Zango’s Compliance Problems

Last November, Zango and the FTC announced a settlement of the FTC’s investigation of Zango’s practices. Among the key requirements: Zango agreed to install only after “clearly and prominently disclos[ing] the material terms [of its software] prior to the display of, and separate from, any [EULA].” Zango further agreed to label each of its ads with a “clear[] and prominent[]” marking as to the source of the ad, as well as a hyperlink to removal and complaint procedures.

Some of Zango’s installations do some of what the settlement requires. But others don’t. Today I’m posting a critique. In a series of screenshots, I show widespread Zango installations with no disclosure outside of a EULA. I also present numerous Zango ads appearing with no labeling at all. Details:

Zango Practices Violating Zango’s Recent Settlement with the FTC

ComScore Doesn’t Always Get Consent updated July 26, 2007

This past Wednesday, ComScore raised $82 million in an IPO that jumped 42% in its first day of trading. Some investors clearly like ComScore’s business, but I wonder whether they fully understand ComScore’s business model, privacy implications, and poor track record of nonconsensual installations.

ComScore’s tracking software is remarkably invasive. The privacy policy for ComScore’s RelevantKnowledge tracking program purports to grant ComScore the right to track users’ name and address, browsing, shopping, and even “online accounts … includ[ing] personal financial [and] health information.” Based on these privacy concerns, well-respected security researchers have long warned about ComScore’s software. For example, in 2004 Cornell University began blocking all communications with ComScore’s MarketScore tracking servers. Multiple other universities (including Columbia University and Indiana University) followed up with special warnings to their users.

At least as serious are ComScore’s installation practices. ComScore pays independent distributors to install ComScore software onto users’ computers. Predictably, some of these distributors install ComScore software without getting user consent. Some specific examples:

  • On Wednesday (June 27, 2007), I browsed ExitExchange, a well-known banner farm widely loaded in popups and popunders by various sites (as well as some spyware programs). ExitExchange showed several ads, one of which performed a security exploit that installed ComScore’s RelevantKnowledge. See video proof. Notice the exploit beginning at 0:12. When I ran a HijackThis scan to check for infections (0:29), I found RelevantKnowledge’s “rk.exe” already running (1:10), even though I had not granted permission for it to install. Packet log analysis indicates that the installation was performed by Topinstalls and by Searchclickads. The installation was predicated on two simultaneous attempted exploits — one using a Java vulnerability, another using a Microsoft MSXML vulnerability. Also installed (all without my consent): Deskwizz/Searchingbooth, Look2me, and WebBuying, among others not yet identified.
  • I previously observed and recorded a substantially similar nonconsensual installation of RelevantKnowledge (by these same distributors) on April 26, 2007.
  • Spyware researchers at Sunbelt Software observed a nonconsensual installation of RelevantKnowledge, seemingly by these same distributors, earlier in June 2007. Sunbelt staff browsed FirstStolz and received an exploit that installed TopInstalls and Searchclickads, which in turn installed RelevantKnowledge.
  • In August-September 2006, I repeatedly observed RelevantKnowledge installed by DollarRevenue, a notorious spyware bundler (subsequently shut down by Dutch law enforcement). In my testing, DollarRevenue installed RelevantKnowledge software without users’ consent. ComScore staff later admitted they had “engaged in partnership negotiations with DollarRevenue.” ComScore claims it never paid DollarRevenue — but I personally observed and recorded DollarRevenue installing ComScore software onto my testing systems.
  • In November 2005, I observed ComScore’s MarketScore software installed by PacerD, a notorious spyware bundler that installed through widespread exploits syndicated through ad networks. PacerD installed RelevantKnowledge without user consent.
  • In April 2007, I observed ComScore’s MarketScore software installed when users request and install a media converter program. The inclusion of MarketScore was disclosed only if users scrolled to page four of a box simply labeled “License Agreement.” No on-screen label indicated that multiple documents were concatenated into that single scroll box, nor did any short notice or other prominent text make any mention of RelevantKnowledge’s presence or effects. These omissions stand in stark contrast to recent FTC precedent requiring “clear and prominent disclosure of material terms prior to and separate from any end user license agreement.”

ComScore’s nonconsensual installations are particularly notable because TRUSTe’s Trusted Download program recently granted a certification (albeit “provisional”) to ComScore’s RelevantKnowledge software. I’ve previously criticized other TRUSTe certifications — concerned that TRUSTe-certified sites may be no safer than other sites, and arguably less safe. That said, to TRUSTe’s credit, Integrated Search Technologies’ Vomba is no longer on TRUSTe’s Trusted Download list — albeit a result that TRUSTe attributes to Vomba’s financial concerns rather than to security researcherscritique of Vomba’s practices and lineage. Whatever the reasons for IST’s removal, perhaps ComScore’s MarketScorecould stand for an equally thorough review.

ComScore also boasts a “WebTrust” seal from Ernst & Young. See the associated Audit Report. Ernst & Young indicates that it “test[ed] and evaluat[ed] the operating effectiveness” of ComSCore’s internal controls but concedes that “error or fraud may occur and not be detected.”

Update – TRUSTe’s Response (July 26, 2007)

On Friday July 20 — well after the close of the East Coast business day, and fully three weeks after I first reported the nonconsensual installs described above — TRUSTe announced that ComScore’s RelevantKnowledge has been removed from the Trusted Download whitelist for three months.

I have mixed views about this outcome. On one hand, it’s certainly an improvement from prior TRUSTe practice, during which companies as notorious as Direct Revenue were allowed to continue to hold TRUSTe privacy seals despite widespread nonconsensual installations. But a comment from Sunbelt Software’s Eric Howes offers compelling concerns. Eric explains:

[TRUSTe has] essentially decided to continue working with ComScore, provided ComScore spends a token amount of time in the “naughty corner.” … Who loses as a result? Consumers and web surfers ultimately, as ComScore will be allowed to continue plying its trade of surreptitious, underhanded installs of its RelevantKnowledge software to support some very aggressive and intrusive data collection on unsuspecting users’ machines, all with PR cover from TRUSTe.

Eric also cites a June 27 exchange between Sunbelt CEO Alex Eckleberry and TRUSTe’s Colin O’Malley. Transcribing from the audio recording of the Anti-Spyware Coalition‘s public workshop :

Alex Eckelberry: “So what if you have an application that is installing through an exploit? Do those guys go through a probationary process, or do they just get cut off? Are they just gone?”

Colin O’Malley: “If they’re installing through an exploit, that’s covered in what’s described in what we describe as our prohibited activities. That’s not an activity that is acceptable by any level of notice, and so they’re terminated immediately.”

Alex Eckelberry: “Good. OK.”

Remarkably, TRUSTe’s spokesperson now claims Colin promised termination only when a vendor itself uses exploits, but not when its distributors do so. Reports Vnunet: “‘Colin [O’Malley]’s remarks were specifically about a company that is directly responsible,’ the spokesperson explained. ‘In this case, it was the affiliate that was exploiting the flaw.'”

I’ve read and reread the exchange, and listened repeatedly for good measure. On my interpretation, Colin plainly promised to terminate any vendor whose software is becoming installed through exploits — no matter whether the vendor itself performs the exploit, or whether the exploit is performed by one of the vendor’s distributors. I reach this conclusion for two separate reasons:

1) The plain language of Alex’s question is intentionally inclusive as to who is doing the installation. Notice the broad “that is installing” — vague as to how exactly the installation is occurring.

2) Distributor-perpetrated exploit installs have been standard practice in the “adware” industrry. That’s what I widely observed as to 180solutions, Direct Revenue, eXact Advertising, and so many others. Meanwhile, vendor-perpetrated exploit installs are few and far between — common only among little-known companies, and even then usually comingled with installing third parties’ software. So if Colin had wanted to remark only on the (unusual or unprecedented) vendor-perpetrated exploits, he would have needed to say that specifically.

Perhaps TRUSTe regrets the breadth of Colin’s promise. But Colin made a tough commitment for good reason: As Colin spoke to dozens of anti-spyware researchers already suspicious of Trusted Download, his big promises helped bolster TRUSTe’s credibility. Had Colin told the ASC what now seems to be TRUSTe’s policy — that some exploit-based installs yield only a temporary suspension — I gather Alex would have questioned Colin further to emphasize the need for a tougher response. Other meeting attendees would probably have done the same.

In any event, if Colin’s goal was to build support among anti-spyware researchers, his efforts don’t seem to be succeeding. Eric continues:

Th[is] case was significant in that it was the first big public test of how well TRUSTe would perform when called to defend the standards that allegedly undergird the Trusted Download program. When push came to shove, though, TRUSTe demonstrated itself to be lacking the backbone to deliver on its word. [This is] another illustration of why we at Sunbelt place no value whatsoever in TRUSTe’s whitelisting and certifications.

Added FaceTime’s Chris Boyd:

For Gods sake, when are we going to stop gimping around and actually break out some actual punishments for people? Either kick someone from your program and be done with it, or … just give up already.

TRUSTe’s extreme delay further compromises the standing of Trusted Download: Three weeks elapsed before TRUSTe responded to my documentation and proof of nonconsensual ComScore RelevantKnowledge installations. Throughout that period, the Trusted Download whitelist continued to list RelevantKnowledge — falsely suggesting that RelevantKnowledge was in good standing. Internet users deserve better: When TRUSTe learns of an infraction of such seriousness, all applicable web pages ought to be updated promptly, lest the Internet community mistakenly proceed in reliance on TRUSTe’s supposed diligence.

Spyware Still Cheating Merchants and Legitimate Affiliates updated May 22, 2007

Spyware vendors are trying to clean up their images. For example, Zango settled a FTC investigation, then last week sued PC Tools for detecting and removing Zango software. Meanwhile, Integrated Search Technologies (makers of a variety of software previously widely installed without consent) introduced a new “Vomba” client that even received “provisional” TRUSTe Trusted Download certification.

But these programs’ core designs are unchanged: They still track user behavior, still send browsing to their central servers, and still show pop-up ads — behaviors users rightly disfavor due to serious effects on privacy and productivity.

Putting aside users’ well-known dislike for pop-ups, these programs also continue to interfere with standard online advertising systems. In particular, these programs show ads that overcharge affiliate merchants — especially by claiming commission on organic traffic merchants would have received anyway. This article presents six specific examples, followed by analysis and strategies for enforcement.

The Self-Targeting Scam and an Initial Example: Zango, Roundads, and Performics Claiming Commissions on Blockbuster’s Organic Traffic

Putting spyware vendors’ practices in the best possible light, they perform a comparative advertising function — offering a competitor when a user browses a merchant’s site. But suppose a spyware vendor instead shows a “competitor” that is actually just a commission-earning link to the very site the user had specifically requested. Then, if the user buys from that merchant (through either the original window or the new pop-up, in general), the merchant has to pay a commission to the spyware vendor (or its advertiser or affiliate).

Zango, Roundads, Performics Targeting Blockbuster Zango, Roundads, Performics Targeting Blockbuster

For concreteness, consider the events shown in the screenshot at right and in video. On May 13, my automated testing system browsed Blockbuster. Observing the requested traffic to Blockbuster, Zango opened a popup sending traffic to Roundads.com. Roundads redirected to Performics and then back to Blockbuster. To a typical user, this pop-up is easy to ignore — just a second copy of the Blockbuster site, which users had requested in the first place. But the pop-up has serious cost implications for Blockbuster: If the user signs up with Blockbuster, through either window, then Blockbuster concludes it should pay a $18 commission to Roundads via Performics. That’s a sham: Were it not for Zango’s intervention, Blockbuster could have kept the entirety of the user’s subscription fee, without paying any commission at all.

Zango’s activity here doesn’t even meet the definition of advertising (“attracting public attention to a product or business”). After all, the user was already at Blockbuster — and hence can’t be said to have been “attract[ed]” to that site by Zango’s action.

Unless Blockbuster installs Zango’s software and runs its own tests, Blockbuster is likely to conclude (mistakenly) that Roundads has provided a bona fide lead to a new customer. Indeed, since Blockbuster’s preexisting web site visitors are likely to “convert” to buyers at a high rate (compared to visitors who only arrive thanks to advertising), Blockbuster’s advertising metrics (and Performics’ tracking measurements) are likely to consider Roundads an unusually high-quality affiliate thanks to Roundads’ likely high conversion rate. Blockbuster might even pay Roundads a bonus — when in fact this Roundads traffic is worthless.

URL log of the traffic at issue:

http://tvf.zango.com/showme.aspx?…CD=www.blockbuster.com…
http://ads.roundads.com/ads/clickcash.aspx?keyword=.blockbuster.com
http://clickserve.cc-dt.com/link/tplclick?lid=41000000005307215&pubid=…
https://www.blockbuster.com/signup/rp/regPlan/p.25216/c.firstMonth999F…

For more on these self-targeting pop-ups, targeting merchants’ sites with their own affiliate links, see my earlier The Effect of 180solutions on Affiliate Commissions and Merchants (2004).

