Who Profits from Security Holes? updated November 24, 2004

I’ve written before about unwanted software installed on users’ computers via security holes. For example, in July I mentioned that 180solutions software was being installed through Internet Explorer vulnerabilities. (See also 1, 2, 3) More recently, researchers Andrew Clover and Eric Howes (among others: 1, 2) have described increasing amounts of unwanted software being installed through security holes.

Malware installed through a single security exploit

How bad is this problem? How much junk can get installed on a user’s PC by merely visiting a single site? I set out to see for myself — by visiting a single web page taking advantage of a security hole (in an ordinary fresh copy of Windows XP), and by recording what programs that site caused to be installed on my PC. In the course of my testing, my test PC was brought to a virtual stand-still — with at least 16 distinct programs installed. I was not shown licenses or other installation prompts for any of these programs, and I certainly didn’t consent to their installation on my PC.

In my testing, at least the following programs were installed through the security hole exploit: 180solutions, BlazeFind, BookedSpace, CashBack by BargainBuddy, ClickSpring, CoolWebSearch, DyFuca, Hoost, IBIS Toolbar, ISTbar, Power Scan, SideFind, TIB Browser, WebRebates (a TopMoxie distributor), WinAD, and WindUpdates. (All programs are as detected by Ad-Aware.) I have reason to believe that numerous additional programs were also installed but were not detected by Ad-Aware.

See a video of the installations. The partial screen-shot at left shows some of the new directories created by the security exploit.

Other symptoms of the infection included unwanted toolbars, new desktop icons (including sexually-explicit icons), replacement desktop wallpaper (“warning! you’re in danger! all you do with computer is stored forever in your hard disk … still there and could broke your life!” (s.i.c.)), extra popup ads, nonstandard error pages upon host-not-found and page-not-found error conditions, unrequested additions to my HOSTS file, a new browser home page, and sites added to my browser’s Trusted Sites zone.

I’ve been running similar tests on a daily basis for some time. Not shown in the video and screen-shot above, but installed in some of my other tests: Ebates Moe Money Maker, EliteToolBar, XXXtoolbar, and Your Site Bar.

Installation of 180solutions software through security holes is particularly notable because 180 specifically denies that such installations occur. 180’s “privacy pledge” claims that 180 software is “permission based” and is “programs are only downloaded with user consent and opt-in.” These claims are false as to the installation occuring in the video linked above, and as to other installations I have personally observed. Furthermore, 180’s separate claim of “no hiding” is false when 180 software is installed into nonstandard directories (i.e. into C:Windows rather than a designated folder within Program Files) and when 180 software is installed with a nonstandard name (i.e. sais.exe) rather than a name pertaining to 180’s corporate name or product names.

What’s particularly remarkable about these exploits is that the bad actors here aren’t working for free. Quite the contrary, they’re clearly expecting payment from the makers of the software installed, payments usually calculated on a per-install basis. (For example, see a 2003 message from 180solutions staff offering $0.07 per installation.) By reviewing my network logs, I can see the specific “partner” IDs associated with the installations. If the installers want to get paid, they must have provided accurate payment details (address, bank account number, etc.) to the makers of the programs listed above. So it should be unusually straightforward to track down who’s behind the exploits — just follow the money trail. I’m working on passing on this information to suitable authorities.

Note that the latest version of Internet Explorer, as patched by Windows XP Service Pack 2, is not vulnerable to the installations shown in my video and discussed above.

Cookie-Stuffing Targeting Major Affiliate Merchants

Certain affiliate web sites use pop-ups, pop-unders, IFRAMEs, JavaScript, and other methods to claim affiliate commissions on users purchases from affiliate merchants, even if users do not click on affiliates’ links to the merchants. This page documents selected affiliates using these practices and selected merchants suffering from these practices.

Overview & Summary

Affiliate tracking systems are intended to pay commissions to independent web sites (“affiliates”) when users click through these sites’ links to affiliate merchants. Merchants are not intended to pay commission when users merely visit affiliates’ sites. Instead, commission ordinarily only becomes payable in the event that a user 1) visits an affiliate’s site, 2) clicks through an affiliate link to a merchant, and 3) makes a purchase from that merchant.

However, some affiliates use “cookie-stuffing” methods to cause affiliate merchants’ tracking systems to conclude that a user has clicked through a tracking link (and to pay commissions accordingly) even if the user has not actually clicked through any such link. If the user subsequently makes a purchase from that merchant — immediately, or within the “return days” period specified by the merchant’s affiliate program — the affiliate then receives a commission on the user’s purchase.

