Category: advertising fraud

Advertising fraud, overcharging advertisers, and related concerns

Posted on

Intermediaries’ Role in the Spyware Mess updated May 28, 2005

When unwanted programs (“spyware” and others) sneak onto users’ computers, their main goal is often to show extra ads, typically pop-ups. If a vendor’s program steals users’ credit card numbers or social security numbers, the vendor will get in real trouble. But, historically, software vendors have been able to show extra ads with impunity.

Where do these ads come from? What companies are willing to support the advertising software that users so despise? It turns out some of the world’s biggest companies are advertising in this way. In 2003, I posted a list of some of Gator’s then-biggest advertisers, work that PC Pitstop updated in 2003 (using Claria’s S1 filing). More recently, I’ve posted a list of substantially all eXact advertising advertisers. More to come.

These advertisers aren’t working in a vacuum. To the contrary, many of their ads appear through spyware only thanks to major ad intermediaries that facilitate and track those placements, and that assist in the associated payments.

Are ad intermediaries responsible when their ads are shown by software installed improperly? Marquette law professor Eric Goldman thinks not. But the New York Attorney General’s office has repeatedly suggested they might be. My take: Advertiser and intermediary liability is an interesting question of law, well beyond my aspirations for this brief piece. But where ad intermediaries purport to certify or stand behind the quality of the venues where their ads are shown, I’m not receptive to their claims that they can’t do what they’ve promised. Where ad intermediaries merely count advertisement clicks without even claiming to assure traffic quality, the case for blaming intermediaries for improper use of their tracking links may be somewhat weaker (though still cognizable).

One fact about which there is no reasonable dispute: Spyware would be far less profitable — and there would be far less of it trying to sneak onto users’ PCs — if big advertisers weren’t advertising this way and if big ad intermediaries weren’t helping to facilitate such advertisements.

An Initial Example: Atlas DMT Assisting with Expedia Ads Shown by 180solutions


An Expedia ad shown by 180solutions, via Atlas DMT tracking.An Expedia ad shown by 180solutions, via Atlas DMT tracking

The many relationships in spyware advertising can be quite complicated, all the more so because advertising and payment structures take so many forms. But let me start with a relatively straightforward example: When users visit aa.com (American Airlines) on PCs with advertising software from 180solutions, 180 may show a popup of Expedia’s web site. See inset image at right.

Expedia
(advertiser)
viewers
Atlas DMT
(intermediary)
viewers
  180solutions  

Traffic Flow

Although 180 could show the Expedia site directly, traffic more typically passes through intermediaries like, in this case, aQuantive’s Atlas DMT. In particular, 180 invokes the Atlas tracking link http://expedia.click-url.com/ go/www18epd0600005172ave/ direct/01, which then redirects users to the specified page at Expedia. So users reach Expedia through Atlas, as shown in the diagram at right.

Ads are placed through intermediaries for a variety of reasons. Sometimes intermediaries help to broker the deal — making connections between advertisers and venues where ads can be shown. Some advertisers might not want to do business with 180solutions directly — maybe they haven’t heard of 180, or have heard only bad things; but doing business with Atlas seems reasonable thanks to Atlas’s better reputation. Or perhaps Atlas adds accountability: An advertiser might not trust 180’s record-keeping, but the advertiser might feel confident that Atlas will accurately count how many times each ad was shown. Intermediaries can also provide efficient and centralized payment, reducing administrative costs. Whatever the reason, ads tend to flow through intermediaries — and so intermediaries like Atlas are well-equipped to stop such ads from appearing, if they care to do so.

Of course this Expedia/Atlas example is but one of many. See e.g. a more detailed example I posted in July 2004, showing a 180solutions ad for Hawaiian Airlines ad, also served by Atlas, substantially covering the Delta.com site.

A Case Study: Advertising Intermediaries Supporting 180solutions

Beyond the Expedia ad shown above, I’ve also been looking at all 180’s other ads, along with examining where these ads come from.

For those interested in advertisers supporting unwanted software, 180solutions is a natural place to start. 180solutions is often installed with no consent at all (videos: 1, 2), via misleading promises at kids sites, in poorly-disclosed bundles, and otherwise without appropriate notice and consent — so ads shown by 180 are presumptively unwanted. Meanwhile, my testing confirms that 180solutions tracks what web sites users visit — rightly earning the name “spyware” since 180 installations can be nonconsensual. 180 also attracts attention for its large installed base and substantial venture funding. Crucially, 180’s self-serve advertising sales system, MetricsDirect, lets anyone hire 180 to show a given ad URL when users visit URLs with a given keyword — without so much as speaking to a 180 representative. In combination, these factors make 180 among the worst offenders at showing problematic ads: Bad actors can use 180 to show advertisers’ sites to millions of users, without meaningful scrutiny by 180 and, thanks to ad intermediaries’ tracking systems, sometimes even without advertisers’ knowledge.