On these facts, Blockbuster might reasonably blame Roundads — the entity that purchased the traffic from Zango and put in motion the self-targeting scheme. Investigating Roundads’ identity, Blockbuster will notice Roundads.com’s footer — which states that Roundads is one and the same as Thermo Media / Affiliate Fuel, which credit reporting agency Experian acquired in April 2005. (Update, May 22: Joey Flores, Director of Operations for Affiliate Fuel, wrote to me to report that Roundads has no affiliation with Affiliate Fuel, Thermo Media, or Experian. Joey suggests that Roundads “‘borrowed’ from [Thermo Media’s] site design … and their designers got a little copy happy, including [copying] our copyright information on[to] their site.”)

Blockbuster might also blame Performics. Performics specifically touts its affiliate network as offering “cost-effective” advertising. But in this example, the cost was a total waste, yielding no benefit whatsoever. Performics further promises “quality affiliates” — an important benefit to merchants who might not otherwise know which affiliates to accept. But in this instance, by all indications Performics failed to protect Blockbuster from Roundads’ bad actions and improper charges.

Finally, Blockbuster might blame Zango — whose pop-up generating software made it remarkably easy for Roundads to target Blockbuster’s organic traffic.

Example 2: Vomba, Ccg360, Lynxtrack (Hydra Network), Adrevolver (Blue Lithium) Claiming Commissions on Blockbuster’s Organic Traffic

Vomba, Ccg360, Lynxtrack (Hydra), Adrevolver (BlueLithium) Overcharging Blockbuster Vomba, Ccg360, Lynxtrack (Hydra), Adrevolver (BlueLithium)

Blockbuster’s online advertising is widespread, and the preceding example is but one of many schemes that charge Blockbuster commission it ought not have to pay. This section shows another.

In the screenshot shown at right, reflecting testing of May 11, my automated testing system requested the Blockbuster site. Vomba spyware observed that I was at Blockbuster, and sent traffic to Ccg360 (purportedly Nelson Cheung of Markham, Canada). Ccg360 redirected to Lynxtrack.com (Hydra Network of Beverly Hills, California), which redirected to Adrevolver (BlueLithium of San Jose, California) and finally back to Blockbuster.

As in the prior example, the net effect was to claim commission on Blockbuster’s organic traffic. If the user signs up with Blockbuster, Blockbuster will pay a commission to the sequence of companies that forwarded the Vomba-originating traffic. But had those parties not intervened with that pop-up, Blockbuster would still have closed the sale — without incurring a commission expense. So as in the prior example, this is self-targeting, charging Blockbuster a commission without providing any bona fide value in return.

URL log of the traffic at issue:

http://services.vombanetwork.com/vomba/popup.php
http://blockbuster.med.ccg360.com
http://www.lynxtrack.com/afclick.php?o=3318&b=zm00z1tf&p=11566&l=1&s=med
http://track.adrevolver.com/service.php/16520/1893/11566
https://www.blockbuster.com/signup/s/reg/p.26715/pc.blwm9.99/r./

Example 3: Vomba and LinkShare Claiming Commissions on Netflix’s Organic Traffic

Vomba and LinkShare Claiming Commission on Netflix's Organic Traffic Vomba, LinkShare Claiming Commission on Organic Traffic

Netflix has repeatedly promised to sever ties with spyware vendors, even claiming that incidents that I and others observed were “unique and random.” But through its LinkShare affiliate program, Netflix continues to get ripped off by spyware — needlessly paying commissions to receive the same kind of traffic Netflix long since promised to reject. This section and the three that follow shows four separate examples of such traffic.

In testing of April 11, my automated testing system browsed Netflix. AutoTester found traffic flowing from Vomba to LinkShare, then back to Netflix. URL log:

http://services.vombanetwork.com/vomba/popup.php
http://click.linksynergy.com/fs-bin/click?id=9SOCNdxbJKg&offerid=78684…
http://www.netflix.com/Signup?mqso=60187019&ls_sourceid=9SOCNdxbJKg-O9…

Example 4: Look2me, MyGeek (AdOn Network), Tcshoppingdeals, Apluswebdeals, and LinkShare

Look2me, MyGeek (AdOn Network), Tcshoppingdeals, Apluswebdeals, LinkShare Claiming Commissions on Netflix's Organic Traffic Look2me, MyGeek (AdOn Network), Tcshoppingdeals, Apluswebdeals, LinkShare Overcharging Netflix

In testing of April 25, my automated testing system browsed Netflix. AutoTester found traffic flowing from Look2me (from Minnesota-based NicTech Networks) (widely installed without consent) to MyGeek (AdOn Network of Phoenix, Arizona) to Tcshoppingdeals (purportedly of Buffalo, New York) to Apluswebdeals (location unknown) to LinkShare, then back to Netflix. See screenshot at right and video. URL log:

http://www.ad-w-a-r-e.com/cgi-bin/UMonitorV2
http://url.cpvfeed.com/cpv.jsp?p=110250&ip=…&url=http://www.netflix….
http://www.tcshoppingdeals.com/r/link.php?id=12
http://www.a-pluswebdeals.com/visit/featured/?id=6
http://click.linksynergy.com/fs-bin/click?id=7XxjiVPyR/A&offerid=78684…
http://www.netflix.com/Signup?mqso=60187019&ls_sourceid=7XxjiVPyR_A-Mp…

Example 5: Web Nexus, Mediatraffic, Ccg360, and LinkShare

Web Nexus, Mediatraffic, Ccg360, LinkShare Claiming Commissions on Netflix's Organic Traffic Web Nexus, Mediatraffic, Ccg360, LinkShare – Netflix

In testing of May 12, my automated testing system browsed Netflix. AutoTester found traffic flowing from Web Nexus (widely installed without consent) to Mediatraffic (one-and-the-same as Integrated Search Technologies and Vomba) to Ccg360 (purportedly Nelson Cheung of Markham, Canada) to LinkShare, and back to Netflix. See screenshot at right. URL log:

http://stech.web-nexus.net/cp.php?loc=295&cid=…
http://stech.web-nexus.net/mtraff.php/9951709/295/527/…
http://cpvfeed.mediatraffic.com/feed.php?ac=1239&kw=netflix&ip=…
http://cpvfeed.mediatraffic.com/redir.php?ac=1239&sac=&dat=…
http://netflix.med.ccg360.com
http://click.linksynergy.com/fs-bin/click?id=kic1Ixnq*SQ&offerid=…
http://www.netflix.com/Signup?mqso=60187019&ls_sourceid=kic1Ixnq.SQ-D…

Example 6: Zango, Roundads, and LinkShare

Zango, Roundads, LinkShare Claiming Commission on Netflix's Organic Traffic Zango, Roundads, LinkShare – Netflix

In testing of May 20, my automated testing system browsed Netflix. AutoTester found traffic flowing from Zango to Roundads to LinkShare and back to Netflix. See screenshot, video, and URL log:

http://tvf.zango.com/showme.aspx?…CD=www.netflix.com…
http://ads.roundads.com/ads/dvd.aspx?keyword=.netflix.com/Register
http://click.linksynergy.com/fs-bin/click?id=AnCa4QMGFR4&offerid=786…
http://www.netflix.com/Signup?mqso=60187019&ls_sourceid=AnCa4QMGFR4-…

In each of these four Netflix examples, spyware sent traffic to LinkShare and then onwards to Netflix — all predicated on users first requesting Netflix directly. So as in the two Blockbuster examples, the spyware provides no bona fide advertising benefit. Instead, the spyware vendors simply claim payments from Netflix without providing any service in return — a glaring reason why Netflix should refuse to pay them. Aside from reducing wasteful advertising spending, Netflix might also want to sever these relationships because the underlying spyware imposes serious costs on consumers: Sneaking onto users’ computers, reducing performance, and diminishing both reliability and privacy.

Netflix might reasonably blame LinkShare for the actions of these affiliates. LinkShare specifically touts its “high quality network” with “better affiliates,” whereas these affiliates are the very opposite of high quality. Furthermore, LinkShare prominently claims its service is “cost-efficient” — even as these examples entail Netflix paying for traffic it could have received for free.

Additional Examples on File

The preceding five examples are only a portion of my recent records of spyware advertising fraud and of other spyware advertising. My AutoTester collects dozens of examples per day, and I’ve documented literally hundreds of rogue affiliates during the past year — including dozens of affiliates through each of Commission Junction, LinkShare, and Performics, as well as various affiliates using smaller networks. Any affiliate merchant without a specific plan for detecting and blocking spyware-originating traffic is virtually certain to be receiving — and paying for — this bogus self-targeting spyware-originating traffic.

Winners and Losers

The clearest effect of self-targeting pop-ups is to overcharge merchants. Self-targeting pop-ups ask merchants to pay affiliate commissions on their organic traffic — traffic they should receive for free, thanks to advertising in other media, word of mouth, and repeat buyers. But if merchants fail to take action to protect themselves, they needlessly pay commissions on this organic traffic. Merchants then also pay affiliate network fees and, often, affiliate manager fees too — making the waste that much larger.

Secondarily, self-targeting pop-ups skim commissions from other affiliates. Consider a bona fide rule-following affiliate sending traffic to a targeted merchant. If a spyware self-targeting pop-up intercedes to drop its own affiliate cookies, it overwrites the cookies of the initial affiliate. Affiliate merchants pay commissions on a “last cookie wins” basis — so the first affiliate gets nothing, even though its link truly sent the user to the merchant’s site and actually put the sale in motion. (Examples: 1, 2, 3, 4)

But self-targeting does have beneficiaries. The clearest beneficiaries are the spyware vendors that show self-targeting pop-ups — whether showing these ads directly (with the spyware vendor acting as an affiliate) or indirectly (with some affiliate buying spyware traffic and sending it onwards to a network and a merchant). The resulting revenues fund spyware vendors’ infections, installations, and other expenses.

At least in the short run, self-targeting also benefits affiliate networks. Affiliate networks typically charge merchants a percentage of each commissionable sale. So the more commissions a merchant pays out, the higher the revenues of the merchant’s network. Self-targeting pop-ups convert non-commissionable organic traffic into supposedly-commissionable supposedly-affiliate-originating traffic — expanding networks’ fee base. In the long run, self-targeting fraud could reduce merchants’ interest in affiliate marketing, but in the short run it provides networks with additional revenue. This conflict surely explains at least a portion of networks’ failure to effectively eliminate self-targeting spyware. (Further discussion.)

Nonetheless, I’ve long thought that self-targeting and other spyware traffic present a substantial opportunity for networks seeking to offer increased value to sophisticated merchants. A savvy network could stand behind the quality of its affiliates, exercising real diligence in catching fraud and in protecting merchants from the risk of wasteful, unnecessary payments. Networks can implement protections more efficiently and at lower cost than merchants, because networks can kick out affiliates across their entire network, rather than merely from a single a single merchant’s program. That said, to date the largest three affiliate networks all still receive substantial spyware-originating traffic, including self-targeting traffic.

Revenue Counterfactual

The self-targeting profit opportunity ultimately arises out of mismeasurement of merchants’ own traffic. Networks’ tracking systems encourage merchants to consider the counterfactual labeled #1 in the diagram at right — comparing the sales they made (point C in the diagram) against the supposed counterfactual of not paying commissions and hence not receiving the specified sales (point A). That’s the right comparison for many kinds of advertising, but in these self-targeting examples, it’s entirely misguided. Here, the only appropriate comparison is #2 — comparing the sale that was made with payment of the specified commission (C), versus the very same sale without any commission (B). The difference is stark: In #1, the merchant is pleased to have made a sale at a reasonable marketing expense. But in #2, the true state of affairs, the merchant is paying out commissions without any business benefit whatsoever.

Responses & Next Steps

In Netflix’s 2007 Q1 earnings call, CFO Barry McCarthy noted that Netflix’s recent “word-of-mouth subscriber growth was weak.” There are multiple plausible explanations for that change, but advertising fraud is an important additional factor to consider: In the examples set out above, Netflix would mistakenly pay Look2me, Vomba, Web Nexus, and Zango even if a consumer in fact signed up thanks to a word-of-mouth recommendation rather than as a result of those vendors’ advertising. With marketing costs already consuming more than 23% of Netflix’s revenues, any reduction seems both overdue and welcome.

What will Netflix, Blockbuster, and other affiliate merchants do in response to these examples? One immediate action item is to sever their ties with the specific affiliates I have identified. Merchants could also demand repayment of any commissions previously paid out — a challenging task with small affiliates, but probably possible for some larger affiliates.

More generally, merchants must decide how to protect themselves from the many cheating affiliates not reported here. As usual (1, 2), I think the answer is auditing and enforcement. Merchants can run tests themselves, hire a consulting service (like AffiliateFairPlay), or build an automating testing system to find violations. But ignoring these scams is unpalatable because inaction means wasting merchants’ advertising budgets, penalizing rule-following affiliates, and helping support spyware vendors.

Advertising Through Spyware — After Promising To Stop

On January 29, the New York Attorney General announced an important step in the fight against spyware: Holding advertisers accountable for their payments to spyware vendors. This is a principle I’ve long endorsed — beginning with my 2003 listing of Gator advertisers (then including Apple, Chrysler, and Orbitz), and continuing in my more recent articles about advertising intermediaries funding spyware and specific companies advertising through spyware.

I’m not the only one to applaud this approach. FTC Commissioner Leibowitz recently commended the NYAG’s settlement, explaining that “advertising dollars fuel the demand side of the nuisance adware problem by giving [adware vendors] the incentive to expand their installed base, with or without consumers’ consent.” In a pair of 2006 reports, the Center for Democracy and Technology also investigated spyware advertisers, attempting to expose the web of relationships that fund spyware vendors.

