Category: affiliate marketing

Affiliate marketing, cost-per-action, and other performance-based payments.

Posted on

180 Talks a Big Talk, but Doesn’t Deliver updated February 4, 2005

The anti-spyware community has been abuzz all weekend with the news of spyware company 180solutions joining the Consortium of Anti-Spyware Technology (COAST). From the 180solutions press release:

“180solutions, a provider of search marketing solutions, today announced it has become a developer member of … COAST. … By working with COAST and complying with its strict Code of Ethics, standards and guidelines, 180solutions aligns itself with the organization’s governing companies, … PestPatrol, … Webroot. … “180solutions has passed a lengthy and rigorous review process demonstrating their commitment to develop and distribute spyware-free applications,” said Trey Barnes, executive director of COAST.”

Some specific worries:

Substantive conflict of commitment

COAST members PestPatrol and Webroot currently detect and remove 180 software. So these companies are (rightly!) telling their users that 180solutions software should be removed from users’ computers.

At the same time, according to 180’s press release, 180solutions is “releasing versions of its applications that have been reviewed and evaluated by COAST.” This press release, COAST’s “review” of 180 software, and COAST’s acceptance of 180 into its consortium can only be taken to constitute a COAST endorsement of 180. That’s a clear conflict with COAST members simultaneously recommending that users remove 180 software.

Then there’s the conflict of interest that inevitably arises whenever an anti-spyware company declares an alleged spyware provider to be legitimate. Users buying a vendor’s anti-spyware software think they’re buying that vendor’s best efforts to identify and remove software users don’t want. When the vendor instead accepts funds from a software provider, one making the kind of software that the vendor is supposed to be removing, users can’t help but wonder whose interests the vendor has in mind. To my mind, the better strategy is for anti-spyware vendors to refuse partnerships with any company making software that might colorably be claimed to be spyware. (See Xblock’s statement of policy.)

I don’t want to overstate the problem. So far, PestPatrol and Webroot still detect and remove 180 software. 180 isn’t listed on COAST’s Members page. And COAST members don’t directly receive the money 180 pays COAST.

But the latent problems remains: For a fee, COAST is certifying controversial providers of allegedly-unwanted software, dramatically complicating the role and duties of COAST and its members. COAST staff are providing favorable quotes in 180 press releases. Who can users trust?

180solutions installation practices are outrageous and unethical

180’s endorsement by COAST is particularly puzzling and particularly worrisome due to 180’s many bad business practices. Indeed, in my testing, 180’s installation practices remain among the worst in the industry. The details:

I have personally observed (and preserved in video recordings) more than two dozen instances of 180 software installed through security holes. (Example video.) Just yesterday, I browsed the Innovations of Wrestling site (iowrestling.com, proceed at your own risk), where viewing the site’s privacy policy invoked a security exploit installing more than a dozen unwanted programs, 180solutions software included. (Note that iowrestling’s installations are at least partially random, so it’s hard to replicate this result. But I kept a video and packet log of my findings.)

Even when 180 installers do request consent to install, the disclosure is often quite misleading. For example, I previously documented Kiwi Alpha installing 180, first mentioning 180 at page 16 of a 54-page license agreement. With 180’s installation warning buried in such a long text, ordinary users are unlikely to learn that Kiwi gives them 180. Certainly users don’t grant knowing consent to the installation.

180’s web site claims “no hiding,” but 180 uses a variety of tricks to make its software harder to find and remove. 180 sometimes uses randomized filenames which make its files unusually difficult to locate. 180 also installs itself into multiple directories — sometimes c:Program Files180solutions (or similar), but sometimes into the root of c:Program Files and sometimes directly into a user’s Windows directory. If uses do manage to find and delete some 180 files, another 180 program often pops up to request reinstallation. If these tricks don’t constitute hiding, I don’t know what does.

180’s controversial installation practices are not mere anomalies. I’ve observed these, and others like them, for months on end. Even 180solutions’ director of marketing sees the problem. See Seattle Post-Intelligencer article, reporting his admission that “n-Case could get bundled with other free software programs without the company’s knowledge [which] could lead to the n-Case software fastening to individual’s computers without their knowledge.”

How did 180 get into this mess? It seems 180 hasn’t been careful in choosing who they partner with. In fact, they recruit distributors (as well as advertisers) by unsolicited commercial email. See 20+ examples.

