a Flash Player update.  It installs Blinkx adware (and more). Deceptive Fast Media Converter installation solicitation pretends to be a Flash Player update. It installs Blinkx adware (and more).

Deceptive Super Backup installation puts the Next button above disclosures, and makes no mention of any popups or any advertising at all.Deceptive Super Backup installation puts the Next button above disclosures, and makes no mention of any popups or any advertising at all.

A decade after the dawn of adware, one might ask why users agree to install programs that slow their computers, reduce their privacy, and bombard them with pop-up ads. A close look at Blinkx installs is instructive: Often, users aren’t fairly told what they’re getting. Though FTC rules call for clear disclosure of key effects, in prominent text outside a license agreement, Blinkx and its partners often omit these statements. That omission isn’t just an occasional error — it’s a common characteristic of many Blinkx installations. Yet the omission is no great surprise: If Blinkx and its partners fairly told users what they’d be getting, most users would decline. The following sections show installations with this problem (among others).

On February 10, 2014, Flappy Bird creator Dong Nguyen withdrew his popular game from Apple and Google’s app stores. In response, users went to search engines to try to get the game. Users searching on Google often saw ads that promoted a Softdlspro page that purported to offer "Flappy Bird Game Downloads" but actually had no such thing. Through this process, unfortunate users received Blinkx adware.

In the top screenshot at right and in a first video, I demonstrate that a search for "flappy birds" took users to a Softdlspro download page. In a second video, I then show that this Softdlspro bundle bombards users with an onslaught of adware. In my testing, a user who attempts to install this game is asked to install Fast Media Converter adware (video at 2:42), Program Starter (3:51), Yahoo Toolbar (3:55), Gamevance/Trafficvance ArcadeParlor adware, "Clean Water Action Reminder" from We-Care (a browser plug-in that monitors users’ browsing and claims affiliate commission on users’ purchases) (4:02), SLOW-PCfighter (which purports to offer computer repair) (4:03), and Super Backup (4:08).

This Softdlspro "Flappy Bird" bundle appears to install two different programs with Blinkx adware. First, Softdlspro touts Fast Media Converter, which installs Blinkx ex-Zango adware. I credit that the FMC site and EULA give no immediate indication that FMC installs Blinkx adware. But taken as whole, the installation leaves litle doubt. Relevant factors: FMC retrieves configuration files and advertisements from URLs that match standard ex-Zango patterns. FMC’s pop-up ads match the longstanding Zango format including the same user-interface and delivery methods. (Examples: FMC popups defraud Amazon by claiming commission on Amazon’s organic traffic. FMC popups claim a "New Version Available" and use the Chrome name and logo. FMC popups claim "your Video Player has a faster version available" and use the Internet Explorer name and logo. FMC popups claim "Outdated Browser Detected" and repeatedly use the Internet Explorer name and logo.) In addition, the FMC installer downloads component EXEs from, which is Ignition Installer run by Verti Group, a Blinkx subsidiary.

Second, Softdlspro’s "Flappy Bird" touts Super Backup which is also monetized by Blinkx. Super Backup more readily discloses the link to Blinkx: Its Privacy Policy (visible in the video at 4:17) describes the program’s advertising component as "LeadImpact Software," and its Terms of Use say the same thing. Furthermore, LeadImpact’s privacy policy says LeadImpact comes from Pinball Corp, and LeadImpact’s DNS servers are also within Notably, Blinkx’s 2010 annual report lists Pinball as a wholly-owned subsidiary. LinkedIn statements are in accord: Tony Gozzo describes his employer as "the Leadimpact division" of Blinkx, and Ramon Navarro says he works for "Leadimpact – a division of Blinkx."

The Softdlspro "Flappy Bird" bundle is deceptive for multiple reasons. For one, it never provides the game the user requested and the offer purports to provide. Any associated "consent" to receive adware is therefore ill-gotten; as Softdlspro didn’t hold up its end of the bargain.

Furthermore, the Softdlspro offers are less than forthright. Consider the Fast Media Converter solicitation that appears in the video at 2:42 and in the second screenshot at right. (In general this is a freestanding offer — it appears on its own web page, separate from the Softdlspro install window, so users can and do receive this offer from other sources. That said, the Softdlspro installer systematically opens this web page, so users in the fake Flappy Birds install sequence are bound to see this pitch too.) The FMC offer reads "An update to Adobe Flash Player is available," prominently references "Adobe Flash Player 12", and uses the distinctive Adobe logo. But the software at issue is not provided by, or in any way affiliated with, Adobe. Indeed, Fast Media Converter has no genuine connection to Adobe Flash Player, and FMC uses the Adobe name, logo, and trademark only to appear familiar and legitimate. Users may be induced to install software because they are told it will "update" software they genuinely want on their computers. But when Blinkx and its distributors falsely claim to provide updates to unrelated software, any user’s "agreement" is ill-gotten and invalid.

FMC’s disclosures are also cause for concern. FMC mentions advertisements in a single clause midway through its installation disclosure (third paragraph, next-to-last sentence) — a place where users are unlikely to notice. Furthermore, the disclosure is vague: FMC "is ad-supported software and displays advertisements during your web browsing experience." Missing from this disclosure are the two key facts FMC needs to convey to users before asking them to accept the adware: First, that ads appear in pop-ups, a format users are known to dislike. Second, that the adware tracks users’ browsing in detail and at all times. Such disclosures are required to alert users to the material consequences of the installation, and such disclosures are specifically required under longstanding FTC rules. See analysis below.

In some respects, the Super Backup installation is even more deceptive. For the on-screen display, see the video at 4:08 and the third screenshot at right. Prominent on-screen disclosures are placed above the oversized green "Next" button. But these disclosures only mention innocuous features about a program launcher. (These features are associated with Program Starter, a bundler that solicits a series of further installations.)

  • Blinkx’s Super Backup is mentioned in a format that invites users to overlook what they are purportedly accepting. The disclosure is in grey type on a grey background (text color RGB 128 128 128 against 224 224 224, whereas black on white would be the higher-contrast 0 0 0 on 255 255 255).
  • The disclosure is at the far bottom of the window, outside the natural flow of a user’s review from top to bottom. Indeed, a user reading the window from top to bottom would have already have reached (and perhaps clicked) the Next button before reaching the disclosure.
  • The Next button does not solicit a clear manifestation of assent. To obtain meaningful permission to install, Biinkx and its partners would need a label like "I accept" or "I agree."
  • Worst of all, the disclosure says nothing at all about advertising. It only mentions backup functions: "makes backup easy with intelligent system scans…" A user reading this description would conclude that Super Backup provides backup with no advertising at all. But in fact Super Backup uses the ex-Zango adware engine to present users with popup ads.

These Super Backup practices fall short of legal requirements, including the duty to disclose material effects outside the license agreement. See analysis below.

Deceptive Installation: Fake Snapchat App Installs Blinkx Adware

Soft1d claims to offer a Snapchat download. The bundle actually provides myriad adware but no Snapchat app.Soft1d claims to offer a Snapchat download. The bundle actually provides myriad adware including Blinkx adware, but no Snapchat app.

In February 2014, I used Google to search for a Snapchat app from a Windows PC. Sophisticated users may know that there is no such app — Snapchat is for phones only. But in my testing (preserved in video), my request yielded a Soft1d page ad touting an app purportedly entitled "Snapchat." I clicked Download Now (0:10), ran the resulting installer, and ultimately received no Snapchat app — but I did receive numerous adware including adware funded by Blinkx ads. Specifically, the bundle included Program Starter (1:40), a deceptive Fast Media Converter "Update to Adobe Flash Player" solicitation (1:49), Yahoo Toolbar (3:40), Savings Bull (3:42), Gamevance/Trafficvance Arcade Parlor adware (3:43), "Clean Water Action Reminder" from We-Care (3:48), and SLOW-PCfighter (3:50).

These installations are deceptive for the same reasons detailed in the preceding section.

Chris Boyd of ThreatTrack Labs critiqued this same installation in a posting dated November 19, 2013. Yet the same practices continued three months later in February 2014. To my knowledge, these practices are ongoing.

Blinkx might like to write off these practices as rogue affiliates or subaffiliates. Such a response would be ironic after Blinkx attributed Zango’s downfall to "lax oversight of rogue partners." Most importantly, these installations are the norm and not the exception: When I find a distributor asking users to install Blinkx adware, the distribution has defects like these as often as not.

Blinkx says users who receive its adware are "getting utility for free in exchange for being served ads." Blinkx further claims "the user experience is explicit and clear" and "the installation process is unambiguous." Blinkx even touts a "25 point evaluation check list" for every app it considers as a distributor for its adware. But the installations speak for themselve; whatever Blinkx is doing, it’s not enough. The fact is, Blinkx’s distributors are pushing its adware through deception — claiming to be "Update to Adobe Flash," promising apps like Flappy Bird and Snapchat that they don’t even provide, and failing to disclose key effects in the way the FTC requires.

Relevant FTC Requirements

The FTC Act bans "unfair or deceptive acts or practices in or affecting commerce" (15 USC 45). Cases interpret the prohibition on "deceptive" practices to disallow conduct that is "likely to mislead" (Gill , 71 F.Supp.2d at 1037, citing Southwest Sunsites, Inc. v. FTC, 785 F.2d 1431, 1436 (9th Cir. 1986)). In litigation evaluating a FTC complaint, a court examines a defendant’s representation to determine whether the "net impression" is likely to mislead reasonable consumers. See FTC v., LLC , 453 F.3d 1196, 1200 (9th Cir. 2006). Notably, it is not a sufficient defense for a defendant merely to disclose the truth somewhere. FTC. v is on point: "A solicitation may be likely to mislead by virtue of the net impression it creates even though the solicitation also contains truthful disclosures” (emphasis added). See also Removatron Int’l Corp., 884 F.2d at 1497 (examining the "common-sense net impression" of an allegedly deceptive advertisement).

Caselaw on "unfair" advertising takes an equally dim view of Blinkx’s tactics. The FTC’s Policy Statement on Unfairness disallows behavior that causes or is likely to cause substantial consumer injury that a consumer could not reasonably avoid, and is not outweighed by the benefit to consumers. Blinkx might argue that users can avoid its adware by declining installation solicitations. But the vague, unclear, and otherwise-deceptive installation disclosures make it difficult for a reasonable user to understand what they are asked to accept and to recognize the importance of declining. Meanwhile, in the examples I presented, Blinkx adware fails to offer a single benefit to consumers. Indeed, Blinkx and its partners never provide the promised benefits (e.g. the Flappy Birds game or Snapchat app), so users receive only the detriment of extra advertising and tracking, without the promised benefit. The failure to provide the promised benefit is an exceptionally clear case of lack of countervailing benefit.