The NYAG’s settlement offers a major step forward in stopping spyware because it marks the first legally binding obligation that certain advertisers keep their ads (and their ad budgets) out of spyware. In Assurances of Discontinuance, Cingular (now part of AT&T), Priceline, and Travelocity each agreed to cease use of spyware. In particular, each company agreed either to stop using spyware advertising, or to use only “adware” that provides appropriate disclosures to users, prominently labels ads, and offers an easy procedure to uninstall. These requirements apply to ads purchased directly by Cingular, Priceline, and Travelocity, as well as to all marketing partners acting on their behalf.

These important promises are the first legally-binding obligations, from any Internet advertisers, to restrict use of spyware. (Compare, e.g., advertisers voluntarily announcing an intention to cease spyware advertising — admirable but not legally binding.) If followed, these promises would keep the Cingular, Priceline, and Travelocity ad budgets away from spyware vendors — reducing the economic incentive to make and distribute spyware.

But despite their duties to the NYAG, both Cingular and Travelocity have failed to sever their ties with spyware vendors. As shown in the six examples below, Cingular and Travelocity continue to receive spyware-originating traffic, including traffic from some of the web’s most notorious and most widespread spyware, in direct violation of their respective Assurances of Discontinuance. That said, Priceline seems to have succeeded in substantially reducing these relationships — suggesting that Cingular and Travelocity could do better if they put forth appropriate effort.

Example 1: Fullcontext, Yieldx (Admedian), Icon Media (Vizi) Injecting Travelocity Ad Into Google

A Travelocity Ad Injected into Google by Fullcontext A Travelocity Ad Injected into Google by Fullcontext

Travelocity
money viewers
   Icon (Vizi Media)    
money viewers
   Yieldx (Ad|Median)    
money viewers
Fullcontext

The Money Trail – How Travelocity Pays Fullcontext

On a PC with Fullcontext spyware installed (controlling server 64.40.99.166), I requested www.google.com. In testing of February 13, I received the image shown in the thumbnail at right — with a large 728×90 pixel banner ad appearing above the Google site. Google does not sell this advertising placement to any advertiser for any price. But Fullcontext spyware placed Travelocity’s ad there nonetheless — without permission from Google, and without payment to Google.

As shown in the video I preserved, clicking the ad takes users through to the Travelocity site. The full list of URLs associated with this ad placement:

http://64.40.99.166/adrotate.php
http://ad.yieldx.com/imp?z=6&Z=728×90&s=41637&u=http%3A%2F%2Fwww.google.com…
http://ad.yieldmanager.com/imp?z=6&Z=728×90&s=41637&u=http%3A%2F%2Fwww.goog…
http://ad.yieldx.com/iframe3?jwIAAKWiAABdAwIA5soAAAAAxAEAAAAACwADBAAABgMKxQ…
http://ad.yieldmanager.com/iframe3?jwIAAKWiAABdAwIA5soAAAAAxAEAAAAACwADBAAA…
http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/iconmedianetwork…
http://network.realmedia.com/RealMedia/ads/click_lx.ads/iconmedianetworks/e…
http://clk.atdmt.com/AST/go/247mancr0020000002ast/direct;at.astncr00000121;…
http://leisure.travelocity.com/RealDeals/Details/0,2941,TRAVELOCITY_CRU_354…

As shown in the URL log and packet log, Fullcontext initiated the ad placement by sending traffic to the Yieldx ad network. (Yieldx’s Whois reports an address in Hong Kong. But Yieldx is hosted at an IP block registered to Ad|Median, an ad network with headquarters near Minneapolis.) Using the Right Media Exchange marketplace (yieldmanager.com), Yieldx/Ad|Median then sold the traffic to Icon Media Networks (now Vizi Media of LA and New York), which placed the Travelocity ad. The diagram at right depicts the chain of relationships.

This placement is typical of the Fullcontext injector. I have tracked numerous Fullcontext placements, through multiple controlling servers. I retain many dozens of examples on file. See also prior examples posted to my public site: 1, 2, 3.

The Fullcontext injector falls far short of the requirements of Travelocity’s Assurance of Discontinuance. For one, users often receive Fullcontext without agreeing to install it — through exploits and in undisclosed bundles (violating Travelocity Assurance page 4, provision 11.a; PDF page 11). Furthermore, Fullcontext’s ads lack any branding indicating what adware program delivered them — violating Assurance provision 11.b, which requires such branding to appear prominently on each adware advertisement. Fullcontext’s uninstall and legacy user functions also fail to meet the requirements set out in the Assurance.

Example 2: Fullcontext and Motive Interactive Injecting Cingular Ad Into Google

A CingularAd Injected into Google by Fullcontext A Cingular Ad Injected into Google by Fullcontext

Cingular
money viewers
   Motive Interactive   
money viewers
Fullcontext

The Money Trail – How Cingular Pays Fullcontext

Through the MovieInteractive ad network, Fullcontext also injects the Cingular ad into Google. See screenshot at right, taken on February 17. On a PC with Fullcontext spyware installed (controlling server 64.40.99.166), I requested www.google.com. I received the image shown in the thumbnail at right — with a prominent Cingular banner ad appearing above Google. As in the case of Travelocity, this ad appeared without permission from Google and without payment to Google. Rather, the ad was placed into Google’s site by Fullcontext spyware.

The full list of URLs associated with this ad placement:

http://64.40.99.166/adrotate.php
http://ad.motiveinteractive.com/imp?z=6&Z=728×90&s=161838&u=http%3A%2F%2Fwww.goo…
http://ad.yieldmanager.com/imp?z=6&Z=728×90&s=161838&u=http%3A%2F%2Fwww.google.c…
http://ad.motiveinteractive.com/iframe3?jwIAAC54AgD5QwMAtVQBAAIAZAAAAP8AAAAHEQAA…
http://ad.yieldmanager.com/iframe3?jwIAAC54AgD5QwMAtVQBAAIAZAAAAP8AAAAHEQAABgTud…
http://clk.atdmt.com/goiframe/21400598/rghtccin0470000088cnt/direct;wi.728;hi.90…
http://www.cingular.com/cell-phone-service/cell-phone-details/?q_list=true&q_pho…

As shown in the URL log and packet log, Fullcontext sent traffic to Motive Interactive, a Nevada ad network. Using the Right Media Exchange marketplace (yieldmanager.com), Motive Interactive sold the traffic to Cingular. The diagram at right depicts the chain of relationships. Notice that Cingular’s relationship with Fullcontext is one level shorter than the Travelocity relationship in Example 1.

Cingular should have known that this traffic was coming from spyware, because detailed information about the ad placement was sent to Cingular’s web servers whenever a user clicked a FullContext-placed ad. The packet log shows the information sent to the Atlas servers operating on Cingular’s behalf:

http://view.atdmt.com/CNT/iview/rghtccin0470000088cnt/direct;wi.728;hi.90/01?click=http:// ad.motiveinteractive.com/click,jwIAAC54AgD5QwMAtVQBAAIAZAAAAP8AAAAHEQAABgTudAIAmUcCAPqaAAC
iJAIAAAAAAAAAAAAAAAAAAAAAAKdz10UAAAAA,,http%3A%2F%2Fwww%2Egoogle%2Ecom%2F,

The first portion of the URL specifies what ad is to be shown, while the portion following the question mark reports how traffic purportedly reached this ad. (This information structure is standard for Right Media placements.) Notice the green highlighted text — telling Atlas (and in turn Cingular) that this ad was purportedly shown at www.google.com. But Atlas and Cingular should know that the www.google.com page does not sell banner ads to any advertiser at any price. The purported placement is therefore impossible — unless the ad was actually injected into Google’s site using spyware. The presence of this Google URL in Cingular’s referer log should have raised alarms at Cingular and should have prompted further investigation.

Example 3: Deskwizz/Searchingbooth and Ad-Flow (Rydium) Injecting Travelocity Ad Into True.com

A Travelocity Ad Injected into True.com by Searchingbooth A Travelocity Ad Injected into True.com by Searchingbooth

Travelocity
money viewers
   Ad-Flow (Rydium)  
money viewers
Deskwizz/Searchingbooth

The Money Trail – How Travelocity Pays Searchingbooth

Fullcontext is just one of several active ad injectors that place ads into other companies’ sites. The screenshot at right shows a injection performed by Deskwizz/Searchingbooth. In March 9 testing, I requested True.com. Deskwizz placed a large (720×300) pixel banner into the top of the page (not shown), and another into the bottom. This latter banner, shown in the thumbnail at right, promoted Travelocity. Just as the preceding examples occurred without payment to or permission from Google, this placement occurred without payment to or permission from True.com. Rather, the ad was placed into Google’s site by Deskwizz/Searchingbooth spyware.

The full list of URLs associated with this ad placement:

http://servedby.headlinesandnews.com/media/servlet/view/banner/unique/url/strip?…
http://www.uzoogle.com/indexP.php?PID=811
http://www.uzoogle.com   [posted parameter: PID=811]
http://ad.ad-flow.com/imp?z=2&Z=300×250&s=118935&u=http%3A%2F%2Fwww.uzoogle.com%…
http://ad.yieldmanager.com/imp?z=2&Z=300×250&s=118935&u=http%3A%2F%2Fwww.uzoogle…
http://ad.doubleclick.net/adj/N447.rightmedia.com/B2130591.2;sz=300×250;click0=h…

As shown in the URL log and packet log, Deskwizz/Searchingbooth sent traffic to its Uzoogle ad loader, which forwarded the traffic onwards to Ad-Flow. (Ad-flow is the ad server of Rydium, a Toronto ad network.) The traffic then flowed through to the Right Media Exchange marketplace (yieldmanager.com), where it was sold to Travelocity. The diagram at right depicts the chain of relationships.

This placement is typical of Deskwizz/Searchingbooth. I have tracked a web of domain names operated by this group — including Calendaralerts, Droppedurl, Headlinesandnews, Z-Quest, and various others — that all receive traffic from and through similar banner injections. Z-quest.com describes itself as a “meta-search” site, while Uzoogle presents itself as offering Google-styled logos and branded search results. But in fact these sites all serve to route, frame, and redirect spyware-originating traffic, as shown above. I retain many dozens of examples on file. See also the multiple examples I have posted to my public site: 1, 2, 3, 4, 5.

Example 4: Deskwizz/Searchingbooth and Right Media Injecting Cingular Ad Into True.com

A Cingular Ad Injected into True.com by Searchingbooth A Cingular Ad Injected into True.com by Searchingbooth

Cingular
money viewers
   Yield Manager / Right Media Exchange  
money viewers
Deskwizz/Searchingbooth

The Money Trail – How Cingular Pays Searchingbooth

Deskwizz/Searchingbooth also injects Cingular ads into third parties’ sites, including into True.com. The screenshot at right shows the resulting on-screen display (as observed on March 9). The screenshot depicts a Cingular ad placed into True.com without True’s permission and without payment to True.

The full list of URLs associated with this ad placement:

http://servedby.headlinesandnews.com/media/servlet/view/banner/unique/url/strip?…
http://optimizedby.rmxads.com/st?ad_type=ad&ad_size=728×90&section=160636
http://ad.yieldmanager.com/imp?Z=728×90&s=160636&_salt=3434563176&u=http%3A%2F%2…
http://optimizedby.rmxads.com/iframe3?6B4AAHxzAgD5QwMAtVQBAAIAAAAAAP8AAAAGFAAABg…
http://ad.yieldmanager.com/iframe3?6B4AAHxzAgD5QwMAtVQBAAIAAAAAAP8AAAAGFAAABgJQF…
http://clk.atdmt.com/goiframe/22411278/rghtccin0470000088cnt/direct;wi.728;hi.90…

As shown in the URL log and packet log, Deskwizz/Searchingbooth sent traffic to the Right Media‘s Rmxads. The traffic then flowed through to the Right Media Exchange marketplace (yieldmanager.com), where it was sold to Cingular. The diagram at right depicts the chain of relationships.

Cingular should have known that this ad was appearing through spyware injections for the same reason presented in Example 2. In particular, the packet log reveals that specific information about ad context was reported to Cingular’s server whenever a user clicked an injected ad. This context information put Cingular on notice as to where its ads were appearing — including sites on which Cingular had never sought to advertise, and even including sites that do not accept advertising.

Example 5: Web Nexus, Traffic Marketplace Promoting Travelocity in Full-Screen Pop-Up Ads

Web Nexus Promotes Travelocity - Full-Screen Pop-Up Web Nexus Promotes Travelocity Using a Full-Screen Pop-Up

Travelocity
money viewers
   Traffic Marketplace   
money viewers
Web Nexus

The Money Trail – How Travelocity Pays Web Nexus

Although the four preceding examples all show banner ad injections, pop-up ads remain the most common form of spyware advertising. Spyware-delivered pop-ups continue to promote both Cingular and Travelocity. For example, Web Nexus is widely installed without consent (example) and in big bundles without the disclosures required by the Travelocity’s Assurance of Discontinuance. Yet Web Nexus continues to promote Travelocity through intrusive full-screen pop-ups, like that shown at right (taken on February 22). Indeed, this pop-up is so large and so intrusive that it even covers the Start button — preventing users from easily switching to another program or window.