Interestingly, in its recent press release, 180 does not claim to have stopped these controversial practices. If 180 did make such a claim, I’d be able to disprove it easily — there are so many sources of 180 software installed without notice and consent. Instead, 180 claims only that they are working on a “transition” to improved business practices.

But this isn’t the first time 180 has promised to clean up its act. In March 2004, 180’s CEO claimed 180’s “Zango” product — then the new replacement for the older n-CASE — would give users more information before installation. In an April interview, he attributed to the old n-CASE product “certain users … who are not sure where or how they got our software,” but said “the Zango product … is a means to improve that.” On at least these two occasions, 180 has pledged to improve its practices. Nearly a year later, 180 software often still gets installed without notice or consent. So we’re still waiting for the promised improvements. Meanwhile, 180 continues to benefit profit from its millions of ill-gotten installations.

180solutions advertising practices are outrageous and unethical

Beyond controversial installation methods, 180 also deserves criticism for its intrusive and allegedly-anticompetitive advertising practices.

180 covering Delta.com with Hawaiian Airlines web site180 covering Delta.com with Hawaiian Airlines web site

When 180 covers a web site with one of its competitors, 180 doesn’t just show a small popup ad (like, say, Claria — not that Claria’s practices deserve praise). Instead, 180 opens a new web browser showing the competitor’s site, generally covering substantially all of the targeted web site. A user who wants to stick with the site he had previously requested must affirmatively close the new window — taking an extra step due to 180’s intervention. What would we think of a telephone company that connects a user to Gateway when the user dials 1-800-Dell-4-Me, unless the user then presses some extra key to return to what he had requested initially? The real-world analogy makes it almost too easy to assess 180’s legitimacy: No telephone company could get away with such a scam, yet 180’s advertising practices have gone largely unchallenged.

Even more problematic are 180 ads targeted at competitors’ check-out pages. Sometimes 180 lets a user browse a merchant’s web site uninterrupted, but when the user reaches the page requesting order confirmation, 180 then covers the merchant’s site with a competitor — interrupting the user’s purchase. Again, the real-world analogy is straightforward. Suppose one retailer sent its sales employees into a competitor’s store, to invite users to take their business elsewhere as they waited in line to reach the checkout counter. The intruding employees would be arrested as trespassers.

Then there are the thousands of 180 ads that include affiliate codes. Some of 180’s ads cover a web site with a competitor reached through an affiliate link. Via these ads, companies find themselves promoted by 180, and find themselves directly or indirectly paying commissions to 180 — all despite never requesting that 180 advertise or promote them.

Even worse are the 180 ads that target a merchant with its own affiliate links. Here, merchants end up paying affiliate commissions where they’re not otherwise due. For example, when users reach merchants’ sites by clicking through non-affiliate links or by typing merchants’ domain names, 180 nonetheless intercedes by opening affiliate links to merchants’ sites. Whether shown in double windows, hidden windows, or on-screen decoys, 180’s affiliate links make merchants’ commission-tracking systems think resulting purchases resulted from 180’s promotional efforts. Unless merchants figure out that they’re being cheated — being asked to pay commissions not fairly earned — 180 and its advertisers receive commission payments for users’ purchases. (Details; example.)

There’s plenty more to criticize about 180. To this day, installations on zango.com let users install 180 software without so much as seeing 180’s license agreement. Even 180’s current uninstall procedures give far more information than 180 provides prior to installation. And Andrew Clover reported 180 code that deletes competitors’ programs from users’ disks.

COAST’s credibility on the line

180’s claims of planned improvement are essentially unverifiable. Since 180 admits to a mix of permissible and impermissible installations, its claims of improvement cannot be falsified by critiquing current behavior. Instead, whenever I or others show 180 software installed without proper notice and consent, 180 can say this is just a remnant of prior practices not yet cleaned up in “transition.” By the plain text of 180’s press release, we’ll have to wait at least 90 days to prove that 180 isn’t living up to its promises to COAST and to users.

Why would COAST sign onto this bargain? MediaPost reports 180 paying COST a membership fee as large as $10,000 per year, so that gives one clear explanation. Also, notwithstanding participation by PestPatrol and Webroot, COAST’s past is hardly uncontroversial. In 2003, Lavasoft (makers of Ad-Aware) decided to leave COAST, complaining that COAST’s focus on “revenue generation … reflect[s] badly on the entire anti-trackware industry.” Similarly, Spybot refused to join COAST due to participation by companies that were, in Spybot’s view, unethical.