This page presents the incentives that have allowed cookie-stuffing to continue, and captures selected examples of cookie-stuffing. See also the Affiliate Fraud Information Lookup, reporting of the number of observations Wesley Brandi and I have gathered in ongoing high-volume tests for cookie-stuffing.

Groups Affected by Cookie-Stuffing

Affiliate Networks Benefit from Cookie-Stuffing

Affiliate merchants ordinarily pay their affiliate networks a percentage of all affiliate revenues passing through the network. For example, Commission Junction’s public pricing list reports that CJ charges a merchant 30% of all amounts to be paid to affiliates. (In other words, if a merchant sells $1,000,000 of merchandise and pays a 5% affiliate commission, then it must pay $50,000 of commission to its affiliates. It must further pay 30% of $50,000, or $15,000, to Commission Junction.) As a result, in the first instance, affiliate networks benefit from cookie-stuffing. Such cookie-stuffing increases the total volume of sales flowing through affiliate networks, and increases the affiliate commissions on which, for example, CJ can charge a 30% fee.

Set against this short-run incentive is the long-term problem that if affiliate networks fall greatly in value to merchants, or if affiliate networks are perceived to facilitate fraud, then merchants may no longer be willing to pay affiliate commissions and affiliate network fees. But in the short run, affiliate networks benefit from more money flowing through their networks.

To date, affiliate networks have failed to aggressively pursue, stop, and punish those affiliates using cookie-stuffing. Indeed, LinkShare has repeatedly granted a $15,000 award to affiliates later found to be using cookie-stuffing. In each instance LinkShare subsequently withdrew the award after pressure from affiliates, merchants, and others. (See MediaPost coverage.) LinkShare’s repeated awards to affiliates using cookie-stuffing reveal that this technique extends to large affiliates and to well-regarded affiliates.

That said, affiliate networks’ black-letter rules generally officially prohibit cookie-stufing. For example, Commission Junction’s Publisher Service Agreement states that an affiliate publisher “may earn financial compensation … for transactions … made from such publisher’s web site … through a click made by a visitor … through an Internet connection (link) to a web site.” In all the examples set out below, no such click occurred, and therefore no commission is fairly earned given the limitations set out in the PSA.

Affiliate Merchants Suffer from Cookie-Stuffing

Affiliate merchants suffer financially from cookie-stuffing. Cookie-stuffing causes merchants to pay commissions that, according to program rules, they need not pay. Cookie-stuffing also causes merchants to pay commissions to the wrong affiliates — to affiliates who never caused an actual user click-through — which is likely to reduce the quality and effort of affiliates participating in the merchant’s program.

Cookie-Stuffers Profit from Cookie-Stuffing

Cookie-stuffing apparently proves profitable for those who do it. Suppose an affiliate ordinarily has a 10% click-through rate from its site to its merchants. The affiliate ordinarily receives affiliate commission only if a purchase is made by one of the 10% of users who clicks through the affiliate’s link. In contrast, by cookie-stuffing, the affiliate can claim commissions from any purchases made by the entire 100% of the affiliate’s visitors.

Rule-Following Affiliates Suffer from Cookie-Stuffing

Rule-following affiliates suffer from cookie-stuffing. For one, rule-following affiliates’ cookies may be overwritten by cookie-stuffers. Suppose a user clicks to affiliate site A, a rule-follower not using cookie-stuffing, and clicks through A’s link to a given merchant. The next day, the user visits affiliate site B, a rule-breaker using cookie-stuffing as to the same merchant site. Using cookie-stuffing, site B sets an affiliate tracking cookie that overwrites A’s cookie. If the user subsequently makes a purchase from the merchant, the affiliate commission will be paid to B, not A.

Rule-following affiliates also suffer from cookie-stuffing because cookie-stuffing encourages merchants to cut their commission rates. Without cookie-stuffing, merchants would be paying commissions on fewer orders. At least some merchants would likely then choose to increase commission paid on each order.

Specific Examples of Cookie-Stuffing

This section links to my research and testing, showing cookie-stuffing targeting major affiliate merchants. In initial reporting, I have focused on cookie-stuffing targeting merchants CJ designates as “featured” and on merchants who participate in discussion fora on ABestWeb.