Squarely on point, the FTC has long held that adware may only be installed after providing a clear and conspicuous notice of key effects. For example, in 2008 testimony, Eileen Harrington (FTC Deputy Director of the Bureau of Consumer Protection) described the FTC’s view of appropriate practices for adware vendors. Specifically, Harrington stated that "buried disclosures … are not sufficient." She continued: "burying material information in an End User License Agreement will not shield [an adware] purveyor from Section 5 liability."

Despite Director Harrington’s statement of applicable requirements, these examples indicate that Blinkx and its distributors are disclosing key practices at most in license agreements, not in prominent on-screen text. In this crucial respect, Blinkx’s practices are exactly contrary to Harrington’s statement of the FTC’s longstanding generally-applicable requirements for adware.

Critiquing Blinkx’s Response to Deceptive Installations

In its response to my January article, Blinkx argues that "Ad supported … options are valid, recognized and accepted alternatives for packaging and distributing premium content." Blinkx goes on to compare its adware to the Google Chrome web browser, noting that both show ads and that there is nothing inherently wrong with showing ads. ("Chrome is itself ad-supported software distributed by Google.") Blinkx even compares itself to "mainstream publishers, such as and," which also show advertising and sometimes popups. But this misses the concern completely. Google Chrome shows ads in the program window, when it is in use, and at no other times. MSNBC shows ads when a user visits its site, but at no other time. Blinkx adware is quite different: It runs at all times; it tracks users’ browsing and sends users’ activities to Blinkx servers; and it shows frequent popup ads. This could hardly be more different than mainstream web advertising. Moreover, my piece did not criticize ad-supported software in general. Rather, I criticized deficient disclosures that give users no clear statement of what they are (purportedly) accepting. The absence of informative disclosures leads users to "accept" software that, unbeknownst to them, is actually adware they would never have agreed to receive, had they been aware of its true effects.

Blinkx then argues that whatever installation problems occurred, they are not its responsibility. For example, I presented an unauthorized Google Chrome package that (contrary to Google’s Chrome Terms of Service) included Youdownloaders code which installed Desktop Weather Alerts which is Blinkx adware. To this, Blinkx argued that "Youdownloaders is a third party distributor and is neither blinkx nor a blinkx affiliate." But I never claimed Youdownloaders had a direct relationship with Blinkx. The best description of Youdownloaders is a Blinkx subaffiliate: By all indications, Blinkx pays Desktop Weather Alerts to place Blinkx adware on users’ computers, and then Desktop Weather Alerts in turn pays Youdownloaders. But this chain of relationships in no way relieves Blinkx of responsibility for the underlying installation practices. Indeed, in 2006 litigation against Zango (the very company that created the adware here at issue), the FTC noted that Zango acted "through affiliates and sub-affiliates." Reinforcing the importance of this business structure, the FTC repeated that phrase six separate times in five paragraphs. Similarly, the FTC’s 2007 order specifically indicated that its obligations apply both to Zango and to any intermediaries Zango chooses to use: In five separate paragraphs, the order repeats that its obligations apply to Zango directly and also to acts "through any person, corporation, subsidiary, division, affiliate, or other device." Moreover, the FTC further noted that, at best, Zango had failed to adequately supervise its affiliates and their subaffiliates when acting on Zango’s behalf: "Respondents knew or should have known that there was widespread failure by their affiliates and sub-affiliates to provide adequate notice of their adware and obtain consumer consent to its installation." In such circumstances, the FTC found that Zango was liable for the actions of its affiliates and subaffiliates. The same principle applies to Blinkx.

Relatedly, Blinkx argues that even the conduct of Weather Alerts is not Blinkx’s responsibility because "blinkx does not own Weather Notifications." But Blinkx admits two sentences later that it "does maintain a commercial relationship with Weather Notifications, where the Company provides the monetization engine for this application and others like it." Indeed, link Zango, Blinkx has numerous distributors who place its adware onto users’ computers. Zango has historically arranged its partnerships so that its affiliates all used the same name — all installing, at one time, "Zango" adware. Blinkx has now structured its affairs somewhat differently — causing affiliate Weather Notifications to distribute adware with one set of names (including Desktop Weather Alerts) while other affiliates distribute Blinkx adware under other names (such as Fast Media Converter and various others). But the chosen names are irrelevant. Notice Blinkx’s crucial roles: Like Zango, Blinkx provides the adware engine that monitors users’ behavior, targets ads, and displays ads. Furthermore, like Zango, Blinkx sells the ad inventory to advertisers, including receiving advertisers’ requests about which popups to show when users visit which pages and search for which keywords. Consistent with prior litigation and longstanding principles of agency, these efforts make Blinkx responsible for the associated adware. Introducing more product names serves primarily to reduce accountability by making it harder for users to figure out whose adware they are actually running, what company made the adware engine, or who to complain to. But multiple product names do not reduce Blinkx’s responsibility for the underlying practices.

Blinkx and its defenders took issue with a portion of my January article that said certain adware "is part of Blinkx" when the adware is distributed by a third party. But under the FTC’s articulated standards and caselaw, Blinkx is responsible when adware shows ads sold by Blinkx, when Blinkx makes the adware engine that presents the ad, and indeed when the entire advertising delivery system uses Blinkx (ex-Zango) code. In each of the examples I presented previously and above, Blinkx plays these roles. That Blinkx chooses to label its software with the names of third parties such as Weather Alerts and others, rather than under its own name, is of little import to users. Notably, these distinctions are also of no consequence to the FTC, as discussed above.

Blinkx further suggests that Google may even have authorized Youdownloaders to redistribute Chrome and to bundle Chrome with multiple adware programs: "It is quite likely that Youdownloaders may have a commercial relationship with Google" allowing the redistribution I flagged. I emphatically disagree. For one, Google’s Software Principles rules confirm that Google takes a dim view of deceptive bundling: Google requires "upfront disclosure" including "clearly and conspicuously" explaining key functions and advertising, which is missing in the examples above. Google also requires "keeping good company" which requires "not allow[ing] products to be bundled with applications that do not meet these guidelines." But the bundles at issue include numerous deceptive adware programs. Furthermore, I know of no instance where Google has ever allowed Chrome or any other Google software to be bundled with any adware or other software showing popup ads. Blinkx says it is "quite likely" that Google authorized the installation I flagged. I believe it’s far more likely that Youdownloaders acted without authorization and, indeed, contrary to the Terms of Service that bind every copy of Chrome.

Blinkx consultant E.J. Hilbert purports to have evaluated Blinkx’s practices in search of improprieties. But in describing his methodology, Hilbert says "I have spoken with the Blinkx" staff and managers. Interviews are unlikely to uncover the problems I flagged previously and above. Specifically, Blinkx staff and managers have every reason not to know — and not to want to know — how their affiliates and subaffiliates are getting Blinkx adware onto users’ computers. Nor are Blinkx business records likely to reveal the actions of affiliates and, especially, subaffiliates. The better methodology for investigating such installations is to test live installations on the web, as I did in preparing the installation videos previously and above. Hilbert’s statement gives no indication that he did so.

Hilbert then says that Blinkx’s risk is reduced because "A lot of what blinkx does is … revenue sharing" which he says "takes that ability to hide out of the practice." I disagree that revenue sharing offers important benefits for the practices at issue. Even if Blinkx pays its distributors and affiliates through revenue sharing, and even if affiliates pay subaffiliates by revenue sharing, the affiliates and subaffiliates still have every incentive to place Blinkx adware on users’ computers without proper disclosure and consent. Revenue sharing in no way dulls the incentive for deceptive installations.

The Applicability and Importance of Zango’s 2007 FTC Consent Order

Blinkx argues at length that Zango’s 2007 FTC consent order does not bind Blinkx. Broadly, Blinkx contends that it "purchase[d] select ex-Zango assets" and that the FTC settlement obligations did not flow with that purchase. A Blinkx attorney even contacted the FTC to seek the FTC’s view. Based on the facts the attorney provided, the attorney reported that an FTC representative stated that he "believes that the Zango consent order might no longer be active or enforceable [on Blinkx] in light on Zango’s bankruptcy."

I see three reasons why these FTC staff remarks offer Blinkx limited protection. First, as discussed above, the FTC has long held that "buried disclosures" are not sufficient. Zango settlement or not, Blinkx is bound by generally-applicable law, and Blinkx and its partners are using exactly the "buried disclosures" that the FTC has criticized, disallowed, and even brought suit to prevent.

Second, there is good reason to doubt that Blinkx only acquired "select assets" from Zango. In 2009, Zango then-CTO Ken Smith was surprised to see news articles saying that Blinkx acquired "only ten percent" of Zango’s assets, which prompted him to write a piece unambiguously entitled "Blinkx acquired 100% of Zango’s assets." Smith continued: "[T]he banks have nothing left of Zango’s which they can sell. Blinkx owns it all." Indeed, Blinkx clearly received the ex-Zango client-side software (adware), the server-side software (receiving information about users’ browsing and selecting and sending ads), the mechanism used to sell the ads (including receiving advertisers’ requests and offers, and collecting payment), Zango’s contractual relationships with advertisers, and Zango’s installed base (computers with Zango adware, which continued showing ads for years). Blinkx’s admittedly "hired select ex-Zango staff." Blinkx also retained Zango’s headquarters at 136th Place SE Bellevue WA. Apropos of Smith’s message, one might ask: What assets of Zango did Blinkx not acquire? If in fact Blinkx acquired the entire Zango adware business, or substantially all of it, the FTC consent order may well follow the acquisition — as the FTC has repeatedly and successfully argued in other matters.

Third, as Blinkx’s attorney explains in detail, FTC staff specifically refused to offer any official or binding endorsement of Blinkx’s practices — making their informal oral comments non-binding and by all indications not intended for reproduction or redistribution. That’s entirely appropriate, as the FTC is in no position to judge Blinkx’s practices based solely on supposed facts provided by Blinkx; any evaluation would require that the FTC perform its own investigation of Blinkx’s practices and Blinkx’s relationship to Zango. Pending such an evaluation, it’s too soon to say how the FTC would view Blinkx’s activities.