Earlier this month, I found that 180solutions tracks a total of 510,211 keywords within the URLs users visit. In my testing, 157,083 of these keywords are actively targeted with ads. A total of 88,388 distinct ads target these keywords. (As expected, many ads target more than one keyword. I measure “distinct ads” based on use of distinct ad URLs.)

Of these 88,388 ads, many pass through well-known intermediaries which serve to facilitate relationships between advertisers and 180; to track views, clicks, or purchases; and/or to track orcoordinate facilitate payment. The listing below gives a summary of the number of ads (of these 88,388) found to be actively loading content from the specified intermediaries. The listing reports only intermediaries associated with 500 or more different 180solutions ads.

Advertising intermediary
     # ads
Traditional banner ad networks / tracking services
Atlas DMT (aQuantive) (NASDAQ: AQNT)
2,666
Adteractive
2,231
DoubleClick (NASDAQ: DCLK)
1,352
FastClick (NASDAQ: FSTC)
513
Affiliate networks
ClickBank
1,054
Commission Junction (including BeFree) (ValueClick) (NASDAQ: VCLK)   
686
Syndicated search engine advertising
Google (NASDAQ: GOOG)
4,678

See disclosure as to Advertising.com (AOL).

Update: I’ve been asked for details about the “actively loading content from” criteria that governs inclusion in the table above. My scripts check for content loaded from an intermediary by looking for redirects, for loading an intermediary’s content in a FRAME or IFRAME, or for use of JavaScript to load arbitrary code from an intermediary. Most of the listed intermediaries primarily use the redirects and FRAME/IFRAME methods. But Google AdSense sites typically use JavaScript to load Google’s inline ads in a JavaScript-created subwindow. What all these practices have in common is that they actually show substantial content from the ad intermediary — not merely (for example) a small text link to an affiliate network.

Do Ad Intermediaries Intend to Support 180?

Multiple advertising intermediaries (and some big advertisers) have recently written to me to tell me that they “can’t” track how ads are being shown using their networks and systems. They apparently consider it impossible to track all their ads — so they think they shouldn’t be blamed if they fail, i.e. if their ads are shown through software installed improperly on users’ PCs.

I emphatically disagree. The task is definitely doable. I know because I’ve already done it.

advertisers
money viewers
ad intermediaries
(e.g. Commission Junction)
money viewers
independent intermediaries
(e.g. Top3offers)
money viewers
spyware
(e.g. 180solutions)

Flow of Traffic and Payments

Ad intermediaries are correct that the design of spyware and similar systems makes their traditional enforcement procedures ineffective. Historically, if an ad intermediary noticed that some client or site was showing its ads in a way the intermediary didn’t like, the intermediary could simply cancel the corresponding entity’s contract and withhold payments to that entity or refuse future business from that entity.

180solutions’ design (and others like it) wreaks havoc on this simple enforcement model. Many of 180’s ads are placed by 180 advertisers, acting in their own names, in general without disclosing that the resulting traffic will be shown in 180solutions pop-ups. For example, Top3offers.com pays 180solutions to show Top3offers URLs when users visit certain keywords pertaining to online dating. Top3offers then sends such traffic to Yahoo Personals via a Commission Junction tracking link, ultimately receiving payments for leads or signups. Yahoo and CJ did not request that Top3offers take any such action — and if they search their advertiser databases for 180solutions, they won’t find a match, because the underlying account is in the name of Top3offers, not 180. And of course Top3offers is just one of hundreds — thousands? — of middle-men using similar methods. (See e.g. ten specific examples I posted in detail last year — complete with packet logs, videos, etc.)

So it’s insufficient for ad intermediaries to merely search their databases for the names of known wrongdoers. Rather, rigorous enforcement requires examining actions, not just names. Savvy intermediaries need an enforcement system that monitors ads at trouble spots like 180solutions, that flags suspect ads shown there, and that does not naively assume that bad actors will be truthful in their statements to ad intermediaries. Conveniently, that’s precisely how my ad-tracking robot works — that’s precisely how I generated the table above.

This CJ/Top3offers example is just one of many, and of course facts vary across types of ad intermediaries. Because affiliate networks like Commission Junction generally pay commissions only when users make purchases, they tend to be particularly indiscriminate as to who can place such links and earn such commissions — operating under the mistaken assumption that if a user made a purchase, the traffic must have been legitimate. (They ignore the risk that the ad was improperly shown to the user, without appropriate prior consent.) Indeed, despite CJ having ended its direct relationship with 180, 180’s advertisers (the “independent intermediaries” in the diagram above) continue to run CJ links — apparently in the expectation of continuing to receive payment, i.e. because CJ won’t catch them. If CJ can’t identify and block this traffic, then CJ still earns its commissions on such traffic — so paradoxically CJ still profits from the activities of 180 and its advertisers.