The table below gives “clear-cut” examples of cookie-stuffing — affiliate HTML code that clearly shows intention to set affiliate cookies without a user clicking through any affiliate link.

MerchantCookie-Stuffing AffiliateDateNotes
Amazon (an independent merchant)Avxf (qufrho-20)10/6/08Broken IMG loaded within forum page. Details and video.
Amazon (an independent merchant)consumernow.com (jumpondealscom)11/6/04Obfuscation via a redirect. Details and video.
Amazon (an independent merchant)Bannertracker-script2/27/12JavaScript invisibly inserted into multiple independent sites via web server hacking. 200+ affiliate IDs in use. Details.
Amazon (an independent merchant) Imgwithsmiles 5/2/12Flash-based stuffing syndicated through Google AdSense display ad network. 49+ affiliate IDs in use. Details.
Argos (a CJ Advertiser)Eshop600 (3910892) 1/30/12Encoded JavaScript and invisible IMG. 26 cookies stuffed at once. Details.
Barnes & Noble (a CJ Featured BFAST Advertiser)dailyedeals.com (BFAST 26682568)11/4/04Misleading JavaScript comments. Details and video.
Buy.com (a CJ Advertiser)Couponcodesmall (2705091) 10/5/08Invisible IFRAME. Details and video.
Cooking.com (a LS Selected Merchant)dailyedeals.com (FZOkC4w7rNM)11/6/04Misleading JavaScript comments. Details and video.
Crucial.com (a CJ Featured Vantage Advertiser)dailyedeals.com (340672)11/2/04Details and video.
Dell (a LS Selected Merchant)jumpondeals.com (HAHu6s1Hzp4)11/5/04Obfuscation via a redirect. Details and video.
Dentalplans (an ABestWeb CJ merchant)consumernow.com (517038)11/6/04Obfuscation via a redirect. Details and video.
Drugstore.com (a LS Selected Merchant)dailyedeals.com (FZOkC4w7rNM)11/6/04Misleading JavaScript comments. Details and video.
Eastwood (an ABestWeb CJ merchant)aboutdiscounts.com (1311826)11/4/04SCRIPT after /HTML. Details and video.
eVitamins (an ABestWeb CJ merchant)couponvine.com (465743)11/4/04 Two-step JavaScript. Details and video.
Folica (a CJ merchant)ahugedeal.us (568228)11/8/04 Details and video.
Folica (a CJ merchant)ahugedeal.com (568228)10/25/05 Still occurring with same affiliate ID, 11+ months after prior reporting. Obfuscation via a redirect. Details and video.
FunToCollect (an ABestWeb CJ merchant)specialoffers.com (306244)11/6/04Obfuscation via a redirect. Details and video.
Globat (a CJ merchant)coupon-monkey.com (1446676)11/8/04/CLICK loaded in IMG tag. Details and video. Note: Coupon-monkey claims cookie-stuffing was accidental. Details.
HostGator (an independent merchant)Avxf (dsplcmnt01)10/6/08Broken IMG loaded within forum page. Details and video.
HSN (a CJ Featured BFAST Advertiser)coupons-coupon-codes.com (BFAST 38772000)11/4/04Obfuscation via external JavaScript and redirect. Details and video.
iPowerWeb (a CJ BFAST merchant)bids2buy.com (1525933)11/6/04Details and video.
Irv’s Luggage (an ABestWeb CJ merchant)edealinfo.com (600263)11/4/04IFRAME. Details and video.
JCWhitney (an ABestWeb CJ merchant)consumernow.com (517038)11/6/04Obfuscation via a redirect. Details and video.
LaptopsforLess (an ABestWeb CJ merchant)find-coupon.com (1525933)11/4/04Popup. Details and video.
Match.com (a CJ Featured Vantage Advertiser)asmartcoupon.com (1515738)11/4/04/CLICK loaded in IMG tags. Details and video.
MLB.COM (a CJ Featured Vantage Advertiser)edealinfo.com (600263)11/4/04IFRAME. Details and video.
Napster (a CJ front-page Featured Advertiser) coupons-online-coupon.com (1167113)11/4/04Popup. Details and video.
Netzero (a CJ Featured Vantage Advertiser)consumernow.com (517038)11/4/04Obfuscation via a redirect. Details and video.
Orbitz (a LS Selected merchant)thewinnersclub.net (HAHu6s1Hzp4)11/8/04Obfuscation via a redirect. Details and video.
Oreck (an ABestWeb CJ merchant)1couponstop.com (517038)11/4/04Obfuscation via a redirect. Details and video.
Overstock.com (an ABestWeb LS merchant)dailyedeals.com (FZOkC4w7rNM)11/5/04Misleading JavaScript comments. Details and video.
PetcareCentral (an ABestWeb CJ merchant)aboutdiscounts.com (276460)11/4/04SCRIPT after /HTML. Details and video.
Priceline (a CJ BFAST merchant)findsavings.com (40001021)11/7/04Details and video.
RapidSatellite (an ABestWeb CJ merchant)smartqpon.com (979227)11/4/04Details and video. Details and video.
Relaxtheback.com (a LS Selected Merchant)office-coupons-online.com (g/KOq4zlIIk)11/6/04 Details and video.
Shoes.com (an ABestWeb CJ merchant)ultimatecoupons.com / webbuyingguide.com (1417434)11/4/04Cookie tracking of popunder triggering. Details and video.
ShopNBC (a CJ Featured BFAST Advertiser)ultimatecoupons.com / webbuyingguide.com (BFAST 38954339)11/4/04IFRAME. Details and video.
SkinStore.com (a CJ BFAST merchant)discount-coupons-online.com (568228)11/6/04Details and video.
Spafinder.com (a LS Merchant)ultimatecoupons.com / webbuyingguide.com (OEu024dtHXs)11/6/04JavaScript URL variable. Details and video.
Toshiba (a CJ front-page Featured Advertiser)consumernow.com (517038)11/4/04Obfuscation via a redirect. Details and video.
TigerDirect.com (an ABestWeb CJ BFAST merchant)findsavings.com (39104038)11/5/04Details and video.
Travelocity (a CJ BFAST Selected merchant)xpcoupons.com (40031581)11/8/04IFRAME. Placed after /BODY. Details and video.