In a further attempt to distance itself from Zango and Zango’s consent order, Blinkx argues that "current practices bear no relation to the ex-Zango practices that led to FTC action in 2006." In this regard, I urge rereading the FTC’s complaint. In relevant part (emphasis added):

10. In numerous instances, Respondents, through affiliates and sub-affiliates acting on behalf and for the benefit of Respondents, bundled Respondents’ adware with purportedly free software programs (hereinafter “lureware”), including without limitation Internet browser upgrades, utilities, screen savers, games, peer-to-peer file sharing, and/or entertainment content. Respondents, through affiliates and sub-affiliates, generally represented the lureware as being free.

11. When installing the lureware, consumers often have been unaware that Respondents’ adware would also be installed because that fact was not adequately disclosed to them. In some instances, no reference to Respondents’ adware was made on the website offering the lureware or in the install windows. In other instances, information regarding Respondents’ adware was available only by clicking on inconspicuous hyperlinks contained in the install windows or in lengthy terms and conditions regarding the lureware. Because the lureware often was bundled with several different programs , the existence and information about the effects of Respondents’ adware could only be ascertained, if at all, by clicking through multiple inconspicuous hyperlinks. …

13. Respondents knew or should have known that there was widespread failure by their affiliates and sub-affiliates to provide adequate notice of their adware and obtain consumer consent to its installation. …

The preceding examples demonstrate substantially the same problems — "lureware" distributed "through affiliates and subaffiliates acting on behalf and for the benefit of" Blinkx, with "information regarding [Blinkx’s] adware available only by clicking on inconspicuous hyperlinks." Though seven years old, the FTC’s complaint remains a fine summary of the installation practices at issue. Even if the 2007 consent order does not bind Blinkx, the same concerns — and the FTC’s generally-applicable principles — make Blinkx’s current practices deficient.

Monitoring and Retransmitting Users’ Otherwise-Secure Activities

Blinkx adware observes users’ browsing on all web sites, including sites that employ HTTPS encryption to protect users’ activities from outside examination and interference. Because Blinkx adware runs on users’ computers, HTTPS over-the-wire encryption offers no protection against Blinkx adware examining users’ behavior.

In addition, Blinkx retransmits portions of users’ behavior in cleartext. For one, as users browse, Blinkx sends messages to its control server — obfuscated but by all indications unencrypted. In the excerpted packet log below, see the transmission highlighted in blue, showing the HTTP POST parameter with name epostdata. (Historically, Zango transmitted user activity in clear text in an otherwise-similar method. Example with the relevant transmission marked in yellow.)

Blinkx then also often sends users’ activity details to advertisers. At this stage, the information is neither encrypted nor obfuscated.

For example, in February 2014, I logged in to Google (activating Google’s encryption of all communications between my computer and, then ran a Google search for "cheap flights." A moment later, Blinkx adware opened a popunder to an advertiser, sending the advertiser the HTTP querystring parameter "FpSub=cheap*flights" (red highlighting below). That transmission exactly revealed the term I had specified in my Google search just seconds earlier, even though my communications with Google were encrypted by HTTPS. See a screen-capture video (confirming the search and encryption) and the unexcerpted packet log (showing the excerpt in context).

POST /showme.aspx?ver= HTTP/1.1…
252f0FDMrd4Dmt7Kx%252furspSkRzIIARn5QIYTWnvB17Z9l300IiZXVztaget rfwQpF2Ye11Ghzl1jB8A1NrKLSuK5azFl12D8Pb

HTTP/1.1 200 OK…
ad_url: <input id=ad_url name=ad_url value=;FpSub=cheap*flights><br> …

GET /?FpAffiliate=Zango&FpSub=cheap*flights HTTP/1.1 …
HTTP/1.1 200 OK …

Google goes to great lengths to keep users’ searches confidential, including devoting additional server capacity and electricity to the required encryption. Blinkx defeats those efforts by interceding at the user’s computer and retransmitting a portion of users’ search terms unencrypted, in plaintext. Blinkx’s interception and retransmission allows users’ activities to be observed by anyone along the way, including by other users of the same wifi hotspot.

The FTC has previously filed suit against companies whose desktop software revealed communications through broadly similar design flaws. In 2010, I reported college savings service Upromise transmitting users’ activity in cleartext, even when sites used HTTPS to attempt to keep that information confidential. In response, the FTC brought a complaint against Upromise. In count 1, the FTC expressed concern that Upromise collected "information consumers provided in secure sessions when interacting with third-party websites." To my knowledge, Blinkx’s data collection is a notch less aggressive than Upromise: Upromise collected credit card numbers, social security numbers, and more, whereas in my testing Blinkx largely collects and retransmits search terms and domain names. But the same principle holds, and the plain language of the FTC’s complaint indicates well-justified concern at client-side software collecting (and insecurely retransmitting) information that users had transmitted with the benefit of encryption.

Incidentally, the green highlighting above shows that when Cheapoair receives traffic from Blinkx, it labels the traffic as coming from "Zango." Consistent with my longstanding experience, this indicates that Cheapoair, an ex-Zango advertiser, was automatically transferred to Blinkx.

Deceptive Popup Ads

Blinkx adware presents a deceptive ad falsely claiming 'You have been personally selected for todays annual anonymous survey.' Blinkx adware presents a deceptive ad falsely claiming "You have been personally selected for todays annual anonymous survey" (s.i.c.).

Blinkx adware presents a deceptive ad falsely claiming a user's browser needs updating. Blinkx adware presents a deceptive ad falsely claiming a user’s browser needs updating.

Once installed, Blinkx adware shows deceptive ads. For example, in testing on March 10, 2014, Desktop Weather Alerts used the Blinkx adware engine to present a Consumerslifestyledaily .com popup claiming "You have been personally selected for todays annual anonymous survey" (s.i.c.). See top screenshot at right. Because Blinkx told Consumerslifestyledaily .com the domain name of the site I had been viewing, the popup mentioned the name of that site — making the popup look more like a genuine part of the site, even though the site had nothing to do with the popup and indeed is a victim of the popup’s ability to divert and distract its users. Moreover, far from conducting a bona fide survey, the questions actually lead only to a page that attempts to sell the user skincare products and electronic cigarettes — claiming "Your price: $0.00" but adding significant shipping charges.

Similarly, in testing on March 9, Blinkx adware delivered a popup claiming "Outdated Browser Detected" (screenshots: 1, 2). The popup used the distinctive Internet Explorer logo and even delivered an installer called Internet_Explorer_Setup.exe. Despite the "Internet Explorer" label, the popup attempted to install an adware bundle, not Internet Explorer. Moreover, the popup falsely claimed "You are currently using Internet Explorer 7 which is now outdated," when in fact I was browsing using Windows 8 which came with Internet Explorer 10.

In critiquing Fast Media Converter’s installation of Blinkx adware above, I noted its deceptive ads: claiming a "New Version Available" and using the Chrome name and logo, claiming "your Video Player has a faster version available" and using the Internet Explorer name and logo, and claiming "Outdated Browser Detected" and repeatedly using the Internet Explorer name and logo.

Only because of Blinkx are these advertisers able to interrupt users’ browsing to display their deceptive offers. Consider: I received these popups while browsing well-known trusted sites that would never accept such deceptive advertising. But Blinkx has no such standards.

Defrauding Affiliate Merchants (this section co-authored with Wesley Brandi)

Blinkx and a rogue affiliate charge for traffic it would otherwise receive for free. Blinkx and a rogue affiliate charge for traffic it would otherwise receive for free.

My January posting flagged Blinkx defrauding affiliate merchants by loading popups that promote the very merchants users are already visiting — thereby claiming commission on users that the merchants had already reached via other methods. I noted that these practices can be difficult for merchants to detect: Standard measurement systems report a high volume of sales, hence seemingly-effective ad campaigns, and the measurement systems fail to alert merchants that this is traffic they would otherwise receive without charge.

To demonstrate the scope of the problem, Wesley and I today post ten more examples showing widespread affiliate fraud.

These incidents weren’t hard to find: Wesley and I built automation that runs many adware programs (not just Blinkx) to protect our advertiser and ad network clients. Our automation found all these examples (and plenty more) in one 12-hour run. Indeed, in the course of a typical month, we regularly alert our clients to a dozen rogue affiliates using Blinkx adware, making Blinkx adware among the most frequent sources of prohibited affiliate traffic draining our clients’ budgets.

# Date Traffic origin Intermediary domains Network Victim merchant Notes Details
1 April 4, 2014 Blinkx adware Statsad, Bdpromocodes Tradedoubler Expedia UK Referer faking screenshot, packet log
2 April 4, 2014 Blinkx adware Trackmyads Zanox   screenshot, packet log
3 April 4, 2014 Blinkx adware Tradedoubler   screenshot, packet log
4 April 4, 2014 Blinkx adware Dblol, Skyseek Zanox   screenshot, packet log
5 April 4, 2014 Blinkx adware Commission Junction Avis   screenshot, packet log
6 April 4, 2014 Blinkx adware Trackmyads, Thequickcoupon Commission Junction Thewalkingcompany Referer faking screenshot, packet log
7 April 4, 2014 Blinkx adware Adssend, Eh86, Moreniche Commission Junction VItamin Shoppe   screenshot, packet log
8 April 4, 2014 Blinkx adware LinkConnector RingCentral   screenshot, packet log
9 April 4, 2014 Blinkx adware Fluxhub Digital River Nuance   screenshot, packet log
10 April 4, 2014 Blinkx adware Sale-reviews LinkShare BH Cosmetics Decoy popup and invisible (1×1) IFRAME screenshot, packet log

In response to my evidence of Blinkx and an affiliate improperly claiming commission on traffic Walmart would otherwise receive for free, Blinkx responded that it "specifically prohibits the kind of activity" I presented. But a contract provision is only the beginning. Whatever prohibition may be written in Blinkx’s contracts, we see no sign of Blinkx taking steps to enforce that rule. It would be easy for Blinkx to check whether a Blinkx advertiser is in fact an affiliate and, if so, what network the affiliate is using and what merchant the affiliate is promoting — it could simply load the advertiser’s ad and check for any affiliate link(s). If the affiliate is using a network that has banned adware popups, or promoting a network that has banned adware popups, Blinkx could immediately eject that advertiser. Blinkx could also ban any advertiser that is promoting the same merchant the user is already viewing. Blinkx says it is "always possib[le for an affiliate to] circumvent[] any technical measures that may be put in place" — but there’s no sign that Blinkx has actually established these or other suitable measures. My first article about Zango (then "180solutions") in 2004 focused on exactly these affiliate frauds, and these practices have continued apace ever since.