COAST’s credibility is on the line. I don’t see endorsement of software providers as an appropriate part of COAST’s mission. But even if such work were appropriate, 180 deserves no such praise — its history of outrageous practices and its continued use of such practices mean it should be criticized, not granted an award or endorsement.

Update (February 4): Reporting “concern” at COAST’s certification program, Webroot resigned from COAST.

Update (February 7): Computer Associates (makers of PestPatrol) also resigned from COAST. However, a CA spokesperson defended COAST’s endorsement procedure, calling such endorsements “valuable.”

Disclosure: I serve as a consultant to certain merchants concerned about fraudulent activities by 180solutions and its advertisers. I have advised certain attorneys and merchants concerned about 180solutions activities and practices.

Posted on

Video: eBates Installed through Security Holes

I’ve long been a fan of online shopping site Ebates. Sign up for their service, visit their web site, click through their special links to merchants (including merchants as distinguished as Dell, Expedia, IBM, and L.L. Bean), and earn a small cash back, generally a few percent of your purchase.

But another side of Ebates’ business has become controversial: Ebates uses a software download called “Moe Money Maker” (MMM) to automatically claim merchants’ affiliate commissions, then pay users rebates — even if users don’t visit Ebates’ web site, and even if users don’t click through Ebates’ special links.

Why the controversy? I see at least two worries:

1) Aggressive software installations.

  • Partial screen-shot taken from video of Ebates installation through a security hole, without any notice or consent.Partial screen-shot taken from video of Ebates installation through a security hole, without any notice or consent.

    Users visiting ebates.com can receive MMM software merely by filling out a form and failing to uncheck the “I would like to download MMM” checkbox (checked by default).

  • Users downloading certain third-party programs (screen-savers and the like) receive MMM as part of the bundle — disclosed, in my testing, but often with a long license in a small box, such that many users don’t fully understand what they’re getting.
  • Most troublingly, there have been persistent allegations of Ebates installed without any notice or consent whatsoever. I had always discounted these allegations until I saw the proof for myself earlier last month. See video of Ebates MMM installed through security holes.

2) Claiming affiliate commissions that would otherwise accrue to other affiliates. Many web sites receive affiliate commissions when users make purchases through special links to merchants’ web sites. (See e.g. Lawrence Lessig‘s “Get It Here” page.) Network rules (Commission Junction , Linkshare) prohibit Ebates from interceding in these transactions; instead, the independent web sites are to receive the commissions for purchases through their links. But Ebates’ software sometimes claims commissions anyway — specifically contrary to applicable rules. These behaviors have been alleged and reported for years, and recently documented in a series of videos (videos of particular interest. Apple, Cooking.com, Diamonds International, JJill, Lillian Vernon, Sharper Image, Sony). If Ebates’ prohibited interventions were only temporary, they would be easy to sweep away as mere malfunctions. But when problems continue for years, to Ebates’ direct financial benefit and to others’ detriment, the behavior becomes harder to disregard.

Meanwhile, Ebates has inspired copy-cat programs with similar business models but even more controversial execution. I’ve recently made literally scores of videos of eXactAdvertising‘s CashBack by BargainBuddy installed through security holes, and also of TopRebates/WebRebates installed through security holes — always without any notice or consent whatsoever. These programs remain participants in the Commission Junction and LinkShare networks — presumably receiving commissions from these networks and their many merchants (CashBack merchants, TopRebates merchants). I’m surprised that so many merchants continue to do business with these software providers — including so many big merchants, who in other contexts would never consider partnering with software installed without notice and consent.

I think the core problem here is skewed incentives. Affiliate networks (CJ and LinkShare) have no financial incentive to limit Ebates’ operation. Instead, the more commissions claimed by Ebates, the more money flows through the networks — letting the networks charge fees of their own. In principle we might expect merchants to refuse to pay commissions not fairly earned — but merchants’ affiliate managers sometimes have secondary motives too. In particular, affiliate managers tend to get bonuses when their affiliate programs grow, which surely makes them particularly hesitant to turn away the large transaction volume brought by MMM’s automatic commission system. That’s not to say some merchants don’t knowingly and intentionally participate in Ebates — some merchants understand that they’ll be paying Ebates a commission on users’ purchases even when users type in merchants’ web addresses directly, and some merchants don’t mind paying these fees. But on the whole I worry that Ebates isn’t doing much good for many merchants, even as its software comes to be installed on more and users’ PCs, with or without their consent.