How Google Gets Involved

PPC advertisers
money viewers
   Google (AdWords)   
money viewers
AdSense sites
money viewers
180solutions

Flow of Traffic and Payments via Google

Google’s relationship with 180 proceeds in the convoluted path shown at right. Pay-per-click advertisers pay Google to show their ads on Google’s AdSense partner sites. Some AdSense members then pay 180 to show the members’ sites via 180solutions popups, such that funding ultimately flows as shown at right: From pay-per-click advertiser to Google to AdSense member site to 180solutions. (Example.)

Google’s relationship with 180 merits special discussion for at least two reasons. First, where other intermediaries often withhold from making claims about the quality of the sites they track or serve, Google tells its advertisers that sites showing Google ads are “high-quality” and “reviewed and monitored according to … rigorous standards.” Furthermore, Google’s AdSense Program Policies provide that AdSense ads may not be displayed in pop-ups or via client software (like 180).

Second, notwithstanding Google’s statements about the quality of sites in its network, Google’s relationship with 180 is surprisingly large: Of the 88,388 current 180solutions ads, some 4,678 (5%+) include Google AdSense ads, making Google the most prevalent source of funding for web sites advertising with 180solutions (at least when measured by the methods set out above).

Despite the “quality” claims in Google’s statements to its advertisers, it is unclear what steps Google takes to enforce its stated rules. I sent an inquiry to Google staff two weeks ago, but I have not yet received a response.

That Google AdSense members promote their sites through pop-ups like 180’s is entirely foreseeable. Indeed, Google apparently foresaw this problem when it included AdSense policy text to specifically forbid this practice. Now that the problem is observed and now that it turns out to be substantial, will Google enforce its existing rule?

Update: In a blog entry responding to this piece, Eric Goldman concludes “nothing about traffic to AdSense sites sourced by adware vendors runs contrary to Google’s stated policies.” Perhaps I haven’t explained (what I view to be) the violation sufficiently clearly. So let me try again. First, AdSense Program Policies require that “No Google ad … may be displayed on any … pop-ups” — seemingly violated when 180 shows pop-ups of sites that include AdSense ads. Second, AdSense’s Terms and Conditions provide as follows (emphasis added):

“5. Prohibited Uses. You shall not, and shall not authorize or encourage any third party to … (vi) directly or indirectly accessAds … through or fromany software application.

My example shows behavior that seems to exactly match the prohibited activity: An AdSense site hires 180 (surely “authoriz[ation]” and “encourage[ment]” within the meaning of the rule) to show the AdSense site, including showing (and thereby “access[ing]”) the site’s AdSense ads, as a result of the 180 software application observing the user viewing certain targeted sites. To me, the inconsistency between this practice and the stated rule seems abundantly clear.

Methodology, Enhancements, and Future Work

For those interested in my methodology: I’ve previously written about how to learn what ads 180 shows when users visit certain sites. The results above are derived from this list of ad URLs by processing with a robot that looks at the contents of each ad URL, attempting to determine and classify any ad networks or other intermediaries forwarding users to other advertising elsewhere.

Because my robots are imperfect, my methods tend to undercount the number of ads actually coming from each ad intermediary. My robots can track and analyze most standard HTML, including server-side redirects, client-side redirects, frames, iframes, and even basic JavaScript. But encoded JavaScript and certain other tricks currently serve to stop my robots from successfully and fully analyzing all ads.

In the coming weeks I’ll be posting more specific data — perhaps a listing of specific ads shown through unwanted software on users’ PCs, passing through some or all of the ad intermediaries listed above; perhaps videos and packets logs examining particular examples in detail. Interested readers should feel free to send suggestions and requests. Note that my March 2005 eXact Advertising testing reported the intermediaries associated with most of eXact’s current ads.

Where Do We Go From Here?

At a recent NAI Spyware conference, advertising executives reportedly discussed “creating robot-like technology to follow … advertisement[s].” They’re on the right track — but it’s unfortunate that they’re still just “discussing” rather than actively moving forward with the work. If I can do the analysis above — using just my ordinary cablemodem, some VB scripts running within Microsoft Access, and a single spare PC in my lab — then surely NAI’s members can do a lot better.

NAI members like aQuantive and DoubleClick are currently placing and tracking thousands of ads that are helping to fund the unwanted software plaguing users’ PCs. The time for talking has long since ended.

Disclosure: I serve as a consultant to AOL on certain matters related to spyware. If AOL’s Advertising.com ads had been sufficiently frequent to meet the criteria for inclusion in the table, I would have included them. However, in fact AOL / Advertising.com serve/track/support substantially less than 500 ads shown by 180solutions, therefore not calling for inclusion in the table. This calculation is based on 180solutions ads as they stood before I sent AOL any report as to its Advertising.com ads being shown by or through 180solutions. To the extent that AOL’s numbers are below those of other ad intermediaries, I attribute this to AOL’s March 2005 decision to stop doing business with all adware companies.