Breaking Google’s Rules by Displaying Ads in Popups

Google rules specifically disallow placing Google ads into adware and pop-ups. For example, Google’s AdSense rules specifically disallow "[a]ds in a software application" and "[p]lacing ads in pop-up windows." I understand that Google’s rules for other search syndicators are broadly similar, although those agreements are not ordinarily available to the public.

Contrary to Google’s rules, Blinkx and its advertisers often load Google advertisements in popup ads. These popups cover other companies’ sites and interrupt users’ browsing. The effects on advertisers are particularly negative: Advertisers pay full price for a Google click that is supposed to be top-quality, but they receive the inferior quality and brand tarnishment of placement in a pop-up ad.

Blinkx presents Google ads in an adware popup. Blinkx presents Google ads in an adware popup.

PPC advertisers (e.g.
money viewers
money viewers
money viewers
money viewers

The money trail – how funds flow from advertisers to Google to Blinkx adware.

For example, in testing last month, other adware (installed in a bundle along with Blinkx) opened a popup that presented a supposed survey from (This page was deceptive for other reasons that I won’t explore here.) Blinkx noticed that traffic and opened a popup to with a supposed user search term ("q=") parameter referencing "websurvey." Eboom then presented a page of Google ads, with four oversized Google ads and no other content visible in the window. I clicked the first ad and was taken through a Google pay-per-click link to the advertiser, By all indications, Snapsurveys paid a pay-per-click advertising fee for my visit. Screen-capture video and packet log.

One might ask why Google would allow a partner like Eboom, which buys traffic from adware like Blinkx. But Google does not work with Eboom directly. Rather, the packet log reveals Eboom using Blucora/InfoSpace (an aggregator of subsyndicators) to access Google’s advertising network. I’ve repeatedly flagged tainted InfoSpace traffic, including deceptive toolbars and multiple adware applications. In 2010, I summarized and consolidated my prior findings about InfoSpace, concluding that "InfoSpace hardly appears a sensible partner for Google and the advertisers who entrust Google to manage their spending." I stand by that conclusion. Indeed, I’ve recently collected ample additional evidence, including proof of InfoSpace sending Google various traffic from other adware beyond Blinkx and through numerous brokers beyond Eboom. (I’ll post other examples when time permits.)

The complexity of the relationship — traffic flowing from Blinkx to Eboom to InfoSpace to Google to advertisers — reveals why advertisers and even Google struggle to put an end to these practices. Yet the complexity is of Google’s own creation, resulting from Google’s decision to let InfoSpace subsyndicate Google’s ads to other partners Google fails to rigorously supervise. Importantly, Google engineers could detect such placements through suitable automation. By 2005, I had already built a crawler to inventory Zango (then 180solutions) advertisements and to determine the ad networks funding Zango. With a similar crawler today, Google could readily identify sites that impermissibly buy traffic from Blinkx — then eject all such sites from the Google syndication network.

Next Steps

I previously suggested that Blinkx disclose its revenue from adware, as distinguished from its other lines of business. My rationale: Of the adware vendors known (from their statements and investor statements) to have received venture capital funding, many or most have ceased operations, and in several instances publicly-available documents indicate that investors received little or no return of capital (not to mention profit). Meanwhile, industry experts widely report that Blinkx is importantly reliant on adware: For example, in a blog comment in March 2014, Zango ex-CTO Ken Smith remarked that "It was my understanding that for a while, the majority of their money was being made off the Zango technology and audience." (Smith also noted that only "recently" did Blinkx disable the last of the Zango adware clients — entirely consistent with the test installations in my lab.)

In a particularly spirited section of its reply, Blinkx declined to provide the revenue apportionment I suggested. Rather, Blinkx said it "places equal importance on all of its product lines and acquisitions." I credit Blinkx’s argument that it "is under no obligation to expend resources and energy to detail information beyond its regulatory requirements." Yet my suggestion has an undeniable appeal. If adware is in fact small, then Blinkx could address investors’ concerns by showing the size of this business. Conversely, failure to provide such proof reinforces my suspicion — and Ken’s! — that adware is and has been a significant revenue source for Blinkx. Meanwhile, Blinkx’s approach also strengthens the inference that adware is significant: If adware were not important to Blinkx, shrewd managers would have elected to discard this controversial business years ago.

Meanwhile, I’ve gotten back in touch with other computer security researchers who have found other deceptive installations of Blinkx adware. We used to write articles about adware weekly, but we’ve subsequently largely moved on to other things, and it takes a while to resuscitate the prior spirit of testing and exposition. Nonetheless, I expect more reports from others in due course.

Looking at Blinkx’s practices as a while, it is striking to see Blinkx paying distributors to put its adware on users’ computers without the hard-fought protections the FTC previously demanded of Zango. Seven years ago, Zango promised to cease these practices, and it paid a multi-million dollar fine to disgorge a portion of its ill-gotten gains. Facing equally brazen conduct continuing after that consent order, the FTC should demand even more far-reaching remedies here.

My testing of Blinkx ex-Zango adware began in 2004 with unpaid writing on my web site, and has grown to include paid and unpaid work for advertisers, ad networks, publishers, investors, and regulators. However, none of these requested or funded this article or any portion of the research presented in this article.

The Darker Side of Blinkx

Video and advertising conglomerate Blinkx tells investors its "strong performance" results from "strategic initiatives" and "expanding demand, content, and audiences." Indeed, Blinkx recently climbed past a $1.2 billion valuation. At first glance, it sounds like a great business. But looking more carefully, I see reason for grave doubts.

My concerns result in large part from the longstanding practices of two of Blinkx’s key acquisitions, Zango and AdOn. But concerns extend even to Blinkx’s namesake video site. In the following sections, I address each in turn. Specifically, I show ex-Zango adware still sneaking onto users’ computers and still defrauding advertisers. I show the ex-AdOn traffic broker still sending invisible, popup, and other tainted traffic. I show Blinkx’ namesake site,, leading users through a maze of low-content pages, while charging advertisers for video ads systematically not visible to users.

The Legacy Zango (Adware) Business

In April 2009, Blinkx acquired a portion of Zango, a notorious adware vendor known for products that at various times included 180 Search Assistant, ePipo, Hotbar, Media Gateway, MossySky, n-Case, Pinball, Seekmo, SpamBlockerUtility, and more. Zango was best known for its deceptive and even nonconsensual installations — in write-ups from 2004 to 2008, I showed Zango installing through security exploits (even after design updates purportedly preventing such installations by supposed rogue partners), targeting kids and using misleading statements, euphemisms, and material omissions, installing via deceptive ActiveX popups, These and other practices attracted FTC attention, and in a November 2006 settlement, Zango promised to cease deceptive installations as well as provide corrective disclosures and pay a $3 million penalty.

Few users would affirmatively request adware that shows extra pop-ups, so Blinkx and its distributors use deceptive tactics to sneak adware onto users’ computers. In a representative example, I ran a Google search for "Chrome" (Google’s well-known web browser), clicked an ad, and ended up at — a site that bundles Chrome with third-party advertising software. (The Youdownloaders footer states "The installers are compliant with the original software manufacturer’s policies and terms & conditions" though it seems this claim is untrue: Chrome Terms of Service section 5.3 disallows copying and redistributing Chrome; 8.6 disallows use of Google’s trademarks in a way that is likely to cause confusion; 9.3 disallows transfer of rights in Chrome.) In my testing, the Youdownloaders installer presented offers for five different adware programs and other third-party applications, among them Weather Alerts from Installation video.

I consider the Youdownloaders installation deceptive for at least four reasons: 1) A user’s request for free Chrome software is not a proper circumstance to tout adware. The user gets absolutely nothing in exchange for supposed "agreement" to receive the adware; Chrome is easily and widely available for free, without adware. It is particularly one-sided to install five separate adware apps — taking advantage of users who do not understand what they are asked to accept (including kids, non-native speakers, and those in a hurry). 2) On the Weather Alerts page of the installation, on-screen statements mention nothing of pop-up ads or, indeed, any advertising at all. In contrast, the FTC’s settlement with Zango requires that disclosure of advertising practices be "clear and prominent," "unavoidable," and separate from any license agreement — requirements not satisfied here. 3) The Youdownloaders user interface leads users to think that the bundled installations are compulsory. For example, the "decline" button (which lets a user reject each adware app) appears without the distinctive shape, outline, color, or font of an ordinary Windows button. 4) Users are asked to accept an objectively unreasonable volume of agreements and contracts, which in my testing include at least 14 different documents totaling 37,564 words (8.5 times the length of the US Constitution).

Tellingly, Blinkx takes considerable steps to distance itself from these deceptive practices. For example, nothing on Blinkx’s site indicates that Weather Alerts is a Blinkx app or shows Blinkx ads. The site offers no name or address, even on its Contact Us form. Weather Alerts comes from a company called Local Weather LLC, an alter ego of Weather Notifications LLC, both of Minneapolis MN, with no stated affiliation with Blinkx. Weather Notifications’ listed address is a one-bedroom one-bathroom apartment — hardly a standard corporate office. Nonetheless, multiple factors indicate to me that Desktop Weather Alerts is delivers a version of Zango adware. For one, Desktop Weather Alerts popups use the distinctive format long associated with Zango, including the distinctive browser buttons at top-left, as well as distinctive format of the advertisement label at bottom-left. Similarly, many sections of the license agreement and privacy policy are copied verbatim from longstanding Zango terms. Within the Weather Alerts EXE, strings reference 180search Assistant (a prior Zango product name) as well as 180client and various control systems long associated with Zango’s ad-targeting system. Similarly, when Weather Alerts delivers ads, its ad-delivery communications use a distinctive proprietary HTTP syntax both for request (to showme.aspx, with a HTTP POST parameter of epostdata= providing encoded ad context) and response (a series of HTML FORM elements, most importantly an INPUT NAME=ad_url to indicate the popup to open). I have seen this syntax (and its predecessors) in Zango apps for roughly a decade, but I have never seen this syntax used by any advertising delivered by other adware vendors or other companies. Moreover, when a Blinkx contractor previously contacted a security vendor to request whitelist treatment of its adware, the Blinkx representative said "The client is Blinkx … Your engine … was flagging their installer package SWA as SevereWeatherAlerts…" (emphasis added). Notice the Blinkx representative indicating that SWA (another Local Weather program, virtually identical save for domain name and product name) is "their" app, necessarily referring to Blinkx. Finally, in a February 2014 presentation, Blinkx CEO Brian Mukherjee included the distinctive Local Weather icon (present throughout the LW app and in LW’s installation solicitations) as part of the "Blinkx Ecosystem" — further confirming the link between LW and Blinkx. Taken together, these factors give good reason to conclude that Local Weather is applications are powered by Blinkx and part of the Blinkx network. Furthermore, in my testing Blinkx is the sole source of advertising for Weather Alerts — meaning that Blinkx’s payments are Weather Alerts’ primary source of revenue and primary reason for existence. (Additions made February 13, 2014, shown in grey highlighting.)