The Ebates Money trail: users -> merchants -> affiliate networks -> Ebates -> Ebates distributorsThe Ebates Money trail: users -> merchants -> affiliate networks -> Ebates -> Ebates distributors

For users who share my continued interest in following the money trail, the diagram at right summarizes Ebates’ complicated business model. Users make purchases from merchants, causing merchants to pay affiliate commissions (via affiliate networks such as LinkShare and Commission Junction) to Ebates. Ebates in turn pays commissions to those who cause its software to be installed, including those installers who install Ebates’ software through security holes, without notice or consent.

Ebates Terms & Conditions Allow Removing Other Programs

Finally, note that Ebates has joined the ranks of software providers who, in their EULAs, claim the right to remove other software programs. Ebates’ MMM Terms & Conditions demand:

“Ebates may disable or uninstall any other product or software tool that might interfere with the operability of the Moe Money Maker Software or otherwise preempt or render inoperative the Moe Money Maker Software … In installing the Moe Money Maker Software, you authorize Ebates to disable, uninstall, or delete any application or software that might, in Ebates’ opinion nullify its function.”

Ebates is right to worry that a user can only successfully run a single automatic commission-claiming program. But this license language allows Ebates to delete far more than competing commission programs. For example, if Ad-Aware removes MMM as spyware, thereby “interfering with the operability” of MMM, then the license purports to give Ebates the right to remove Ad-Aware.

Update (December 15): Ebates staff wrote to me to report that they have narrowed the clause quoted above. Ebates’ current Terms allow disabling only “shoping or discount software,” not general-purpose software removal tools like Ad-Aware. Ebates staff further note that they have never exercised the rights granted under the prior Terms text. However, Archive.org reports that Ebates’ Terms included the broad “any application or software” language as long ago as August 2003.

Thanks to Ian Lee, Internet Marketing Strategist & Affiliate Manager of ADS-Links.com, for recommendations on video production methods.

Posted on

Cookie-Stuffing Targeting Major Affiliate Merchants

Certain affiliate web sites use pop-ups, pop-unders, IFRAMEs, JavaScript, and other methods to claim affiliate commissions on users purchases from affiliate merchants, even if users do not click on affiliates’ links to the merchants. This page documents selected affiliates using these practices and selected merchants suffering from these practices.

Overview & Summary

Affiliate tracking systems are intended to pay commissions to independent web sites (“affiliates”) when users click through these sites’ links to affiliate merchants. Merchants are not intended to pay commission when users merely visit affiliates’ sites. Instead, commission ordinarily only becomes payable in the event that a user 1) visits an affiliate’s site, 2) clicks through an affiliate link to a merchant, and 3) makes a purchase from that merchant.

However, some affiliates use “cookie-stuffing” methods to cause affiliate merchants’ tracking systems to conclude that a user has clicked through a tracking link (and to pay commissions accordingly) even if the user has not actually clicked through any such link. If the user subsequently makes a purchase from that merchant — immediately, or within the “return days” period specified by the merchant’s affiliate program — the affiliate then receives a commission on the user’s purchase.

This page presents the incentives that have allowed cookie-stuffing to continue, and captures selected examples of cookie-stuffing. See also the Affiliate Fraud Information Lookup, reporting of the number of observations Wesley Brandi and I have gathered in ongoing high-volume tests for cookie-stuffing.

Groups Affected by Cookie-Stuffing

Affiliate Networks Benefit from Cookie-Stuffing

Affiliate merchants ordinarily pay their affiliate networks a percentage of all affiliate revenues passing through the network. For example, Commission Junction’s public pricing list reports that CJ charges a merchant 30% of all amounts to be paid to affiliates. (In other words, if a merchant sells $1,000,000 of merchandise and pays a 5% affiliate commission, then it must pay $50,000 of commission to its affiliates. It must further pay 30% of $50,000, or $15,000, to Commission Junction.) As a result, in the first instance, affiliate networks benefit from cookie-stuffing. Such cookie-stuffing increases the total volume of sales flowing through affiliate networks, and increases the affiliate commissions on which, for example, CJ can charge a 30% fee.