The table below gives additional examples of cookie-stuffing. In these examples, I see insufficient basis to determine whether the affiliate intended to set affiliate cookies without a user clicking through any affiliate link. Nonetheless, that is the net effect of the examples linked below.

MerchantCookie-Stuffing AffiliateDateNotes
DentalPlans (an ABestWeb CJ merchant)savings-center.com11/4/04FRAME. Details and video.
FunToCollect (an ABestWeb CJ merchant)goodbazaar.com11/4/04FRAME with META tags. Details and video.
JCWhitney (an ABestWeb CJ merchant)a2zrewards.com11/4/04FRAME with META tags. Details and video.
Travelocity (a CJ BFAST merchant)couponmountain.com11/8/04Redirect with META tags, broken BACK button. Details and video.

Because LinkShare’s compliance and quality problems are already well-known (e.g. as described above, as to LinkShare’s repeated Titanium Award missteps), the listing above focuses primarily on Commission Junction merchants.

Last Updated: May 8, 2012

Grokster and Claria Take Licenses to New Lows, and Congress Lets Them Do It

I’ve recently been looking at the unwanted software installed by Grokster (a peer-to-peer filesharing program). Eric Howes has documented Grokster’s exceptionally large bundle, which includes Claria, 411 Ferret/ActiveSearch, AdRoar, Altnet/BDE, BroadcastPC, Cydoor, Flashtrack, MyWay/Mybar, SearchLocate/SideBar, Topsearch, TVMedia, VX2/ABetterInternet, Browser Hijack, two different TopMoxie programs (branded by WebRebates), and several other programs not yet identified.

These programs, in combination, place a major burden on users’ computers: Loading and running so many extra tasks leaves less memory, less bandwidth, and less CPU time for whatever users actually want to do. My lab PCs are fast and well-maintained, but installing Grokster and its bundle makes them sluggish and hard to use. Worse, it’s hard to undo the damage Grokster and its partners cause: Eric also tracks, in unprecedented detail, how even the newest spyware removal applications can’t get rid of all the programs Grokster installs. It’s a mess, Eric’s site explains, and he’s surely right.

But as it turns out, the situation is even worse than Eric realized. As Eric explains, Grokster installs lots of junk if a user presses Accept. However, Grokster also installs software even if the user presses Cancel! That’s right: If a user has second thoughts after seeing the long license agreements, and if the user decides to press Cancel, Grokster’s installer nonetheless installs SearchLocate/SideBar and TVMedia. See the screen-shots below, taken from my video (WMV, 1MB) of the install process. (For best viewing, watch video in full-screen mode.)