Blinkx/Zango software continues to defraud affiliate merchants. Blinkx/Zango software continues to defraud affiliate merchants.

Meanwhile, Zango-delivered advertising remains a major cause of concern. Zango’s core advertising product remains the browser popup — a disruptive form of advertising unpopular with most users and also unpopular with most mainstream advertisers. Notably, Zango’s popups perpetrate various advertising fraud, most notably ‘lead stealing" affiliate windows that cover merchant sites with their own affiliate links. If the user purchases through either window, the Zango advertiser gets paid a commission — despite doing nothing to genuinely cause or encourage the user’s purchase. (Indeed, the popup interrupts the user and thereby somewhat discourages a purchase.) At right, I show a current example: In testing of January 19, 2014, Blinkx/Zango sees a user browsing Walmart, then opens a popup to Blinkx/LeadImpact (server lipixeltrack) which redirects to LinkShare affiliate ORsWWZomRM8 and on to Walmart. Packet log proof. Thus, Walmart ends up having to pay an affiliate commission on traffic it already had — a breach of Walmart’s affiliate rules and broadly the same as the practice for which two eBay affiliates last year pled guilty. I’ve reported Zango software used for this same scheme since June 2004. As shown at right and in other recent examples, Zango remains distinctively useful to rogue affiliates perpetrating these schemes. These rogue affiliates pay Blinkx to show the popups that set the scheme in motion — and I see no sign that Blinkx has done anything to block this practice.

Rather than put a stop to these practices, Blinkx largely attempts to distance itself from Zango’s legacy business. For one, Blinkx is less than forthright as to what exactly it purchased. In Blinkx’s 2010 financial report, the first formal investor statement to discuss the acquisition, Blinkx never uses the word "Zango" or otherwise indicates the specific company or assets that Blinkx acquired. Rather, Blinkx describes the purchase as "certain net assets from a consortium of financial institutions to facilitate the growth of the video search and advertising businesses." If a reader didn’t already know what Blinkx had bought, this vague statement would do nothing to assist.

Even when Blinkx discusses the Zango acquisition, it is less than forthcoming. UK news publication The Register quotes an unnamed Blinkx spokeswoman saying that Blinkx "purchased some technical assets from the bank [that foreclosed on Zango] including some IP and hardware, which constituted about 10 per cent of Zango’s total assets." Here too, readers are left to wonder what assets are actually at issue. A natural interpretation of the quote is that Blinkx purchased trademarks, domain names, or patents plus general-purpose servers — all consistent with shutting the controversial Zango business. But in fact my testing reveals the opposite: Blinkx continues to run key aspects of Zango’s business: legacy Zango installations continue to function as usual and continue to show ads, and Blinkx continues to solicit new installations via the same methods, programs, and partners that Zango previously used. Furthermore, key Zango staff joined Blinkx, facilitating the continuation of the Zango business. Consider Val Sanford, previously a Vice President at Zango; her LinkedIn profile confirms that she stayed with Blinkx for three years after the acquisition. I struggle to reconcile these observations with the claim that Blinkx only purchased 10% of Zango or that the purchase was limited to "IP and hardware." Furthermore, ex-Zango CTO Ken Smith contemporaneously disputed the 10% claim, insisting that "Blinkx acquired fully 100% of Zango’s assets."

Blinkx has been equally circumspect as to the size of the ex-Zango business. In Blinkx’ 2010 financial report, Blinkx nowhere tells investors the revenue or profit resulting from Zango’s business. Rather, Blinkx insists "It is not practical to determine the financial effect of the purchased net assets…. The Group’s core products and those purchased have been integrated and the operations merged such that it is not practical to determine the portion of the result that specifically relates to these assets.” I find this statement puzzling. The ex-Zango business is logically freestanding — for example, separate relationships with the partners who install the adware on users’ computers. I see no proper reason why the results of the ex-Zango business could not be reported separately. Investors might reasonably want to know how much of Blinkx’s business comes from the controversial ex-Zango activities.

Indeed, Blinkx’s investor statements make no mention whatsoever of Zango, adware, pop-ups, or browser plug-ins of any kind in any annual reports, presentations, or other public disclosures. (I downloaded all such documents from Blinkx’ Financial Results page and ran full-text search, finding no matches.) As best I can tell, Blinkx also failed to mention these endeavors in conference calls or other official public communications. In a December 2013 conference call, Jefferies analyst David Reynolds asked Blinkx about its top sources of traffic/supply, and management refused to answer — in sharp contrast to other firms that disclose their largest and most significant relationships.

In March-April 2012, many ex-Zango staff left Blinkx en masse. Many ended up at Verti Technology Group, a company specializing in adware distribution. Myriad factors indicate that Blinkx controls Verti: 1) According to LinkedIn, Verti has eight current employees of which five are former employees of Zango, Pinball, and/or Blinkx. Other recent Verti employees include Val Sanford, who moved from Zango to Blinkx to Verti. 2) Blinkx’s Twitter account: Blinkx follows just nineteen users including Blinkx’s founder, various of its acquisitions (including Prime Visibility / AdOn and Rhythm New Media), and several of their staff. Blinkx follows Verti’s primary account as well as the personal account of a Verti manager. 3) Washington Secretaty of State filings indicate that Verti’s president is Colm Doyle (then Directory of Technology at Blinkx, though he subsequently returned to HP Autonomy) and secretary, treasurer, and chairman is Erin Laye (Director of Project Management at Blinkx). Doyle and Laye’s links to Blinkx were suppressed somewhat in that both, at formation, specified their home addresses instead of their Blinkx office. 4) Whois links several Verti domains to Blinkx nameservers. (Details on file.) Taken together, these facts suggest that Blinkx attempted to move a controversial business line to a subsidiary which the public is less likely to recognize as part of Blinkx.

The Legacy AdOn Business

In November 2011, Blinkx acquired Prime Visibility Media Group, best known for the business previously known as AdOn Network and MyGeek. I have critiqued AdOn’s traffic repeatedly: AdOn first caught my eye when it boasted of relationships with 180solutions/Zango and Direct Revenue. New York Attorney General litigation documents later revealed that AdOn distributed more than 130,000 copies of notorious Direct Revenue spyware. I later repeatedly reported AdOn facilitating affiliate fraud, inflating sites’ traffic stats, showing unrequested sexually-explicit images, and intermediating traffic that led to Google click fraud.

Similar problems continue. For example, in a February 2013 report for a client, I found a botnet sending click fraud traffic through AdOn’s server en route to advertisers. In an August 2013 report for a different client, I found invisible IFRAMEs sending traffic to AdOn’s and servers, again en route to advertisers. Note also the deceptive use of Microsoft’s Bing trademark — falsely suggesting that this tainted traffic is in some way authorized by or affiliated with Bing, when in fact the traffic comes from AdOn’s partners. Moreover, the traffic was entirely random and untargeted — keywords suggested literally at random, entirely unrelated to any aspect of user interests. In other instances, I found AdOn receiving traffic directly from Zango adware. All told, I reported 20+ distinct sequences of tainted AdOn traffic to clients during 2013. AdOn’s low-quality traffic is ongoing: Advertisers buying from AdOn receive invisible traffic, adware/malware-originating traffic, and other tainted traffic that sophisticated advertisers do not want.

An AdOn staff member touts multiple incriminating characteristics of AdOn traffic. An AdOn staff member touts multiple incriminating characteristics of AdOn traffic.

Industry sources confirm my concern. For example, a June 2013 Ad Week article quotes one publisher calling AdOn "just about the worst" at providing low-quality traffic, while another flags "crazy traffic patterns." In subsequent finger-pointing as to tainted traffic to OneScreen sites, OneScreen blamed a partner, Touchstorm, for working with AdOn — wasting no words to explain why buying from AdOn is undesirable. Even intentional AdOn customers report disappointing quality: In comments on a posting by Gauher Chaudhry, AdOn advertisers call AdOn "the reason I stopped doing any PPV [pay-per-view] … this is bot traffic", "junk", and "really smell[s] like fake traffic." Of 31 comments in this thread, not one praised AdOn traffic quality.

Recent statements from AdOn employees confirm undesirable characteristics of AdOn traffic. Matthew Papke’s LinkedIn page lists him as Director of Contextual Ads at AdOn. But his page previously described AdOn’s offering as "pop traffic" — admitting undesirable non-user-requested pop-up inventory. His page called the traffic "install based" — indicating that the traffic comes not from genuine web pages, but from adware installed on users’ computers. See screenshot at right. All of these statements have been removed from the current version of Matthew’s page.

Problems at Low-Quality Traffic, Low-Quality Content, and Invisible Ads

Alexa reports a sharp jump in Blinkx traffic in late 2013. Alexa reports a sharp jump in Blinkx traffic in late 2013.

Alexa reports a sharp jump in Blinkx traffic in late 2013. Zango adware caused my computer to display this page from the Blinkx site, full-screen and without standard window controls.

Blinkx’s namesake service is the video site Historically, this site has been a bit of an also-ran — it’s certainly no YouTube! But Alexa reports a striking jump in Blinkx popularity as of late 2013: Blinkx’s traffic jumped from rank of roughly 15,000 worldwide to, at peak, rank of approximately 3,000. What could explain such a sudden jump?