The Travelocity ad at issue is also striking for its lack of branding or other attribution. A user who manages to move the pop-up upwards will find a small “Web Nexus” footer at the ad’s bottom edge. But this label initially appears substantially off-screen and hence unreadable. In contrast, Travelocity’s Assurance of Discontinuance (Travelocity section, page 4, provision 11.b; PDF page 11) requires that each adware-delivered advertisement be branded with a “prominent” name or icon. Because it appears off-screen, Web Nexus’s ad label cannot satisfy the NYAG’s prominence requirement. Furthermore, packet log analysis reveals that this placement is the foreseeable result of Web Nexus’s design decisions. Further discussion and analysis.

The full list of URLs associated with this ad placement:

http://stech.web-nexus.net/cp.php?loc=295&cid=9951709&u=ZWJheS5jb20v&en=&pt=3…
http://stech.web-nexus.net/sp.php/9157/715/295/9951709/527/
http://t.trafficmp.com/b.t/e48U/1172127347
http://cache.trafficmp.com/tmpad/content/clickhere/travelocity/0107/contextu…

As shown in the URL log and packet log, Web Nexus sent traffic to Traffic Marketplace (a New York ad network owned by California’s Vendare Media). The traffic then flowed through to Travelocity. The diagram at right depicts the relationships.

Example 6: Targetsaver, EasilyFound, LinkShare Promoting Cingular in Full-Screen Pop-Up Ads

TargetSaver Promotes Cingular Using a Full-Screen Pop-Up TargetSaver Promotes Cingular Using a Full-Screen Pop-Up

Cingular
money viewers
   LinkShare  
money viewers
   EasilyFound  
money viewers
TargetSaver

The Money Trail – How Cingular Pays TargetSaver

In testing of March 8, I searched for “get ringtones” at Google. I received the full-screen pop-up shown at right. This pop-up was served to me by TargetSaver spyware, widely installed consent (example) and with misleading and/or hidden disclosures (1, 2). These installation practices cannot meet Cingular’s duties under its Assurance of Discontinuance (Cingular section, page 4, provision 14.a; PDF page 18).

The full list of URLs associated with this ad placement:

http://a.targetsaver.com/adshow
http://www.targetsaver.com/redirect.php?…www.easilyfound.com%2Fa%2F2.php…
http://www.easilyfound.com/a/2.php?cid=1032
http://www.easilyfound.com/a/3.php?cid=1032
http://click.linksynergy.com/fs-bin/click?id=MCVDOmK0318&offerid=91613.100…
http://www.cingular.com/cell-phone-service/cell-phone-sales/free-phones.js…

As shown in the URL log and packet log, TargetSaver sent traffic to EasilyFound. EasilyFound then forwarded the traffic on to LinkShare, a New York affiliate network, which sent the traffic to Cingular.

Cingular should have known that a partnership with EasilyFound would entail Cingular ads being shown through spyware. EasilyFound describes itself as “a metacrawler search engine.” But in my extended testing, EasilyFound widely buys spyware-originating traffic and sends that traffic onwards to affiliate merchants (Cingular among others). I have previously described this general practice in multiple articles on my public web site. I have also publicly documented this very behavior by EasilyFound specifically. In May 2006 slides, I showed EasilyFound buying traffic from Targetsaver and sending that traffic onwards to LinkShare and Walmart. I even posted an annotated packet log and traffic flow diagram. My slides have been available on the web for approximately ten months. Yet, by all indications, this affiliate remains in good standing at LinkShare and continues the same practices I documented last year.

According to Whois data, EasilyFound is based in Santa Monica, California, although EasilyFound’s Contact page gives no street address.

Additional Examples on File

The preceding six examples are only a portion of my recent records of spyware-originating ads from Cingular and Travelocity. I retain additional examples on file. My additional examples include additional banner injections, additional pop-ups, additional traffic flowing through Cingular’s affiliate program (LinkShare), and traffic flowing through Travelocity’s affiliate program (Commission Junction).

In my extended testing during the past two months, I have recorded only a single example of Priceline ads shown by spyware. That placement occurred through Priceline’s affiliate program, operated by Commission Junction.

The Scope of the Problem

The Assurances of Discontinuance reflect the remarkable size of the advertising expenditures that triggered the New York Attorney General’s intervention.

  Cingular Wireless (AT&T) Priceline Travelocity
Amount spent with Direct Revenue At least $592,172 At least $481,765.05 At least $767,955.93
Duration of Direct Revenue relationship April 1, 2004 through October 11, 2005 May 1, 2004 through February 24, 2006 July 1, 2004 through April 15, 2006
Number of ads shown At least 27,623,257 At least 6,142,395 At least 2,103,341
Knowledge of Direct Revenue’s practices “Even though Cingular was aware of controversy surrounding the use of adware and was aware, or should have been aware, of Direct Revenue’s deceptive practices, including surreptitious downloads, Cingular continued to use Direct Revenue.” “Priceline knew that consumers had downloaded Direct Revenue adware without full notice and consent and continued to receive ads through that software.” “Travelocity was aware that Direct Revenue had … been the subject of consumer complaints that Direct Revenue had surreptitiously installed its software on consumers’ computers without adequate notice.”
Additional factors listed by NYAG   “Some of Priceline’s advertisements were delivered directly to consumers from web servers owned or controlled by Priceline.”  
Payment to New York $35,000 of investigatory costs and penalties $35,000 of investigatory costs and penalties $30,000 of investigatory costs and penalties

These three advertisers alone paid more than $1.8 million to Direct Revenue — approximately 2% of Direct Revenue’s 2004-2005 revenues. See detailed Direct Revenue financial records.

Bad Practices Continue at Zango, Notwithstanding Proposed FTC Settlement and Zango’s Claims with Eric Howes; updated December 8, 2006

Earlier this month, the FTC announced the proposed settlement of its investigation into Zango, makers of advertising software widely installed onto users’ computers without their consent or without their informed consent (among other bad practices).

We commend the proposed settlement’s core terms. But despite these strong provisions, bad practices continue at Zango — practices that, in our judgment, put Zango in violation of the key terms and requirements of the FTC settlement. We begin by explaining the proposed settlement’s requirements. We then present eight types of violations of the proposed settlement, with specific examples of each. We conclude with recommendations and additional analysis.

Except where otherwise indicated, this document describes only downloads we tested during November 2006 — current, recent installations and behaviors.

Zango’s Burdens Under the Proposed FTC Settlement

The FTC’s proposed settlement with Zango imposes a number of important requirements and burdens on Zango, including Zango’s installation and advertising practices. Specifically, the settlement:

  • Prohibits Zango from using “any legacy program to display any advertisement to, or otherwise communicate with, a consumer’s computer.” (settlement I)
  • Prohibits Zango from (directly or via third parties) “exploit[ing] a security vulnerability … to download or install onto any computer any software code, program, or content.” (II)
  • Prohibits from Zango installing software onto users’ computers without “express consent.” Obtaining “express consent” requires “clearly and prominently disclos[ing] the material terms of such software program or application prior to the display of, and separate from, any final End User License Agreement.” (III) Defines “prominent” disclosure to be, among other requirements, “unavoidable.” (definition 5)
  • Requires Zango to “provide a reasonable and effective means for consumers to uninstall the software or application,” e.g. through a computers’ Add/Remove utility. (VII)
  • Requires Zango to “clearly and prominently” label each advertisement it displays. (VI)

These are serious burdens and requirements that, were they zealously satisfied by Zango, would do much to protect consumers from the numerous nonconsensual and misleading Zango installations we have observed.

Zango Is Not In Compliance with the Proposed Settlement

Zango has claimed that it “has met or exceeded the key notice and consent standards detailed in the FTC consent order since at least January 1, 2006.”

Despite Zango’s claim, we continue to find ongoing installations of Zango’s software that fall far short of the proposed settlement’s burdens, requirements, and standards. The example installations that we present below establish that Zango’s current installation and advertising practices remain in violation of the terms and requirements of the proposed settlement.

  • “Material Terms” Disclosed Only in EULA
    Zango often announces “material terms” only in its End User License Agreement, not in the more prominent locations required by the proposed settlement. (Examples A, B)
  • “Material Terms” Omitted from Disclosure
    Zango often omits “material terms” from its prominent installation disclosures — failing to prominently disclose facts likely to affect consumers’ decisions to install Zango’s software. (Examples A, B, C)
  • Disclosures Not Clear & Prominent 
    Zango presents disclosures in a manner and format such that these disclosures fail to gain the required “express consent” of users because the disclosures are not “clearly and prominently” displayed. (Examples B, E, F)
  • Disclosures Presented Only After Software Download & Execution
    Zango presents disclosures only after the installation and execution of Zango’s software on the users’ computers has already occurred, contrary to the terms of the proposed settlement. (Examples C, F)
  • No Disclosure Provided Whatsoever
    Some Zango software continues to become installed with no disclosure whatsoever. (Example D)
  • Installation & Servicing of Legacy Programs
    Older versions of Zango’s software — versions with installation, uninstallation, and/or disclosure inconsistent with the proposed settlement — continue to become installed and to communicate with Zango servers. (Examples C, D, E, F)
  • Installations Promoted & Performed through Miscellaneous Other Deceptive Means & Circumstances
    Zango installs are still known to be promoted and performed in or through a variety of miscellaneous practices that can only be characterized as deceptive. (Multiple examples in section G)
  • Unlabeled Advertising
    Some Zango advertisements lack the labeling required by the proposed settlement. (Multiple examples in section H)

These improper practices remain remarkably easy to find, and we have numerous additional recent examples on file. Moreover, these problems are sufficiently serious that they cast doubt on the efficacy and viability of the FTC’s proposed settlement as well as Zango’s ability to meet the requirements of the settlement.

Example A: Zango’s Ongoing Misleading Installations On and From Its Own Servers

The proposed settlement requires “express consent” before software may be “install[ed] or “download[ed]” onto users’ PCs (III). The term “prominent” is defined to mean “clear[] and prominent[]” disclosure of “the material terms” of the program to be installed, and most of Zango’s recent installation disclosures seem to meet this standard. But we are concerned by what those disclosures say. In our view, the disclosures omit the material facts Zango is obliged to disclose.

Although the proposed settlement does not explain what constitute “material” terms, other FTC authority provides a definition. The FTC’s Policy Statement on Deception, holds that a material fact is one “likely to affect the consumer’s conduct or decision with regard to a product or service.”

From our analysis of Zango’s software, we think Zango has two material features — two features particularly likely to affect a reasonable user’s decision to install (or not install) Zango software. First, users must know that Zango will give them extra pop-up ads — not just “advertisements,” but pop-ups that appear in separate, freestanding windows. Second, users must know that Zango will transmit detailed information to its servers, including information about what web pages they view, and what they search for.

A Misleading Zango Installer Appearing Within Windows Media Player A Misleading Zango Installer Appearing Within Windows Media Player

Unfortunately, many of Zango’s installations fail to include these disclosures with the required prominence. Consider the screen shown at right. Here, Zango admits that it shows “advertisements,” but Zango fails to disclose that its ads appear in pop-ups. Zango’s use of the word “advertisements,” with nothing more, suggests that Zango’s ads appear in standard advertising formats — formats users are more inclined to tolerate, like ordinary banner ads within web pages (e.g. the ads at nytimes.com) or within other software programs (e.g. the ads in MSN Messenger). In fact Zango’s pop-up ads are quite different, in that they appear in pop-ups known to be particularly annoying and intrusive. But the word “advertisements” does nothing to alert users to this crucial fact.

Zango also fails to disclose that its servers receive detailed information about users’ online behavior. Zango tell users that ads are “based on” users’ browsing. But this disclosure is not enough, because it omits a material fact. In particular, the disclosure fails to explain that users’ behavior will be transmitted to Zango, a fact that would influence reasonable users’ decision to install Zango.

In addition, Zango’s description of its toolbar omits important, material effects of the toolbar — namely, that the toolbar will show distracting animated ads. Zango says only that the toolbar “lets [users] search the Internet from any webpage” — entirely failing to mention the toolbar’s advertising,

We’re also concerned about the format and circumstances of these installation screens. Zango’s installation request appears in a Windows Media “license acquisition” screen — a system Microsoft provides for bona fide license acquisition, not for the installation of spyware or adware. Zango’s installer appears within Windows Media Player — a context where few users will expect to be on the lookout for unwanted advertising software, particularly when users had merely sought to watch a video, not to install any software whatsoever. Furthermore, the button to proceed with installation is misleadingly labeled “Play Now” — not “I Accept,” Install,” or any other caption that might alert users to the consequences of pressing the button. The screen’s small size further adds to user confusion: At just 485 by 295 pixels, the window doesn’t have room to explain the material effects of Zango’s software, even with Zango’s extra-small font. (In Zango’s main disclosure, capital letters are just seven pixels tall.) Furthermore, a user seeking to read Zango’s EULA (as embedded in these installation screens) faces a remarkable challenge: The 3,033 word document is shown in a box just five lines tall, therefore requiring fully 53 on-screen pages to view in full. Finally, if a user ultimately presses the “Play Now ” button, then the “Open” button on the standard Open/Save box that follows, Zango installs immediately, without any further opportunity for users to learn more or to change their mind. Such a rapid installation is contrary to standard Windows convention of further disclosures within an EXE installer, providing further opportunities for users to learn more and to change their minds. Video capture of this installation sequence.