Set against this short-run incentive is the long-term problem that if affiliate networks fall greatly in value to merchants, or if affiliate networks are perceived to facilitate fraud, then merchants may no longer be willing to pay affiliate commissions and affiliate network fees. But in the short run, affiliate networks benefit from more money flowing through their networks.

To date, affiliate networks have failed to aggressively pursue, stop, and punish those affiliates using cookie-stuffing. Indeed, LinkShare has repeatedly granted a $15,000 award to affiliates later found to be using cookie-stuffing. In each instance LinkShare subsequently withdrew the award after pressure from affiliates, merchants, and others. (See MediaPost coverage.) LinkShare’s repeated awards to affiliates using cookie-stuffing reveal that this technique extends to large affiliates and to well-regarded affiliates.

That said, affiliate networks’ black-letter rules generally officially prohibit cookie-stufing. For example, Commission Junction’s Publisher Service Agreement states that an affiliate publisher “may earn financial compensation … for transactions … made from such publisher’s web site … through a click made by a visitor … through an Internet connection (link) to a web site.” In all the examples set out below, no such click occurred, and therefore no commission is fairly earned given the limitations set out in the PSA.

Affiliate Merchants Suffer from Cookie-Stuffing

Affiliate merchants suffer financially from cookie-stuffing. Cookie-stuffing causes merchants to pay commissions that, according to program rules, they need not pay. Cookie-stuffing also causes merchants to pay commissions to the wrong affiliates — to affiliates who never caused an actual user click-through — which is likely to reduce the quality and effort of affiliates participating in the merchant’s program.

Cookie-Stuffers Profit from Cookie-Stuffing

Cookie-stuffing apparently proves profitable for those who do it. Suppose an affiliate ordinarily has a 10% click-through rate from its site to its merchants. The affiliate ordinarily receives affiliate commission only if a purchase is made by one of the 10% of users who clicks through the affiliate’s link. In contrast, by cookie-stuffing, the affiliate can claim commissions from any purchases made by the entire 100% of the affiliate’s visitors.

Rule-Following Affiliates Suffer from Cookie-Stuffing

Rule-following affiliates suffer from cookie-stuffing. For one, rule-following affiliates’ cookies may be overwritten by cookie-stuffers. Suppose a user clicks to affiliate site A, a rule-follower not using cookie-stuffing, and clicks through A’s link to a given merchant. The next day, the user visits affiliate site B, a rule-breaker using cookie-stuffing as to the same merchant site. Using cookie-stuffing, site B sets an affiliate tracking cookie that overwrites A’s cookie. If the user subsequently makes a purchase from the merchant, the affiliate commission will be paid to B, not A.

Rule-following affiliates also suffer from cookie-stuffing because cookie-stuffing encourages merchants to cut their commission rates. Without cookie-stuffing, merchants would be paying commissions on fewer orders. At least some merchants would likely then choose to increase commission paid on each order.

Specific Examples of Cookie-Stuffing

This section links to my research and testing, showing cookie-stuffing targeting major affiliate merchants. In initial reporting, I have focused on cookie-stuffing targeting merchants CJ designates as “featured” and on merchants who participate in discussion fora on ABestWeb.

The table below gives “clear-cut” examples of cookie-stuffing — affiliate HTML code that clearly shows intention to set affiliate cookies without a user clicking through any affiliate link.