In my automated and manual testing of Zango adware, I’ve recently begun to see Zango forcing users to visit the Blinkx site. The screenshot at right gives an example. My test computer displayed Blinkx full-screen, without title bar, address bar, or standard window buttons to close or minimize. See also a partial packet log, wherein the Blinkx site attributes this traffic to Mossysky ("domain=mossysky"), one of the Zango brand names. It’s a strikingly intrusive display — no wonder users are complaining, about their computers being unusable due to Blinkx’s unwanted intrusion. See e.g. a December 2013 Mozilla forum post reporting "my computer has been taken over by malware, half the links are inaccessible because of hovering links to Blinkx," and a critique and screenshot showing an example of these hovering links. On a Microsoft support forum, one user reports Internet Explorer automatically "opening … numerous BLINKX websites" — as many as "20 websites open at one time, all Blinkx related."

Moreover, Alexa’s analysis of Blinkx visitor origins confirms the anomalies in this traffic. Of the top ten sites sending traffic to Blinkx, according to Alexa, six are Blinkx servers, largely used to forward and redirect traffic (,,,,, and See Alexa’s Site Info for at heading "Where do’s visitors come from?"

Strikingly, Zango began sending traffic to Blinkx during the winter 2013 holiday season — a time of year when ad prices are unusually high. Zango’s popups of Blinkx seem to have ended as suddenly as they began — consistent with Blinkx wanting extra traffic and ad revenue when ad prices are high, but concluding that continuing this practice at length risks excessive scrutiny from both consumers and advertisers.

Meanwhile, examining, I’m struck by the lack of useful content. I used the Google search to find the parts of the Blinkx site that, according to Google, are most popular. I was directed to, where the page title says users can "Watch full episodes of TV shows online." I clicked "60 Minutes" and received a page correctly profiling the excellence of that show ("the granddaddy of news magazines"). But when I clicked to watch one of the listed episodes, I found nothing of the kind: Requesting "The Death and Life of Asheboro, Stealing History, The Face of the Franchise," I was told to "click here to watch on" — but the link actually took me to a 1:33 minute home video of a dog lying on the floor, "Husky Says No to Kennel", syndicated from YouTube, entirely unrelated to the top-quality 60 Minutes content I had requested. (Screen-capture video.) It was a poor experience — not the kind of content likely to cause users to favor Blinkx’s service. I tried several other shows supposedly available — The Colbert Report, The Daily Show with Jon Stewart, Family Guy, and more — and never received any of the listed content.

In parallel, the Blinkx site simultaneously perpetrated a remarkable scheme against advertisers: On the video index page for each TV show, video advertising was triggered to play as I exited each page by clicking to view the supposed video content. Because the supposed content opened in a new tab, the prior tab remained active and could still host a video player with advertising. Of course the prior tab was necessarily out of visibility: Blinkx’s code had just commanded the opening of a new tab showing the new destination. But the video still played, and video advertisers were still billed. Screen-capture video.

Industry sources confirm concerns about Blinkx ad visibility. For example, a December 15, 2013 Ad Week piece reported Vindico analysis finding just 23% of Blinkx videos viewable (defined as just 50% of pixels visible for just one second). By Vindico’s analysis, an advertiser buying video ads from Blinkx suffers three ads entirely invisible for every ad visible even by that low standard — a remarkably poor rate of visibility. In contrast, mainstream video sites like CBS and MSN enjoyed viewability rates two to four times higher.

Putting the Pieces Together

  Q3 ’13 Headcount ’13 Revenue ($mm) revenue / headcount ($k)
Tremor 287 $148 $517
YuMe 357* $157 $440
RocketFuel 552 $240 $434
Criteo 452 $240 $532
Blinkx 265** $246*** $927

* Q3 ’13 headcount not available. 357 is 2012 year-end. S&M spend up ~50% in 2013. Adjusted revenue/headcount is $293k
** Q3 ’13 headcount not available. 265 is 2012 year-end. S&M spend up ~15% in 2013. Adjusted revenue/headcount is $803k.
*** 2013 revenue estimate based on Bloomberg consensus estimates

Comparing Blinkx’s revenues to competitors, I am struck by Blinkx’s apparent outsized success. See the table at right, finding Blinkx producing roughly twice as much revenue per employee as online video/display ad networks and advertising technology companies which have recently made public offerings. Looking at Blinkx’s sites and services, one doesn’t get the sense that Blinkx’s service is twice as good, or its employees twice as productive, as the other companies listed. So why does Blinkx earn twice as much revenue per employee? One natural hypothesis is that Blinkx is in a significantly different business. While other services make significant payments to publishers for use of their video content, my browsing of revealed no distinctive content obviously licensed from high-quality high-cost publishers. I would not be surprised to see outsized short-term profits in adware, forced-visit traffic, and other black-hat practices of the sort used by some of the companies Blinkx has acquired. But neither are these practices likely to be sustainable in the long run.

Reviewing Blinkx’s statements to investors, I was struck by the opacity. How exactly does Blinkx make money? How much comes from the legacy Zango and AdOn businesses that consumers and advertisers pointedly disfavor? Why are so many of Blinkx’s metrics out of line with competitors? The investor statements raise many questions but offer few answers. I submit that Blinkx is carefully withholding this information because the company has much to hide. If I traded in the companies I write about (I don’t!), I’d be short Blinkx.

This article draws in part on research I prepared for a client that sought to know more about Blinkx’s historic and current practices. At my request, the client agreed to let me include portions of that research in this publicly-available posting. My work for that client yielded a portion of the research presented in this article, though I also conducted significant additional research and drew on prior work dating back to 2004. My agreement with the client did not oblige me to circulate my findings as an article or in any other way; to my knowledge, the client’s primary interest was in learning more about Blinkx ‘s business, not in assuring that I tell others. By agreement with the client, I am not permitted to reveal its name, but I can indicate that the client is two US investment firms and that I performed the research during December 2013 to January 2014. The client tells me that it did not change its position on Blinkx after reading my article. (Disclosure updated and expanded on February 4-5, 2014.)

I thank Eric Howes, Principal Lab Researcher at ThreatTrack Security, and Matthew Mesa, Threat Researcher at ThreatTrack Security, for insight on current Blinkx installations.

Services for Advertisers – Avoiding Waste and Improving Accountability

In the course of my research on spyware/adware, typosquatting, popups, and other controversial online practices, I have developed the ability to identify practices that overcharge online advertisers. I report my observations to select advertisers and top networks in order to assist them in improving the cost-effectiveness of their advertising including by flagging improper ad placements, rejecting unjustified charges, and avoiding untrustworthy partners. This page summarizes the kinds of practices I uncover and presents representative examples drawn from my publications:

Services for Advertisers – Avoiding Waste and Improving Accountability

Measuring and Managing Online Affiliate Fraud with Wesley Brandi

Affiliate programs vary dramatically in their incidence of fraud. In some merchants’ affiliate programs, rogue affiliates fill the ranks of high-earners. Yet other similarly-sized merchants have little or no fraud. Why the difference?

In Information and Incentives in Online Affiliate Marketing, Wesley Brandi and I examine the impact of varying merchant management decisions. Some merchants hire specialist outside advisors (“outsourced program managers” or OPM’s) to set and enforce program rules. Others ask affiliate network staff to make these decisions. Still others handle these tasks internally.

A merchant’s choice of management structure has significant implications for both the information available to decision-makers and the incentives that motivate those decision-makers. Outside advisors tend to have better information: An OPM sees problems and trends across its many clients. A network is even better positioned — enjoying direct access to log files, custom reports, and problems reported by all merchants in the network. That said, outside advisors usually suffer clear incentive problems. Most notably, networks are usually paid in proportion to a merchant’s affiliate channel spending, so networks have a significant incentive to encourage merchants to accept even undesirable affiliates. In contrast, incentives for merchants’ staff are typically more closely aligned with the merchant’s objectives. For example, many in-house affiliate managers have stock, options, or bonus that depend on company profitability. And working in a company builds intrinsic motivation and loyalty. In short, there are some reasons to think outsourced specialists will yield superior results, but other reasons to favor in-house staff.

To separate these effects, we used crawlers to examine affiliate fraud at what we believe to be unprecedented scope. Our crawlers ran more than 2 million page-loads on a variety of computers and virtual computers, examining the relative susceptibility of all CJ, LinkShare, and Google Affiliate Network merchants (as of spring 2012) to adware, cookie-stuffing, typosquatting, and loyalty apps.

We found outside advisors best able to find “clear fraud” plainly prohibited by network rules, specifically adware and cookie-stuffing. But in-house staff did better at avoiding “grey area” practices such as typosquatting — schemes less plainly prohibited by network rules, yet still contrary to merchants’ interests. On balance, there are good reasons to favor each management approach. Our advice: A merchant choosing outsourced management should be sure to insist on borderline decisions always taken with the merchant’s interests at heart. A merchant managing its programs in-house should be careful to avoid known cheaters that a savvy specialist would more often exclude.

Our results clearly reveal that networks take actions that are less than optimal for merchants. It’s tempting to attribute this shortfall to malicious intent by networks, but the same outcome could result from networks simply putting their own interests first. Consider a network that receives undisputed proof that a given affiliate is cheating a given merchant. Should the network eject that affiliate from the entire network (and all affiliated merchants), or only from that single merchant’s program? The former helps dozens or hundreds of merchants, but with corresponding reduction to network revenues. No wonder many networks chose the latter. Similarly, when networks decide how much to invest in network quality — engineers, analysts, crawlers, and the like — their incentive to improve quality is tempered by both direct cost and foregone revenue.

Incidental to our analysis of management structure, we gathered significant data about the scope of affiliate fraud more generally. Some differences are stark: For example, Table 4 reports Google Affiliate Network merchants suffering, on average, less than half as much adware and cookie-stuffing as LinkShare merchants. I’ve been critical of Google on numerous issues. But when it comes to affiliate quality, GAN was impressive, and GAN’s high standards show clearly in our large-sample data. Note that our analysis precedes Google’s April 2013 announcement of GAN’s shutdown.

Our full analysis is under review by an academic journal.

(update: published as Edelman, Benjamin, and Wesley Brandi. “Risk, Information, and Incentives in Online Affiliate Marketing.” Journal of Marketing Research (JMR) 52, no. 1 (February 2015): 1-12. (Lead Article.)

The Ad Networks and Advertisers that Fund Ad Injectors with Wesley Brandi

Webcake adware inserts an AT&T ad into the YouTube site without permission from Google.Webcake adware inserts an AT&T ad into the YouTube site without permission from Google.