All in all, we think typical users would be confused by this screen — unable to figure out who it comes from, what it seeks to do, or what exactly will occur if they press the Play Now button. A more appropriate installation sequence would use a standard format users better understand (e.g. a web page requesting permission to install), would tell users far more about the software they’re receiving, and would label its buttons far more clearly.

These installations are under Zango’s direct control: They are loaded directly from Zango’s servers. Were Zango so inclined, it could immediately terminate this installation sequence, or it could rework these installations, without any cooperation with (or even requests to) its distributors.

Example B: Zango’s Ongoing Misleading Hotbar Installations On and From Its Own Servers

Hotbar's Initial Installation Solicitation - Silent as to Hotbar's Effects Hotbar’s Initial Installation Solicitation – Silent as to Hotbar’s Effects

Hotbar's ActiveX Installer - Without Disclosure of Material Effects Hotbar’s ActiveX Installer – Without Disclosure of Material Effects

Final Step in Hotbar Installation - No Cancel Button, No Disclosure of Material Effects Final Step in Hotbar Installation – No Cancel Button, No Disclosure of Material Effects

The “express consent” required under the proposed settlement applies not just to software branded as “Zango,” but also to all other software installed or downloaded by Zango. (See “any software” in section III.) The “express consent” requirement therefore applies to Hotbar-branded software owned by Zango as a result of Zango’s recent merger with Hotbar. But Hotbar installations fail to include unavoidable disclosures of material effects, despite the requirements in the proposed settlement.

Consider the Hotbar installation shown in this video and in the screenshots at right. The installation sequence begins with an ad offering “free new emotion icons” (first screenshot at right) — certainly no disclosure of the resulting advertising software, the kinds of ads to be shown, or the significant privacy effects. If a user clicks that ad, the user receives the second screenshot at right — a bare ActiveX screen, again lacking a substantive statement of material effects of installing. If the user presses Yes in the ActiveX screen, the user receives the third screen at right — disclosing some features of Hotbar (e.g. weather, wallpapers, screensavers), and vaguely admitting that Hotbar is “ad supported,” but saying nothing whatsoever about the specific types of ads (e.g. intrusive in-browser toolbar animations) nor the privacy consequences. Furthermore, this third screen lacks any button by which users can decline or cancel installation. (Note the absence of any “cancel” button, or even an “x” in the upper-right corner.)

This installation sequence is substantially unchanged from what Edelman reported in May 2005.

This installation lacks the unavoidable material disclosures required under the proposed settlement. We see no way to reconcile this installation sequence with the requirements of the proposed settlement.

Example C: Incomplete, Nonsensical, and Inconsistent Disclosures Shown by Aaascreensavers Installing Zango Software

Aaascreensavers' Initial Zango Prompt - Omitting Key Material Information Aaascreensavers’ Initial Zango Prompt – Omitting Key Material Information

Zango's Subsequent Screen -- with deficiencies set out in the text at left Zango’s Subsequent Screen — with deficiencies set out in the text at left

We also remain concerned about third parties installing Zango’s software without the required user consent. Zango’s past features a remarkable serious of bad-actor distributors, from exploit-based installers to botnets to faked consent. Even today, some distributors continue to install Zango without providing the required “clear and prominent” notice of “material” effects.

Consider an installation of Zango from Aaascreensavers.com. Aaascreensavers provides a generic “n-Case” installation disclosure that says nothing about the specifics of Zango’s practices — omitting even the word “advertisements,” not to mention “pop-ups” or privacy consequences. (See first screenshot at right.) Furthermore, Aaascreensavers fails to show or even reference a EULA for Zango’s software. Nonetheless, Aaascreensavers continues to place Zango software onto users’ PCs through these installers.

Particularly striking is the nonsensical screen that appears shortly after Aaascreensavers installs Zango. (See second screenshot at right.) Beneath a caption labeled “Setup,” the screen states “the content on this site is free, thanks to 180search Assistant” — although the user has just installed a program (and is not browsing a site), and the program the user (arguably) just agreed to install was called “n-Case” not “180search Assistant.” At least as paradoxically, the “Setup” screen asks users to choose between “Uninstall[ing] 180search Assistant” and “Keep[ing]” the software. Since “180search Assistant” is software reasonable users will not even know they have, this choice is particularly likely to puzzle typical users. After all, it is nonsense to speak of a user making an informed decision to “keep” software he didn’t know he had.

Crucially, both installation prompts omit the material information Zango must disclose under its settlement obligations: Neither prompt mentions that ads will be shown in pop-ups, nor do they mention the important privacy effects of installing Zango software.

Video capture of this installation sequence.

Example D: Msnemotions Installing Zango with No Disclosure At All

Msnemotions continues to install Zango software with no disclosure whatsoever. In particular, Msnemotions never shows any license agreement, nor does it mention or reference Zango in any other on-screen text, even if users fully scroll through all listings presented to them. Video proof.

This installation is a clear violation of section III of the proposed FTC settlement. That section prohibits Zango “directly, or through any person [from] install[ing] or download[ing] … any software program or application without express consent.” Here, no such consent was obtained, yet Zango software downloaded and installed anyway.

In our tests, this Zango installation did not show any ads (although it did contact a Zango server and download a 20MB file). Nonetheless, the violation of section III occurs as soon as the Zango software is downloaded onto the user’s computer, for lack of the requisite disclosure and consent.

Example E: Emomagic Installing Zango with an Off-Screen Disclosure

Emomagic First Mentions Zango Five Pages Down In Its EULA
Emomagic First Mentions Zango 5 Pages Down In Its EULA

Emomagic continues to install Zango software with a disclosure buried five pages within its lengthy (23 on-screen-page) license agreement. That is, unless a user happened to scroll to at least the fifth page of the Emomagic license, the user would not learn that installing Emomagic installs Zango too. Video proof.

This installation is a clear violation of the proposed FTC settlement, because the hidden disclosure of Zango software is not “unavoidable.” In contrast, the proposed Settlement’s provision III and definition 5 define “prominent” disclosures to be those that are unavoidable, among other requirements.

We have additional examples on file where the first mention of Zango comes as far as 64 pages into a EULA presented in a scroll box. See also example F, below, where Zango appears 44 pages into a EULA, after the GPL.

Example F: Warez P2P Speedup Pro Installing Zango with an Off-Screen Disclosure

Warez P2P First Mentions Zango at Page 44 of its EULA, Below the GPL Warez P2P First Mentions Zango at Page 44 of its EULA, Below the GPL

Warez P2P Speedup Pro continues to install Zango software with a disclosure buried 44 pages within its lengthy license agreement. Video proof. Users are unlikely to see mention of Zango in part because Zango’s first mention comes so far down within the EULA.

Users are particularly unlikely to find Zango’s EULA because the first 43 pages of the EULA scroll box show the General Public License (GPL). (Screenshot of the first page, giving no suggestion that anything but the GPL appears within the scroll box.) Sophisticated users may already be familiar with this license, which is known for the many rights it grants to users and independent developers. Recognizing this pro-consumer license, even sophisticated users are discouraged from reviewing the scroll box’s contents in full — making it all the less likely that they will find the Zango license further down.

After installation, Warez P2P Speedup Pro proceeds to the second screen shown in Example C, above. The video confirms the special deceptiveness of this screen: If a user chooses the “uninstall” button — exercising his option (however deceptively mislabeled) to refuse Zango’s software — the user then receives a further screen attempting to get the user to change his mind and accept installation after all. The substance of this screen is especially deceptive — asking the user whether he wants to “cancel,” when in fact he had never elected even to start the Zango installation sequence in the first place. Finally, if the user presses the “Exit Setup” button on that final screen, the user is told he must restart his computer — a particularly galling and unnecessary interruption.

Section G: Zango Installations Predicated on Consumer Deception or on Use of Other Vendors’ Spyware

A Zango Ad Injected into Google by FullContext A Zango Ad Injected into Google by FullContext

We have also observed Zango installs occurring subsequent to consumer deception or other vendors sending spyware-delivered traffic to Zango.

Fullcontext spyware promoting Zango. We have observed Fullcontext spyware (itself widely installed without consent) injecting Zango ads into third parties’ web sites. Through this process, Zango ads appear without the permission of the sites in which they are shown, and without payment to those sites. These ads even appear in places in which no banner ads are not available for purchase at any price. See e.g. the screenshot at right, showing a Zango banner ad injected to appear above Google’s search results.

Typosquatters promoting Zango. Separately, Websense and Chris Boyd recently documented Zango installs commencing at “Yootube”. “Yootube” is a clear typosquat on the well-known “Youtube” site — hoping to reach users who mistype the address of the more popular site. If users reach the misspelled site, they will be encouraged to install Zango. Such Zango installations are predicated on a typosquat, e.g. on users reaching a site other than what they intended — a particularly clear example of deception serving a key role in the Zango installation process.

Spyware bundlers promoting Zango. In our testing of summer and fall 2006, we repeatedly observed Zango “S3” installer programs downloaded onto users’ computers by spyware-bundlers themselves operating without user consent (e.g. DollarRevenue and TopInstalls). Users received these Zango installation prompts among an assault of literally dozens of other programs. Any consent obtained through this method is predicated on an improper, nonconsensual arrival onto users’ PCs — a circumstance in which we think users cannot grant informed consent. Furthermore. the proposed settlement requires “express consent” before “installing or downloading” (emphasis added) “any software” onto users’ PCs (section III). Zango’s S3 installer is a “software program” within the meaning of the proposed settlement, yet DollarRevenue and TopInstalls downloaded this program onto users’ computers without consent. So these downloads violate the plain language of the proposed settlement, even where users ultimately refuse to install Zango software.

Update (December 8): We have uncovered still other Zango installations predicated on deception, including on phishing at MySpace. We discuss these improper practices in our follow-up comment to the FTC. Our bottom line: These Zango installs are disturbing not because they put zango in violation of hte terms of hte proposed settlement, but precisely because they do not — because tehse isntallations, disturbing though they may be, do not clearly violate any of the settlement’s requirements. These installations raise the alarming prospect that this settlement could allow Zango to continue to pay distributors to create malicious and/or deceptive software and web pages.

Section H: Unlabeled Ads

Today CDT filed a further comment about the FTC’s proposed settlement, focusing in part on Zango’s recent display of unlabeled ads, again specifically contrary to Zango’s obligations under the proposed settlement (section VI). CDT has proof of 39 unlabeled ads — 10% of their recent partially-automated tests — in which Zango’s pop-up ads lacked the labeling required under the proposed settlement. CDT explains that the ads “provide[d] absolutely no information that would allow consumers to correlate the advertisements’ origins to Zango’s software.”

We share CDT’s concern, because we too have repeatedly seen these problems. For example, this video shows a Zango ad served on November 19, 2006 — with labeling that disappears after less than four seconds on screen (from 0:02 to 0:06 in the video). Furthermore, Edelman first reported this same problem in July 2004: That when ads include redirects (as many do), Zango’s labeling often disappears. Compliance with the proposed settlement requires that Zango’s labeling appear on each and every ad, not just on some of the ads or even on most of the ads. So, here too, Zango is in breach of the proposed settlement.

Furthermore, the proposed settlement’s labeling requirement applies to “any advertisement” Zango serves — not just to Zango’s pop-ups, but to other ads too. Zango’s toolbars show many ads, as depicted in the screenshots below. Yet these toolbars lack the labeling and hyperlinks required by the proposed settlement. These unlabeled toolbars therefore constitute an additional violation of Zango’s duties under the proposed settlement.


Zango and Zango/Hotbar Toolbars Without the Labeling Required under the Proposed Settlement

The Size of Zango’s Payment to the FTC

We are puzzled by the size of the cash payment to be made by Zango. We understand that the FTC’s authority is limited to reclaiming ill-gotten profits, not to extracting penalties. But we think Zango’s profits to date far exceed the $3 million payment specified in the proposed settlement.

Available evidence suggests Zango’s company-to-date profits are substantial, probably beyond $3 million. As a threshold matter, Zango’s business is large: Zango claims to have 20 million active users at present (albeit with some “churn” as users manage to uninstall Zango’s software). Furthermore, Zango’s revenues are large: Zango recently told a reporter of daily revenues of $100,000 (i.e. $36 million per year), a slight increase from a 2003 report of $75,000 per day. With annual revenues on the order of $20 to $40 million, and with three years of operation to date, we find it inconceivable that Zango has made only $3 million of profit.

Zango’s prior statements and other companies’ records also both indicate that Zango’s profits exceed $3 million. A 2005 Forbes article confirms high profits at Zango, reporting “double-digit percentage growth in profits” — though without stating the baseline level of profits. But financial records from competing “adware” vendor Direct Revenue indicate a remarkable 75%+ profit margin: In 2004, DR earned $30 million of pre-tax profit on $38 million of revenue. Because Zango’s business is in many respects similar to DR, Zango’s profit margin is also likely to be substantial, albeit reduced from the 2004-era “adware” peak. Even if Zango’s profit margin were an order of magnitude lower, i.e. 7%, Zango would still have earned far more than $3 million profits over the past several years.