MerchantCookie-Stuffing AffiliateDateNotes
Amazon (an independent merchant)Avxf (qufrho-20)10/6/08Broken IMG loaded within forum page. Details and video.
Amazon (an independent merchant)consumernow.com (jumpondealscom)11/6/04Obfuscation via a redirect. Details and video.
Amazon (an independent merchant)Bannertracker-script2/27/12JavaScript invisibly inserted into multiple independent sites via web server hacking. 200+ affiliate IDs in use. Details.
Amazon (an independent merchant) Imgwithsmiles 5/2/12Flash-based stuffing syndicated through Google AdSense display ad network. 49+ affiliate IDs in use. Details.
Argos (a CJ Advertiser)Eshop600 (3910892) 1/30/12Encoded JavaScript and invisible IMG. 26 cookies stuffed at once. Details.
Barnes & Noble (a CJ Featured BFAST Advertiser)dailyedeals.com (BFAST 26682568)11/4/04Misleading JavaScript comments. Details and video.
Buy.com (a CJ Advertiser)Couponcodesmall (2705091) 10/5/08Invisible IFRAME. Details and video.
Cooking.com (a LS Selected Merchant)dailyedeals.com (FZOkC4w7rNM)11/6/04Misleading JavaScript comments. Details and video.
Crucial.com (a CJ Featured Vantage Advertiser)dailyedeals.com (340672)11/2/04Details and video.
Dell (a LS Selected Merchant)jumpondeals.com (HAHu6s1Hzp4)11/5/04Obfuscation via a redirect. Details and video.
Dentalplans (an ABestWeb CJ merchant)consumernow.com (517038)11/6/04Obfuscation via a redirect. Details and video.
Drugstore.com (a LS Selected Merchant)dailyedeals.com (FZOkC4w7rNM)11/6/04Misleading JavaScript comments. Details and video.
Eastwood (an ABestWeb CJ merchant)aboutdiscounts.com (1311826)11/4/04SCRIPT after /HTML. Details and video.
eVitamins (an ABestWeb CJ merchant)couponvine.com (465743)11/4/04 Two-step JavaScript. Details and video.
Folica (a CJ merchant)ahugedeal.us (568228)11/8/04 Details and video.
Folica (a CJ merchant)ahugedeal.com (568228)10/25/05 Still occurring with same affiliate ID, 11+ months after prior reporting. Obfuscation via a redirect. Details and video.
FunToCollect (an ABestWeb CJ merchant)specialoffers.com (306244)11/6/04Obfuscation via a redirect. Details and video.
Globat (a CJ merchant)coupon-monkey.com (1446676)11/8/04/CLICK loaded in IMG tag. Details and video. Note: Coupon-monkey claims cookie-stuffing was accidental. Details.
HostGator (an independent merchant)Avxf (dsplcmnt01)10/6/08Broken IMG loaded within forum page. Details and video.
HSN (a CJ Featured BFAST Advertiser)coupons-coupon-codes.com (BFAST 38772000)11/4/04Obfuscation via external JavaScript and redirect. Details and video.
iPowerWeb (a CJ BFAST merchant)bids2buy.com (1525933)11/6/04Details and video.
Irv’s Luggage (an ABestWeb CJ merchant)edealinfo.com (600263)11/4/04IFRAME. Details and video.
JCWhitney (an ABestWeb CJ merchant)consumernow.com (517038)11/6/04Obfuscation via a redirect. Details and video.
LaptopsforLess (an ABestWeb CJ merchant)find-coupon.com (1525933)11/4/04Popup. Details and video.
Match.com (a CJ Featured Vantage Advertiser)asmartcoupon.com (1515738)11/4/04/CLICK loaded in IMG tags. Details and video.
MLB.COM (a CJ Featured Vantage Advertiser)edealinfo.com (600263)11/4/04IFRAME. Details and video.
Napster (a CJ front-page Featured Advertiser) coupons-online-coupon.com (1167113)11/4/04Popup. Details and video.
Netzero (a CJ Featured Vantage Advertiser)consumernow.com (517038)11/4/04Obfuscation via a redirect. Details and video.
Orbitz (a LS Selected merchant)thewinnersclub.net (HAHu6s1Hzp4)11/8/04Obfuscation via a redirect. Details and video.
Oreck (an ABestWeb CJ merchant)1couponstop.com (517038)11/4/04Obfuscation via a redirect. Details and video.
Overstock.com (an ABestWeb LS merchant)dailyedeals.com (FZOkC4w7rNM)11/5/04Misleading JavaScript comments. Details and video.
PetcareCentral (an ABestWeb CJ merchant)aboutdiscounts.com (276460)11/4/04SCRIPT after /HTML. Details and video.
Priceline (a CJ BFAST merchant)findsavings.com (40001021)11/7/04Details and video.
RapidSatellite (an ABestWeb CJ merchant)smartqpon.com (979227)11/4/04Details and video. Details and video.
Relaxtheback.com (a LS Selected Merchant)office-coupons-online.com (g/KOq4zlIIk)11/6/04 Details and video.
Shoes.com (an ABestWeb CJ merchant)ultimatecoupons.com / webbuyingguide.com (1417434)11/4/04Cookie tracking of popunder triggering. Details and video.
ShopNBC (a CJ Featured BFAST Advertiser)ultimatecoupons.com / webbuyingguide.com (BFAST 38954339)11/4/04IFRAME. Details and video.
SkinStore.com (a CJ BFAST merchant)discount-coupons-online.com (568228)11/6/04Details and video.
Spafinder.com (a LS Merchant)ultimatecoupons.com / webbuyingguide.com (OEu024dtHXs)11/6/04JavaScript URL variable. Details and video.
Toshiba (a CJ front-page Featured Advertiser)consumernow.com (517038)11/4/04Obfuscation via a redirect. Details and video.
TigerDirect.com (an ABestWeb CJ BFAST merchant)findsavings.com (39104038)11/5/04Details and video.
Travelocity (a CJ BFAST Selected merchant)xpcoupons.com (40031581)11/8/04IFRAME. Placed after /BODY. Details and video.