Posted on

180 Talks a Big Talk, but Doesn’t Deliver updated February 4, 2005

The anti-spyware community has been abuzz all weekend with the news of spyware company 180solutions joining the Consortium of Anti-Spyware Technology (COAST). From the 180solutions press release:

“180solutions, a provider of search marketing solutions, today announced it has become a developer member of … COAST. … By working with COAST and complying with its strict Code of Ethics, standards and guidelines, 180solutions aligns itself with the organization’s governing companies, … PestPatrol, … Webroot. … “180solutions has passed a lengthy and rigorous review process demonstrating their commitment to develop and distribute spyware-free applications,” said Trey Barnes, executive director of COAST.”

Some specific worries:

Substantive conflict of commitment

COAST members PestPatrol and Webroot currently detect and remove 180 software. So these companies are (rightly!) telling their users that 180solutions software should be removed from users’ computers.

At the same time, according to 180’s press release, 180solutions is “releasing versions of its applications that have been reviewed and evaluated by COAST.” This press release, COAST’s “review” of 180 software, and COAST’s acceptance of 180 into its consortium can only be taken to constitute a COAST endorsement of 180. That’s a clear conflict with COAST members simultaneously recommending that users remove 180 software.

Then there’s the conflict of interest that inevitably arises whenever an anti-spyware company declares an alleged spyware provider to be legitimate. Users buying a vendor’s anti-spyware software think they’re buying that vendor’s best efforts to identify and remove software users don’t want. When the vendor instead accepts funds from a software provider, one making the kind of software that the vendor is supposed to be removing, users can’t help but wonder whose interests the vendor has in mind. To my mind, the better strategy is for anti-spyware vendors to refuse partnerships with any company making software that might colorably be claimed to be spyware. (See Xblock’s statement of policy.)

I don’t want to overstate the problem. So far, PestPatrol and Webroot still detect and remove 180 software. 180 isn’t listed on COAST’s Members page. And COAST members don’t directly receive the money 180 pays COAST.

But the latent problems remains: For a fee, COAST is certifying controversial providers of allegedly-unwanted software, dramatically complicating the role and duties of COAST and its members. COAST staff are providing favorable quotes in 180 press releases. Who can users trust?

180solutions installation practices are outrageous and unethical

180’s endorsement by COAST is particularly puzzling and particularly worrisome due to 180’s many bad business practices. Indeed, in my testing, 180’s installation practices remain among the worst in the industry. The details:

I have personally observed (and preserved in video recordings) more than two dozen instances of 180 software installed through security holes. (Example video.) Just yesterday, I browsed the Innovations of Wrestling site (iowrestling.com, proceed at your own risk), where viewing the site’s privacy policy invoked a security exploit installing more than a dozen unwanted programs, 180solutions software included. (Note that iowrestling’s installations are at least partially random, so it’s hard to replicate this result. But I kept a video and packet log of my findings.)

Even when 180 installers do request consent to install, the disclosure is often quite misleading. For example, I previously documented Kiwi Alpha installing 180, first mentioning 180 at page 16 of a 54-page license agreement. With 180’s installation warning buried in such a long text, ordinary users are unlikely to learn that Kiwi gives them 180. Certainly users don’t grant knowing consent to the installation.

180’s web site claims “no hiding,” but 180 uses a variety of tricks to make its software harder to find and remove. 180 sometimes uses randomized filenames which make its files unusually difficult to locate. 180 also installs itself into multiple directories — sometimes c:Program Files180solutions (or similar), but sometimes into the root of c:Program Files and sometimes directly into a user’s Windows directory. If uses do manage to find and delete some 180 files, another 180 program often pops up to request reinstallation. If these tricks don’t constitute hiding, I don’t know what does.

180’s controversial installation practices are not mere anomalies. I’ve observed these, and others like them, for months on end. Even 180solutions’ director of marketing sees the problem. See Seattle Post-Intelligencer article, reporting his admission that “n-Case could get bundled with other free software programs without the company’s knowledge [which] could lead to the n-Case software fastening to individual’s computers without their knowledge.”

How did 180 get into this mess? It seems 180 hasn’t been careful in choosing who they partner with. In fact, they recruit distributors (as well as advertisers) by unsolicited commercial email. See 20+ examples.

Interestingly, in its recent press release, 180 does not claim to have stopped these controversial practices. If 180 did make such a claim, I’d be able to disprove it easily — there are so many sources of 180 software installed without notice and consent. Instead, 180 claims only that they are working on a “transition” to improved business practices.

But this isn’t the first time 180 has promised to clean up its act. In March 2004, 180’s CEO claimed 180’s “Zango” product — then the new replacement for the older n-CASE — would give users more information before installation. In an April interview, he attributed to the old n-CASE product “certain users … who are not sure where or how they got our software,” but said “the Zango product … is a means to improve that.” On at least these two occasions, 180 has pledged to improve its practices. Nearly a year later, 180 software often still gets installed without notice or consent. So we’re still waiting for the promised improvements. Meanwhile, 180 continues to benefit profit from its millions of ill-gotten installations.