If Zango’s profits substantially exceed $3 million, as we think they do, the settlement’s payment is only a slap on the wrist. A tougher fine — such as full disgorgement of all company-to-date profits worldwide — would better send the message that Zango’s practices are and have been unacceptable.

Zango’s Statements and the Need for Enforcement

In its November 3 press release, Zango claims its reforms are already in place. “Every consumer downloading Zango’s desktop advertising software sees a fully and conspicuously disclosed, plain-language notice and consent process,” Zango’s press release proclaims. This claim is exactly contrary to the numerous examples we present above. Zango further claims that it “has met or exceeded the key notice and consent standards detailed in the FTC consent order since at least January 1, 2006” — again contrary to our findings that nonconsensual and deceptive installations remain ongoing.

From the FTC’s press release and from recent statements of FTC commissioners and staff, it appears the FTC intends to send a tough message to makers of advertising software. We commend the FTC’s goal. The proposed settlement, if appropriately enforced, might send such a message. But we worry the FTC will send exactly the opposite message if it allows Zango to claim compliance without actually doing what the proposed settlement requires.

As a first step, we endorse CDT’s suggestion that the FTC require Zango to retract its claim of compliance with the proposed settlement. Zango’s statement is false, and the FTC should not stand by while Zango mischaracterizes its behavior vis-a-vis the proposed settlement.

More broadly, we believe intensive ongoing monitoring will be required to assure that Zango actually complies with the settlement. We have spent 3+ years following Zango’s repeated promises of “reform,” and we have first-hand experience with the wide variety of techniques Zango and its partners have used to place software onto users’ PCs. Testing these methods requires more than black-letter contracts and agreements; it requires hands-on testing of actual infected PCs and the scores of diverse infection mechanisms Zango’s partners devise. To assure that Zango actually complies with the agreement, we think the FTC will need to allocate its investigatory resources accordingly. We’ve spent approximately 10 hours on the investigations leading to the results above, and we’ve uncovered these examples as well as various others. With dozens or hundreds of hours, we think we could find many more surviving Zango installations in violation of the proposed settlement’s requirements. We think the FTC ought to find these installations, or require that Zango do so, and then ought to see that the associated files are entirely removed from the web.

Update (December 8): Our follow-up comment to the FTC discusses additional concerns, further ongoing bad practices at Zango, and the special difficulty of enforcement in light of practices seemingly not prohibited by the proposed settlement.

Intermix Revisited

I recently had the honor of serving as an expert witness in The People of the State of California ex. rel. Rockard J. Delgadillo, Los Angeles City Attorney v. Intermix Media, Inc., Case No. BC343196 (L.A. Superior Court), litigation brought by the City Attorney of Los Angeles (on behalf of the people of California)against Intermix. Though Intermix is better known for creating MySpace, Intermix also made spyware that, among other effects, can become installed on users’ computers without their consent.

On Monday the parties announced a settlement under which Intermix will pay total monetary relief of $300,000 (including $125,000 of penalties, $50,000 in costs of investigation, and $125,000 in a contribution of computers to local non-profits). Intermix will also assure that third parties cease continued distribution of its software, among other injunctive relief. These penalties are in addition to Intermix’s 2005 $7.5 million settlement with the New York Attorney General.

In the course of this matter, I had occasion to examine my records of past Intermix installations. For example, within my records of installations I personally observed nearly two years ago, I found video evidence of Intermix becoming installed by SecondThought. By all indications, SecondThought’s exploit-based installers placed Intermix onto users’ computers without notice or consent.

Using web pages and installer files found on Archive.org, I also demonstrated that installations on Intermix’s own web sites were remarkably deficient. For example, some Intermix installations disclosed only a portion of the Intermix programs that would become installed, systematically failing to tell users about other programs they would receive if they went forward with installation. Most Intermix installations failed to affirmatively show users their license agreements, instead requiring users to affirmatively click to access the licenses; and in some instances, even when a user did click, the license was presented without scroll bars, such that even a determined user couldn’t read the full license. Furthermore, some Intermix installations claimed a home page change would occur only if a user chose that option (“you can choose to have your default start page reset”), when in fact that change occurred no matter what, without giving users any choice.

Remarkably, I also found evidence of ongoing Intermix installations, despite Intermix’s 2005 promise to “permanently discontinue distribution of its adware, redirect and toolbar programs.” For example, in my testing of October 2006 and again just yesterday, the Battling Bones screensaver (among various others) was still available on Screensavershot.com (a third-party site). Installing Battling Bones gives users Intermix’s Incredifind too. Even worse, this installation proceeds without any disclosure to the user of the Intermix software that would be installed. (Video proof. The installer’s EULA mentions various other programs to be installed, but it never mentions Intermix or the specific Intermix programs that in fact were installed.) Furthermore, I found dozens of “.CAB” installation files still on Intermix’s own web servers — particularly hard to reconcile with Intermix’s claim of having abandoned this business nearly two years months ago. Truly shutting down the business would have entailed deleting all such files from all servers controlled by Intermix.

I continue to think there’s substantial room for litigation against US-based spyware vendors. I continue to see nonconsensual and materially deceptive installations by numerous identifiable US spyware vendors. (For example, I posted a fresh Ask.com nonconsensual toolbar installation just last month. And I see more nonconsensual installations of other US-based vendors’ programs, day in and day out.) These vendors continue to cause substantial harm to the users who receive their unwanted software.


Technology news sites and forums have been abuzz over the FTC’s proposed settlement with Zango, whose advertising software has widely been installed without consent or without informed consent. I commend the FTC’s investigation, and the injunctive terms of the settlement (i.e. what Zango has to do) are appropriately tough. Oddly, Zango claims to have “met or exceeded the key notice and consent standards … since at least January 1, 2006.” I disagree. From what I’ve seen, Zango remains out of compliance to this day. I’m putting together appropriate screenshot and video proof.

Current Ask Toolbar Practices

Last year I documented Ask toolbars installing without consent as well as installing by targeting kids. Ask staff admitted both practices are unacceptable, and Ask promised to make them stop. Unfortunately, Ask has not succeeded.

In today’s post, I report notable current Ask practices. I show Ask ads running on kids sites and in various noxious spyware, specifically contrary to Ask’s prior promises. I document yet another installation of Ask’s toolbar that occurs without user notice or consent. I point out why Ask’s toolbar is inherently objectionable — especially its rearrangement of users’ browsers and its excessive pay-per-click ads to the effective exclusion of ordinary organic links. I compare Ask’s practices with its staff’s promises and with governing law — especially “deceptive door opener” FTC precedent, prohibiting misleading initial statements even where clarified by subsequent statements.

Details:

Current Practices of IAC/Ask Toolbars

Affiliate Fraud Litigation Index

Some analysts view affiliate marketing as “fraud-proof” because affiliates are only paid a commission when a sale occurs. But affiliate marketing nonetheless gives rise to various disputes — typically, merchants alleging that affiliates claimed commission they had not properly earned. Most such disputes are resolved informally: merchants withhold amounts affiliates have purportedly earned but have not yet received. Occasionally, disputes end up in litigation with public availability of the details of alleged perpetrators, victims, amounts, and methods. This page presents known litigation in this area including case summaries and primary source documents.


Uber Technologies v. Hydrane SAS Et. Al.

Superior Court of California, County of San Francisco – Civil Case No. CGC19576493 – June 5, 2019

Core allegation: Placing Uber ads in prohibited sites and claiming commission on signups that were going to happen anyway

Factual allegations: See docket.

Amount in dispute: $70 million. (See second amended complaint, paragraph 91.)

Litigation is ongoing.


Mary Kay Inc. v. Retailmenot, Inc.

U.S. District Court for Northern District of Texas – Civil Case No. 3:15-cv-00825-L – March 13, 2015

Core allegation: RMN purports to aggregate digital coupons, including from affiliate programs. RMN falsely claims to provide coupons for MK.

Legal claims: Trademark infringement, Unfair competition, False advertising, Trademark dilution


United States of America v. Allen J. Chiu and Andrew S. Chiu

U.S. District Court for Western District of Washington – Criminal Case No. CR12-070-RSM – March 14, 2012

Core allegation: Fake orders for affiliate commission. See indictment.

Charges: Fraud by Wire, Radio, or Television (18 USC § 1343)

Victims: Fatwallet, Nordstrom

Affiliate Network: LinkShare

Indictment alleges that Nordstrom initially disallowed the Chius from making purchases due to their excessive claims for merchandise purportedly lost in transit.

Indictment alleges that the Chius later noticed that their further orders continued to yield Fatwallet cashback credit even though Nordstrom correctly canceled the orders and never charged the Chius’ credit cards. The Chius placed additional orders totaling approximately $23 million in order to receive Fatwallet cashback on those purchases.

Complaint alleges that the Chius made multiple attempts to obtain their Fatwallet balance purportedly earned, including changing payee names, payee addresses, and payment methods.

The report of FBI investigator Cory Cote says the Chius obtained 787 separate checks from Fatwallet, sent to three different names at five different mailing addresses, using eighteen different Fatwallet accounts. Cote says the Chius’ orders from Nordstrom used 58 different credit cards.

After Fatwallet blocked the Chius’ withdrawals, Cote reports that the Chius attempted to collect cashback via Ebates, another cashback site. Despite using five different Ebates accounts, the Chius never received any funds from Ebates.

Amount in dispute:

Indictment alleges $1.4 million taken from Nordstrom. Of this amount, a portion was retained by Fatwallet and LinkShare as service fees, and the indictment reports the Chius receiving more than $650,000 of cashback from Fatwallet.

FBI investigator Cory Cote says the Chius caused transactions yielding more than $2 million of commissions and more than $1.1 million of cashback.

Indictment reports approximately $971,000 seized from the Chiu’s personal and retirement accounts.

An August 2012 itemization indicates $1,413,525 paid by Nordstrom to FatWallet and an additional $157,303 paid by Nordstrom to LinkShare (of which LinkShare credited back $103,342 but retained $53,961.

Statement from Defendants: Defendants’ friends and colleagues filed ten letters in support of defendants’ character. (1, 2) Letter-writers: Albert Cheng of Google, Edwin Altomare, Calli Lewis of the University of North Texas, Hua Maggie Sun-Rubin of AT&T, Guillermo Perez-Vega of Trammell Crow Company, Scott Smith of Southern California Edison, Nitin Patel of ComEd, John Rusnak of ComEd, Ronald Hart of ComEd, and Bill Frederick.

Disposition:

Federal sentencing guidelines specified a sentencing range of 33-41 months (after adjustment for defendants’ lack of criminal history). The United States recommended 24 months and the court so ordered (Allen, Andrew).

Defendants forfeited “nearly all of their life savings”, totalling $971,810.86 (including funds earned from legitimate sources).

Defendants sought to avoid repaying amounts that were lost to Nordstrom but never received by Defendants (i.e. fees retained by FatWallet and LinkShare). The United States argued that these are part of Nordstrom’s loss and hence a required part of restitution. The Court ordered that restitution include the FatWallet and LinkShare fees without any offset for amounts those companies might return to Nordstrom.

Companion civil case by victim FatWallet:

Fatwallet, Inc. v. Andrew Chiu and Allen Chiu – complaint

U.S. District Court for Western District of Wisconsin – Civil Case No. 3:12-CV-00012-WMC – January 5, 2012

Legal claims: Theft by Fraud, Computer Fraud and Abuse Act (CFAA), Breach of Contract, Unjust Enrichment

Fatwallet complaint says Fatwallet is “exposed to a claim” that it repay Nordstrom.


United States of America v. Christopher Kennedy

U.S. District Court for Northern District of California – Criminal Case No. 5-10-CR-00082-JW. February 9, 2010

Core allegation: Writing software to perform cookie-stuffing. Information/complaint.

Victim: eBay

Affiliate Network: eBay Partner Network

Legal claim: Conspiracy to Commit Wire Fraud

Information alleges that Kennedy created a program, “Saucekit,” to assist eBay affiliates in performing cookie-stuffing. Alleges that Kennedy conspired with those affiliates in defrauding eBay.

Kennedy routed cookie-stuffing traffic via the many and seemingly-unrelated affiliate links of the various purchasers of Kennedy’s Saucekit program.

Amount taken from victim: Information reports multiple Saucekit customers earning substantial commissions, including one nearing $10,000 per month.

Disposition: In a June 2012 plea agreement, Kennedy was sentenced to six months in prison and ordered to pay $407,934.39 to eBay in restitution. He was scheduled to begin serving his prison sentence on September 20, 2012.