Ad injectors insert ads into others’ sites, without permission from those sites and without payment to those sites. In this article, we review the basic operation of ad injectors, then examine the ad networks, exchanges, and other intermediaries that broker the placement of advertising through injectors.

We also report which advertisers most often advertise through injectors. Whether through complexity, inattention, or indifference, these advertisers’ expenditures are ultimately the sole revenue source for injectors.

The Ad Networks and Advertisers that Fund Ad Injectors

IAC Toolbars and Traffic Arbitrage in 2013

Beginning in 2005, I flagged serious problems with IAC/ toolbars — including installations through security exploits and through bundles that nowhere sought user consent, installations targeting kids, rearranging users’ browsers to invite unintended searches, and showing a veritable onslaught of ads. IAC’s practices have changed in various respects, but the core remains as I previously described it: IAC’s search advertising business exists not to solve a genuine user need or provide users with genuine assistance, but to prey on users who — through inattention, inexperience, youth, or naivete — stumble into IAC’s properties.

Crucially, IAC remains substantially dependent on Google for monetization of IAC’s search services. A rigorous application of Google’s existing rules would put a stop to many of IAC’s practices, and sensible updated rules — following the stated objective of Google’s existing policies — would end much of the rest.

In this piece I examine current IAC toolbar installation practices (including targeting kids and soliciting installations when users are attempting to install security updates), the effects of IAC toolbars once installed (including excessive advertising and incomplete uninstall), and IAC’s search arbitrage business. I conclude by flagging advertisements with impermissibly large clickable areas (for both toolbars and search arbitrage), and I call on Google to put an end to Ask’s practices.

IAC Toolbar Installation

IAC’s search toolbar business is grounded in placing IAC toolbars on as many computers as possible. To that end, IAC offers 50+ different toolbars with a variety of branding — Webfetti ("free Facebook graphics"), Guffins ("virtual pet games"), religious toolbars of multiple forms (Know the Bible, Daily Bible Guide, Daily Jewish Guide), screensavers, games, and more. One might reasonably ask: Why would a user want such a toolbar?

IAC ad promises 'free online television' but actually merely links to material already on the web; promises an 'app' but actually provides a search toolbar. IAC ad promises "free online television" but actually merely links to material already on the web; promises an "app" but actually provides a search toolbar.

IAC ad solicits installations via 'virtual pet' ad distinctively catering to kids.IAC ad solicits installations via "virtual pet" ad distinctively catering to kids.

Other IAC Guffins ads specifically invite 'kids' to install. (Screenshot by iSpionage) Other IAC Guffins ads specifically invite "kids" to install. (Screenshot by iSpionage)

IAC Guffins offer features multiple animated cartoon images, distinctively catering to kids.

The Television Fanatic toolbar is instructive. IAC promotes this toolbar with search ads that promise "free online television" and "turn your computer into a TV watch full TV episode w free app." It sounds like an attractive deal — many users would relish the ability to watch free live broadcast television on an ordinary computer, and it would not be surprising if such a service required downloading some sort of desktop application or browser plug-in. But in fact Television Fanatic offers nothing of the sort. To the extent that Television Fanatic offers the "free online television" promised in the ad, it only links to ordinary video content already provided by others. (For example, I clicked the toolbar’s "ABC" link and was taken to — an ordinary ABC link equally available to users without Television Fanatic. That’s a far cry from IAC’s promise of special access to premium material.

Meanwhile, IAC’s Guffins toolbar distinctively targets kids. IAC promotes Guffins via search ads for terms like "virtual pet", and the resulting ad says Guffins offers "puppy, cats, bunny, dragons & more" which a user can "feed, play, [and] care for." The landing page features four animated animals with oversized faces and overstated features, distinctively attractive to children. Under COPPA factors or any intuitive analysis, IAC clearly targets kids. Indeed, ad tracking service iSpionage reports Guffins ads touting "Free Kids Games Download", "Free Kids Computer Games", "Play Kids Games Online", and more — explicitly inviting children to install Guffins. Of course kids are ill-equipped to evaluate IAC’s offer — less likely to notice IAC’s disclosures of an included toolbar, less likely to understand what a search toolbar even is, and less able to evaluate the wisdom of installing such a toolbar in exchange for games.

While IAC’s ads often promise an "app" (including as shown in the ad screenshots at right), IAC actually offers just toolbars — add-ins appearing within web browsers, not the freestanding applications that the ads suggest. That’s all the more deceptive: IAC enticed users with the promise of genuine distinct programs offering exceptional video content and rich gaming. Instead IAC provided browser plug-ins that claim valuable screen space whenever users browse the web. And far from providing exclusive content, IAC toolbars send users to material already on the web and driving traffic to IAC’s advertising displays (as detailed in the next section). That’s strikingly inferior.

IAC’s toolbar installation practices stack up unfavorably vis-a-vis applicable Google policies, industry standards, and regulatory requirements. Google’s Software Principles call for "Upfront disclosure" with no suggestion that an app may promise one thing in an initial solicitation, then something else in a subsequent landing page. (IAC is obliged to comply with Google’s rules because IAC toolbars show ads from Google, as discussed in the next section.) Meanwhile, the Anti-Spyware Coalition specifically flags installations targeting children, allowing bundling by affiliates, and modifying browser settings as risk factors making software a greater concern. Even decades-old FTC rules are on point, disallowing "deceptive door openers" that promise one thing at the outset (like IAC’s initial promise of "free online television") but later deliver something importantly different (a search toolbar).

Web searches reveal numerous user complaints about IAC toolbars. Consider search results for "televisionfanatic". A first result links to product’s official site. Second is a Sitejabber forum with 20 harsh reviews. (17 reviewers gave Television Fanatic just one star out of five, with comments systematically reporting surprise and annoyance at the toolbar’s presence.) The third result advises "How to uninstall a Television fanatic toolbar", and the fourth is multiple Yahoo Answers discussions including a user asking "Is television fanatic toolbar a virus?" and others repeatedly complaining about unintended installation. Clearly numerous users are dissatisfied with Television Fanatic.

So too for DailyBibleGuide. In a Q1 2011 earnings call, IAC CEO Greg Blatt touted the DailyBibleGuide toolbar as a new product IAC is particularly proud of. But a Google search results for "DailyBibleGuide" include a page advising "do not download Dailybiblestudy, Dailybibleguide, or Knowthebible extension." There and elsewhere, users seem surprised to receive IAC’s toolbars. Reading users’ complaints, it seems their confusion ultimately results from IAC’s decision to deliver bible trivia via a toolbar. After all, such material would more naturally be delivered via a web page, email newsletter, or perhaps RSS feed. IAC chose the odd strategy of toolbar-based delivery not because it was genuinely what users wanted, but because this is the format IAC can best monetize. No wonder users systematically end up disappointed.

By all indications, a huge number of users are running IAC toolbars. The IAC toolbars discussed in this section all send users to, a site users are unlikely to visit except if sent there by an IAC toolbar. Alexa reports that is the #41 most popular site in the US and #71 worldwide — more popular than Instagram, Flickr, Pandora, and Hulu.

Some of IAC’s browser configuration changes remain in place even if a user removes an IAC toolbar. I installed then uninstalled an IAC Television Fanatic toolbar and received a prompt instructing "Click here for help on resetting your home page and default search settings." The resulting page specified four different procedures totaling 16 steps — far more lengthy than the initial installation. I can see no proper reason why uninstall is so difficult. Indeed, IAC’s incomplete uninstall specifically violates Google’s October 2012 requirement that "During the uninstall process, users must be presented with a choice that gives them the option of returning their browser’s user settings to the previous settings." Google’s Software Principles are also on point, instructing that uninstall must be "easy" and must disable "all functions of the application" — whereas IAC’s automated installer does not undo all of IAC’s changes, and IAC’s manual 16-step process is the opposite of "easy."

The Special Problems of IAC Ask Toolbar Installed by Oracle’s Java Updates

Oracle Java security updates install Ask Toolbar by default, with just a single click in a multi-step installer. Java security update installs Ask Toolbar by default — a single click in a multi-step installer.

Ongoing Oracle Java updates also install the IAC Ask Toolbar. I discuss these installations in this separate section because they raise concerns somewhat different from the IAC toolbars discussed above. I see five key problems with Oracle Java updates that install IAC toolbars:

First, as Ed Bott noted last week, the "Install the Ask Toolbar" checkbox is prechecked, so users can install the Ask toolbar with a single click on the "Next" button. Accidental installations are particularly likely because the Ask installation prompt is step three of five-screen installation process. When installing myriad software updates, it’s easy to get into a routine of repeatedly clicking Next to finish the process as quickly as possible. But in this case, just clicking Next yields the installation of Ask’s toolbar.

Second, although the Ask installation prompt does not show a "focus" (a highlighted button designated as the default if a user presses enter), the Next button actually has focus. In testing, I found that pressing the enter or spacebar keys has the same effect as clicking "Next." Thus, a single press of either of the two largest keys on the keyboard, with nothing more, is interpreted as consent to install Ask. That’s much too low a bar — far from the affirmative indication of consent that Google rules and FTC caselaw call for.

Third, in a piece posted today, Ed Bott finds Oracle and IAC intentionally delaying the installation of the Ask Toolbar by fully ten minutes. This delay undermines accountability, especially for sophisticated users. Consider a user who mistakenly clicks Next (or presses enter or spacebar) to install Ask Toolbar, but immediately realizes the mistake and seeks to clean his computer. The natural strategy is to visit Control Panel – Programs and Features to activate the Ask uninstaller. But a user who immediately checks that location will find no listing for the Ask Toolbar: The uninstaller does not appear until the Ask install finishes after the intentional ten minute delay. Of course even sophisticated users have no reason or ability to know about this delay. Instead, a sophisticated user would conclude that he somehow did not install Ask Toolbar after all — and only later will the user notice and, perhaps, proceed with uninstall. Half a decade ago I found WhenU adware engaged in similar intentional delay. Similarly, NYAG litigation documents revealed notorious spyware vendor Direct Revenue intentionally declining to show ads in the first day after its installation. (Direct Revenue staff said this delay would "reduce the correlation between the Morpheus download [which bundled Direct Revenue spyware] and why they are seeing [Direct Revenue’s popup] ads" — confusion that DR staff hoped would "creat[e] less of a path to what they [users] should uninstall.") Against this backdrop, it’s particularly surprising to see IAC and Oracle adopt this tactic.