180solutions advertising practices are outrageous and unethical

Beyond controversial installation methods, 180 also deserves criticism for its intrusive and allegedly-anticompetitive advertising practices.

180 covering Delta.com with Hawaiian Airlines web site180 covering Delta.com with Hawaiian Airlines web site

When 180 covers a web site with one of its competitors, 180 doesn’t just show a small popup ad (like, say, Claria — not that Claria’s practices deserve praise). Instead, 180 opens a new web browser showing the competitor’s site, generally covering substantially all of the targeted web site. A user who wants to stick with the site he had previously requested must affirmatively close the new window — taking an extra step due to 180’s intervention. What would we think of a telephone company that connects a user to Gateway when the user dials 1-800-Dell-4-Me, unless the user then presses some extra key to return to what he had requested initially? The real-world analogy makes it almost too easy to assess 180’s legitimacy: No telephone company could get away with such a scam, yet 180’s advertising practices have gone largely unchallenged.

Even more problematic are 180 ads targeted at competitors’ check-out pages. Sometimes 180 lets a user browse a merchant’s web site uninterrupted, but when the user reaches the page requesting order confirmation, 180 then covers the merchant’s site with a competitor — interrupting the user’s purchase. Again, the real-world analogy is straightforward. Suppose one retailer sent its sales employees into a competitor’s store, to invite users to take their business elsewhere as they waited in line to reach the checkout counter. The intruding employees would be arrested as trespassers.

Then there are the thousands of 180 ads that include affiliate codes. Some of 180’s ads cover a web site with a competitor reached through an affiliate link. Via these ads, companies find themselves promoted by 180, and find themselves directly or indirectly paying commissions to 180 — all despite never requesting that 180 advertise or promote them.

Even worse are the 180 ads that target a merchant with its own affiliate links. Here, merchants end up paying affiliate commissions where they’re not otherwise due. For example, when users reach merchants’ sites by clicking through non-affiliate links or by typing merchants’ domain names, 180 nonetheless intercedes by opening affiliate links to merchants’ sites. Whether shown in double windows, hidden windows, or on-screen decoys, 180’s affiliate links make merchants’ commission-tracking systems think resulting purchases resulted from 180’s promotional efforts. Unless merchants figure out that they’re being cheated — being asked to pay commissions not fairly earned — 180 and its advertisers receive commission payments for users’ purchases. (Details; example.)

There’s plenty more to criticize about 180. To this day, installations on zango.com let users install 180 software without so much as seeing 180’s license agreement. Even 180’s current uninstall procedures give far more information than 180 provides prior to installation. And Andrew Clover reported 180 code that deletes competitors’ programs from users’ disks.

COAST’s credibility on the line

180’s claims of planned improvement are essentially unverifiable. Since 180 admits to a mix of permissible and impermissible installations, its claims of improvement cannot be falsified by critiquing current behavior. Instead, whenever I or others show 180 software installed without proper notice and consent, 180 can say this is just a remnant of prior practices not yet cleaned up in “transition.” By the plain text of 180’s press release, we’ll have to wait at least 90 days to prove that 180 isn’t living up to its promises to COAST and to users.

Why would COAST sign onto this bargain? MediaPost reports 180 paying COST a membership fee as large as $10,000 per year, so that gives one clear explanation. Also, notwithstanding participation by PestPatrol and Webroot, COAST’s past is hardly uncontroversial. In 2003, Lavasoft (makers of Ad-Aware) decided to leave COAST, complaining that COAST’s focus on “revenue generation … reflect[s] badly on the entire anti-trackware industry.” Similarly, Spybot refused to join COAST due to participation by companies that were, in Spybot’s view, unethical.

COAST’s credibility is on the line. I don’t see endorsement of software providers as an appropriate part of COAST’s mission. But even if such work were appropriate, 180 deserves no such praise — its history of outrageous practices and its continued use of such practices mean it should be criticized, not granted an award or endorsement.

Update (February 4): Reporting “concern” at COAST’s certification program, Webroot resigned from COAST.

Update (February 7): Computer Associates (makers of PestPatrol) also resigned from COAST. However, a CA spokesperson defended COAST’s endorsement procedure, calling such endorsements “valuable.”

Disclosure: I serve as a consultant to certain merchants concerned about fraudulent activities by 180solutions and its advertisers. I have advised certain attorneys and merchants concerned about 180solutions activities and practices.

Posted on

Cookie-Stuffing Targeting Major Affiliate Merchants

Certain affiliate web sites use pop-ups, pop-unders, IFRAMEs, JavaScript, and other methods to claim affiliate commissions on users purchases from affiliate merchants, even if users do not click on affiliates’ links to the merchants. This page documents selected affiliates using these practices and selected merchants suffering from these practices.