C:\Program Files directory before Grokster installation begins.  Click to enlarge.   C:\Program Files folder before Grokster installation begins.
Sorted by date/time, ascending order. Latest entries:

Pressing Cancel in the Grokster installer.  Click to enlarge.   The Grokster installer. I press the Cancel button.

     

C:\Program Files directory after Grokster installation is cancelled.  Click to enlarge.   C:\Program Files folder after Grokster installation terminates.
Sorted by date/time, ascending order. Latest entries:

Notice new entries at the bottom of hte list: SearchLocate and TV Media.  These directories and their contents were created, after I pressed the Cancel button in the Grokster installer.

Equally outrageous are the extraordinarily lengthy license agreements Grokster and its partners ask users to accept. First comes a Claria license agreement that takes, by my count, 120 distinct screens (119 presses of the page-down key) to view in full. As shown in the Grokster installer, Claria’s license has grown to an incredible 6,645 words. So Claria’s current license is 43% longer than the US constitution — before we count the nine separate web pages Claria’s license references, some of them quite lengthy, but which Claria nonetheless claims are “incorporated by reference.” Furthermore, Claria’s license is growing rapidly: When I prepared screen-shots of Claria’s license, as shown by Kazaa in June 2004, the license was 5,541 words long. If Claria’s license continues to grow by 20% every four months, it will be 11,500 words long in October 2005, and 34,300 words long in October 2007. Maybe Claria’s lawyers get paid by the word.

And it gets worse: Grokster installs other programs, with their own licenses, and Grokster shows these many licenses en masse in a subsequent screen. These licenses appear in a text box that, for whatever reason, doesn’t let me to copy its text to the clipboard. So I can’t know the precise word count of the licenses in this second box. But I do know it took 278 page-downs to view the entire license.

That makes a total of 398 page-downs for any user who wants to know what lies in store upon installing Grokster. 398!


This past week, the US House of Representatives passed two bills that purport to address the spyware problem. Would they do anything about Grokster’s outrageous activities?

Goodlatte‘s H.R.4661 prohibits unauthorized software installation — but only under specific, narrow circumstances. I can’t immediately say that SearchLocate/SideBar and TVMedia are used in furtherance of a Federal criminal offense, so Sec.2.(a) is inapplicable. And I can’t say that the programs intentionally obtain or transmit personal information with the intent to defraud, injure, or cause damage. Surely the programs’ authors would deny any such intent. So Sec.2.(b) is inapt too. Looks like Goodlatte’s bill wouldn’t help.

Bono‘s H.R. 2929 does prohibit the unauthorized software installation. Sec.2.(a)(4)(A) specifically bans installing software when a user declines installation. Score one for the good guys.

But suppose Grokster ended the truly outrageous installation of software even when users press Cancel, instead installing its bundle only when users press Accept. (Grokster will more than likely make this change after reading my article.) Then Grokster would be, I fear, substantially compliant with H.R.2929.

For 2929’s purposes, it doesn’t matter that Grokster installs so much software that it essentially ruins even an above-average PC. The bill’s Sec.3. approves of the installation of fifteen programs, or a hundred and fifteen, so long as the user is first shown a single notice that warns “This program will collect information about Web pages you access and will use that information to display advertising on your computer. Do you accept?’ Or, thanks to a recent revision to the bill, the installer can show some other text, so long as it is “substantially similar,” but even if it is more complicated, more confusing, or harder to understand.

I worry that Grokster can and will include the brief disclosure 2929 specifies, or an alternative text that makes the installation sound even more unobjectionable. Then all too many users will be tricked into accepting Grokster’s massive software bundle, and they will find their PCs grind to a halt under the load Grokster and its partners impose. Users will be running Bono-certified software, 100% compliant with relevant law (should Bono’s bill in fact become law). But their computers will be nearly useless nonetheless.

If I were revising Bono’s bill, I’d seek to tighten its requirements. I certainly wouldn’t permit watered-down “substantially similar” disclosures. I’d also prohibit the installation of a bundle of software, where the user requested only a single program, if that bundle has significant adverse effects on the speed and reliability of a typical computer, and if that bundle has no substantial relationship to the software the user initially requested. For bundled programs that show advertising, I’d require that the installation provide a sample of each kind of advertisement to be shown, and I’d require that the installation disclose the typical frequency of ad displays. In short, there are lots of creative ways to tighten the language, so that programs can’t satisfy the bill’s requirements while continuing to trick users into unwanted installations.