Fourth, IAC makes changes beyond the scope of user consent and fails to revert these changes during uninstall. The Oracle/IAC installation solicitation seeks permission to install an add-on for IE, Chrome, and Firefox, but nowhere mentions changing address bar search or the default Chrome search provider. Yet the installer in fact makes all these changes, without ever seeking or receiving user consent. Conversely, uninstall inexplicably fails to restore these settings. As noted above, these incomplete uninstalls violate Google’s Software Principles requirement that an "easy" uninstall must disable "all functions of the application."

Finally, the Java update is only needed as a result of a serious security flaw in Java. It is troubling to see Oracle profit from this security flaw by using a security update as an opportunity to push users to install extra advertising software. Java’s many security problems make bundled installs all the worse: I’ve received a new Ask installation prompts with each of Java’s many security updates. (Ed Bott counts 11 over the last 18 months.) Even if the user had declined IAC’s offer on half a dozen prior requests, Oracle persists on asking — and a single slip-up, just one click or keystroke on the tenth request, will nonetheless deliver Ask’s toolbar.

A security update should never serve as an opportunity to push additional software. As Oracle knows all too well from its recent security problems, users urgently need software updates to fix serious vulnerabilities. By bundling advertising software with security updates, Oracle teaches users to distrust security updates, deterring users from installing updates from both Oracle and others. Meanwhile, by making the update process slower and more intrusive, Oracle reduces the likelihood that users will successfully patch their computers. Instead, Oracle should make the update process as quick and easy as possible — eliminating unnecessary steps and showing users that security updates are quick and trouble-free.

Toolbar Operations and Result Format

Once a user receives an IAC toolbar, a top-of-browser stripe appears in Internet Explorer and Firefox, and IAC also takes over default search, address bar search, and error handling. That’s an intrusive set of changes, and particularly undesirable in light of the poor quality of IAC’s search results.

If a user runs a search through an IAC toolbar or through a browser search function modified by IAC, the user receives Mywebsearch or results page with advertisements and search results syndicated from Google. The volume of advertisements is remarkable: On a 800×600 monitor, the entire first two screens of Mywebsearch results presented advertisements (screen one, screen two) — four large ads with a total of seven additional miniature ads contained within. The first algorithmic search result appears on the third on-screen page, where users are far less likely to see it. At, ads are even larger: fully seven advertisements appear above the first algorithmic result, and three more ads appear at page bottom — more than filling two 800×600 screens.

IAC obtains these advertisements and search results from Google, but IAC omits features Google proudly touts in other contexts. For example, Google claims that its maps, hotel reviews, and hotel price quotes benefit users and save users time — but inexplicably IAC Mywebsearch lacks these features, even though these features appear prominently and automatically for users who run the same search at Google. In short, a user viewing IAC results gets listings that are intentionally less useful — designed to serve IAC’s business interest in encouraging the user to click extra advertisements, with much less focus on providing the information that IAC and Google consider most useful.

The ad format at IAC Mywebsearch and makes it particularly likely that users will mistake IAC ads for algorithmic results. For one, IAC omits any distinctive background color to help users distinguish ads from algorithmic results. Furthermore, IAC’s voluminous ads exceed beyond the first screen of results for many searches. A user familiar with Google would expect ads to have a distinctive background color and would know that ads typically rarely completely fill a screen — so seeing no such background color and similar-format results continuing for two full screens, the user might well conclude that these are algorithmic listings rather than paid advertisements.

Traffic Arbitrage

IAC buys traffic from Google and other search engines. The resulting sequence is needlessly convoluted: A user runs a search at Google, clicks an IAC ad purporting to offer what the user requested], then receives an IAC landing page with the very same ads just seen at Google. For example, I searched for [800 number look up] at Google and clicked an Ask ad. The resulting Ask page allocated most of its the above-the-fold space to three of the same ads I had just seen at Google! This process provides zero value to the user — indeed, negative value, in that the extra click adds time and confusion. But IAC monetizes its site unusually aggressively — for example, regularly putting four ads at the top of the page, where Google sometimes puts none and never presents more than three. Of course these extra ads serve IAC’s interest: By pushing a fraction of users to click multiple ads, IAC can more than cover its costs of buying the traffic from Google in the first place.

Longstanding Google rules exactly prohibit IAC’s search arbitrage. Google’s AdWords Policy Center instructs that "Google AdWords doesn’t allow the promotion of websites that are designed for the sole or primary purpose of showing ads." Google continues: "One example of this kind of prohibited behavior is called arbitrage, where advertisers drive traffic to their websites at low cost and pay for that traffic by earning money from the ads placed on those websites"

Why isn’t Google enforcing its rules against arbitrage? An October 2012 Search Engine Land article quotes a reader who wrote to Google AdWords support, where a representative replied with unusual candor: "Since is considered a Google product, they are able to serve ads at the top of the page when the search query is found to be relevant to their ads." Of course is not actually "a Google product" — it’s a Google syndicator, showing Google ads in exchange for a revenue share, just like thousands of other sites. But with IAC reportedly Google’s biggest advertising customer, special privileges would be less than surprising. Meanwhile, Google lets IAC do Google’s dirty work — showing extra ads to gullible users — which could let Google collect additional ad revenue from those users’ clicks. Still, that’s no help to users (who get pulled into extra page-views and less useful pages with more advertisements) or advertisers (whose costs increase as a result). And once the public recognizes Google’s role in authorizing this scheme, selling all advertising, and funding the entirety of IAC’s activity, Google ends up looking at least as culpable as IAC.

Ads with Oversized Clickable Areas

IAC ad promises 'free online television' but actually merely links to material already on the web; promises an 'app' but actually provides a search toolbar. Contrary to standard industry practice and Google rules, IAC makes the entire ad — including domain name, ad text, and large whitespace — into a clickable link. Notice the large clickable area flagged in the red box.

IAC ad promises 'free online television' but actually merely links to material already on the web; promises an 'app' but actually provides a search toolbar. At Google, only the ad itself is clickable. Not the much smaller red box.

IAC’s ads also flout industry practice and Google rules as to the size of an ad’s clickable area. Both in arbitrage landing pages and in toolbar results, IAC’s search result pages expand the clickable area of each advertisement to fill the entire page width, sharply increasing the fraction of the page where a click will be interpreted as a request to visit the advertiser’s page.

See the screenshot at right. (To create the red-outlined box showing the shape of the clickable area, I clicked an empty section of the ad and began a brief drag, causing my browser to highlight the ad’s clickable area in red as shown in the screenshot.)

Ask is an outlier in converting whitespace around an ad into a clickable area. Every other link on landing pages — every link other than an advertisement — follows standard industry practice with only the words of the link being clickable, but not the surrounding whitespace. Indeed, at Google, Bing, and Yahoo, white space is never clickable. At Google and Bing, only ad titles are clickable, not ad domain names, or ad text. (See Google screenshot at right, showing the limited clickable area of a Google ad.) At Yahoo, only ad titles and domain names are clickable, not ad text or white space.

IAC has taken intentional action to expand its ads’ clickable area to cover all available width. As W3schools explains, "A block element is an element that takes up the full width available." To expand ad hyperlinks to fill the entire width, Ask tags each ad hyperlink with the CSS STYLE of display:block.

<a id="lindp" class="ptbs pl20 pr30 ptsp pxl" style="display:block;padding-bottom: 0px;" …

Google’s rules prohibit IAC’s expanded clickable areas. Google requires that "clicking on space surrounding an ad should not click the ad." Yet IAC nonetheless makes a clickable area out of the area surrounding each ad, extending all the way to the right column.

IAC’s expanded ads invite accidental clicks. Accidental clicks are particularly likely from the inexperienced users IAC systematically targets for toolbar installations, and also from users searching on tablets, phones, and other touch devices. These extra clicks waste users’ time and drive up advertisers’ costs — but every such click yields extra revenue for IAC and Google.

What Comes Next

Google should enforce its rules strictly. No doubt IAC can offer Google some short-term revenue via extra ad-clicks from unsophisticated or confused users. But this isn’t the kind of business Google aspires to, and Google’s public statements indicate no interest in such bottom-feeding. Indeed, a fair application of Google’s existing AdWords rules would disallow both IAC’s toolbar ads (using AdWords to solicit installations) and IAC’s search arbitrage ads (using AdWords to send users to IAC pages presenting syndicated AdWords ads). Meanwhile, numerous Google AdSense rules are also on point, including prohibiting encouraging accidental clicks, prohibiting site layout that pushes content below the fold, and limiting the number of ads per page. So too for Software Principles requiring up-front disclosure as well as "easy" and complete uninstall.

As a publicly-traded company, IAC should benefit from the oversight and guidance of its outside directors. But the New York Times commented in 2011 that "IAC’s board is filled with high-powered friends of Mr. Diller," calling into question the independence and effectiveness of IAC’s outside directors. Of particular note is Chelsea Clinton, who joined IAC’s board in September 2011. Ms. Clinton’s prior experience includes little obvious connection to Internet advertising or online business, suggesting that she might need to invest extra time to learn the details of IAC’s business. Yet she also has weighty commitments including ongoing doctoral studies, serving as an Assistant Vice Provost at NYU, and reporting as a special correspondent for the NBC Nightly News — calling into question the time she can devote to IAC matters. The Times questioned why IAC had brought in Ms. Clinton, concluding that "This is clearly an appointment made because of who she is, not what she has done." Indeed, Ms. Clinton’s background means she will be held to a particularly high standard: if she fails to stop IAC’s bad practices, the public may reasonably ask whether she has done her duty as an outside director.

Recent research from Goldman analyst Heath Terry flags investor concerns at IAC’s tactics. In a December 4, 2012 report, Terry downgraded IAC to sell due to vulnerability from Google policy changes. A January 9, 2013 follow-up noted IAC changing its uninstall practices to comply with Google policy as well as slowdown in arbitrage. Terry flags some important factors, and I share his bottom line that IAC’s search practices are unsustainable. But the real shoe has yet to drop. If Google is embarrassed at IAC’s actions — and it should be — Google is easily able to put an end to this mess.

I prepared a portion of this article at the request of a client that prefers not to be listed by name. The client kindly agreed to let me include that research in this publicly-available posting.