Five separate cases as to Brian Dunning, Todd Dunning, Shan D. Hogan, Digital Point Solutions, Kessler’s Flying Circus, and Thunderwood Holdings – cookie-stuffing targeting eBay via Commission Junction

Case captions:

United States of America v. Brian Dunning. U.S. District Court for Northern District of California, Criminal Case No. 5:10-CR-00494-EJD, June 24, 2010. indictment and superseding information

eBay Inc. v. Brian Dunning; Thunderwood Holdings, Inc.; and Kessler’s Flying Circus. U.S. District Court for Northern District of California, Civil Case No. CV 08-4052-EJD-PSG, August 25, 2008. complaint

Commission Junction, Inc. v. Thunderwood Holdings, Inc. dba Kessler’s Flying Circus; Todd Dunning; Brian Dunning. Superior Court of the State of California for the County of Orange, Central Branch, Civil Case No. 30-2008 00101025. January 4, 2008. second amended complaint

United States of America v. Shawn D. Hogan. U.S. District Court for Northern District of California, Criminal Case No. 5:CR-10-0495-JF, June 24, 2010. indictment

eBay Inc. v. Shawn Hogan and Digital Point Solutions, Inc. U.S. District Court for Northern District of California, Civil Case No. CV 08-4052-EJD-PSG, August 25, 2008. complaint

Core allegation: Affiliate cookie-stuffing

Legal claims: Criminal charges against Dunning and Hogan: Wire Fraud Act; eBay civil charges against Dunning, Thunderwood Holdings, and Kessler’s Flying Circus, and Hogan: Computer Fraud and Abuse Act (CFAA), California § 502 (Computer Tampering), Restitution and Unjust Enrichment, California Business and Professions Code, Racketeer Influenced and Corrupt Organizations Act (RICO Act); Commission Junction civil charges: Breach of Contract, Open Book, Account, Reasonable Value, Conversion, Unfair Competition, Declaratory Relief

Indictments allege (Dunning, Hogan) that when users visited any of “a large number of web pages,” Defendants caused users’ computers to send requests to eBay reporting, falsely, that Defendant had referred them to eBay. Alleges that this occurred invisibly and without user knowledge. Alleges that when users happened to make purchases from eBay or open eBay accounts, Defendants collected marketing commissions. eBay complaint is in accord.

CJ complaint alleges that Defendants provided third parties with a widget placed on other sites, including on MySpace (allegedly in violation of MySpace terms) which wrongfully forced traffic to eBay.

Internal CJ correspondence reveals that CJ learned of Defendants’ infractions via a complaint from eBay, not via independent CJ investigations.

Methods of concealment:

eBay complaint alleges that Defendants used images on web pages to effectuate its cookie-stuffing scheme and intentionally set these images to be so small as to be effectively invisible.

eBay complaint alleges that Defendants only stuffed cookies once per user computer in order to avoid discovery by eBay or Commission Junction.

Indictments allege (Dunning, Hogan) that Defendants intentionally declined to stuff cookies to users near headquarters of eBay and Commission Junction. eBay complaint is in accord.

Dunning indictment alleges that Defendant knowingly misrepresented that his methods were “in line with” affiliate program rules.

The FBI report from interviewing Shawn Hogan presents Hogan’s statements as to Dunning, including Hogan claiming Dunning “reverse engineer[ed]” Hogan’s tools and “rip[]ped off” some of Hogan’s tools. The associated search warrant (for search of Hogan’s residence) includes details of the FBI’s initial suspicions about Dunning, including a complaint from eBay.

Hogan indictment alleges that when Commission Junction representatives questioned Hogan about cookie-stuffing, he falsely attributed suspicious activity to “coding errors.”

eBay civil complaint alleges that Defendants only stuffed cookies once per user computer in order to avoid discovery by eBay or Commission Junction.

eBay civil complaint alleges that Defendants presented their JavaScript code in a way intended to “obscure[] the purpose and effect” to hinder investigation.

See also a declaration of an FBI agent who searched Hogan’s home, as well as 88 pages of additional material including search warrant (with details of the FBI’s initial suspicions and complaint from eBay), report from the search (including Hogan’s statements during the search), and pictures of Hogan’s home.

Amount at issue:

Dunning indictment alleges more than $5,300,000 in compensation from January 2006 to June 2007.

Hogan indictment alleges more than $15,500,000 in compensation from January 2006 to June 2007.

CJ civil complaint alleges that eBay did not pay CJ $565,517.84 despite CJ paying that amount to Defendants. CJ sought repayment of that amount by Defendants to CJ.

Defendant Dunning’s statements:

A Partial Explanation – Brian Dunning, October 5, 2011. – Describes Brian’s understanding of the meaning of cookie-stuffing: “Take any web browser, erase all its cookies, and adjust its security preferences to allow third party cookies. Then, click through a few pages on any ad-supported web site, like Slate.com or HuffPo.com. Now look at your cookies. You’ll see that your browser is loaded with all sorts of cookies from strange web sites that you don’t recognize. That’s cookie stuffing. It’s a scary-sounding term, but it’s fundamental to the way Internet advertising works.”

References Brian’s anticipated defenses: “Obviously there are many intricacies here that go deeper, but I cannot give further details. There are several legal reasons that the lawsuit is improper, and we’ve been fighting it on that basis. Hopefully it will never go to trial, but if it does, my defense depends on evidence that I cannot describe publicly. It’s quite an amazing story, and I look forward to telling it in full detail as soon as the circumstances make it possible.”

The FBI report from interviewing Dunning (attached to the United States’ opposition to Dunning’s motion to suppress evidence) includes Dunning’s statements that eBay’s affiliate program was “stupid”, and that he was “clever” in finding a way to take advantage of the program. The FBI agent interviewing Dunning reports that Dunning admitted using a 1×1 pixel to force an eBay cookie with his affiliate codes.

Dunning claims that a former CJ employee, Andrew Wey (spelling uncertain) provided inside information regarding how to take advantage of eBay’s affiliate program. Dunning claims he paid Wey ten percent of the money he made from eBay.

Defendant Hogan’s Statements:

What Does Carmen Electra, Cyber-Terrorism and Meg Whitman Have In Common? eBay! – Shawn Hogan, August 2, 2010.

Says he promoted eBay ” using a small percentage of the [Digital Point] Ad Network ad space to serve up tens of millions of eBay ads every day.” Attributes increased eBay commissions to these placements.

As to violations of eBay’s rules: “When I asked [eBay staff] why they … allow affiliates to violate their terms of service, they … avoid[ed] answering my actual question. Finally [they] informed me that their terms of service (and even the entire affiliate program to some degree) was a bit of a facade. It allowed eBay to do things they wanted to do (like spam search engines, deploy in countries where they had no actual presence, etc.), while also giving them a way to wash their hands of any wrong-doing when any of their large partners (like Google) would question them about it (like why there are so many spam sites directing people to eBay).” Says eBay staff gave him suggestions on how to avoid being flagged in compliance reports by outside examiners.

As to relationships with eBay staff: Says he gave one eBay employee $50,000 to buy a new car, and gave others a plasma TV, new laptop, etc.

Disposition:

In an arraignment of April 15, 2013, Dunning entered a guilty plea. In sentencing proceedings, the United States sought 27 months imprisonment of . In a decision of August 4 , 2014, the Court ordered 15 months imprisonment to begin September 2, 2014.

In a December 17, 2012 hearing, Hogan pled guilty. In an April 30, 2014 judgment, Hogan was sentenced to five months imprisonment, three years of supervised release, and a $25,000 fine.

Pursuant to a settlement dated March 9, 2009, Defendants paid CJ $25,000.


Lands’ End, Inc. v. Eric Remy, Thinkspin, Inc., Braderax, Inc., and Michael Seale

U.S. District Court for the Western District of Wisconsin – Civil Case No. 05-C-368-C. September 1, 2006

Core allegation: Affiliate typosquatting – Decision on Motion to Dismiss

Victim: Lands’ End

Affiliate Network: LinkShare

Legal claims: Anticybersquatting Consumer Protection Act (ACPA), Lanham Act, Wisconsin Stat. § 100.18 (Fraudulent Representations), Breach of Contract, Fraud

Plaintiffs alleged, and Court found, that defendants registered thirteen typosquatting domains targeting Lands’ End marks (e.g. lnadsend.com) and redirected traffic from these domains to Lands’ End affiliate links.

Plaintiffs alleged, and Court found, that Defendants were approved as Lands’ End affiliates based on information they provided about the non-typosquatting websites they purported to operate (e.g. www.savingsfinder.com). Defendants failed to disclose their use of the typosquatting domains.

Plaintiffs alleged, and the Court found, that Defendants redirected through Lands’ End affiliate links at most once per user, and subsequently (falsely) said the site was “unavailable” due to “technical difficulties.” As a result, a user or investigator seeking to reproduce a finding might be unable to do so.

Amount at issue: Marketing commissions: Thinkspin ($6,698), Braderax ($500), and Seale ($26); Default judgment of $153,437.50 of actual damages, statutory damages, and attorneys fees.



For additional discussion of some of these practices, see Information and Incentives in Online Affiliate Marketing.

Please send additional cases or notable documents to Ben Edelman.

Thanks to Irene Chen for assistance in gathering and summarizing selected documents.

Last updated: October 27, 2020

Services for Advertisers – Avoiding Waste and Improving Accountability

In the course of my research on spyware/adware, typosquatting, popups, and other controversial online practices, I have developed the ability to identify practices that overcharge online advertisers. I report my observations to select advertisers and top networks in order to assist them in improving the cost-effectiveness of their advertising including by flagging improper ad placements, rejecting unjustified charges, and avoiding untrustworthy partners. This page summarizes the kinds of practices I uncover and presents representative examples drawn from my publications.

For Display Advertisers and Display Networks

In work for display advertisers and display networks, I catch and report the following problems:

For Affiliate Advertisers and Affiliate Networks

In work for affiliate advertisers and affiliate networks, I catch and report the following problems:

Information and Incentives in Online Affiliate Marketing analyzes patterns in merchants’ vulnerabilities and effective defenses.

For Advertisers in Comparison Shopping Engines

In work for comparison shopping engines (CSEs) and their advertisers, I catch and report the following problems:

  • Advertisements loaded, and clicks recorded and billed for, without a user seeing the advertisement link or clicking on it. (CSE click fraud)
  • CSE advertisements presented in adware including injections, popups, sliders, and toasts.

Methods

I catch infractions using multiple “crawler” PCs which operate 24 hours per day, continuously checking for improper advertising placements. These crawlers run from multiple locations in the US, along with systems to detect behaviors targeting users outside the US. Some of my reports draw on large-scale automation developed in partnership with Wesley Brandi. I supplement automatic observations with manual testing using methods I have refined over more than a decade.

Each of my reports includes a packet log presenting the specific methods and identifiers (ad tags, affiliate IDs, etc.) associated with the infraction. Where an incident includes notable on-screen appearances (e.g. a popup), I typically include a screen-capture video or screenshot image showing occurrences as they appear to users. Each report includes a customized explanatory memorandum.

Please contact me to learn more about my reports.

Last updated: May 21, 2016

How Vonage Funds Spyware

I ought to be a Vonage enthusiast. I support Vonage’s efforts to protect network neutrality. I applaud their flexible voice over IP service and their efforts to compete with incumbent phone companies. I’m even a VoIP customer (albeit using a competitor’s service).

But instead of praising Vonage, I have to criticize them — not for their core business, nor for their customer service (which others have repeatedly criticized), but for their reckless advertising practices. Vonage spends huge amounts on advertising — more than $20 million per month. (source) Unfortunately, among this spending is widespread and substantial spyware-delivered advertising.

For years, my manual and automated testing have documented Vonage ads appearing in all the major spyware programs. Now that Vonage has completed its IPO — itself promoted as a way to raise more money to buy more advertising — this page presents twelve recent examples of Vonage ads appearing in spyware.

Spyware-Delivered Pop-Up Ads Banners Injected Into Others’ Sites Spyware Lead Acquisitions Spyware-Delivered Banner Farms
Direct Revenue

Targetsaver – covering AOL

Targetsaver – covering a sexually-explicit site

SearchingBooth

Fullcontext – ad injected into Google.com

Searchingbooth – ad injected into True.com

Searchingbooth – ad injected into eBay

DollarRevenue – replacing an ad within Boston.com

Direct Revenue – Vendare’s Myphonebillsavings

Direct Revenue – NextClick’s Phonebillsolution

Hula’s Global-Store

ExitExchange

Vonage’s Spyware-Delivered Pop-Up Ads

A Vonage Ad Shown by Direct Revenue. A Vonage Ad Shown by Direct Revenue

A Vonage Ad Shown by Targetsaver A Vonage Ad Shown by Targetsaver

Vonage
money viewers
Traffic Marketplace
money viewers
Targetsaver

The Money Trail – How Vonage Pays Targetsaver

I have repeatedly observed Vonage buying “ordinary” spyware pop-up ads from vendors like 180solutions, Direct Revenue, and eXact Advertising. See e.g. the top thumbnail at right, a March 2006 screenshot of a Vonage ad appearing through Direct Revenue. See also my March 2005 report of Vonage ads appearing through eXact Advertising. These relationships add up to big money: BusinessWeek last week reported that Vonage paid Direct Revenue $31,570 in a single month of 2005 — a remarkable $110 for each customer Direct Revenue sent to Vonage. Meanwhile, in its litigation against Intermix, the New York Attorney General specifically documented Vonage’s ads appearing in Intermix KeenValue pop-ups.