Instead, 2929 takes a narrower approach — admittedly stopping a class of outrageous behaviors, but letting all too many continue. Given the bill’s preemption of tougher state laws, this is legislation that, far from stopping spyware, in many respects makes the spyware problem worse.

Can we count on the Senate to close the loopholes in the bills as passed? News coverage suggests that these bills are a done deal already. And Congress has enacted weak legislation before (e.g. CAN-SPAM). So I’m not holding my breath.

California’s Toothless Spyware Law

Yesterday Governor Schwarzenegger signed into law SB 1436 (“Computer Spyware”), a California bill that speaks to certain programs installed on users’ computers. The bill admittedly speaks to programs that trick users, harm users, and take advantage of users. So why don’t I support it?

SB1436 prohibits a number of activities. It bans, for example, transmitting computer viruses from a users’ computers (22947.3(a)(1)), using a computer as part of a denial of service attack ((a)(3)), and presenting an option to decline installation of software when selecting that option will in fact cause software to be installed nonetheless ((c)(1)). These are surely bad actions. But they’re all prohibited under existing law — fraud, unfair trade practice, computer fraud and abuse act, etc. When investigators, lawyers, and researchers have tracked down bad actors using these methods in the past, they’ve proceeded with suit, with considerable success. (See e.g. Melissa virus writer’s jail sentence.) So we don’t need SB1436 to address these outrageous activities.


A Claria drive-by download prompt -- allowing the user to press 'Yes' and have software installed, without first seeing Claria's license agreement.A Claria drive-by download prompt — allowing the user to press ‘Yes’ and have software installed, without first seeing Claria’s license agreement.

In contrast, SB1436 fails to speak to the truly controversial activities — many of them arguably “borderline” — that have actually been used by major players in the spyware space, whose installed user counts now reach into the tens of millions. Consider Claria’s 5,500 word license agreement. As presented in Kazaa’s installer (screenshots), Claria’s license is 20% longer than the US Constitution, and it requires 56 on-screen pages to view in full. Or, consider Claria’s drive-by installer (screenshot), where a user can press “Yes” without ever even seeing Claria’s license. More recently, Claria’s drive-bys have begun to show users the Claria license — but only after the user presses Yes, and only after the software is installed! What should we make of such installation practices? Has a user really “accepted” Claria’s software when the user receives unhelpful, confusing, and/or untimely disclosures? Even if the user is a minor? Even if the user mistakenly thought Claria’s software was necessary to view the web page that triggered the drive-by? Some courts may think that pressing “Yes” indicates assent — no matter the circumstances, no matter how one-sided the terms presented, and for that matter even if the terms weren’t actually presented (but were merely linked to). But I don’t think that’s a necessary conclusion, given the length and presentation of the supposed agreement.

SB1436 had an opportunity to address these deceptive installation tactics by clarifying standards for notice and consent. Indeed, the first draft of SB1436 (dated February 19, 2004) addressed Claria’s tactics directly: “‘Spyware’ means an executable program that automatically … transmits to the provider … data regarding computer usage, including … which Internet sites are or have been visited by a user” — exactly what Claria does. The February draft went on to set out various requirements and disclosure duties, even including a minimum font size for disclosure. That’s not to say the February bill was perfect — certainly there was more fine-tuning to be done. But it sought to establish disclosure duties for all companies transmitting information about users’ online browsing — not just a few outrageous outliers who send viruses.

Unfortunately, SB1436’s initial comprehensive approach somehow got lost between the February draft and the August revisions. A recent RedHerring article claims the bill was “gutted” by “the well-heeled and influential online advertising lobby.” Claria’s chief privacy officer recently stated that he had “met with the staffs of members who have proposed legislation” — though not mentioning any special efforts to modify the bill. Whatever Claria’s role, even a quick reading shows that the revised bill won’t affect Claria’s current practices.

Meanwhile, Claria gets to go on record not only supporting the law, but perhaps even complying with it from its first day in effect. Claria can now claim the implicit endorsement of California law: After all, if California passed a spyware law, and Claria complies, then (the logic goes) Claria must be a legitimate business that consumers and advertisers should happily do business with. But the truth is not so simple: Claria’s deceptive installation methods continue, tricking tens of millions of users into receiving Claria software without truly understanding what they’re getting into.