Overview & Summary

Affiliate tracking systems are intended to pay commissions to independent web sites (“affiliates”) when users click through these sites’ links to affiliate merchants. Merchants are not intended to pay commission when users merely visit affiliates’ sites. Instead, commission ordinarily only becomes payable in the event that a user 1) visits an affiliate’s site, 2) clicks through an affiliate link to a merchant, and 3) makes a purchase from that merchant.

However, some affiliates use “cookie-stuffing” methods to cause affiliate merchants’ tracking systems to conclude that a user has clicked through a tracking link (and to pay commissions accordingly) even if the user has not actually clicked through any such link. If the user subsequently makes a purchase from that merchant — immediately, or within the “return days” period specified by the merchant’s affiliate program — the affiliate then receives a commission on the user’s purchase.

This page presents the incentives that have allowed cookie-stuffing to continue, and captures selected examples of cookie-stuffing. See also the Affiliate Fraud Information Lookup, reporting of the number of observations Wesley Brandi and I have gathered in ongoing high-volume tests for cookie-stuffing.

Groups Affected by Cookie-Stuffing

Affiliate Networks Benefit from Cookie-Stuffing

Affiliate merchants ordinarily pay their affiliate networks a percentage of all affiliate revenues passing through the network. For example, Commission Junction’s public pricing list reports that CJ charges a merchant 30% of all amounts to be paid to affiliates. (In other words, if a merchant sells $1,000,000 of merchandise and pays a 5% affiliate commission, then it must pay $50,000 of commission to its affiliates. It must further pay 30% of $50,000, or $15,000, to Commission Junction.) As a result, in the first instance, affiliate networks benefit from cookie-stuffing. Such cookie-stuffing increases the total volume of sales flowing through affiliate networks, and increases the affiliate commissions on which, for example, CJ can charge a 30% fee.

Set against this short-run incentive is the long-term problem that if affiliate networks fall greatly in value to merchants, or if affiliate networks are perceived to facilitate fraud, then merchants may no longer be willing to pay affiliate commissions and affiliate network fees. But in the short run, affiliate networks benefit from more money flowing through their networks.

To date, affiliate networks have failed to aggressively pursue, stop, and punish those affiliates using cookie-stuffing. Indeed, LinkShare has repeatedly granted a $15,000 award to affiliates later found to be using cookie-stuffing. In each instance LinkShare subsequently withdrew the award after pressure from affiliates, merchants, and others. (See MediaPost coverage.) LinkShare’s repeated awards to affiliates using cookie-stuffing reveal that this technique extends to large affiliates and to well-regarded affiliates.

That said, affiliate networks’ black-letter rules generally officially prohibit cookie-stufing. For example, Commission Junction’s Publisher Service Agreement states that an affiliate publisher “may earn financial compensation … for transactions … made from such publisher’s web site … through a click made by a visitor … through an Internet connection (link) to a web site.” In all the examples set out below, no such click occurred, and therefore no commission is fairly earned given the limitations set out in the PSA.

Affiliate Merchants Suffer from Cookie-Stuffing

Affiliate merchants suffer financially from cookie-stuffing. Cookie-stuffing causes merchants to pay commissions that, according to program rules, they need not pay. Cookie-stuffing also causes merchants to pay commissions to the wrong affiliates — to affiliates who never caused an actual user click-through — which is likely to reduce the quality and effort of affiliates participating in the merchant’s program.

Cookie-Stuffers Profit from Cookie-Stuffing

Cookie-stuffing apparently proves profitable for those who do it. Suppose an affiliate ordinarily has a 10% click-through rate from its site to its merchants. The affiliate ordinarily receives affiliate commission only if a purchase is made by one of the 10% of users who clicks through the affiliate’s link. In contrast, by cookie-stuffing, the affiliate can claim commissions from any purchases made by the entire 100% of the affiliate’s visitors.

Rule-Following Affiliates Suffer from Cookie-Stuffing

Rule-following affiliates suffer from cookie-stuffing. For one, rule-following affiliates’ cookies may be overwritten by cookie-stuffers. Suppose a user clicks to affiliate site A, a rule-follower not using cookie-stuffing, and clicks through A’s link to a given merchant. The next day, the user visits affiliate site B, a rule-breaker using cookie-stuffing as to the same merchant site. Using cookie-stuffing, site B sets an affiliate tracking cookie that overwrites A’s cookie. If the user subsequently makes a purchase from the merchant, the affiliate commission will be paid to B, not A.

Rule-following affiliates also suffer from cookie-stuffing because cookie-stuffing encourages merchants to cut their commission rates. Without cookie-stuffing, merchants would be paying commissions on fewer orders. At least some merchants would likely then choose to increase commission paid on each order.