Beyond notorious spyware such as Direct Revenue and Intermix, Vonage ads also appear through less well-known spyware, including through programs that continue to be installed onto users’ computers through security exploits (without user consent). The second thumbnail at right shows a Vonage ad shown by Targetsaver (a California maker of software that becomes installed without consent, tracks users’ behavior, and shows targeted pop-up ads). Targetsaver sends traffic to Vonage in the way set out in the diagram at right: Targetsaver sends users to Traffic Marketplace which forwards users to Vonage (via aQuantive / Atlas, which serves to track most Vonage advertising purchases).

http://a.targetsaver.com/adshow
http://www.targetsaver.com/redirect.php?clientID=…&finalURL=…
http://www.targetsaver.com/js/jf1.html
http://ad.trafficmp.com/tmpad/banner/ad/tmp.asp?poID=emwG
http://t.trafficmp.com/p.t/i15275/37389831/
http://clk.atdmt.com/VON/go/trffevon0740000126von/direct/01/
http://www.vonage.com/startsavingnow

Despite the word “target” in its name, Targetsaver isn’t particularly picky about where it shows Vonage’s ads. The screenshot at right reflects a Vonage ad shown while a user tries to sign up for AOL — perhaps reasonable targeting, in that both companies provide telecommunication services. But Targetsaver also shows Vonage’s ads in unseemly locations, such as when users browse sexually-explicit sites. Screenshot.

Vonage pop-up ads also appear through various other spyware. Additional examples: Vonage shown in a SearchingBooth pop-up (via Rpowermedia and Traffic Marketplace), Vonage shown in a Dollar Revenue pop-up (via Oridian / Cydoor, Yield Manager, Falk eSolutions AG / DoubleClick, and Traffic Marketplace).

Spyware Injections of Vonage Ads – Into Others’ Sites

A Vonage Ad Injected by Fullcontext Fullcontext Injecting a Vonage Ad into Google

Vonage
money viewers
Yield Manager
money viewers
MediaPrecision
money viewers
Fullcontext

How Vonage Pays Fullcontext

As users revolt against pop-up ads, a growing trend is to inject ads into others’ sites. Users who receive injected ads may not notice they’re infected with spyware; the telltale signs are, perhaps, less obvious than extra pop-ups. And by hooking into Internet Explorer’s API, injection isn’t particularly difficult.

Of course ad injection raises serious legal concerns. A spyware vendor probably infringes a site’s copyright by inserting an ad right into that site — all the more so when such insertion occurs without a user’s consent and when such insertion lacks any labeling or disclaimer. But consider the vendors who use these methods: they already face substantial legal liability, e.g. from their nonconsensual installations of spyware onto users’ computers. Such vendors are unlikely to be deterred by possible copyright liability.

Despite the problems with spyware-injected banner ads, I have repeatedly observed Vonage ads appearing through banners injected into others’ sites using spyware, without permission from those sites. In general, the resulting Vonage banners appear in places where, but for the spyware at issue, no banner would exist. Consider e.g. the Google screenshot at right. The “real” Google site does not include a banner above the Google logo. Although the banner appears to be an integral part of Google’s site, the banner was injected into the site’s on-screen display by Fullcontext spyware; it was not placed there by Google.

The left and center screenshots below show similar ad injections by Searchingbooth. True.com and eBay do not sell ads that appear above their respective sites. Instead, the Vonage ads at issue were injected there by Searchingbooth, yielding the on-screen appearances shown below.

The DollarRevenue example, right screenshot below, shows a special kind of banner injection. Whereas the first three examples inject ads above a site (albeit within the site’s own window), DollarRevenue injects its ads into a site — covering a banner placed by the site (which would yield payment to the site) with a banner for DollarRevenue (which produces payments to DollarRevenue). This business model is not altogether novel; Claria (then Gator) pioneered this approach with its 2001 covering of other sites’ banners. But whereas Claria quickly abandoned this practice, in the face of IAB and other criticism, DollarRevenue continues unabated. For a particularly vivid view of DollarRevenue’s ad replacement, see the video of this ad injection. Notice the original Boston.com ad appearing for a fifth of a second at 0:00:3.65, only to be covered nearly instantly by the DollarRevenue-injected Vonage ad.

Vonage pays the respective spyware vendors through the relationships set out in the diagrams below and at right. Click an ad thumbnail for a full-size image, along with a packet log of associated network transmissions.

A Vonage Ad Injected by Searchingbooth
Searchingbooth Injecting a Vonage Ad into True.com

Vonage
money viewers
Traffic Marketplace
money viewers
Adecn
money viewers
Rpowermedia
money viewers
Searchingbooth

How Vonage Pays Searchingbooth

A Vonage Ad Injected by SearchingBooth
SearchingBooth Injecting a Vonage Ad into eBay

Vonage
money viewers
Traffic Marketplace
money viewers
Rpowermedia
money viewers
Searchingbooth

How Vonage Pays Searchingbooth

DollarRevenue Replacing a Boston.com Ad with a Vonage Ad
Initial Boston.com Ad – Visible for Only 0.2 Seconds – video

DollarRevenue Replacing a Boston.com Ad with a Vonage Ad
Replacement Vonage Ad Injected by DollarRevenue

Vonage
money viewers
24/7 RealMedia
money viewers
Yield Manager
money viewers
Oridian (Cydoor)
money viewers
DollarRevenue

How Vonage Pays DollarRevenue

The ads at issue were injected by DollarRevenue (apparently located in the Netherlands), Fullcontext (purportedly of Anguilla), Searchingbooth (from Deskwizz, giving an address in Quebec, Canada).

Vonage Lead Acquisitions via Spyware Pop-Ups

Vendare Group Using Direct Revenue to Promote Vonage Vendare Group Using Direct Revenue to Promote Vonage

Vonage
money viewers
Vendare Group / eMarketMakers
money viewers
LeadClick Media / eAdvertising
money viewers
Rextopia
money viewers
RevenueLoop
money viewers
Direct Revenue

The Money Trail – How Vonage Pays Direct Revenue

NextClick Media Using Direct Revenue to Promote Vonage NextClick Media Using Direct Revenue to Promote Vonage

As recently as March 2006, I was still observing Vonage ads shown by notorious spyware vendor Direct Revenue. (Screenshot.) But Vonage partners continue to advertise with Direct Revenue — even using Vonage-supplied site designs to do so. So Vonage’s money still reaches Direct Revenue and still helps to fund Direct Revenue.

Consider the top screenshot at right. As I browsed other telecom sites, I got a pop-up promoting Vonage. The pop-up is nearly full-screen — covering all but the title bars of the pages I had requested. The pop-up ad lacks a visible URL, but packet log analysis indicates that it was loaded from www.myphonebillsavings.com. Notably, the bottom of www.myphonebillsavings.com reads “©2001-2006, Vonage Marketing, Inc.” — reflecting that this Vonage-branded page was, by all indications, designed by Vonage itself.

To see who placed this pop-up with Direct Revenue, I again turn to packet log analysis. I observe that loading the ad entailed loading the following URLs. Click the list for the full packet log.

http://xadsj.offeroptimizer.com/imp/servlet/ImpServe?urlContext=http%3A%2F%2F…
http://login.revenueloop.com/sw/3211/CD1087/
http://rextopia.com/sw/5551/CD436/1087%3A%3A3211%3A%3A%3A%3A%3A%3A18a259ac88a…
http://www.eajmp.com/sw/7601/CD154/
http://clicks.emarketmakers.com/redir.aspx?id=671651&AFFID=CD154
http://clicks.emarketmakers.com/redir.aspx?from_pu=true&id=671651
http://clk.atdmt.com/VON/go/thvndvon0550000019von/direct/01?bannerid=671651&f…
http://www.myphonebillsavings.com/?bannerid=671651&AFFID=CD154

This analysis indicates that traffic and money flowed as listed at right. RevenueLoop (a California-based ad network), or a RevenueLoop business partner, bought traffic from Direct Revenue (controlling server offeroptimizer.com). Then RevenueLoop sent traffic to Rextopia (a New Jersey affiliate network), which redirected to Eajmp.com (LeadClick Media’s eAdvertising, of California), which redirected to eMarketMakers, which redirected to aQuantive’s Atlas and finally on to Myphonebillsavings.

The last few links of this chain reflect substantial involvement of Vendare Group. Vendare owns eMarketMakers, and Whois data indicates that Myphonebillsavings is also registered to Vendare Group. But despite receiving venture funding from Insight Venture Partners, Vendare’s ties to spyware are well-known. For example, I have widely observed — and carefully documented — Vendare’s New.net installed through security exploits without users’ consent . Furthermore, Vendare’s eMarketMakers directly funds a variety of spyware. For example, in January 2006 I documented eMarketMakers promoting NetZero using traffic purchased directly from 180solutions, and in March 2005 I documented eMarketMakers promoting Earthlink and Petchews via traffic purchased directly from eXact Advertising. Despite the direct and well-documented relationships between Vendare and spyware, Vonage nonetheless purchases advertising from Vendare and its eMarketMakers group.

Vendare’s Myphonebillsavings is just one of many Vonage partners still paying to receive traffic from Direct Revenue. Last month I also observed Phonebillsolution pop-ups appearing through Direct Revenue. Like Myphonebillsavings.com, Phonebillsolution.com’s copyright line reflects creation by Vonage. Phonebillsolutions hides its Whois data, but directly requesting the IP address of the Phonebillsolution web server yields a default page titled “NextClick Media” (a California-based ad network). The final thumbnail at right shows NextClick promoting Vonage using Direct Revenue.

Spyware-Delivered Banner Farms Promoting Vonage

A Vonage Ad Shown by Targetsaver Look2me and Hula’s Global-Store Promoting Vonage

Vonage
money viewers
ad networks (one or more)
money viewers
banner farm
money viewers
placement intermediaries (zero or more)
money viewers
spyware vendors

How Vonage Funds Spyware via Banner Farms

Last month I explained the problem of spyware-delivered banner farms: Web sites that buy spyware traffic (directly or indirectly), then show substantially only ads, thereby serving as ad placement intermediaries. I posted three distinct examples of Vonage appearing in spyware-delivered banner farms: Hula’s Global-Store promoting Vonage in a large window at screen center, a further Global-Store promotion of Vonage in a smaller window partially covered by another ad, and in ExitExchange.

But there are plenty of other banner farms, and in my testing most banner farms promote Vonage. For example, my June banner farm article mentions Whatsnewreport, which I have also observed promoting Vonage.

The diagram at right reflects the canonical relationships between Vonage, ad networks, banner farms, and spyware

Vonage’s Spyware Advertising in Context

Vonage isn’t the only advertiser with widespread spyware ad-buys. Other buyers of untargeted or semi-targeted ads get plenty of spyware-delivered advertising too. For example, I see Verizon ads in spyware pop-ups with remarkable frequency. In a future article, I’ll present screenshots of some other big spyware advertisers.

As best I can tell, Vonage does not specifically intend to have its ads shown in spyware. Instead, the advertising chains shown above reveal that these are generally indirect relationships, not direct spyware ad buys. (In comparison, see my September 2005 report of Expedia directly and intentionally buying spyware-delivered advertising from numerous notorious spyware vendors — a practice that, to its credit, Expedia subsequently stopped.) Yet by failing to take appropriate precautions and failing to diligently supervising its ads, Vonage makes payments to spyware vendors — funding spyware that is known to harm users’ PCs.

Vonage may seek to write off these examples as insignificant within its nine-digit advertising budget. But these spyware placements have important negative externalities: When Vonage pays spyware vendors, even indirectly, Vonage helps make spyware more profitable, and helps make the spyware problem worse. Even if Vonage is content to waste some money on buying unwanted spyware ads, it still needs to take action to avoid funding software that damages users’ PCs.

When asked about Vonage’s spyware funding, Vonage CEO Jeffrey Citron last year told the Associated Press “We do everything we can to make sure our partners adhere to our standards.” I disagree. There’s plenty more Vonage could do. For example, Vonage could refuse to work with partners like Vendare, that have known ties to spyware vendors and that even make and distribute their own spyware. Vonage could refuse to work with Traffic Marketplace and Yield Manager — partners that can’t provide reasonable assurances of keeping ads out of spyware. Vonage could specifically review all its advertising partners, and Vonage could prevent those partners from subcontracting with further unverified subpartners of their own. Vonage may consider these changes burdensome or inconvenient. But based on current practices, Vonage can’t credibly claim to be doing “everything” to stop spyware advertising. To the contrary, as the many examples above indicate, far more work is still required.

Last month Vonage won an “Effie” award for the “effectiveness” of its advertising campaign. I can’t speak to Effie’s criteria in granting this award. But advertisers might appropriately hesitate to praise an advertising strategy that, whether intentionally or recklessly, includes buying ads in spyware.

Beyond Vonage, criticism might reasonably focus on the advertising intermediaries that broker Vonage’s spyware placements. For example, Vonage receives and tracks all these spyware placements through aQuantive’s Atlas advertising. Atlas’s Acceptable Use Policy proclaims that “Atlas technology may not be used in connection with any downloadable application that is downloaded without notice and consent.” But I see no indication that Atlas actually enforces this policy: All the programs discussed above are programs I have observed installed without consent, yet these placements repeatedly flow through Atlas, as shown in each posted packet log. Other ad intermediaries lack even Atlas’s anti-spyware statement: Searching 24/7 Real Media’s site for “spyware” yields no hits, and 24/7’s lengthy and prominent code of conduct does not prohibit use of spyware.As advertising service providers, advertising specialists, publicly-traded companies, and purported ethical leaders, aQuantive, 24/7, and others could do far more to keep spyware out of their networks.