A better spyware bill would address the subtleties of Claria’s methods — would address lengthy, confusing licenses, and licenses shown only after supposed consent. Interestingly, some of the pending federal legislation speaks to disclosure requirements for programs like Claria. The federal bills are far from perfect. But they at least seek to address the harms, like Claria, that actually plague millions of users day in and day out. More on the proposed federal legislation next month.

Pick-Pocket Pop-Ups

I’ve been writing for months — years! — about unwanted programs, installed on users’ PCs, that show users extra pop-up ads. There’s been lots to write about: The actual ads shown (WhenU’s and Gator’s), whether users grant meaningful consent (especially in the face of lengthy licenses), privacy (and possible privacy violations), and online marketing methods (like search engine spamming) sometimes used by companies in this space.

Today I present research about another problem, quite distinct from pop-ups: Programs that tamper with affiliate commissions. Call them stealware, thiefware, or even “pick-pocket pop-ups” (a term recently coined by Kenn Cukier), but their core method is surprisingly simple: Stealware companies join the affiliate networks that merchants operate — networks intended to pay commissions to independent web sites that recommend the merchants to their visitors. Then when users browse to targeted merchants’ sites, the stealware programs jump into action, causing merchants’ tracking systems to think users reached the merchants thanks to the stealware programs’ efforts.

Stealware raises several major policy concerns. For one, merchants risk throwing away money — paying commissions when none are due, increasing their costs, and ultimately raising prices for everyone. For another, legitimate affiliates lose commissions when stealware programs overwrite their tracking codes with stealware programs’ own codes. Finally, stealware puts affiliate networks (like LinkShare and Commission Junction) in a truly odd position: If the networks enforce their rules and remove stealware programs from their networks, then the networks shrink and receive smaller payments from merchants.

I’ve begun my research in this field with a particular program that I believe to be the largest and most prevalent of those that specifically seek to add and replace affiliate commissions: Like Gator and WhenU, Zango (from 180solutions / MetricsDirect) monitors users’ activities and sometimes shows popup ads (though 180’s ads are particularly large, often covering the entire browser window). But the real news is that Zango frequently sets and replaces affiliate tracking codes — as to some 300+ major merchants, using at least 49 different affiliate accounts and scores of redirect servers.

Much of Zango’s affiliate code replacement lacks any on-screen display. As a result, ordinary users (not to mention merchants’ testing staff) are unlikely to notice what’s going on. Where possible, I’ve captured Zango’s behavior with screenshots and videos. As to the rest, I’ve used my trusty network monitor to inspect the raw transmissions passing over my Ethernet wire.

Details:

The Effect of 180solutions on Affiliate Commissions and Merchants

What Advertisers Use WhenU?



Advertisers Using WhenU

Ever wonder who advertises on WhenU? A few reporters have tried to figure this out but have been stymied: Few companies care to talk about their use of Claria or WhenU. (WSJ [paid registration required], BusinessWeek).

So I thought I’d put together a list of all of WhenU’s current advertisers — all the companies showing graphical ads (not just sponsored link text) on WhenU’s system. There are 234 distinct advertisers, by my count. The biggest advertisers (by advertisement count) are Priceline (51 ads), J.P. Morgan Chase (43), Casino On Net (37), Verizon (28), Orexis (24). Major advertisement categories:

Gambling, Betting and Bingo 327 advertisements 49 advertisers
Loans 263 advertisements 35 advertisers
Travel 213 advertisements 21 advertisers

Further down the list, 102 ads for insurance, 99 for sexual health (mostly Viagra and similar products) and even some ads for online psychics and online cigarette sales.

All the details, and thousands of advertisement thumbnails, are in:

Advertisers Using WhenU

Utah Spyware Control Act On Hold updated July 7, 2004

Today brought closing arguments in WhenU.com, Inc., v. The State of Utah.

After closing arguments, Judge Fratto granted WhenU’s Motion for Preliminary Injunction, enjoining current enforcement of the Spyware Control Act. Ruling from the bench, Judge Fratto stated that he was not persuaded that WhenU had satisfied the requirements of showing a substantial likelihood of prevailing on the merits of its constitutional challenge as to the spyware provisions of the Act, but that WhenU had satisfied such showing regarding the context-triggered pop-up ads provision. Nonetheless, Judge Fratto enjoined enforcement of the act in its entirety. See transcript of ruling.

For my perspective on the factual portion of the hearing, June 10-11, see Report from WhenU v Utah.