The table below gives additional examples of cookie-stuffing. In these examples, I see insufficient basis to determine whether the affiliate intended to set affiliate cookies without a user clicking through any affiliate link. Nonetheless, that is the net effect of the examples linked below.

MerchantCookie-Stuffing AffiliateDateNotes
DentalPlans (an ABestWeb CJ merchant)savings-center.com11/4/04FRAME. Details and video.
FunToCollect (an ABestWeb CJ merchant)goodbazaar.com11/4/04FRAME with META tags. Details and video.
JCWhitney (an ABestWeb CJ merchant)a2zrewards.com11/4/04FRAME with META tags. Details and video.
Travelocity (a CJ BFAST merchant)couponmountain.com11/8/04Redirect with META tags, broken BACK button. Details and video.

Because LinkShare’s compliance and quality problems are already well-known (e.g. as described above, as to LinkShare’s repeated Titanium Award missteps), the listing above focuses primarily on Commission Junction merchants.

Last Updated: May 8, 2012

Posted on

Pick-Pocket Pop-Ups

I’ve been writing for months — years! — about unwanted programs, installed on users’ PCs, that show users extra pop-up ads. There’s been lots to write about: The actual ads shown (WhenU’s and Gator’s), whether users grant meaningful consent (especially in the face of lengthy licenses), privacy (and possible privacy violations), and online marketing methods (like search engine spamming) sometimes used by companies in this space.

Today I present research about another problem, quite distinct from pop-ups: Programs that tamper with affiliate commissions. Call them stealware, thiefware, or even “pick-pocket pop-ups” (a term recently coined by Kenn Cukier), but their core method is surprisingly simple: Stealware companies join the affiliate networks that merchants operate — networks intended to pay commissions to independent web sites that recommend the merchants to their visitors. Then when users browse to targeted merchants’ sites, the stealware programs jump into action, causing merchants’ tracking systems to think users reached the merchants thanks to the stealware programs’ efforts.

Stealware raises several major policy concerns. For one, merchants risk throwing away money — paying commissions when none are due, increasing their costs, and ultimately raising prices for everyone. For another, legitimate affiliates lose commissions when stealware programs overwrite their tracking codes with stealware programs’ own codes. Finally, stealware puts affiliate networks (like LinkShare and Commission Junction) in a truly odd position: If the networks enforce their rules and remove stealware programs from their networks, then the networks shrink and receive smaller payments from merchants.

I’ve begun my research in this field with a particular program that I believe to be the largest and most prevalent of those that specifically seek to add and replace affiliate commissions: Like Gator and WhenU, Zango (from 180solutions / MetricsDirect) monitors users’ activities and sometimes shows popup ads (though 180’s ads are particularly large, often covering the entire browser window). But the real news is that Zango frequently sets and replaces affiliate tracking codes — as to some 300+ major merchants, using at least 49 different affiliate accounts and scores of redirect servers.

Much of Zango’s affiliate code replacement lacks any on-screen display. As a result, ordinary users (not to mention merchants’ testing staff) are unlikely to notice what’s going on. Where possible, I’ve captured Zango’s behavior with screenshots and videos. As to the rest, I’ve used my trusty network monitor to inspect the raw transmissions passing over my Ethernet wire.

Details:

The Effect of 180solutions on Affiliate Commissions and Merchants