Specific Examples of Cookie-Stuffing

This section links to my research and testing, showing cookie-stuffing targeting major affiliate merchants. In initial reporting, I have focused on cookie-stuffing targeting merchants CJ designates as “featured” and on merchants who participate in discussion fora on ABestWeb.

The table below gives “clear-cut” examples of cookie-stuffing — affiliate HTML code that clearly shows intention to set affiliate cookies without a user clicking through any affiliate link.

MerchantCookie-Stuffing AffiliateDateNotes
Amazon (an independent merchant)Avxf (qufrho-20)10/6/08Broken IMG loaded within forum page. Details and video.
Amazon (an independent merchant)consumernow.com (jumpondealscom)11/6/04Obfuscation via a redirect. Details and video.
Amazon (an independent merchant)Bannertracker-script2/27/12JavaScript invisibly inserted into multiple independent sites via web server hacking. 200+ affiliate IDs in use. Details.
Amazon (an independent merchant) Imgwithsmiles 5/2/12Flash-based stuffing syndicated through Google AdSense display ad network. 49+ affiliate IDs in use. Details.
Argos (a CJ Advertiser)Eshop600 (3910892) 1/30/12Encoded JavaScript and invisible IMG. 26 cookies stuffed at once. Details.
Barnes & Noble (a CJ Featured BFAST Advertiser)dailyedeals.com (BFAST 26682568)11/4/04Misleading JavaScript comments. Details and video.
Buy.com (a CJ Advertiser)Couponcodesmall (2705091) 10/5/08Invisible IFRAME. Details and video.
Cooking.com (a LS Selected Merchant)dailyedeals.com (FZOkC4w7rNM)11/6/04Misleading JavaScript comments. Details and video.
Crucial.com (a CJ Featured Vantage Advertiser)dailyedeals.com (340672)11/2/04Details and video.
Dell (a LS Selected Merchant)jumpondeals.com (HAHu6s1Hzp4)11/5/04Obfuscation via a redirect. Details and video.
Dentalplans (an ABestWeb CJ merchant)consumernow.com (517038)11/6/04Obfuscation via a redirect. Details and video.
Drugstore.com (a LS Selected Merchant)dailyedeals.com (FZOkC4w7rNM)11/6/04Misleading JavaScript comments. Details and video.
Eastwood (an ABestWeb CJ merchant)aboutdiscounts.com (1311826)11/4/04SCRIPT after /HTML. Details and video.
eVitamins (an ABestWeb CJ merchant)couponvine.com (465743)11/4/04 Two-step JavaScript. Details and video.
Folica (a CJ merchant)ahugedeal.us (568228)11/8/04 Details and video.
Folica (a CJ merchant)ahugedeal.com (568228)10/25/05 Still occurring with same affiliate ID, 11+ months after prior reporting. Obfuscation via a redirect. Details and video.
FunToCollect (an ABestWeb CJ merchant)specialoffers.com (306244)11/6/04Obfuscation via a redirect. Details and video.
Globat (a CJ merchant)coupon-monkey.com (1446676)11/8/04/CLICK loaded in IMG tag. Details and video. Note: Coupon-monkey claims cookie-stuffing was accidental. Details.
HostGator (an independent merchant)Avxf (dsplcmnt01)10/6/08Broken IMG loaded within forum page. Details and video.
HSN (a CJ Featured BFAST Advertiser)coupons-coupon-codes.com (BFAST 38772000)11/4/04Obfuscation via external JavaScript and redirect. Details and video.
iPowerWeb (a CJ BFAST merchant)bids2buy.com (1525933)11/6/04Details and video.
Irv’s Luggage (an ABestWeb CJ merchant)edealinfo.com (600263)11/4/04IFRAME. Details and video.
JCWhitney (an ABestWeb CJ merchant)consumernow.com (517038)11/6/04Obfuscation via a redirect. Details and video.
LaptopsforLess (an ABestWeb CJ merchant)find-coupon.com (1525933)11/4/04Popup. Details and video.
Match.com (a CJ Featured Vantage Advertiser)asmartcoupon.com (1515738)11/4/04/CLICK loaded in IMG tags. Details and video.
MLB.COM (a CJ Featured Vantage Advertiser)edealinfo.com (600263)11/4/04IFRAME. Details and video.
Napster (a CJ front-page Featured Advertiser) coupons-online-coupon.com (1167113)11/4/04Popup. Details and video.
Netzero (a CJ Featured Vantage Advertiser)consumernow.com (517038)11/4/04Obfuscation via a redirect. Details and video.
Orbitz (a LS Selected merchant)thewinnersclub.net (HAHu6s1Hzp4)11/8/04Obfuscation via a redirect. Details and video.
Oreck (an ABestWeb CJ merchant)1couponstop.com (517038)11/4/04Obfuscation via a redirect. Details and video.
Overstock.com (an ABestWeb LS merchant)dailyedeals.com (FZOkC4w7rNM)11/5/04Misleading JavaScript comments. Details and video.
PetcareCentral (an ABestWeb CJ merchant)aboutdiscounts.com (276460)11/4/04SCRIPT after /HTML. Details and video.
Priceline (a CJ BFAST merchant)findsavings.com (40001021)11/7/04Details and video.
RapidSatellite (an ABestWeb CJ merchant)smartqpon.com (979227)11/4/04Details and video. Details and video.
Relaxtheback.com (a LS Selected Merchant)office-coupons-online.com (g/KOq4zlIIk)11/6/04 Details and video.
Shoes.com (an ABestWeb CJ merchant)ultimatecoupons.com / webbuyingguide.com (1417434)11/4/04Cookie tracking of popunder triggering. Details and video.
ShopNBC (a CJ Featured BFAST Advertiser)ultimatecoupons.com / webbuyingguide.com (BFAST 38954339)11/4/04IFRAME. Details and video.
SkinStore.com (a CJ BFAST merchant)discount-coupons-online.com (568228)11/6/04Details and video.
Spafinder.com (a LS Merchant)ultimatecoupons.com / webbuyingguide.com (OEu024dtHXs)11/6/04JavaScript URL variable. Details and video.
Toshiba (a CJ front-page Featured Advertiser)consumernow.com (517038)11/4/04Obfuscation via a redirect. Details and video.
TigerDirect.com (an ABestWeb CJ BFAST merchant)findsavings.com (39104038)11/5/04Details and video.
Travelocity (a CJ BFAST Selected merchant)xpcoupons.com (40031581)11/8/04IFRAME. Placed after /BODY. Details and video.