Report from WhenU v Utah updated June 13, 2004

In April I mentioned WhenU’s suit against the state of Utah, challenging Utah’s recent Spyware Control Act. Oral argument took place yesterday and today as to WhenU’s motion for preliminary injunction.

Consistent with case filings, WhenU claimed that the company cannot reliably determine which users are in Utah and which are elsewhere. However, documents presented in the hearing showed that WhenU offers its advertisers the service of showing their ads only in particular locations, including in particular states.

Counsel for the state of Utah also asked WhenU’s CEO about WhenU’s display of advertising for online gambling and for online liquor sales. My testing demonstrated that WhenU shows such ads in Utah, but longstanding Utah law is thought to prohibit these ads. So WhenU will have to develop — arguably, already should have developed! — systems to avoid showing these ads in Utah. WhenU has criticized the Spyware Control Act, claiming that compliance would be difficult and costly. But WhenU must satisfy Utah’s gambling and liquor laws independent of the Spyware Control Act. So much for the purportedly high burden of Utah’s spyware regulation.

In my own oral testimony, I explained the methods of installation and operation of spyware. In one notable section, I showed videos of WhenU software installed via drive-by downloads with defective license agreements, such that even when a user requested to view WhenU’s license agreement, the license was not available.

Details in WhenU.com, Inc., v. The State of Utah – Case Documents. The hearing will conclude on June 22, 2004, and the Court’s decision is expected thereafter.

Dell’s Spyware Puzzle updated June 9, 2004


Dell Ad Displayed using ClariaDell Ad Displayed using Claria

Lots of companies have a puzzling relationship with spyware. For example, a recent eWeek article pointed out the complexities in Yahoo!’s relationship with Claria: My research of last year found that yahoo.com is the the single most targeted domain of the many thousands Claria targets with its context-triggered popups. More recently, Yahoo! released a toolbar that uninstalls Claria software. These facts suggest that Yahoo! would dislike Claria and would actively oppose Claria’s activities. Nonetheless, Yahoo! remains a major supplier to Claria (via Yahoo!’s Overture sponsored link service, which reportedly provides 30% of Claria’s revenue, per Claria’s S-1 filing).

Even more puzzling, Dell both suffers from spyware and receives web traffic from Claria’s advertising services. In recent comments to the FTC (PDF page 70), Dell’s Maureen Cushman reported that spyware is Dell’s “number one call driver” as of late 2003, and that spyware is responsible for as much as 12% of calls to Dell tech support.

Nonetheless, my testing shows that Dell UK ads run on the Claria ad network. See the ad shown at right (among several other ads also from Dell UK), which I received while viewing the IBM.COM site. My further testing indicates that Claria shows several Dell UK ads when users visit the sites listed below (perhaps among others). (Note that users might have to visit particular parts of the sites listed here — i.e. the computers section of amazon.co.uk, not just other parts of the Amazon site.)

ebay.co.uk
hp.com
msn.co.uk
apple.com
amazon.co.uk
ibm.com
kelkoo.co.uk
bt.com
pricerunner.com
dabs.com
dealtime.co.uk
johnlewis.com
dooyoo.co.uk
comet.co.uk
ebuyer.com
pcworld.co.uk
dixons.co.uk
acer.co.uk
abrexa.co.uk
sony.co.uk
simply.co.uk
priceguideuk.com
toxiclemon.co.uk
packardbell.co.uk
microwarehouse.co.uk
evesham.com
toshiba.co.uk
cclcomputers.co.uk
morgancomputers.co.uk
timecomputers.com
sony-cp.com
europc.co.uk
empiredirect.co.uk

Dell staff tell me that the ads were unauthorized, placed by an affiliate without Dell’s permission. My inspection of the ads (and their link destinations) is consistent with this claim. But my inspection of Claria configuration files further suggests that the ads ran on the Claria network since at least February 6, 2004 — some four months ago. Why didn’t Dell notice this problem until I brought it to their attention?

If this is just a glitch, what procedures could Dell (and other companies) implement to make sure their ads are placed through only authorized channels? I’d be honored to work with interested advertisers to think through the possibilities for automatic or scheduled monitoring, testing, etc.

A note on my research methods: In May-June 2003, I offered a Gator real-time testing service that reported, on request, which ads (if any) targeted a given web site. I have subsequently disabled this site, so it provides only archived data. But I can still provide current Gator targeting data upon request. Interested readers, please get in touch by email.