The table below gives additional examples of cookie-stuffing. In these examples, I see insufficient basis to determine whether the affiliate intended to set affiliate cookies without a user clicking through any affiliate link. Nonetheless, that is the net effect of the examples linked below.

MerchantCookie-Stuffing AffiliateDateNotes
DentalPlans (an ABestWeb CJ merchant)savings-center.com11/4/04FRAME. Details and video.
FunToCollect (an ABestWeb CJ merchant)goodbazaar.com11/4/04FRAME with META tags. Details and video.
JCWhitney (an ABestWeb CJ merchant)a2zrewards.com11/4/04FRAME with META tags. Details and video.
Travelocity (a CJ BFAST merchant)couponmountain.com11/8/04Redirect with META tags, broken BACK button. Details and video.

Because LinkShare’s compliance and quality problems are already well-known (e.g. as described above, as to LinkShare’s repeated Titanium Award missteps), the listing above focuses primarily on Commission Junction merchants.

Last Updated: May 8, 2012

Posted on

Pick-Pocket Pop-Ups

I’ve been writing for months — years! — about unwanted programs, installed on users’ PCs, that show users extra pop-up ads. There’s been lots to write about: The actual ads shown (WhenU’s and Gator’s), whether users grant meaningful consent (especially in the face of lengthy licenses), privacy (and possible privacy violations), and online marketing methods (like search engine spamming) sometimes used by companies in this space.

Today I present research about another problem, quite distinct from pop-ups: Programs that tamper with affiliate commissions. Call them stealware, thiefware, or even “pick-pocket pop-ups” (a term recently coined by Kenn Cukier), but their core method is surprisingly simple: Stealware companies join the affiliate networks that merchants operate — networks intended to pay commissions to independent web sites that recommend the merchants to their visitors. Then when users browse to targeted merchants’ sites, the stealware programs jump into action, causing merchants’ tracking systems to think users reached the merchants thanks to the stealware programs’ efforts.

Stealware raises several major policy concerns. For one, merchants risk throwing away money — paying commissions when none are due, increasing their costs, and ultimately raising prices for everyone. For another, legitimate affiliates lose commissions when stealware programs overwrite their tracking codes with stealware programs’ own codes. Finally, stealware puts affiliate networks (like LinkShare and Commission Junction) in a truly odd position: If the networks enforce their rules and remove stealware programs from their networks, then the networks shrink and receive smaller payments from merchants.

I’ve begun my research in this field with a particular program that I believe to be the largest and most prevalent of those that specifically seek to add and replace affiliate commissions: Like Gator and WhenU, Zango (from 180solutions / MetricsDirect) monitors users’ activities and sometimes shows popup ads (though 180’s ads are particularly large, often covering the entire browser window). But the real news is that Zango frequently sets and replaces affiliate tracking codes — as to some 300+ major merchants, using at least 49 different affiliate accounts and scores of redirect servers.

Much of Zango’s affiliate code replacement lacks any on-screen display. As a result, ordinary users (not to mention merchants’ testing staff) are unlikely to notice what’s going on. Where possible, I’ve captured Zango’s behavior with screenshots and videos. As to the rest, I’ve used my trusty network monitor to inspect the raw transmissions passing over my Ethernet wire.

Details:

The Effect of 180solutions on Affiliate Commissions and Merchants