Bad Practices Continue at Zango, Notwithstanding Proposed FTC Settlement and Zango’s Claims with Eric Howes; updated December 8, 2006

Earlier this month, the FTC announced the proposed settlement of its investigation into Zango, makers of advertising software widely installed onto users’ computers without their consent or without their informed consent (among other bad practices).

We commend the proposed settlement’s core terms. But despite these strong provisions, bad practices continue at Zango — practices that, in our judgment, put Zango in violation of the key terms and requirements of the FTC settlement. We begin by explaining the proposed settlement’s requirements. We then present eight types of violations of the proposed settlement, with specific examples of each. We conclude with recommendations and additional analysis.

Except where otherwise indicated, this document describes only downloads we tested during November 2006 — current, recent installations and behaviors.

Zango’s Burdens Under the Proposed FTC Settlement

The FTC’s proposed settlement with Zango imposes a number of important requirements and burdens on Zango, including Zango’s installation and advertising practices. Specifically, the settlement:

  • Prohibits Zango from using “any legacy program to display any advertisement to, or otherwise communicate with, a consumer’s computer.” (settlement I)
  • Prohibits Zango from (directly or via third parties) “exploit[ing] a security vulnerability … to download or install onto any computer any software code, program, or content.” (II)
  • Prohibits Zango from installing software onto users’ computers without “express consent.” Obtaining “express consent” requires “clearly and prominently disclos[ing] the material terms of such software program or application prior to the display of, and separate from, any final End User License Agreement.” (III) Defines “prominent” disclosure to be, among other requirements, “unavoidable.” (definition 5)
  • Requires Zango to “clearly and prominently” label each advertisement it displays. (VI)
  • Requires Zango to “provide a reasonable and effective means for consumers to uninstall the software or application,” e.g. through the computer’s Add/Remove Programs utility. (VII)

These are serious burdens and requirements that, were they zealously satisfied by Zango, would do much to protect consumers from the numerous nonconsensual and misleading Zango installations we have observed.

Zango Is Not In Compliance with the Proposed Settlement

Zango has claimed that it “has met or exceeded the key notice and consent standards detailed in the FTC consent order since at least January 1, 2006.”

Despite Zango’s claim, we continue to find ongoing installations of Zango’s software that fall far short of the proposed settlement’s burdens, requirements, and standards. The example installations that we present below establish that Zango’s current installation and advertising practices remain in violation of the terms and requirements of the proposed settlement.

  • “Material Terms” Disclosed Only in EULA
    Zango often announces “material terms” only in its End User License Agreement, not in the more prominent locations required by the proposed settlement. (Examples A, B)
  • “Material Terms” Omitted from Disclosure
    Zango often omits “material terms” from its prominent installation disclosures — failing to prominently disclose facts likely to affect consumers’ decisions to install Zango’s software. (Examples A, B, C)
  • Disclosures Not Clear & Prominent 
    Zango presents disclosures in a manner and format such that these disclosures fail to gain the required “express consent” of users because the disclosures are not “clearly and prominently” displayed. (Examples B, E, F)
  • Disclosures Presented Only After Software Download & Execution
    Zango presents disclosures only after the installation and execution of Zango’s software on the users’ computers has already occurred, contrary to the terms of the proposed settlement. (Examples C, F)
  • No Disclosure Provided Whatsoever
    Some Zango software continues to become installed with no disclosure whatsoever. (Example D)
  • Installation & Servicing of Legacy Programs
    Older versions of Zango’s software — versions with installation, uninstallation, and/or disclosure inconsistent with the proposed settlement — continue to become installed and to communicate with Zango servers. (Examples C, D, E, F)
  • Installations Promoted & Performed through Miscellaneous Other Deceptive Means & Circumstances
    Zango installs are still known to be promoted and performed in or through a variety of miscellaneous practices that can only be characterized as deceptive. (Multiple examples in section G)
  • Unlabeled Advertising
    Some Zango advertisements lack the labeling required by the proposed settlement. (Multiple examples in section H)

These improper practices remain remarkably easy to find, and we have numerous additional recent examples on file. Moreover, these problems are sufficiently serious that they cast doubt on the efficacy and viability of the FTC’s proposed settlement as well as Zango’s ability to meet the requirements of the settlement.

Example A: Zango’s Ongoing Misleading Installations On and From Its Own Servers

The proposed settlement requires “express consent” before software may be “install[ed]” or “download[ed]” onto users’ PCs (III). Obtaining that consent in turn requires “clear[] and prominent[]” disclosure of “the material terms” of the program to be installed. Most of Zango’s recent installation disclosures seem to meet this standard as to format. But we are concerned by what those disclosures say. In our view, the disclosures omit the material facts Zango is obliged to disclose.

Although the proposed settlement does not explain what constitute “material” terms, other FTC authority provides a definition. The FTC’s Policy Statement on Deception holds that a material fact is one “likely to affect the consumer’s conduct or decision with regard to a product or service.”

From our analysis of Zango’s software, we think Zango has two material features — two features particularly likely to affect a reasonable user’s decision to install (or not install) Zango software. First, users must know that Zango will give them extra pop-up ads — not just “advertisements,” but pop-ups that appear in separate, freestanding windows. Second, users must know that Zango will transmit detailed information to its servers, including information about what web pages they view, and what they search for.

[Screenshot] A Misleading Zango Installer Appearing Within Windows Media Player

Unfortunately, many of Zango’s installations fail to include these disclosures with the required prominence. Consider the screen shown at right. Here, Zango admits that it shows “advertisements,” but Zango fails to disclose that its ads appear in pop-ups. Zango’s use of the word “advertisements,” with nothing more, suggests that Zango’s ads appear in standard advertising formats — formats users are more inclined to tolerate, like ordinary banner ads within web pages (e.g. the ads at nytimes.com) or within other software programs (e.g. the ads in MSN Messenger). In fact Zango’s pop-up ads are quite different, in that they appear in pop-ups known to be particularly annoying and intrusive. But the word “advertisements” does nothing to alert users to this crucial fact.

Zango also fails to disclose that its servers receive detailed information about users’ online behavior. Zango tells users that ads are “based on” users’ browsing. But this disclosure is not enough, because it omits a material fact. In particular, the disclosure fails to explain that users’ behavior will be transmitted to Zango, a fact that would influence reasonable users’ decision to install Zango.

In addition, Zango’s description of its toolbar omits important, material effects of the toolbar — namely, that the toolbar will show distracting animated ads. Zango says only that the toolbar “lets [users] search the Internet from any webpage,” entirely failing to mention the toolbar’s advertising.

We’re also concerned about the format and circumstances of these installation screens. Zango’s installation request appears in a Windows Media “license acquisition” screen — a system Microsoft provides for bona fide license acquisition, not for the installation of spyware or adware. Zango’s installer appears within Windows Media Player — a context where few users will expect to be on the lookout for unwanted advertising software, particularly when users had merely sought to watch a video, not to install any software whatsoever. Furthermore, the button to proceed with installation is misleadingly labeled “Play Now” — not “I Accept,” “Install,” or any other caption that might alert users to the consequences of pressing the button. The screen’s small size further adds to user confusion: At just 485 by 295 pixels, the window doesn’t have room to explain the material effects of Zango’s software, even with Zango’s extra-small font. (In Zango’s main disclosure, capital letters are just seven pixels tall.) Furthermore, a user seeking to read Zango’s EULA (as embedded in these installation screens) faces a remarkable challenge: The 3,033-word document is shown in a box just five lines tall, therefore requiring fully 53 on-screen pages to view in full. Finally, if a user ultimately presses the “Play Now” button, then the “Open” button on the standard Open/Save box that follows, Zango installs immediately, without any further opportunity for users to learn more or to change their mind. Such a rapid installation is contrary to the standard Windows convention of further disclosures within an EXE installer, which provide additional opportunities for users to learn more and to change their minds. (Video capture of this installation sequence.)

All in all, we think typical users would be confused by this screen — unable to figure out who it comes from, what it seeks to do, or what exactly will occur if they press the Play Now button. A more appropriate installation sequence would use a standard format users better understand (e.g. a web page requesting permission to install), would tell users far more about the software they’re receiving, and would label its buttons far more clearly.

These installations are under Zango’s direct control: They are loaded directly from Zango’s servers. Were Zango so inclined, it could immediately terminate this installation sequence, or it could rework these installations, without any cooperation with (or even requests to) its distributors.

Example B: Zango’s Ongoing Misleading Hotbar Installations On and From Its Own Servers

[Screenshot] Hotbar’s Initial Installation Solicitation – Silent as to Hotbar’s Effects

[Screenshot] Hotbar’s ActiveX Installer – Without Disclosure of Material Effects

[Screenshot] Final Step in Hotbar Installation – No Cancel Button, No Disclosure of Material Effects

The “express consent” required under the proposed settlement applies not just to software branded as “Zango,” but also to all other software installed or downloaded by Zango. (See “any software” in section III.) The “express consent” requirement therefore applies to Hotbar-branded software owned by Zango as a result of Zango’s recent merger with Hotbar. But Hotbar installations fail to include unavoidable disclosures of material effects, despite the requirements in the proposed settlement.

Consider the Hotbar installation shown in this video and in the screenshots at right. The installation sequence begins with an ad offering “free new emotion icons” (first screenshot at right) — certainly no disclosure of the resulting advertising software, the kinds of ads to be shown, or the significant privacy effects. If a user clicks that ad, the user receives the second screenshot at right — a bare ActiveX screen, again lacking a substantive statement of material effects of installing. If the user presses Yes in the ActiveX screen, the user receives the third screen at right — disclosing some features of Hotbar (e.g. weather, wallpapers, screensavers), and vaguely admitting that Hotbar is “ad supported,” but saying nothing whatsoever about the specific types of ads (e.g. intrusive in-browser toolbar animations) nor the privacy consequences. Furthermore, this third screen lacks any button by which users can decline or cancel installation. (Note the absence of any “cancel” button, or even an “x” in the upper-right corner.)

This installation sequence is substantially unchanged from what Edelman reported in May 2005.

This installation lacks the unavoidable material disclosures required under the proposed settlement. We see no way to reconcile this installation sequence with the requirements of the proposed settlement.

Example C: Incomplete, Nonsensical, and Inconsistent Disclosures Shown by Aaascreensavers Installing Zango Software

[Screenshot] Aaascreensavers’ Initial Zango Prompt – Omitting Key Material Information

[Screenshot] Zango’s Subsequent Screen — with deficiencies set out in the text at left

We also remain concerned about third parties installing Zango’s software without the required user consent. Zango’s past features a remarkable series of bad-actor distributors, from exploit-based installers to botnets to faked consent. Even today, some distributors continue to install Zango without providing the required “clear and prominent” notice of “material” effects.

Consider an installation of Zango from Aaascreensavers.com. Aaascreensavers provides a generic “n-Case” installation disclosure that says nothing about the specifics of Zango’s practices — omitting even the word “advertisements,” not to mention “pop-ups” or privacy consequences. (See first screenshot at right.) Furthermore, Aaascreensavers fails to show or even reference a EULA for Zango’s software. Nonetheless, Aaascreensavers continues to place Zango software onto users’ PCs through these installers.

Particularly striking is the nonsensical screen that appears shortly after Aaascreensavers installs Zango. (See second screenshot at right.) Beneath a caption labeled “Setup,” the screen states “the content on this site is free, thanks to 180search Assistant” — although the user has just installed a program (and is not browsing a site), and the program the user (arguably) just agreed to install was called “n-Case” not “180search Assistant.” At least as paradoxically, the “Setup” screen asks users to choose between “Uninstall[ing] 180search Assistant” and “Keep[ing]” the software. Since “180search Assistant” is software reasonable users will not even know they have, this choice is particularly likely to puzzle typical users. After all, it is nonsense to speak of a user making an informed decision to “keep” software he didn’t know he had.

Crucially, both installation prompts omit the material information Zango must disclose under its settlement obligations: Neither prompt mentions that ads will be shown in pop-ups, nor do they mention the important privacy effects of installing Zango software.

Video capture of this installation sequence.

Example D: Msnemotions Installing Zango with No Disclosure At All

Msnemotions continues to install Zango software with no disclosure whatsoever. In particular, Msnemotions never shows any license agreement, nor does it mention or reference Zango in any other on-screen text, even if users fully scroll through all listings presented to them. Video proof.

This installation is a clear violation of section III of the proposed FTC settlement. That section prohibits Zango “directly, or through any person [from] install[ing] or download[ing] … any software program or application without express consent.” Here, no such consent was obtained, yet Zango software downloaded and installed anyway.

In our tests, this Zango installation did not show any ads (although it did contact a Zango server and download a 20MB file). Nonetheless, the violation of section III occurs as soon as the Zango software is downloaded onto the user’s computer, for lack of the requisite disclosure and consent.

Example E: Emomagic Installing Zango with an Off-Screen Disclosure

[Screenshot] Emomagic First Mentions Zango Five Pages Down In Its EULA

Emomagic continues to install Zango software with a disclosure buried five pages within its lengthy (23 on-screen-page) license agreement. That is, unless a user happened to scroll to at least the fifth page of the Emomagic license, the user would not learn that installing Emomagic installs Zango too. Video proof.

This installation is a clear violation of the proposed FTC settlement, because the hidden disclosure of Zango software is not “unavoidable.” The proposed settlement’s provision III and definition 5 define “prominent” disclosures to be those that are unavoidable, among other requirements.

We have additional examples on file where the first mention of Zango comes as far as 64 pages into a EULA presented in a scroll box. See also example F, below, where Zango appears 44 pages into a EULA, after the GPL.
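The page counts quoted in Examples E and F come from manually scrolling a license box and counting. The following Python script, added here as an illustration and not part of the original comment nor code from Zango, Emomagic or any distributor, automates that measurement: it wraps a license text to a fixed column width, slices the result into pages the height of the scroll box, and reports on which page each expected bundled program is first named, so a buried or entirely absent disclosure stands out. The sample license text, the 72-column wrap width and the 5-line box height are constructed assumptions; a real installer’s font and box geometry would have to be measured from the screen.

```python
"""Locate bundled-program disclosures inside a scroll-box EULA.

Added example; not Zango's, Emomagic's or the comment authors' code. The
EULA text, the 72-column wrap width and the 5-line box height below are
constructed assumptions standing in for a measured installer.
"""
import textwrap


def paginate(text, width, visible_lines):
    """Wrap `text` at `width` columns and split the wrapped lines into
    pages of `visible_lines` lines, approximating what a scroll box of
    that height shows per screenful. Blank lines between paragraphs are
    preserved so they count against the box height like on screen."""
    lines = []
    for para in text.split("\n"):
        lines.extend(textwrap.wrap(para, width=width) if para.strip() else [""])
    return [lines[i:i + visible_lines] for i in range(0, len(lines), visible_lines)]


def first_mention_page(pages, term):
    """1-based index of the first page on which `term` appears
    (case-insensitive), or None if it never appears. A multi-word term
    split across a page boundary is not detected, so pass single-word
    product names."""
    needle = term.lower()
    for number, page in enumerate(pages, start=1):
        if needle in " ".join(page).lower():
            return number
    return None


def disclosure_report(text, bundled_names, width=72, visible_lines=5):
    """Classify each expected bundled program as 'visible' (named on the
    first page, i.e. without scrolling), 'buried' (named only after
    scrolling; the page is reported) or 'undisclosed' (never named)."""
    pages = paginate(text, width, visible_lines)
    report = {"total_pages": len(pages), "programs": {}}
    for name in bundled_names:
        page = first_mention_page(pages, name)
        if page is None:
            status = "undisclosed"
        elif page == 1:
            status = "visible"
        else:
            status = "buried"
        report["programs"][name] = {"page": page, "status": status}
    return report


# Constructed sample EULA (assumption, not a real license): 22 boilerplate
# lines, then a one-line Zango clause, then 92 more boilerplate lines, 115
# lines in all. Every sentence is under 72 characters, so each wraps to
# exactly one line and the expected page numbers can be worked out by hand.
_BOILERPLATE = [
    "This Agreement governs your use of the Software and related services.",
    "You may not copy, modify or redistribute the Software in any form.",
    "The Software is provided as is, without warranty of any kind.",
]
_ZANGO_CLAUSE = "Installing this program also installs Zango, which shows pop-up ads."


def _filler(count):
    return [_BOILERPLATE[i % len(_BOILERPLATE)] for i in range(count)]


SAMPLE_EULA = "\n".join(_filler(22) + [_ZANGO_CLAUSE] + _filler(92))


if __name__ == "__main__":
    # Zango is first named on line 23, i.e. page 5 of 23 at five lines per
    # page; Hotbar is never named at all.
    print(disclosure_report(SAMPLE_EULA, ["Zango", "Hotbar"]))
```

The “page” here is simply one box-height of wrapped lines, which is the unit the examples above use; a disclosure classified as anything but “visible” is, by the settlement’s own definition, avoidable.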

Example F: Warez P2P Speedup Pro Installing Zango with an Off-Screen Disclosure

[Screenshot] Warez P2P First Mentions Zango at Page 44 of its EULA, Below the GPL

Warez P2P Speedup Pro continues to install Zango software with a disclosure buried 44 pages within its lengthy license agreement. Video proof. Users are unlikely to see mention of Zango in part because Zango’s first mention comes so far down within the EULA.

Users are particularly unlikely to find Zango’s EULA because the first 43 pages of the EULA scroll box show the General Public License (GPL). (Screenshot of the first page, giving no suggestion that anything but the GPL appears within the scroll box.) Sophisticated users may already be familiar with this license, which is known for the many rights it grants to users and independent developers. Recognizing this pro-consumer license, even sophisticated users are discouraged from reviewing the scroll box’s contents in full — making it all the less likely that they will find the Zango license further down.

After installation, Warez P2P Speedup Pro proceeds to the second screen shown in Example C, above. The video confirms the special deceptiveness of this screen: If a user chooses the “uninstall” button — exercising his option (however deceptively mislabeled) to refuse Zango’s software — the user then receives a further screen attempting to get the user to change his mind and accept installation after all. The substance of this screen is especially deceptive — asking the user whether he wants to “cancel,” when in fact he had never elected even to start the Zango installation sequence in the first place. Finally, if the user presses the “Exit Setup” button on that final screen, the user is told he must restart his computer — a particularly galling and unnecessary interruption.

Section G: Zango Installations Predicated on Consumer Deception or on Use of Other Vendors’ Spyware

[Screenshot] A Zango Ad Injected into Google by FullContext

We have also observed Zango installs occurring subsequent to consumer deception or other vendors sending spyware-delivered traffic to Zango.

Fullcontext spyware promoting Zango. We have observed Fullcontext spyware (itself widely installed without consent) injecting Zango ads into third parties’ web sites. Through this process, Zango ads appear without the permission of the sites in which they are shown, and without payment to those sites. These ads even appear in places in which banner ads are not available for purchase at any price. See e.g. the screenshot at right, showing a Zango banner ad injected to appear above Google’s search results.

Typosquatters promoting Zango. Separately, Websense and Chris Boyd recently documented Zango installs commencing at “Yootube”. “Yootube” is a clear typosquat on the well-known “Youtube” site — hoping to reach users who mistype the address of the more popular site. If users reach the misspelled site, they will be encouraged to install Zango. Such Zango installations are predicated on a typosquat, i.e. on users reaching a site other than what they intended — a particularly clear example of deception serving a key role in the Zango installation process.

Spyware bundlers promoting Zango. In our testing of summer and fall 2006, we repeatedly observed Zango “S3” installer programs downloaded onto users’ computers by spyware bundlers themselves operating without user consent (e.g. DollarRevenue and TopInstalls). Users received these Zango installation prompts among an assault of literally dozens of other programs. Any consent obtained through this method is predicated on an improper, nonconsensual arrival onto users’ PCs — a circumstance in which we think users cannot grant informed consent. Furthermore, the proposed settlement requires “express consent” before “installing or downloading” (emphasis added) “any software” onto users’ PCs (section III). Zango’s S3 installer is a “software program” within the meaning of the proposed settlement, yet DollarRevenue and TopInstalls downloaded this program onto users’ computers without consent. So these downloads violate the plain language of the proposed settlement, even where users ultimately refuse to install Zango software.

Update (December 8): We have uncovered still other Zango installations predicated on deception, including on phishing at MySpace. We discuss these improper practices in our follow-up comment to the FTC. Our bottom line: These Zango installs are disturbing not because they put Zango in violation of the terms of the proposed settlement, but precisely because they do not — because these installations, disturbing though they may be, do not clearly violate any of the settlement’s requirements. These installations raise the alarming prospect that this settlement could allow Zango to continue to pay distributors to create malicious and/or deceptive software and web pages.

Section H: Unlabeled Ads

Today CDT filed a further comment about the FTC’s proposed settlement, focusing in part on Zango’s recent display of unlabeled ads, again specifically contrary to Zango’s obligations under the proposed settlement (section VI). CDT has proof of 39 unlabeled ads — 10% of their recent partially-automated tests — in which Zango’s pop-up ads lacked the labeling required under the proposed settlement. CDT explains that the ads “provide[d] absolutely no information that would allow consumers to correlate the advertisements’ origins to Zango’s software.”

We share CDT’s concern, because we too have repeatedly seen these problems. For example, this video shows a Zango ad served on November 19, 2006 — with labeling that disappears after less than four seconds on screen (from 0:02 to 0:06 in the video). Furthermore, Edelman first reported this same problem in July 2004: That when ads include redirects (as many do), Zango’s labeling often disappears. Compliance with the proposed settlement requires that Zango’s labeling appear on each and every ad, not just on some of the ads or even on most of the ads. So, here too, Zango is in breach of the proposed settlement.

Furthermore, the proposed settlement’s labeling requirement applies to “any advertisement” Zango serves — not just to Zango’s pop-ups, but to other ads too. Zango’s toolbars show many ads, as depicted in the screenshots below. Yet these toolbars lack the labeling and hyperlinks required by the proposed settlement. These unlabeled toolbars therefore constitute an additional violation of Zango’s duties under the proposed settlement.

[Screenshots] Zango and Zango/Hotbar Toolbars Without the Labeling Required under the Proposed Settlement

The Size of Zango’s Payment to the FTC

We are puzzled by the size of the cash payment to be made by Zango. We understand that the FTC’s authority is limited to reclaiming ill-gotten profits, not to extracting penalties. But we think Zango’s profits to date far exceed the $3 million payment specified in the proposed settlement.

Available evidence suggests Zango’s company-to-date profits are substantial, probably beyond $3 million. As a threshold matter, Zango’s business is large: Zango claims to have 20 million active users at present (albeit with some “churn” as users manage to uninstall Zango’s software). Furthermore, Zango’s revenues are large: Zango recently told a reporter of daily revenues of $100,000 (i.e. $36 million per year), a slight increase from a 2003 report of $75,000 per day. With annual revenues on the order of $20 to $40 million, and with three years of operation to date, we find it inconceivable that Zango has made only $3 million of profit.

Zango’s prior statements and other companies’ records also both indicate that Zango’s profits exceed $3 million. A 2005 Forbes article confirms high profits at Zango, reporting “double-digit percentage growth in profits” — though without stating the baseline level of profits. But financial records from competing “adware” vendor Direct Revenue indicate a remarkable 75%+ profit margin: In 2004, DR earned $30 million of pre-tax profit on $38 million of revenue. Because Zango’s business is in many respects similar to DR, Zango’s profit margin is also likely to be substantial, albeit reduced from the 2004-era “adware” peak. Even if Zango’s profit margin were an order of magnitude lower, i.e. 7%, Zango would still have earned far more than $3 million profits over the past several years.

If Zango’s profits substantially exceed $3 million, as we think they do, the settlement’s payment is only a slap on the wrist. A tougher fine — such as full disgorgement of all company-to-date profits worldwide — would better send the message that Zango’s practices are and have been unacceptable.

Zango’s Statements and the Need for Enforcement

In its November 3 press release, Zango claims its reforms are already in place. “Every consumer downloading Zango’s desktop advertising software sees a fully and conspicuously disclosed, plain-language notice and consent process,” Zango’s press release proclaims. This claim is exactly contrary to the numerous examples we present above. Zango further claims that it “has met or exceeded the key notice and consent standards detailed in the FTC consent order since at least January 1, 2006” — again contrary to our findings that nonconsensual and deceptive installations remain ongoing.

From the FTC’s press release and from recent statements of FTC commissioners and staff, it appears the FTC intends to send a tough message to makers of advertising software. We commend the FTC’s goal. The proposed settlement, if appropriately enforced, might send such a message. But we worry the FTC will send exactly the opposite message if it allows Zango to claim compliance without actually doing what the proposed settlement requires.

As a first step, we endorse CDT’s suggestion that the FTC require Zango to retract its claim of compliance with the proposed settlement. Zango’s statement is false, and the FTC should not stand by while Zango mischaracterizes its behavior vis-a-vis the proposed settlement.

More broadly, we believe intensive ongoing monitoring will be required to assure that Zango actually complies with the settlement. We have spent 3+ years following Zango’s repeated promises of “reform,” and we have first-hand experience with the wide variety of techniques Zango and its partners have used to place software onto users’ PCs. Testing these methods requires more than black-letter contracts and agreements; it requires hands-on testing of actual infected PCs and the scores of diverse infection mechanisms Zango’s partners devise. To assure that Zango actually complies with the agreement, we think the FTC will need to allocate its investigatory resources accordingly. We’ve spent approximately 10 hours on the investigations leading to the results above, and we’ve uncovered these examples as well as various others. With dozens or hundreds of hours, we think we could find many more surviving Zango installations in violation of the proposed settlement’s requirements. We think the FTC ought to find these installations, or require that Zango do so, and then ought to see that the associated files are entirely removed from the web.

***

We filed the material above as a public comment to the FTC in response to their proposed settlement with Zango.  Comment as filed (PDF page 5 and onwards).

Update (December 8): Our follow-up comment to the FTC discusses additional concerns, further ongoing bad practices at Zango, and the special difficulty of enforcement in light of practices seemingly not prohibited by the proposed settlement.

Intermix Revisited

I recently had the honor of serving as an expert witness in The People of the State of California ex rel. Rockard J. Delgadillo, Los Angeles City Attorney v. Intermix Media, Inc., Case No. BC343196 (L.A. Superior Court), litigation brought by the City Attorney of Los Angeles (on behalf of the people of California) against Intermix. Though Intermix is better known for creating MySpace, Intermix also made spyware that, among other effects, can become installed on users’ computers without their consent.

On Monday the parties announced a settlement under which Intermix will pay total monetary relief of $300,000 (including $125,000 of penalties, $50,000 in costs of investigation, and $125,000 in a contribution of computers to local non-profits). Intermix will also assure that third parties cease continued distribution of its software, among other injunctive relief. These penalties are in addition to Intermix’s 2005 $7.5 million settlement with the New York Attorney General.

In the course of this matter, I had occasion to examine my records of past Intermix installations. For example, within my records of installations I personally observed nearly two years ago, I found video evidence of Intermix becoming installed by SecondThought. By all indications, SecondThought’s exploit-based installers placed Intermix onto users’ computers without notice or consent.

Using web pages and installer files found on Archive.org, I also demonstrated that installations on Intermix’s own web sites were remarkably deficient. For example, some Intermix installations disclosed only a portion of the Intermix programs that would become installed, systematically failing to tell users about other programs they would receive if they went forward with installation. Most Intermix installations failed to affirmatively show users their license agreements, instead requiring users to affirmatively click to access the licenses; and in some instances, even when a user did click, the license was presented without scroll bars, such that even a determined user couldn’t read the full license. Furthermore, some Intermix installations claimed a home page change would occur only if a user chose that option (“you can choose to have your default start page reset”), when in fact that change occurred no matter what, without giving users any choice.

Remarkably, I also found evidence of ongoing Intermix installations, despite Intermix’s 2005 promise to “permanently discontinue distribution of its adware, redirect and toolbar programs.” For example, in my testing of October 2006 and again just yesterday, the Battling Bones screensaver (among various others) was still available on Screensavershot.com (a third-party site). Installing Battling Bones gives users Intermix’s Incredifind too. Even worse, this installation proceeds without any disclosure to the user of the Intermix software that would be installed. (Video proof. The installer’s EULA mentions various other programs to be installed, but it never mentions Intermix or the specific Intermix programs that in fact were installed.) Furthermore, I found dozens of “.CAB” installation files still on Intermix’s own web servers — particularly hard to reconcile with Intermix’s claim of having abandoned this business nearly two years ago. Truly shutting down the business would have entailed deleting all such files from all servers controlled by Intermix.

I continue to think there’s substantial room for litigation against US-based spyware vendors. I continue to see nonconsensual and materially deceptive installations by numerous identifiable US spyware vendors. (For example, I posted a fresh Ask.com nonconsensual toolbar installation just last month. And I see more nonconsensual installations of other US-based vendors’ programs, day in and day out.) These vendors continue to cause substantial harm to the users who receive their unwanted software.


Technology news sites and forums have been abuzz over the FTC’s proposed settlement with Zango, whose advertising software has widely been installed without consent or without informed consent. I commend the FTC’s investigation, and the injunctive terms of the settlement (i.e. what Zango has to do) are appropriately tough. Oddly, Zango claims to have “met or exceeded the key notice and consent standards … since at least January 1, 2006.” I disagree. From what I’ve seen, Zango remains out of compliance to this day. I’m putting together appropriate screenshot and video proof.

Current Ask Toolbar Practices

Last year I documented Ask toolbars installing without consent as well as installing by targeting kids. Ask staff admitted both practices are unacceptable, and Ask promised to make them stop. Unfortunately, Ask has not succeeded.

In today’s post, I report notable current Ask practices. I show Ask ads running on kids’ sites and in various noxious spyware, specifically contrary to Ask’s prior promises. I document yet another installation of Ask’s toolbar that occurs without user notice or consent. I point out why Ask’s toolbar is inherently objectionable — especially its rearrangement of users’ browsers and its excessive pay-per-click ads to the effective exclusion of ordinary organic links. I compare Ask’s practices with its staff’s promises and with governing law — especially “deceptive door opener” FTC precedent, prohibiting misleading initial statements even where clarified by subsequent statements.

Details:

Current Practices of IAC/Ask Toolbars

False and Deceptive Pay-Per-Click Ads

I present and critique pay-per-click ads that don’t deliver what they promise. I consider implications for search engine revenues, and I analyze legal and ethical duties of advertisers and search engines. I offer a system for others to report similar ads that they find.

Read Google’s voluminous Adwords Content Policy, and you’d think Google is awfully tough on bad ads. If your company sells illegal drugs, makes fake documents, or helps customers cheat drug tests, you can’t advertise at Google. Google also prohibits ads for fireworks, gambling, miracle cures, prostitution, radar detectors, and weapons. What kind of scam could get through rules like these?

As it turns out, lots of pay-per-click advertisers push and exceed the limits of ethical and legal advertising — like selling products that are actually free, or promising their services are “completely free” when they actually carry substantial recurring charges.

In the sections that follow, I flag more than 30 different advertisers’ ads, all bearing claims that seem to violate applicable FTC rules (e.g. on use of the word “free”), or that make claims that are simply false. (All ads were observed on September 15 or later.) I then explain why this problem is substantially Google’s responsibility, and I present evidence suggesting Google’s substantial profits from these scams. Finally, I offer a mechanism for interested users to submit other false or deceptive ads, and I remark on Google’s failure to take action.

Charging for software that’s actually free

One scam Google doesn’t prohibit — and as best I can tell, does nothing to stop — is charging for software that’s actually free. Search for “Skype” and you’ll find half a dozen advertisers offering to sell eBay’s free telephone software. Search for “Kazaa” or “Grokster” and those products are sold too. Even Firefox has been targeted.

Each and every one of these ads includes the claim that the specified product is “free.” (These claims are expressed in ad titles, bodies, and/or display URLs). However, to the best of my knowledge, that claim is false, as applied to each and every ad shown above: The specified products are available from the specified sites only if the user pays a subscription fee.

These ads are particularly galling because, in each example, the specified program is available for free elsewhere on the web, e.g. directly from its developer’s web site. Since these products are free elsewhere, yet cost money at these sites (despite promises to the contrary), these sites offer users a particularly poor value.

Often these sites claim to offer tech support, but that’s also a ruse: Tests confirm there’s no real support.

Although sophisticated users will realize that these sites are bad deals, novice or hurried users may not. These sites bid for top search engine placement — often appearing above search engines’ organic (main) results. Some proportion of users see these prominent ads, click through, and get tricked into paying for these otherwise-free programs. Claiming a refund takes longer than it’s worth to most users. So as a practical matter, a site need only trick each user for an instant in order to receive its fee.

The “completely free” ringtones that aren’t

Ringtone ads often claim to be “free,” “totally free,” “all free,” “100% complimentary,” and available with “no credit card” and “no obligation” required. These claims typically appear in pay-per-click ad bodies, but they also often appear in ad titles and even in ad domain names, of course along with landing pages.

Often, these claims are simply false: An ad does not offer a “totally free” product if it touts a limited free trial followed by an auto-renewing paid service (a negative option plan).

Other claims are materially misleading. For example, claiming “no credit card required” suggests that no charges will accrue. But that too is false, since ringtone sites generally charge users through cell phone billing systems, unbeknownst to many users who believe a service has no way to impose a charge if a user provides no credit card number.

Each and every one of these ads includes the claim that the specified product is “free” (or some other claim substantially similar, e.g. “complimentary”). In most cases, subsequent language attempts to disavow these “free” claims. But in each case, to the best of my knowledge, service is available only if a user enters into a paid relationship (e.g. a paid subscription) — the very opposite of “free.” (Indeed, the subscription requirement applies even to unlimitedringtones.com, despite that ad’s claim that “no subscription [is] required.” The site’s fine print later asserts that by requesting a ringtone registration, a user “acknowledge[s] that [he is] subscribing to our service billed at $9.99 per month” — specifically contrary to the site’s earlier “no subscription” promise.)

Vendors would likely defend their sites by claiming that (in general) their introductory offers are free, and by arguing that their fine print adequately discloses users’ subsequent obligations. This is interesting reasoning, but it’s ultimately unconvincing, thanks to clear regulatory duties to the contrary.

The FTC’s Guide Concerning the Use of the Word ‘Free’ is exactly on point. The guide instructs advertisers to use the word “free” (and all words similar in meaning) with “extreme care” “to avoid any possibility that consumers will be misled or deceived.” The guide sets out specific rules as to how and when the word “free” may be used, and it culminates with a striking provision prohibiting fine print that disclaims what “free” promises. In particular, the rule’s section (c) instructs (emphasis added):

All the terms, conditions and obligations upon which receipt and retention of the ‘Free’ item are contingent should be set forth clearly and conspicuously at the outset of the offer … in close conjunction with the offer of ‘Free’ merchandise or service.

In case that instruction left any doubt, the FTC’s rule continues:

For example, disclosure of the terms of the offer set forth in a footnote of an advertisement to which reference is made by an asterisk or other symbol placed next to the offer, is not regarded as making disclosure at the outset.

Advertisers may not like this rule, but it’s remarkably clear. Under the FTC’s policy, ads simply cannot use a footnote or disclaimer to escape a “free” promise made earlier. Nor can an advertiser promise a “free” offer at an early stage (e.g. a search engine ad), only to impose additional conditions later (such as in a landing page, confirmation page, or other addendum). The initial confusion or deception is too strong to be cured by the subsequent revision.

Advertisers might claim that the prohibited “free” ads at issue come from their affiliates or other partners — that they’re not the advertisers’ fault. But the FTC’s Guide specifically speaks to the special duty of supervising business partners’ promotion of “free” offers. In particular, section (d) requires:

[I]f the supplier knows, or should know, that a ‘Free” offer he is promoting is not being passed on by a reseller, or otherwise is being used by a reseller as an instrumentality for deception, it is improper for the supplier to continue to offer the product as promoted to such reseller. He should take appropriate steps to bring an end to the deception, including the withdrawal of the ‘Free’ offer.

It therefore appears that the ads shown above systematically violate the FTC’s “free” rules. Such ads fail to disclose the applicable conditions at the outset of the offer, as FTC rules require. And even where intermediaries have placed such ads, their involvement offers advertisers no valid defense.

Ads impersonating famous and well-known sites

Some pay-per-click ads affirmatively mislead users about who is advertising and what products are available. Consider the ads below, for sites claiming to be (or to offer) Spybot. (Note the text in their respective display URLs, shown in green type.) Despite the “Spybot” promise, these sites actually primarily offer other software, not Spybot. (Spybot-home.com includes one small link to Spybot, at the far bottom of its landing page. I could not find any link to the true Spybot site from within www-spybot.net.)

In addition, search engine ads often include listings for sites with names confusingly similar to the sites and products users request. For example, a user searching for “Spybot” often receives ads for SpyWareBot and SpyBoot — entirely different companies with entirely different products. US courts tend to hold that competitive trademark targeting — one company bidding on another company’s marks — is legal, in general. (French courts tend to disagree.) But to date, these cases have never considered the heightened confusion likely when a site goes beyond trademark-targeting and also copies or imitates another company’s name. Representative examples follow. Notice that each ad purports to offer (and is triggered by searches for the name of) a well-known product — but in fact these ads take users to competing vendors.

Google’s responsibility – law, ethics, and incentives

Google would likely blame its advertisers for these dubious ads. But Google’s other advertising policies demonstrate that Google has both the right and the ability to limit the ads shown on its site. Google certainly profits from the ads it is paid to show. Profits plus the right and ability to control yield exactly the requirements for vicarious liability in other areas of the law (e.g. copyright infringement). The FTC’s special “free” rules indicate little tolerance for finger-pointing — even specifically adding liability when “resellers” advertise a product improperly. These general rules provide an initial basis to seek greater efforts from Google.

Crucially, the Lanham Act specifically contemplates injunctive relief against a publisher for distributing false advertising. 15 USC § 1125(a)(1) prohibits false or misleading descriptions of material product characteristics. § 1114(2) offers injunctive relief (albeit without money damages) where a publisher establishes it is an “innocent infringer.” If facing claims on such a theory, Google would surely attempt to invoke the “innocent infringer” doctrine — but that attempt might well fail, given the scope of the problem, given Google’s failure to stop even flagrant and longstanding violations, and given Google’s failure even to block improper ads specifically brought to its attention. (See e.g. World Wrestling Federation v. Posters, Inc., 2000 WL 1409831, holding that a publisher is not an innocent infringer if it “recklessly disregard[s] a high probability” of infringing others’ marks.)

Nonetheless, the Communications Decency Act’s 47 USC § 230(c)(1) potentially offers Google a remarkable protection: CDA § 230 instructs that Google, as a provider of an interactive computer service, may not be treated as the publisher of content others provide through that service. Even if a printed publication would face liability for printing the same ads Google shows, CDA § 230 may let Google distribute such ads online with impunity. From my perspective, that would be an improper result — bad policy in CDA § 230’s overbroad grant of immunity. A 2000 DOJ study seems to share my view, specifically concluding that “substantive regulation … should, as a rule, apply in the same way to conduct in the cyberworld as it does to conduct in the physical world.” But in CDA § 230, Congress seems to have chosen a different approach.

That said, CDA § 230’s reach is limited by its exception for intellectual property laws. § 230(e)(2) provides that intellectual property laws are not affected by § 230(c)(1)’s protection. False advertising prohibitions are codified within the Lanham Act (an intellectual property statute), offering a potential argument that CDA § 230 does not block false advertising claims. This argument is worth pursuing, and it might well prevail. But § 230 cases indicate repeated successes for defendants attempting to escape liability on a variety of fact patterns and legal theories. On balance, I cannot confidently predict the result of litigation attempting to hold Google responsible for the ads it shows. As a practical matter, it’s unclear whether or when this question will be answered in court. Certainly no one has attempted such a suit to date.

Notwithstanding Google’s possible legal defenses, I think Google ought to do more to make ads safe as a matter of ethics. Google created this mess — by making it so easy for all companies, even scammers, to buy Internet advertising. So Google faces a special duty to help clean up the resulting problems. Google already takes steps to avoid sending users to web sites with security exploits, and Google already refuses ads in various substantive categories deemed off-limits. These scams are equally noxious — directly taking users’ money under false pretenses. And Google’s relationship with these sites is particularly unsavory since Google directly and substantially profits from their practices, as detailed in the next section.

Even self-interest ought to push Google to do more here. Google may make an easy profit now by selling ads to scammers. But in the long run, rip-off ads discourage users from clicking on Google’s sponsored links — potentially undermining Google’s primary revenue source.

Who really profits from rip-off ads?

When users suffer from scams like those described above, users’ money goes to scammers, in the first instance. But each scammer must pay Google whenever a user clicks its ad. So Google profits from scammers’ activities. If the scammers ceased operations — voluntarily, or because Google cut off their traffic — Google’s short-run revenues would decrease.

[Diagram: How Google Profits from Scammers. Users pay service fees to scammers; scammers pay advertising fees to Google.]

Consider the business model of rogue web sites “selling” software like Skype. They have one source of revenue — users buying these programs. Their expenses tend to be low: they provide no substantial customer service, and often they link to downloads hosted elsewhere to avoid even incurring bandwidth costs. It seems the main expense of such sites is advertising — with pay-per-click ads from Google by all indications a primary component. The diagram above shows the basic money trail: from users to scam advertisers to Google. When users are ripped off by scammers, at least some of the payment flows through to Google.

How much of users’ payments goes to Google, rather than being retained by scammers? My academic economics research offers some insight. Recall that search engine ads are sold through a complicated multi-unit second-price auction: Each advertiser’s per-click payment is determined by the bid of the advertiser ranked immediately below him. Many equilibria are possible, but my recent paper with Michael Ostrovsky and Michael Schwarz offers one outcome we think is reasonable — an explicit formula for each advertiser’s equilibrium bid as a function of its value (per click) and of others’ bids. In subsequent simulations (article forthcoming), Schwarz and I will demonstrate the useful properties of this bidding rule — that it dominates most other strategies under very general conditions. So there’s good reason to think markets might actually end up in this equilibrium, or one close to it. If so, we need only know advertisers’ valuations (which we can simulate from an appropriate distribution) to compute market outcomes (like advertiser profits and search engine revenues).

One clear result of my recent bidding simulations: When advertisers have similar valuations (as these advertisers do), they tend to “bid away” their surpluses. That is, they bid almost as much as a click is worth to them — so they earn low profits, while search engines reap high revenues. When a user pays such an advertiser, it wouldn’t be surprising if the majority of that advertiser’s gross profit flowed through to Google.

A specific example helps clarify my result. Consider a user who pays $38 to Freedownloadhq.com for a “free” copy of Skype. But Freedownloadhq also received, say, 37 other clicks from 37 other users who left the site without making a purchase. Freedownloadhq therefore computes its valuation per click (its expected gross profit per incoming visitor) to be $1. The other 10 advertisers for “Skype” use a similar business model, yielding similar valuations. They bid against each other, rationally comparing the benefits of high traffic volume (if they bid high to get top placement at Google) against the resulting higher costs (hence lower profits). In equilibrium, simulations report, with 10 bidders and 20% standard deviation in valuations (relative to valuation levels), Google will get 71% of advertisers’ expected gross profit. So of the user’s $38, fully $27 flows to Google. Even if Freedownloadhq’s business includes some marginal costs (e.g. credit card processing fees), Google will still get the same proportion of gross profit.

One need not believe my simulation results, and all the economic reasoning behind them, in order to credit the underlying result: That when an auctioneer sells to bidders with similar valuations, the bidders tend to bid close together — giving the auctioneer high revenues, but leaving bidders with low profits. And the implications are striking: For every user who pays Freedownloadhq, much of the user’s money actually goes to Google.
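The mechanism behind this claim, as an added, self-contained illustration (not code from the page, nor from the Edelman-Ostrovsky-Schwarz paper or the forthcoming simulations): a generalized second-price auction in which each winner pays the next-highest bid per click, with bids set by the recursion b_i = v_i - (c_i / c_{i-1}) * (v_i - b_{i+1}), which is my reading of the equilibrium bid formula from that paper. The per-click valuations and per-slot click counts are invented for the example, and the assumptions that the first excluded advertiser bids its value and that the top advertiser bids its value are mine. The same three slots are auctioned twice, once to advertisers with similar valuations and once to advertisers with dispersed valuations, so the reader can see how much of advertisers' gross profit the search engine captures in each case.

```python
"""GSP auction with equilibrium bids: similar vs. dispersed valuations.

Added example. Assumptions (not from the page): the bid recursion
    b_i = v_i - (c_i / c_{i-1}) * (v_i - b_{i+1})
is used for every placed advertiser below the top slot; the first advertiser
left without a slot bids its value; the top advertiser bids its value (any bid
above the runner-up gives the same outcome). Valuations and click counts are
constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass
class Outcome:
    bids: list           # equilibrium bid per click, one per advertiser
    payments: list       # price per click paid by each placed advertiser
    revenue: float       # search engine revenue
    gross_profit: float  # placed advertisers' gross profit before ad costs
    share: float         # fraction of that gross profit going to the search engine


def equilibrium_bids(values, clicks):
    """values: per-click valuations, sorted descending.
    clicks: expected clicks per slot, descending; fewer slots than advertisers."""
    n_slots = len(clicks)
    assert n_slots < len(values) and values == sorted(values, reverse=True)
    bids = list(values)                    # unplaced advertisers bid their value
    for i in range(n_slots - 1, 0, -1):    # walk up from the lowest slot
        shade = clicks[i] / clicks[i - 1]  # this slot's clicks relative to the one above
        bids[i] = values[i] - shade * (values[i] - bids[i + 1])
    bids[0] = values[0]                    # top advertiser: anything above bids[1] works
    return bids


def gsp_allocate(bids, clicks):
    """GSP rule: rank by bid; each winner pays the next-highest bid per click.
    Returns (advertiser index per slot, price per click per slot)."""
    ranked = sorted(range(len(bids)), key=lambda i: bids[i], reverse=True)
    winners = ranked[:len(clicks)]
    prices = [bids[ranked[k + 1]] if k + 1 < len(ranked) else 0.0
              for k in range(len(clicks))]
    return winners, prices


def simulate(values, clicks):
    bids = equilibrium_bids(values, clicks)
    winners, prices = gsp_allocate(bids, clicks)
    revenue = sum(c * p for c, p in zip(clicks, prices))
    gross = sum(c * values[w] for c, w in zip(clicks, winners))
    return Outcome(bids, prices, revenue, gross, revenue / gross)


def compare():
    """Same slots, two constructed valuation profiles: similar and dispersed."""
    clicks = [100, 60, 30]  # expected clicks per slot per day (constructed)
    similar = simulate([1.20, 1.00, 0.90, 0.80], clicks)
    dispersed = simulate([2.00, 1.00, 0.50, 0.25], clicks)
    return similar, dispersed


if __name__ == "__main__":
    for label, out in zip(("similar", "dispersed"), compare()):
        print(f"{label:9s} bids={[round(b, 3) for b in out.bids]} "
              f"revenue={out.revenue:.2f} gross={out.gross_profit:.2f} "
              f"engine share={out.share:.0%}")
```

With the similar valuations the search engine collects about 80% of advertisers' gross profit; with the dispersed valuations, about 34%. The numbers themselves are artifacts of the constructed inputs, not the 71% from the simulations described above, but the direction is the point: the closer the bidders' values, the less surplus each keeps.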

In January I estimated that Google and Yahoo make $2 million per year on ads for “screensavers” that ultimately give users spyware. Add in all the other terms with dubious ads — all the ringtone ads, the for-free software downloads, ads making false statements of product origin, and various other scams — and I wouldn’t be surprised if the payments at issue total one to two orders of magnitude higher.

Towards a solution

Some of these practices have been improving. For example, six months ago almost all “ringtones” ads claimed to be “free,” but today some ringtones ads omit such claims (even while other ads still include these false statements).

Recent changes in Google pricing rules seem to discourage some of the advertisers who place ads of the sort set out above. Google has increased its pricing to certain advertisers, based on Google’s assessment of their “low quality user experience.” But the specific details of Google’s rules remain unknown. And plenty of scam ads — including all those set out above — have remained on Google’s site well after the most recent round of rule changes. (All ads shown above were received on September 15, 2006, or later.)

Google already has systems in place to enforce its Adwords Content Policy. My core suggestion for Google: Expand that policy to prevent these scams — for example, explicitly prohibiting ads that claim a product is “free” when it isn’t, and explicitly prohibiting charging users for software that’s actually free. Then monitor ads for words like “free” and “complimentary” that are particularly likely to be associated with violations. When a bad ad is found, disable it, and investigate other ads from that advertiser.
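One way to implement the monitoring suggested above, as an added example (not Google's tooling and not code from this page): scan each ad's title, body and display URL for "free"-type claims, then scan the landing page's text for the pricing and subscription language that would contradict them. Because the FTC guide treats a later disclaimer as not curing the earlier claim, an ad is flagged whenever both sides are present, regardless of where on the landing page the paid terms appear. The ads, landing-page text, claim patterns and paid-term patterns below are my own constructions, with wording modelled on the examples quoted in this article.

```python
"""Screen pay-per-click ads for "free" claims contradicted by the landing page.

Added example; the regexes and the sample ads are assumptions built for
illustration, not a reproduction of any search engine's policy engine.
"""
import re
from dataclasses import dataclass, field

# "Free" and the near-synonyms the article lists, with the optional intensifiers
# seen in ringtone ads; plus the "no credit card / obligation / subscription" line.
FREE_CLAIM = re.compile(
    r"\b(?:(?:totally|completely|all|100%)\s+)?(?:free|complimentary)\b"
    r"|\bno\s+(?:credit\s+card|obligation|subscription)\b",
    re.IGNORECASE,
)
# Landing-page language that turns a "free" offer into a paid relationship.
PAID_TERMS = re.compile(
    r"\$\s?\d+(?:\.\d{2})?\s*(?:per|/|a)\s*(?:month|mo|week|year)"
    r"|\b(?:subscri(?:be|ption|bing)|auto-?renew|recurring|billed)\b",
    re.IGNORECASE,
)


@dataclass
class Ad:
    title: str
    body: str
    display_url: str


@dataclass
class Finding:
    ad: Ad
    claims: list = field(default_factory=list)      # "free"-type claims in the ad
    paid_terms: list = field(default_factory=list)  # contradicting landing-page terms

    @property
    def flagged(self):
        # A later disclaimer does not cure the earlier claim, so any claim plus
        # any paid term anywhere on the landing page is a violation candidate.
        return bool(self.claims) and bool(self.paid_terms)


def screen_ad(ad, landing_text):
    text = " ".join((ad.title, ad.body, ad.display_url))
    finding = Finding(ad)
    finding.claims = sorted({m.group(0).strip().lower() for m in FREE_CLAIM.finditer(text)})
    finding.paid_terms = sorted({m.group(0).strip().lower() for m in PAID_TERMS.finditer(landing_text)})
    return finding


# Constructed samples (hypothetical domains): a ringtone ad whose fine print
# imposes a subscription, a download ad whose landing page really is free, and
# a paid-plan ad that never claimed to be free in the first place.
SAMPLE_ADS = [
    (Ad("Unlimited Ringtones", "Totally free ringtones. No subscription required.",
        "www.example-ringtones.com"),
     "Get your ringtone now! By registering you acknowledge that you are "
     "subscribing to our service billed at $9.99 per month."),
    (Ad("Download Skype", "Free internet calls. No credit card.", "example-downloads.com"),
     "Skype is free software from its developer. Download it here at no charge."),
    (Ad("Ringtones", "Ringtones for all major carriers", "example-tones.com"),
     "Plans start at $4.99/month."),
]


def screen_all(samples=SAMPLE_ADS):
    return [screen_ad(ad, landing) for ad, landing in samples]


if __name__ == "__main__":
    for f in screen_all():
        status = "FLAG" if f.flagged else "ok  "
        print(f"{status} {f.ad.display_url}: claims={f.claims} paid={f.paid_terms}")
```

The third sample shows why the check needs both halves: a landing page that charges money is not itself a violation; the problem is the "free" promise that preceded it. In practice the claim scan is the cheap, high-recall stage, and the landing-page fetch is what turns a hit into something an ad-review team should act on.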

To track and present more dubious ads, I have developed a system whereby interested users can submit ads they consider misleading for the general reasons set out above. Submit an ad or view others’ submissions.

These problems generally affect other search engines too — Yahoo, MSN, and Ask.com, among others. But as the largest search engine, and as a self-proclaimed leader on ethics issues, I look to Google first and foremost for leadership and improvement.

Google’s (Non-)Response

When Information Week requested a comment from Google as to the ads I reported, Google responded as follows:

When we become aware of deceptive ads, we take them down. … We will review the ads referenced in this report, and remove them if they do not adhere to our guidelines.

A week later, these ads remain available. So Google must have concluded that these ads are not deceptive (or else Google would have “take[n] them down” as its first sentence promised). And Google must have concluded that these ads do adhere to applicable Google policies, or else Google would have “remove[d] them” (per its second sentence).

Google’s inaction exactly confirms my allegation: That Google’s ad policies are inadequate to protect users from outright scams, even when these scams are specifically brought to Google’s attention.

All identifications and characterizations have been made to the best of my ability. Any errors or alleged errors may be brought to my attention by email.

I thank Rebecca Tushnet for helpful discussions on the legal duties of advertisers and search engines.


Originally posted October 9, 2006. Last Updated: October 16, 2006.

PPC Ads, Misleading and Worse

Read Google’s voluminous Adwords Content Policy, and you’d think Google is awfully tough on bad ads. If your company sells illegal drugs, makes fake documents, or helps customers cheat drug tests, you can’t advertise at Google. Google also prohibits ads for fireworks, gambling, miracle cures, prostitution, radar detectors, and weapons. What kind of scam could get through rules like these?

As it turns out, lots of pay-per-click advertisers push and exceed the limits of ethical and legal advertising — like selling products that are actually free, or promising their services are “completely free” when they actually carry substantial recurring charges. For example, the ad at right claims to offer “100% complimentary” and “free” ringtones, when actually the site promotes a service that costs approximately $120 per year.

An example misleading ad, falsely claiming ringtones are “complimentary” when they actually carry a monthly fee.

In today’s article, I show more than 30 different advertisers’ ads, all bearing claims that seem to violate applicable FTC rules (e.g. on use of the word “free”), or that make claims that are simply false. I then analyze the legal and ethical principles that might require search engines to remove these ads. Finally, I offer a mechanism for interested users to submit other false or deceptive ads they find.

Details:

False and Deceptive Pay-Per-Click Ads

Affiliate Fraud Litigation Index

Some analysts view affiliate marketing as “fraud-proof” because affiliates are only paid a commission when a sale occurs. But affiliate marketing nonetheless gives rise to various disputes — typically, merchants alleging that affiliates claimed commission they had not properly earned. Most such disputes are resolved informally: merchants withhold amounts affiliates have purportedly earned but have not yet received. Occasionally, disputes end up in litigation with public availability of the details of alleged perpetrators, victims, amounts, and methods. This page presents known litigation in this area including case summaries and primary source documents.


 

Uber Technologies v. Hydrane SAS et al.

Superior Court of California, County of San Francisco – Civil Case No. CGC19576493 – June 5, 2019

Core allegation: Placing Uber ads in prohibited sites and claiming commission on signups that were going to happen anyway

Factual allegations: See docket.

Amount in dispute: $70 million. (See second amended complaint, paragraph 91.)

Settled, May 2021.


Mary Kay Inc. v. Retailmenot, Inc.

U.S. District Court for Northern District of Texas – Civil Case No. 3:15-cv-00825-L – March 13, 2015

Core allegation: RMN purports to aggregate digital coupons, including from affiliate programs. RMN falsely claims to provide coupons for MK.

Legal claims: Trademark infringement, Unfair competition, False advertising, Trademark dilution


United States of America v. Allen J. Chiu and Andrew S. Chiu

U.S. District Court for Western District of Washington – Criminal Case No. CR12-070-RSM – March 14, 2012

Core allegation: Fake orders for affiliate commission. See indictment.

Charges: Fraud by Wire, Radio, or Television (18 USC § 1343)

Victims: Fatwallet, Nordstrom

Affiliate Network: LinkShare

Indictment alleges that Nordstrom initially disallowed the Chius from making purchases due to their excessive claims for merchandise purportedly lost in transit.

Indictment alleges that the Chius later noticed that their further orders continued to yield Fatwallet cashback credit even though Nordstrom correctly canceled the orders and never charged the Chius’ credit cards. The Chius placed additional orders totaling approximately $23 million in order to receive Fatwallet cashback on those purchases.

Complaint alleges that the Chius made multiple attempts to obtain their Fatwallet balance purportedly earned, including changing payee names, payee addresses, and payment methods.

The report of FBI investigator Cory Cote says the Chius obtained 787 separate checks from Fatwallet, sent to three different names at five different mailing addresses, using eighteen different Fatwallet accounts. Cote says the Chius’ orders from Nordstrom used 58 different credit cards.

After Fatwallet blocked the Chius’ withdrawals, Cote reports that the Chius attempted to collect cashback via Ebates, another cashback site. Despite using five different Ebates accounts, the Chius never received any funds from Ebates.

Amount in dispute:

Indictment alleges $1.4 million taken from Nordstrom. Of this amount, a portion was retained by Fatwallet and LinkShare as service fees, and the indictment reports the Chius receiving more than $650,000 of cashback from Fatwallet.

FBI investigator Cory Cote says the Chius caused transactions yielding more than $2 million of commissions and more than $1.1 million of cashback.

Indictment reports approximately $971,000 seized from the Chius’ personal and retirement accounts.

An August 2012 itemization indicates $1,413,525 paid by Nordstrom to FatWallet and an additional $157,303 paid by Nordstrom to LinkShare (of which LinkShare credited back $103,342 but retained $53,961).

Statement from Defendants: Defendants’ friends and colleagues filed ten letters in support of defendants’ character. (1, 2) Letter-writers: Albert Cheng of Google, Edwin Altomare, Calli Lewis of the University of North Texas, Hua Maggie Sun-Rubin of AT&T, Guillermo Perez-Vega of Trammell Crow Company, Scott Smith of Southern California Edison, Nitin Patel of ComEd, John Rusnak of ComEd, Ronald Hart of ComEd, and Bill Frederick.

Disposition:

Federal sentencing guidelines specified a sentencing range of 33-41 months (after adjustment for defendants’ lack of criminal history). The United States recommended 24 months and the court so ordered (Allen, Andrew).

Defendants forfeited “nearly all of their life savings”, totalling $971,810.86 (including funds earned from legitimate sources).

Defendants sought to avoid repaying amounts that were lost to Nordstrom but never received by Defendants (i.e. fees retained by FatWallet and LinkShare). The United States argued that these are part of Nordstrom’s loss and hence a required part of restitution. The Court ordered that restitution include the FatWallet and LinkShare fees without any offset for amounts those companies might return to Nordstrom.

Companion civil case by victim FatWallet:

Fatwallet, Inc. v. Andrew Chiu and Allen Chiu – complaint

U.S. District Court for Western District of Wisconsin – Civil Case No. 3:12-CV-00012-WMC – January 5, 2012

Legal claims: Theft by Fraud, Computer Fraud and Abuse Act (CFAA), Breach of Contract, Unjust Enrichment

Fatwallet complaint says Fatwallet is “exposed to a claim” that it repay Nordstrom.
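The control failure the indictment describes is a cashback pipeline that credited orders the merchant later cancelled and never charged, and that paid the proceeds out across many accounts, names, addresses and cards. As an added illustration (constructed records; not FatWallet's, LinkShare's or Nordstrom's systems, and not code from this page), the following reconciles each credit against the merchant's own order outcome, so a cancelled or never-charged order produces a reversal rather than a payout, and links payee accounts that share an address or card into a single ring for review. Field names, statuses and the sample records are assumptions.

```python
"""Cashback reconciliation and payee linking for an affiliate/cashback program.

Added example over constructed data. The credit, order and payee record
shapes are hypothetical; a real network would feed the same logic from its
commission feed, the merchant's cancellation/settlement feed and its payout
system.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Credit:       # what the cashback site recorded when the network reported a sale
    order_id: str
    account: str
    amount: float


@dataclass(frozen=True)
class Order:        # what the merchant's own records say happened to the order
    order_id: str
    status: str     # "shipped" or "cancelled"
    charged: bool   # was the customer's card actually charged?


@dataclass(frozen=True)
class Payee:        # where an account asked to be paid
    account: str
    name: str
    address: str
    card_last4: str


def credits_to_reverse(credits, orders):
    """A credit is earned only if the merchant shipped and charged the order.
    Cancelled, never-charged, or unknown orders are reversal candidates; the
    merchant's cancellation feed should have produced these automatically."""
    by_id = {o.order_id: o for o in orders}
    bad = []
    for c in credits:
        o = by_id.get(c.order_id)
        if o is None or o.status != "shipped" or not o.charged:
            bad.append(c)
    return bad


def link_accounts(payees):
    """Union-find over accounts sharing a payee address or card number, so that
    many accounts funnelling to a few addresses and cards collapse into rings."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for p in payees:
        union(p.account, "addr:" + p.address)
        union(p.account, "card:" + p.card_last4)
    rings = defaultdict(set)
    for p in payees:
        rings[find(p.account)].add(p.account)
    return [sorted(r) for r in rings.values() if len(r) > 1]


# Constructed sample: four credits, of which only N1001 shipped and was charged;
# N1004 never reached the merchant at all. Three payees share an address or card.
CREDITS = [Credit("N1001", "acct-a", 12.50), Credit("N1002", "acct-b", 480.00),
           Credit("N1003", "acct-c", 515.00), Credit("N1004", "acct-a", 9.00)]
ORDERS = [Order("N1001", "shipped", True), Order("N1002", "cancelled", False),
          Order("N1003", "cancelled", False)]
PAYEES = [Payee("acct-a", "A. Example", "1 Main St", "1111"),
          Payee("acct-b", "B. Example", "1 Main St", "2222"),
          Payee("acct-c", "C. Example", "2 Oak Ave", "2222"),
          Payee("acct-d", "D. Example", "9 Elm Rd", "9999")]


def report(credits=CREDITS, orders=ORDERS, payees=PAYEES):
    reversals = credits_to_reverse(credits, orders)
    exposure = sum(c.amount for c in reversals)
    return reversals, exposure, link_accounts(payees)


if __name__ == "__main__":
    reversals, exposure, rings = report()
    for c in reversals:
        print(f"reverse {c.order_id} {c.account} ${c.amount:.2f}")
    print(f"exposure ${exposure:.2f}; linked rings: {rings}")
```

The reconciliation is the control that was missing: credits were treated as final once the network reported them, with no later match against whether the merchant actually collected money. The payee linking addresses the second half of the pattern, where withdrawals were spread across accounts and names; any one account looks ordinary, and only the shared address or card reveals the ring.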


United States of America v. Christopher Kennedy

U.S. District Court for Northern District of California – Criminal Case No. 5-10-CR-00082-JW. February 9, 2010

Core allegation: Writing software to perform cookie-stuffing. Information/complaint.

Victim: eBay

Affiliate Network: eBay Partner Network

Legal claim: Conspiracy to Commit Wire Fraud

Information alleges that Kennedy created a program, “Saucekit,” to assist eBay affiliates in performing cookie-stuffing. Alleges that Kennedy conspired with those affiliates in defrauding eBay.

Kennedy routed cookie-stuffing traffic via the many and seemingly-unrelated affiliate links of the various purchasers of Kennedy’s Saucekit program.

Amount taken from victim: Information reports multiple Saucekit customers earning substantial commissions, including one nearing $10,000 per month.

Disposition: In a June 2012 plea agreement, Kennedy was sentenced to six months in prison and ordered to pay $407,934.39 to eBay in restitution. He was scheduled to begin serving his prison sentence on September 20, 2012.


Five separate cases as to Brian Dunning, Todd Dunning, Shawn D. Hogan, Digital Point Solutions, Kessler’s Flying Circus, and Thunderwood Holdings – cookie-stuffing targeting eBay via Commission Junction

Case captions:

United States of America v. Brian Dunning. U.S. District Court for Northern District of California, Criminal Case No. 5:10-CR-00494-EJD, June 24, 2010. indictment and superseding information

eBay Inc. v. Brian Dunning; Thunderwood Holdings, Inc.; and Kessler’s Flying Circus. U.S. District Court for Northern District of California, Civil Case No. CV 08-4052-EJD-PSG, August 25, 2008. complaint

Commission Junction, Inc. v. Thunderwood Holdings, Inc. dba Kessler’s Flying Circus; Todd Dunning; Brian Dunning. Superior Court of the State of California for the County of Orange, Central Branch, Civil Case No. 30-2008 00101025. January 4, 2008. second amended complaint

United States of America v. Shawn D. Hogan. U.S. District Court for Northern District of California, Criminal Case No. 5:CR-10-0495-JF, June 24, 2010. indictment

eBay Inc. v. Shawn Hogan and Digital Point Solutions, Inc. U.S. District Court for Northern District of California, Civil Case No. CV 08-4052-EJD-PSG, August 25, 2008. complaint

Core allegation: Affiliate cookie-stuffing

Legal claims: Criminal charges against Dunning and Hogan: Wire Fraud Act; eBay civil charges against Dunning, Thunderwood Holdings, Kessler’s Flying Circus, and Hogan: Computer Fraud and Abuse Act (CFAA), California § 502 (Computer Tampering), Restitution and Unjust Enrichment, California Business and Professions Code, Racketeer Influenced and Corrupt Organizations Act (RICO Act); Commission Junction civil charges: Breach of Contract, Open Book, Account, Reasonable Value, Conversion, Unfair Competition, Declaratory Relief

Indictments allege (Dunning, Hogan) that when users visited any of “a large number of web pages,” Defendants caused users’ computers to send requests to eBay reporting, falsely, that Defendant had referred them to eBay. Alleges that this occurred invisibly and without user knowledge. Alleges that when users happened to make purchases from eBay or open eBay accounts, Defendants collected marketing commissions. eBay complaint is in accord.

CJ complaint alleges that Defendants provided third parties with a widget placed on other sites, including on MySpace (allegedly in violation of MySpace terms) which wrongfully forced traffic to eBay.

Internal CJ correspondence reveals that CJ learned of Defendants’ infractions via a complaint from eBay, not via independent CJ investigations.

Methods of concealment:

eBay complaint alleges that Defendants used images on web pages to effectuate its cookie-stuffing scheme and intentionally set these images to be so small as to be effectively invisible.

eBay complaint alleges that Defendants only stuffed cookies once per user computer in order to avoid discovery by eBay or Commission Junction.

Indictments allege (Dunning, Hogan) that Defendants intentionally declined to stuff cookies to users near headquarters of eBay and Commission Junction. eBay complaint is in accord.

Dunning indictment alleges that Defendant knowingly misrepresented that his methods were “in line with” affiliate program rules.

The FBI report from interviewing Shawn Hogan presents Hogan’s statements as to Dunning, including Hogan claiming Dunning “reverse engineer[ed]” Hogan’s tools and “rip[]ped off” some of Hogan’s tools. The associated search warrant (for search of Hogan’s residence) includes details of the FBI’s initial suspicions about Dunning, including a complaint from eBay.

Hogan indictment alleges that when Commission Junction representatives questioned Hogan about cookie-stuffing, he falsely attributed suspicious activity to “coding errors.”

eBay civil complaint alleges that Defendants presented their JavaScript code in a way intended to “obscure[] the purpose and effect” to hinder investigation.

See also a declaration of an FBI agent who searched Hogan’s home, as well as 88 pages of additional material including search warrant (with details of the FBI’s initial suspicions and complaint from eBay), report from the search (including Hogan’s statements during the search), and pictures of Hogan’s home.
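The concealment methods listed above (affiliate links fetched as invisible images, at most one stuffed cookie per computer, and no stuffing for visitors near the merchant's or network's offices) each leave a trace in a merchant's own click logs. The following is an added example, not code from any filing or from eBay or Commission Junction, of how a merchant or network could score each affiliate's click records for those traces. The log format, field names, the monitoring netblock and the thresholds are all assumptions, and the sample log is constructed.

```python
"""Score affiliate click records for cookie-stuffing indicators.

Added example, not from any court filing or network tooling. The log layout,
thresholds and monitoring netblock are assumptions.
"""
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Constructed sample log (not real traffic): one affiliate-link request per
# line, as a merchant's click server might record it.
SAMPLE_LOG = """ts,affiliate_id,client_ip,referer,accept,sec_fetch_dest
2024-05-01T10:00:01Z,aff-100,203.0.113.5,https://blog.example/deals,text/html,document
2024-05-01T10:05:09Z,aff-100,203.0.113.5,https://blog.example/deals,text/html,document
2024-05-01T10:07:44Z,aff-100,198.51.100.7,https://blog.example/review,text/html,document
2024-05-01T10:09:30Z,aff-100,203.0.113.9,https://blog.example/deals,text/html,document
2024-05-01T10:12:02Z,aff-100,203.0.113.9,https://blog.example/review,text/html,document
2024-05-01T10:15:16Z,aff-100,203.0.113.20,https://blog.example/deals,text/html,document
2024-05-01T10:00:02Z,aff-200,192.0.2.11,https://forum.example/thread/1,image/webp,image
2024-05-01T10:00:03Z,aff-200,192.0.2.12,https://forum.example/thread/2,image/webp,image
2024-05-01T10:00:05Z,aff-200,192.0.2.13,https://forum.example/thread/3,image/webp,image
2024-05-01T10:00:06Z,aff-200,192.0.2.14,https://forum.example/thread/4,image/webp,image
2024-05-01T10:00:08Z,aff-200,192.0.2.15,https://forum.example/thread/5,image/webp,image
2024-05-01T10:00:09Z,aff-200,192.0.2.16,https://forum.example/thread/6,image/webp,image
"""

# Assumption: address space of the merchant's and network's own offices, where
# compliance staff browse from.
MONITORING_NETS = [ipaddress.ip_network("198.51.100.0/24")]

IMAGE_RATIO_THRESHOLD = 0.5   # assumed threshold
MIN_CLICKS = 5                # ignore affiliates with too little traffic to judge


def parse_log(text):
    return list(csv.DictReader(io.StringIO(text)))


def in_monitoring_net(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def score_affiliates(rows, monitoring_nets=MONITORING_NETS):
    stats = defaultdict(lambda: {"clicks": 0, "image_fetches": 0,
                                 "monitor_clicks": 0, "ips": Counter()})
    for r in rows:
        s = stats[r["affiliate_id"]]
        s["clicks"] += 1
        # A genuine click is a top-level navigation. A cookie stuffed through an
        # invisible image or frame arrives as a sub-resource fetch, which the
        # browser announces in its Accept header and, today, Sec-Fetch-Dest.
        if r["accept"].startswith("image/") or r["sec_fetch_dest"] in ("image", "iframe"):
            s["image_fetches"] += 1
        s["ips"][r["client_ip"]] += 1
        if in_monitoring_net(r["client_ip"], monitoring_nets):
            s["monitor_clicks"] += 1

    any_monitor_traffic = any(s["monitor_clicks"] for s in stats.values())
    report = {}
    for aff, s in stats.items():
        image_ratio = s["image_fetches"] / s["clicks"]
        # Share of client addresses that ever clicked more than once; an
        # "once per computer" scheme drives this toward zero.
        repeat_ratio = sum(1 for n in s["ips"].values() if n > 1) / len(s["ips"])
        flags = []
        if image_ratio >= IMAGE_RATIO_THRESHOLD:
            flags.append("clicks fetched as images")
        if s["clicks"] >= MIN_CLICKS and repeat_ratio == 0:
            flags.append("no visitor ever clicks twice")
        if s["clicks"] >= MIN_CLICKS and any_monitor_traffic and s["monitor_clicks"] == 0:
            flags.append("no clicks from monitoring netblocks")
        report[aff] = {"clicks": s["clicks"], "image_ratio": round(image_ratio, 2),
                       "repeat_ratio": round(repeat_ratio, 2), "flags": flags}
    return report


def run_sample():
    return score_affiliates(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for aff, r in run_sample().items():
        print(aff, r)
```

The flags are review triggers, not proof: a legitimate affiliate with a small, dispersed audience can also show no repeat visitors, so the image-fetch signal is the one worth weighting most heavily, and an absence of traffic from the monitoring netblocks only means something when other affiliates do send such traffic.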

Amount at issue:

Dunning indictment alleges more than $5,300,000 in compensation from January 2006 to June 2007.

Hogan indictment alleges more than $15,500,000 in compensation from January 2006 to June 2007.

CJ civil complaint alleges that eBay did not pay CJ $565,517.84 despite CJ paying that amount to Defendants. CJ sought repayment of that amount by Defendants to CJ.

Defendant Dunning’s statements:

A Partial Explanation – Brian Dunning, October 5, 2011. – Describes Brian’s understanding of the meaning of cookie-stuffing: “Take any web browser, erase all its cookies, and adjust its security preferences to allow third party cookies. Then, click through a few pages on any ad-supported web site, like Slate.com or HuffPo.com. Now look at your cookies. You’ll see that your browser is loaded with all sorts of cookies from strange web sites that you don’t recognize. That’s cookie stuffing. It’s a scary-sounding term, but it’s fundamental to the way Internet advertising works.”

References Brian’s anticipated defenses: “Obviously there are many intricacies here that go deeper, but I cannot give further details. There are several legal reasons that the lawsuit is improper, and we’ve been fighting it on that basis. Hopefully it will never go to trial, but if it does, my defense depends on evidence that I cannot describe publicly. It’s quite an amazing story, and I look forward to telling it in full detail as soon as the circumstances make it possible.”

The FBI report from interviewing Dunning (attached to the United States’ opposition to Dunning’s motion to suppress evidence) includes Dunning’s statements that eBay’s affiliate program was “stupid”, and that he was “clever” in finding a way to take advantage of the program. The FBI agent interviewing Dunning reports that Dunning admitted using a 1×1 pixel to force an eBay cookie with his affiliate codes.

Dunning claims that a former CJ employee, Andrew Wey (spelling uncertain) provided inside information regarding how to take advantage of eBay’s affiliate program. Dunning claims he paid Wey ten percent of the money he made from eBay.

Defendant Hogan’s Statements:

What Does Carmen Electra, Cyber-Terrorism and Meg Whitman Have In Common? eBay! – Shawn Hogan, August 2, 2010.

Says he promoted eBay “using a small percentage of the [Digital Point] Ad Network ad space to serve up tens of millions of eBay ads every day.” Attributes increased eBay commissions to these placements.

As to violations of eBay’s rules: “When I asked [eBay staff] why they … allow affiliates to violate their terms of service, they … avoid[ed] answering my actual question. Finally [they] informed me that their terms of service (and even the entire affiliate program to some degree) was a bit of a facade. It allowed eBay to do things they wanted to do (like spam search engines, deploy in countries where they had no actual presence, etc.), while also giving them a way to wash their hands of any wrong-doing when any of their large partners (like Google) would question them about it (like why there are so many spam sites directing people to eBay).” Says eBay staff gave him suggestions on how to avoid being flagged in compliance reports by outside examiners.

As to relationships with eBay staff: Says he gave one eBay employee $50,000 to buy a new car, and gave others a plasma TV, new laptop, etc.

Disposition:

In an arraignment of April 15, 2013, Dunning entered a guilty plea. In sentencing proceedings, the United States sought 27 months of imprisonment. In a decision of August 4, 2014, the Court ordered 15 months imprisonment to begin September 2, 2014.

In a December 17, 2012 hearing, Hogan pled guilty. In an April 30, 2014 judgment, Hogan was sentenced to five months imprisonment, three years of supervised release, and a $25,000 fine.

Pursuant to a settlement dated March 9, 2009, Defendants paid CJ $25,000.


Lands’ End, Inc. v. Eric Remy, Thinkspin, Inc., Braderax, Inc., and Michael Seale

U.S. District Court for the Western District of Wisconsin – Civil Case No. 05-C-368-C. September 1, 2006

Core allegation: Affiliate typosquatting – Decision on Motion to Dismiss

Victim: Lands’ End

Affiliate Network: LinkShare

Legal claims: Anticybersquatting Consumer Protection Act (ACPA), Lanham Act, Wisconsin Stat. § 100.18 (Fraudulent Representations), Breach of Contract, Fraud

Plaintiffs alleged, and Court found, that defendants registered thirteen typosquatting domains targeting Lands’ End marks (e.g. lnadsend.com) and redirected traffic from these domains to Lands’ End affiliate links.

Plaintiffs alleged, and Court found, that Defendants were approved as Lands’ End affiliates based on information they provided about the non-typosquatting websites they purported to operate (e.g. www.savingsfinder.com). Defendants failed to disclose their use of the typosquatting domains.

Plaintiffs alleged, and the Court found, that Defendants redirected through Lands’ End affiliate links at most once per user, and subsequently (falsely) said the site was “unavailable” due to “technical difficulties.” As a result, a user or investigator seeking to reproduce a finding might be unable to do so.

Amount at issue: Marketing commissions: Thinkspin ($6,698), Braderax ($500), and Seale ($26); Default judgment of $153,437.50 of actual damages, statutory damages, and attorneys fees.




For additional discussion of some of these practices, see Information and Incentives in Online Affiliate Marketing.

Please send additional cases or notable documents to Ben Edelman.

Thanks to Irene Chen for assistance in gathering and summarizing selected documents.

Last updated: June 9, 2025

Services for Advertisers – Avoiding Waste and Improving Accountability

In the course of my research on spyware/adware, typosquatting, popups, and other controversial online practices, I have developed the ability to identify practices that overcharge online advertisers. I report my observations to select advertisers and top networks in order to assist them in improving the cost-effectiveness of their advertising including by flagging improper ad placements, rejecting unjustified charges, and avoiding untrustworthy partners. This page summarizes the kinds of practices I uncover and presents representative examples drawn from my publications.

For Display Advertisers and Display Networks

In work for display advertisers and display networks, I catch and report the following problems:

For Affiliate Advertisers and Affiliate Networks

In work for affiliate advertisers and affiliate networks, I catch and report the following problems:

Information and Incentives in Online Affiliate Marketing analyzes patterns in merchants’ vulnerabilities and effective defenses.

For Advertisers in Comparison Shopping Engines

In work for comparison shopping engines (CSEs) and their advertisers, I catch and report the following problems:

  • Advertisements loaded, and clicks recorded and billed for, without a user seeing the advertisement link or clicking on it. (CSE click fraud)
  • CSE advertisements presented in adware including injections, popups, sliders, and toasts.

Methods

I catch infractions using multiple “crawler” PCs which operate 24 hours per day, continuously checking for improper advertising placements. These crawlers run from multiple locations in the US, along with systems to detect behaviors targeting users outside the US. Some of my reports draw on large-scale automation developed in partnership with Wesley Brandi. I supplement automatic observations with manual testing using methods I have refined over more than a decade.

Each of my reports includes a packet log presenting the specific methods and identifiers (ad tags, affiliate IDs, etc.) associated with the infraction. Where an incident includes notable on-screen appearances (e.g. a popup), I typically include a screen-capture video or screenshot image showing occurrences as they appear to users. Each report includes a customized explanatory memorandum.

Please contact me to learn more about my reports.

Last updated: May 21, 2016

How Vonage Funds Spyware

I ought to be a Vonage enthusiast. I support Vonage’s efforts to protect network neutrality. I applaud their flexible voice over IP service and their efforts to compete with incumbent phone companies. I’m even a VoIP customer (albeit using a competitor’s service).

But instead of praising Vonage, I have to criticize them — not for their core business, nor for their customer service (which others have repeatedly criticized), but for their reckless advertising practices. Vonage spends huge amounts on advertising — more than $20 million per month. (source) Unfortunately, among this spending is widespread and substantial spyware-delivered advertising.

For years, my manual and automated testing have documented Vonage ads appearing in all the major spyware programs. Now that Vonage has completed its IPO — itself promoted as a way to raise more money to buy more advertising — this page presents twelve recent examples of Vonage ads appearing in spyware.

The twelve examples, by category:

  • Spyware-delivered pop-up ads: Direct Revenue; Targetsaver (covering AOL); Targetsaver (covering a sexually-explicit site); SearchingBooth
  • Banners injected into others’ sites: Fullcontext (ad injected into Google.com); Searchingbooth (ad injected into True.com); Searchingbooth (ad injected into eBay); DollarRevenue (replacing an ad within Boston.com)
  • Spyware lead acquisitions: Direct Revenue (Vendare’s Myphonebillsavings); Direct Revenue (NextClick’s Phonebillsolution)
  • Spyware-delivered banner farms: Hula’s Global-Store; ExitExchange

Vonage’s Spyware-Delivered Pop-Up Ads

Screenshot: A Vonage Ad Shown by Direct Revenue

Screenshot: A Vonage Ad Shown by Targetsaver

Diagram – The Money Trail – How Vonage Pays Targetsaver: money flows from Vonage to Traffic Marketplace to Targetsaver; viewers flow in the opposite direction.

I have repeatedly observed Vonage buying “ordinary” spyware pop-up ads from vendors like 180solutions, Direct Revenue, and eXact Advertising. See e.g. the top thumbnail at right, a March 2006 screenshot of a Vonage ad appearing through Direct Revenue. See also my March 2005 report of Vonage ads appearing through eXact Advertising. These relationships add up to big money: BusinessWeek last week reported that Vonage paid Direct Revenue $31,570 in a single month of 2005 — a remarkable $110 for each customer Direct Revenue sent to Vonage. Meanwhile, in its litigation against Intermix, the New York Attorney General specifically documented Vonage’s ads appearing in Intermix KeenValue pop-ups.

Beyond notorious spyware such as Direct Revenue and Intermix, Vonage ads also appear through less well-known spyware, including through programs that continue to be installed onto users’ computers through security exploits (without user consent). The second thumbnail at right shows a Vonage ad shown by Targetsaver (a California maker of software that becomes installed without consent, tracks users’ behavior, and shows targeted pop-up ads). Targetsaver sends traffic to Vonage in the way set out in the diagram at right: Targetsaver sends users to Traffic Marketplace which forwards users to Vonage (via aQuantive / Atlas, which serves to track most Vonage advertising purchases).

http://a.targetsaver.com/adshow
http://www.targetsaver.com/redirect.php?clientID=…&finalURL=…
http://www.targetsaver.com/js/jf1.html
http://ad.trafficmp.com/tmpad/banner/ad/tmp.asp?poID=emwG
http://t.trafficmp.com/p.t/i15275/37389831/
http://clk.atdmt.com/VON/go/trffevon0740000126von/direct/01/
http://www.vonage.com/startsavingnow

Despite the word “target” in its name, Targetsaver isn’t particularly picky about where it shows Vonage’s ads. The screenshot at right reflects a Vonage ad shown while a user tries to sign up for AOL — perhaps reasonable targeting, in that both companies provide telecommunication services. But Targetsaver also shows Vonage’s ads in unseemly locations, such as when users browse sexually-explicit sites. Screenshot.

Vonage pop-up ads also appear through various other spyware. Additional examples: Vonage shown in a SearchingBooth pop-up (via Rpowermedia and Traffic Marketplace), Vonage shown in a Dollar Revenue pop-up (via Oridian / Cydoor, Yield Manager, Falk eSolutions AG / DoubleClick, and Traffic Marketplace).

Spyware Injections of Vonage Ads – Into Others’ Sites

Screenshot: Fullcontext Injecting a Vonage Ad into Google

Diagram – How Vonage Pays Fullcontext: money flows from Vonage to Yield Manager to MediaPrecision to Fullcontext; viewers flow in the opposite direction.

As users revolt against pop-up ads, a growing trend is to inject ads into others’ sites. Users who receive injected ads may not notice they’re infected with spyware; the telltale signs are, perhaps, less obvious than extra pop-ups. And by hooking into Internet Explorer’s API, injection isn’t particularly difficult.

Of course ad injection raises serious legal concerns. A spyware vendor probably infringes a site’s copyright by inserting an ad right into that site — all the more so when such insertion occurs without a user’s consent and when such insertion lacks any labeling or disclaimer. But consider the vendors who use these methods: they already face substantial legal liability, e.g. from their nonconsensual installations of spyware onto users’ computers. Such vendors are unlikely to be deterred by possible copyright liability.

Despite the problems with spyware-injected banner ads, I have repeatedly observed Vonage ads appearing through banners injected into others’ sites using spyware, without permission from those sites. In general, the resulting Vonage banners appear in places where, but for the spyware at issue, no banner would exist. Consider e.g. the Google screenshot at right. The “real” Google site does not include a banner above the Google logo. Although the banner appears to be an integral part of Google’s site, the banner was injected into the site’s on-screen display by Fullcontext spyware; it was not placed there by Google.

The left and center screenshots below show similar ad injections by Searchingbooth. True.com and eBay do not sell ads that appear above their respective sites. Instead, the Vonage ads at issue were injected there by Searchingbooth, yielding the on-screen appearances shown below.

The DollarRevenue example, right screenshot below, shows a special kind of banner injection. Whereas the first three examples inject ads above a site (albeit within the site’s own window), DollarRevenue injects its ads into a site — covering a banner placed by the site (which would yield payment to the site) with a banner for DollarRevenue (which produces payments to DollarRevenue). This business model is not altogether novel; Claria (then Gator) pioneered this approach with its 2001 covering of other sites’ banners. But whereas Claria quickly abandoned this practice, in the face of IAB and other criticism, DollarRevenue continues unabated. For a particularly vivid view of DollarRevenue’s ad replacement, see the video of this ad injection. Notice the original Boston.com ad appearing for a fifth of a second at 0:00:3.65, only to be covered nearly instantly by the DollarRevenue-injected Vonage ad.

Vonage pays the respective spyware vendors through the relationships set out in the diagrams below and at right. Click an ad thumbnail for a full-size image, along with a packet log of associated network transmissions.

Screenshot: Searchingbooth Injecting a Vonage Ad into True.com

Diagram – How Vonage Pays Searchingbooth: money flows from Vonage to Traffic Marketplace to Adecn to Rpowermedia to Searchingbooth; viewers flow in the opposite direction.

Screenshot: SearchingBooth Injecting a Vonage Ad into eBay

Diagram – How Vonage Pays Searchingbooth: money flows from Vonage to Traffic Marketplace to Rpowermedia to Searchingbooth; viewers flow in the opposite direction.

Video frame: DollarRevenue Replacing a Boston.com Ad with a Vonage Ad – Initial Boston.com Ad – Visible for Only 0.2 Seconds

Screenshot: Replacement Vonage Ad Injected by DollarRevenue

Diagram – How Vonage Pays DollarRevenue: money flows from Vonage to 24/7 RealMedia to Yield Manager to Oridian (Cydoor) to DollarRevenue; viewers flow in the opposite direction.

The ads at issue were injected by DollarRevenue (apparently located in the Netherlands), Fullcontext (purportedly of Anguilla), Searchingbooth (from Deskwizz, giving an address in Quebec, Canada).

Vonage Lead Acquisitions via Spyware Pop-Ups

Screenshot: Vendare Group Using Direct Revenue to Promote Vonage

Diagram – The Money Trail – How Vonage Pays Direct Revenue: money flows from Vonage to Vendare Group / eMarketMakers to LeadClick Media / eAdvertising to Rextopia to RevenueLoop to Direct Revenue; viewers flow in the opposite direction.

Screenshot: NextClick Media Using Direct Revenue to Promote Vonage

As recently as March 2006, I was still observing Vonage ads shown by notorious spyware vendor Direct Revenue. (Screenshot.) But Vonage partners continue to advertise with Direct Revenue — even using Vonage-supplied site designs to do so. So Vonage’s money still reaches Direct Revenue and still helps to fund Direct Revenue.

Consider the top screenshot at right. As I browsed other telecom sites, I got a pop-up promoting Vonage. The pop-up is nearly full-screen — covering all but the title bars of the pages I had requested. The pop-up ad lacks a visible URL, but packet log analysis indicates that it was loaded from www.myphonebillsavings.com. Notably, the bottom of www.myphonebillsavings.com reads “©2001-2006, Vonage Marketing, Inc.” — reflecting that this Vonage-branded page was, by all indications, designed by Vonage itself.

To see who placed this pop-up with Direct Revenue, I again turn to packet log analysis. I observe that loading the ad entailed loading the following URLs. Click the list for the full packet log.

http://xadsj.offeroptimizer.com/imp/servlet/ImpServe?urlContext=http%3A%2F%2F…
http://login.revenueloop.com/sw/3211/CD1087/
http://rextopia.com/sw/5551/CD436/1087%3A%3A3211%3A%3A%3A%3A%3A%3A18a259ac88a…
http://www.eajmp.com/sw/7601/CD154/
http://clicks.emarketmakers.com/redir.aspx?id=671651&AFFID=CD154
http://clicks.emarketmakers.com/redir.aspx?from_pu=true&id=671651
http://clk.atdmt.com/VON/go/thvndvon0550000019von/direct/01?bannerid=671651&f…
http://www.myphonebillsavings.com/?bannerid=671651&AFFID=CD154

This analysis indicates that traffic and money flowed as listed at right. RevenueLoop (a California-based ad network), or a RevenueLoop business partner, bought traffic from Direct Revenue (controlling server offeroptimizer.com). Then RevenueLoop sent traffic to Rextopia (a New Jersey affiliate network), which redirected to Eajmp.com (LeadClick Media’s eAdvertising, of California), which redirected to eMarketMakers, which redirected to aQuantive’s Atlas and finally on to Myphonebillsavings.
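The two URL lists above (the Targetsaver chain earlier on this page and the Myphonebillsavings chain just shown) are read the same way: each redirect hop names a host, each host belongs to an intermediary, and the sequence in viewer order is the money trail in reverse. The block below is an added example, not the author’s tooling, that automates that reading for an advertiser auditing its own tracking logs: it maps hosts to the organizations the article identifies, collapses consecutive hops within one organization, and checks the chain against hosts the advertiser has decided not to fund. The host-to-organization table is an assumption built from the article’s attributions; the sample chain is constructed from the hostnames above with paths abbreviated.

```python
"""Reconstruct a money trail from the redirect chain in a packet log.

Added example. HOST_ORGS is an assumption assembled from the attributions
in the article; SAMPLE_CHAIN is constructed from the hostnames shown there.
"""
from urllib.parse import urlsplit

# Host suffix -> organization (assumption: suffix matching is enough here).
HOST_ORGS = {
    "offeroptimizer.com": "Direct Revenue",
    "revenueloop.com": "RevenueLoop",
    "rextopia.com": "Rextopia",
    "eajmp.com": "LeadClick Media / eAdvertising",
    "emarketmakers.com": "eMarketMakers (Vendare Group)",
    "atdmt.com": "aQuantive Atlas",
    "myphonebillsavings.com": "Myphonebillsavings (Vonage-branded)",
    "targetsaver.com": "Targetsaver",
    "trafficmp.com": "Traffic Marketplace",
    "vonage.com": "Vonage",
}

# Constructed chain in capture order; paths shortened from the article.
SAMPLE_CHAIN = [
    "http://xadsj.offeroptimizer.com/imp/servlet/ImpServe",
    "http://login.revenueloop.com/sw/3211/CD1087/",
    "http://rextopia.com/sw/5551/CD436/",
    "http://www.eajmp.com/sw/7601/CD154/",
    "http://clicks.emarketmakers.com/redir.aspx?id=671651&AFFID=CD154",
    "http://clicks.emarketmakers.com/redir.aspx?from_pu=true&id=671651",
    "http://clk.atdmt.com/VON/go/thvndvon0550000019von/direct/01",
    "http://www.myphonebillsavings.com/?bannerid=671651&AFFID=CD154",
]


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def org_for_host(host):
    """Longest matching suffix wins; unknown hosts are reported by name so a
    new intermediary is never silently folded into a known one."""
    best = None
    for suffix, org in HOST_ORGS.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, org)
    return best[1] if best else host


def money_trail(urls):
    """Organizations in viewer order (first hop is where the viewer started);
    money flows the opposite way, from the last entry back to the first."""
    trail = []
    for url in urls:
        org = org_for_host(host_of(url))
        if not trail or trail[-1] != org:   # collapse hops inside one organization
            trail.append(org)
    return trail


def audit_chain(urls, disallowed_suffixes):
    """Hosts in the chain matching suffixes the advertiser refuses to fund."""
    hits = []
    for url in urls:
        h = host_of(url)
        for suffix in disallowed_suffixes:
            if h == suffix or h.endswith("." + suffix):
                hits.append(h)
                break
    return hits


if __name__ == "__main__":
    print(" -> ".join(money_trail(SAMPLE_CHAIN)))
    print("disallowed:", audit_chain(SAMPLE_CHAIN, {"offeroptimizer.com"}))
```

For an advertiser that only sees its own tracker’s log (here the Atlas hop), the Referer of that request is usually the only upstream host it can recover, which is why the article relies on full packet logs from a test machine rather than on the advertiser’s reporting: the audit has to run over a capture that includes the hops before the tracker.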

The last few links of this chain reflect substantial involvement of Vendare Group. Vendare owns eMarketMakers, and Whois data indicates that Myphonebillsavings is also registered to Vendare Group. But despite receiving venture funding from Insight Venture Partners, Vendare’s ties to spyware are well-known. For example, I have widely observed — and carefully documented — Vendare’s New.net installed through security exploits without users’ consent. Furthermore, Vendare’s eMarketMakers directly funds a variety of spyware. For example, in January 2006 I documented eMarketMakers promoting NetZero using traffic purchased directly from 180solutions, and in March 2005 I documented eMarketMakers promoting Earthlink and Petchews via traffic purchased directly from eXact Advertising. Despite the direct and well-documented relationships between Vendare and spyware, Vonage nonetheless purchases advertising from Vendare and its eMarketMakers group.

Vendare’s Myphonebillsavings is just one of many Vonage partners still paying to receive traffic from Direct Revenue. Last month I also observed Phonebillsolution pop-ups appearing through Direct Revenue. Like Myphonebillsavings.com, Phonebillsolution.com’s copyright line reflects creation by Vonage. Phonebillsolutions hides its Whois data, but directly requesting the IP address of the Phonebillsolution web server yields a default page titled “NextClick Media” (a California-based ad network). The final thumbnail at right shows NextClick promoting Vonage using Direct Revenue.

Spyware-Delivered Banner Farms Promoting Vonage

Screenshot: Look2me and Hula’s Global-Store Promoting Vonage

Diagram – How Vonage Funds Spyware via Banner Farms: money flows from Vonage to ad networks (one or more) to a banner farm to placement intermediaries (zero or more) to spyware vendors; viewers flow in the opposite direction.

Last month I explained the problem of spyware-delivered banner farms: Web sites that buy spyware traffic (directly or indirectly), then show substantially only ads, thereby serving as ad placement intermediaries. I posted three distinct examples of Vonage appearing in spyware-delivered banner farms: Hula’s Global-Store promoting Vonage in a large window at screen center, a further Global-Store promotion of Vonage in a smaller window partially covered by another ad, and in ExitExchange.

But there are plenty of other banner farms, and in my testing most banner farms promote Vonage. For example, my June banner farm article mentions Whatsnewreport, which I have also observed promoting Vonage.

The diagram at right reflects the canonical relationships between Vonage, ad networks, banner farms, and spyware vendors.

Vonage’s Spyware Advertising in Context

Vonage isn’t the only advertiser with widespread spyware ad-buys. Other buyers of untargeted or semi-targeted ads get plenty of spyware-delivered advertising too. For example, I see Verizon ads in spyware pop-ups with remarkable frequency. In a future article, I’ll present screenshots of some other big spyware advertisers.

As best I can tell, Vonage does not specifically intend to have its ads shown in spyware. Instead, the advertising chains shown above reveal that these are generally indirect relationships, not direct spyware ad buys. (In comparison, see my September 2005 report of Expedia directly and intentionally buying spyware-delivered advertising from numerous notorious spyware vendors — a practice that, to its credit, Expedia subsequently stopped.) Yet by failing to take appropriate precautions and failing to diligently supervise its ads, Vonage makes payments to spyware vendors — funding spyware that is known to harm users’ PCs.

Vonage may seek to write off these examples as insignificant within its nine-digit advertising budget. But these spyware placements have important negative externalities: When Vonage pays spyware vendors, even indirectly, Vonage helps make spyware more profitable, and helps make the spyware problem worse. Even if Vonage is content to waste some money on buying unwanted spyware ads, it still needs to take action to avoid funding software that damages users’ PCs.

When asked about Vonage’s spyware funding, Vonage CEO Jeffrey Citron last year told the Associated Press “We do everything we can to make sure our partners adhere to our standards.” I disagree. There’s plenty more Vonage could do. For example, Vonage could refuse to work with partners like Vendare, that have known ties to spyware vendors and that even make and distribute their own spyware. Vonage could refuse to work with Traffic Marketplace and Yield Manager — partners that can’t provide reasonable assurances of keeping ads out of spyware. Vonage could specifically review all its advertising partners, and Vonage could prevent those partners from subcontracting with further unverified subpartners of their own. Vonage may consider these changes burdensome or inconvenient. But based on current practices, Vonage can’t credibly claim to be doing “everything” to stop spyware advertising. To the contrary, as the many examples above indicate, far more work is still required.

Last month Vonage won an “Effie” award for the “effectiveness” of its advertising campaign. I can’t speak to Effie’s criteria in granting this award. But advertisers might appropriately hesitate to praise an advertising strategy that, whether intentionally or recklessly, includes buying ads in spyware.

Beyond Vonage, criticism might reasonably focus on the advertising intermediaries that broker Vonage’s spyware placements. For example, Vonage receives and tracks all these spyware placements through aQuantive’s Atlas advertising. Atlas’s Acceptable Use Policy proclaims that “Atlas technology may not be used in connection with any downloadable application that is downloaded without notice and consent.” But I see no indication that Atlas actually enforces this policy: All the programs discussed above are programs I have observed installed without consent, yet these placements repeatedly flow through Atlas, as shown in each posted packet log. Other ad intermediaries lack even Atlas’s anti-spyware statement: Searching 24/7 Real Media’s site for “spyware” yields no hits, and 24/7’s lengthy and prominent code of conduct does not prohibit use of spyware. As advertising service providers, advertising specialists, publicly-traded companies, and purported ethical leaders, aQuantive, 24/7, and others could do far more to keep spyware out of their networks.

Spyware Showing Unrequested Sexually-Explicit Images

Are pop-up ads anything more than an annoyance? For advertisers they can certainly be a bad deal — particularly when spyware-delivered pop-ups cheat advertisers through PPC click fraud, PPC syndication fraud, affiliate fraud, banner farms, or other improper ways of getting paid. For users, pop-ups in overwhelming quantities may cause substantial harm — especially because pop-up-delivering spyware reduces computer speed and reliability, and because spyware transmits sensitive user information to remote servers.

But spyware-delivered pop-ups can do more than annoy. They can also offend. Consider spyware that shows sexually-explicit (most would say, pornographic) pop-ups. When such ads appear unrequested, they’re likely to be shown to users who don’t want to see sexually-explicit material. It’s a troubling practice — but all too common even among “adware” vendors that claim to have reformed. Meanwhile, some old tricks remain — like pop-ups with their “X” buttons off-screen, making the ads particularly hard to close.

ZenoTecnico and AlmondNet Showing AdultFriendFinder

Screenshot: The ZenoTecnico ad, edited to cover sexually-explicit areas.

Diagram – The money trail for this ad: money flows from AdultFriendFinder to AlmondNet / ProMarket to ZenoTecnico; viewers flow in the opposite direction.

Let’s start with a simple example. On a test PC, I browsed the Findromance.com site. That’s definitely a dating site — but it’s not sexually explicit. Many users browse online dating services without wanting to see online porn.

In testing in May 2006, ZenoTecnico served me the pop-up shown at right (modified to cover the bare breasts exposed in the original). ZenoTecnico is notorious spyware which I have seen installed through a variety of misleading bundles and security exploits. Zeno’s web site claims an address in Panama, but I believe this address is a sham. I’m working on identifying their true location.

Packet log analysis shows that traffic flowed in the way shown in the diagram at right: From ZenoTecnico to ProMarket (part of New York-based AlmondNet) to AdultFriendFinder. See also the associated packet log.

Set against the more complex examples that follow, this Zeno-ProMarket-AdultFriendFinder example is particularly notable: These three parties alone decided to show this ad, in this way, under these circumstances and with this targeting (or lack thereof), without influence by any other spyware installed on my test PC, and with a reasonably direct relationship between advertiser and spyware vendor, as shown at right. They may blame each other. But as best I can tell, they have no one but each other to blame.

Direct Revenue Showing MorpheusOfPorn

Screenshot: The Direct Revenue ad, edited to cover sexually-explicit areas.

Diagram – The money trail for this ad: money flows from MorpheusOfPorn to Direct Revenue; viewers flow in the opposite direction.

It’s well-known that most spyware-infected computers contain multiple spyware programs. When multiple spyware programs interact, they are particularly likely to show sexually-explicit images without a user requesting any such materials.

The screenshot at right presents a pop-up shown to me on a massively infected test PC. The pop-up bears Direct Revenue’s branding (“The Best Offers”), and packet log analysis confirms that the ad came through the Direct Revenue pop-up system.

What caused Direct Revenue to show this ad? Mere seconds earlier, unidentified spyware on my test PC had sent traffic to ad network YieldManager, which had in turn redirected me to AdultFriendFinder. Direct Revenue saw that traffic to AdultFriendFinder and took that as a trigger to display the explicit pop-up shown at right. See the associated packet log (showing the preceding YieldManager traffic), as well as a video of the sequence (edited to cover sexually-explicit areas).

Observing my computer’s traffic to AdultFriendFinder.com, Direct Revenue’s advertising software assumed I was seeking sexually-explicit material. But where the AdultFriendFinder site itself appears unrequested, as in my example, Direct Revenue’s assumption is badly in error. To the contrary, sexually-explicit content is unlikely to be desired or appropriate when other spyware has decided to show a user AdultFriendFinder.

Even AdultFriendFinder recognized that it might not be appropriate to show a sexually-explicit image to users reaching its site in the manner captured in my testing. See a screenshot (from video at 2:46) of the landing page AdultFriendFinder showed me. As delivered to my test PC (via the undetermined spyware), AdultFriendFinder’s site included no visible sexually-explicit images. Instead, the page was a mere doorway — with a disclosure (“Warning! You are about to view…”) along with separate links for users above 18 (to enter) and below age 18 (to go elsewhere).

It is particularly notable for Direct Revenue to show unrequested sexually-explicit materials because Direct Revenue has specifically promised not to do so. In the proposed settlement of a consumer class action lawsuit against Direct Revenue, provision (m) specifically requires that Direct Revenue’s software “will not display adult content ads unless the user is viewing adult websites.” In this example, I did not request any adult web site. Neither did I actually view any adult material (prior to the material shown by Direct Revenue): The AdultFriendFinder page at issue cannot be categorized as “adult,” because it includes no sexually-explicit images. In short, on these facts, I see a strong argument that Direct Revenue violated its duties under its settlement agreement.

Deskwizz/SearchingBooth, Z-Quest, YieldManager and Zedo Showing Vitalix

The SearchingBooth ad, edited to cover sexually-explicit areas.

Money trail for this ad: Vitalix → Zedo → YieldManager → Z-Quest → Deskwizz / SearchingBooth (money flows along the arrows; viewers flow the other way).

Deskwizz/SearchingBooth shows a variety of intrusive advertisements, largely untargeted. Many of its ads are injected into others’ sites (without those sites’ consent), as in this screenshot showing a Vonage ad injected into the Vistaprint site. The SearchingBooth.com web site gives an address in Quebec. I have repeatedly observed Deskwizz/SearchingBooth installed through exploits and in large bundles (e.g. the Dollarrevenue bundle) without meaningful user consent.

The screenshot at right shows an ad served to me on a PC with SearchingBooth installed. The ad shows a total of four nude individuals, and I have edited the ad to cover sexually-explicit areas.

Packet log analysis indicates that traffic flowed in the following way: First, SearchingBooth spyware sent traffic to its SearchingBooth.com controlling server, seeking an ad to be displayed. SearchingBooth.com replied with a URL at Z-quest.com (a Canadian company whose site describes meta-search services as well as a toolbar). Z-quest sent me on to YieldManager. YieldManager in turn sent me to Zedo (a San Francisco ad server that features Internet luminary Esther Dyson on its advisory board). Finally, Zedo opened a new window of Vitalix, which showed the sexually-explicit content at issue. These relationships are set out in the diagram at right, in the URL list below, and in the full packet log.

http://banners.searchingbooth.com/advertpro/servlet/view/dynamic/html…
http://ads.z-quest.com/MarkSect720x300.html
http://ad.yieldmanager.com/imp?z=0&s=16185&r=1&y=23&w=720&h=300
http://c5.zedo.com/jsc/c5/ff2.html?n=377;c=40;s=17;d=15;w=1;h=1
http://c4.zedo.com/ads2/d/3869/172/377/40/i4.js?z=5414
http://l5.zedo.com//log/p.html?a=146636;x=3869;g=172,0;c=377000040,37…
http://ads.vitalix.net/ads/3day/wb03/index.html?prov=seedcorn&subprov…

The longer chain of relationships in this example makes it more difficult to determine who is responsible for the unrequested display of sexually-explicit content. One might reasonably blame Deskwizz/SearchingBooth, whose nonconsensually-installed spyware was the root cause of any ad being shown at all. But also responsible is Zedo, which had the last clear chance to prevent the display of this ad, and which showed these sexually-explicit images without obtaining a correct and reliable verification that such a display was appropriate. Meanwhile, ad placement system YieldManager was squarely in the middle of the chain, and YM’s detailed Media Guard blog suggests they’ve thought at length about the special problems of sexually-explicit ads. Yet they too failed to prevent this sexually-explicit ad from appearing unrequested.

Typical users are likely to find this sexually-explicit ad particularly intrusive and particularly hard to remove because the ad’s “X” button appears off-screen. Notice the absence of a title bar, “X” button, or minimize button in the screenshot at right. Sophisticated users may know they can press Alt-F4 to close the ad. But novices don’t. Reviewing the packet log, it appears that Zedo is responsible for this partially-off-screen window placement: The ad is placed in the specified location by JavaScript code served from the Zedo server, which instructs as follows:

zzWindow.moveTo(Math.ceil((screen.availWidth - 380) / 2), Math.ceil((screen.availHeight - 680) / 2));

This code moves the ad window to a vertical location given by the screen’s available height (in pixels) minus 680 (the intended height of the ad at issue), divided by two. If the user’s screen is more than 680 pixels tall, this code has the effect of centering the window vertically on the user’s screen. But if the user’s screen is less than 680 pixels tall, e.g. an 800×600 pixel screen common on many older laptops and some older desktops, then this code predictably and inevitably places the “X” button off-screen. Zedo and its advertiser should have checked the user’s actual screen height (e.g. via the code “if screen.availHeight>680”), to make sure they were not positioning the pop-up with its “X” off-screen.
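The following JavaScript is an added illustration, not code from this article or from Zedo. It reproduces the arithmetic of the moveTo() call quoted above for two sample screen sizes, shows why the result lands the title bar off-screen on a short display, and contrasts it with a clamped placement that keeps the close button reachable. The 380×680 ad size is taken from the quoted call; the screen dimensions are constructed.

```javascript
// Added example, not code from the article or from Zedo. It reproduces the
// placement arithmetic of the quoted moveTo() call and contrasts it with a
// placement that keeps the title bar (and its "X" button) on screen.
// The 380x680 ad size comes from the quoted call; the screen sizes are constructed.

const AD_WIDTH = 380;
const AD_HEIGHT = 680;

// Position the quoted Zedo code computes: centre the ad on the available screen
// area with no check that the result is actually on screen.
function zedoPlacement(availWidth, availHeight) {
  return {
    x: Math.ceil((availWidth - AD_WIDTH) / 2),
    y: Math.ceil((availHeight - AD_HEIGHT) / 2),
  };
}

// A negative y puts the window's title bar, and so its close button, above the
// top edge of the screen; a negative x pushes the left edge off instead.
function titleBarOffScreen(pos) {
  return pos.y < 0 || pos.x < 0;
}

// The check the article says should have been made: only centre when the ad
// fits; otherwise pin the top-left corner at the screen edge so the close
// button stays reachable (the bottom of the ad is clipped instead).
function safePlacement(availWidth, availHeight) {
  const pos = zedoPlacement(availWidth, availHeight);
  return { x: Math.max(0, pos.x), y: Math.max(0, pos.y) };
}

// Constructed sample screens. screen.availHeight is the resolution minus the
// taskbar, so an 800x600 display typically reports roughly 570 pixels.
const SAMPLE_SCREENS = [
  { name: '800x600 laptop', availWidth: 800, availHeight: 570 },
  { name: '1024x768 desktop', availWidth: 1024, availHeight: 738 },
];

// Report, per screen, where the ad would land as served and where the
// clamped version would put it.
function auditScreens(screens) {
  return screens.map((s) => {
    const asServed = zedoPlacement(s.availWidth, s.availHeight);
    return {
      name: s.name,
      asServed,
      closeButtonOffScreen: titleBarOffScreen(asServed),
      fixed: safePlacement(s.availWidth, s.availHeight),
    };
  });
}

for (const r of auditScreens(SAMPLE_SCREENS)) {
  console.log(`${r.name}: served at (${r.asServed.x}, ${r.asServed.y})` +
    `${r.closeButtonOffScreen ? ' [close button off-screen]' : ''}; ` +
    `clamped to (${r.fixed.x}, ${r.fixed.y})`);
}
```

On the constructed 800×600 screen the served placement evaluates to y = -55, i.e. the top 55 pixels of the window, including its title bar, sit above the screen; the clamped version puts the window at y = 0 and lets the bottom of the ad be cut off instead, which is the harmless way round.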

Look2me/Ad-w-a-r-e, FirstAdSolution, YieldManager, Falk AG/DoubleClick, eXact Advertising, MyGeek Showing Naughtyplay

The SearchingBooth ad, edited to cover sexually-explicit areas.

Money trail for this ad: Naughtyplay → MyGeek → Instant Navigation / eXact Advertising → Falk AG / DoubleClick → YieldManager → FirstAdSolution / Oridian → Look2me / Ad-w-a-r-e / Intern-etadvertising (money flows along the arrows; viewers flow the other way).

From Minnesota-based NicTech Networks, Look2me/Ad-w-a-r-e spyware is widely installed through security exploits and misleading bundles. Its revenue sources are equally broad. I’ve seen Look2me/Ad-w-a-r-e getting paid by performing click fraud against Yahoo advertisers, and by seizing unearned commission through merchants’ affiliate programs. But Look2me/Ad-w-a-r-e also shows ordinary banner ads and pop-up ads, including untargeted run-of-network ads through sites such as its buyer-shabit.com banner loading page (among many others).

The screenshot at right shows an ad served to me on a PC with Look2me/Ad-w-a-r-e installed. The ad is exceptionally explicit: Its large images show four women completely nude and one partially disrobed, in addition to two protruding male members from men not otherwise pictured. Smaller images show at least sixteen women and ten male members (although not a single male face). In total, the ad pictures at least thirty-three individuals in an overwhelming array of sexual positions. The ad arrived on my screen as a full-screen pop-up, but with its upper-right “X” button entirely off-screen, just as shown in the screenshot and thumbnail.

Packet log analysis indicates that traffic flowed in the following way: First, Look2me sought an ad from its controlling server, Ad-w-a-r-e.com. Ad-w-a-r-e specified an ad at intern-etadvertising.com, a standard Look2me loading page which shows untargeted (run-of-network) ads. Intern-etadvertising specified that the ad was to come from Firstadsolution.com (Oridian Online Media Solutions of Israel), which in turn sent me to YieldManager, which specified that the ad was actually at Falkag.net. Falk AG (recently acquired by DoubleClick) in turn sent me on to Instantnavigation.com (whose Contact Us page indicates that it is part of Brainfox.com, recently acquired by eXact Advertising). Instantnavigation sent me to the 207.97.227.29 server (eXact Advertising), which redirected me to MyGeek, which finally passed me to Naughtyplay, the explicit web site shown in the pop-up.

These relationships are set out in the diagram at right, in the URL list below, and in the full packet log.

http://www.ad-w-a-r-e.com/cgi-bin/UMonitorV2
http://www.intern-etadvertising.com/muon.html
http://ad.firstadsolution.com/imp?z=0&s=3926&u=http%3A%2F%2Fwww.inter…
http://ad.yieldmanager.com/imp?z=0&s=3926&u=http%3A%2F%2Fwww.intern-e…
http://a.as-us.falkag.net/dat/cjf/00/14/73/07.js
http://a.as-us.falkag.net/dat/dlv/aslframe.html?dat=147307&kid=130138…
http://www.instantnavigation.com/search.php?cat=dvd&partner=ap_tk
http://207.97.227.29/clk/?313b313134373035373939352e34327e61705f746b3…
http://xmlsearch.mygeek.com/presults.jsp?partnerid=110126&vendorI…
http://www.naughtyplay.com/pornstars/heatherhunter/index.html

By all indications, the 207.97.227.29 server performed click fraud against MyGeek. The structure and obfuscation of the HTML on that server indicate a special desire to avoid being caught, as does eXact’s unilateral insertion of purported search keywords (“heather hunter”) not specified earlier in the traffic. I have observed nearby server addresses with the same URL syntax serving in a click fraud chain against Yahoo Overture. Furthermore, I understand that the xmlsearch.mygeek.com server runs a pay-per-click advertising system, distinct from MyGeek’s separate “cost per view” system for which advertisers may be charged without a click occurring. Traffic to and through that server, without a bona fide user click, seems to constitute click fraud.

This chain of relationships is notable for its extreme length — five intermediaries between spyware vendor and advertiser. These many relationships provide numerous opportunities for ad context to be lost — for ad networks to fail to tell each other that a sexually-explicit ad is not appropriate here.

Policy Recommendations; The Problem In Context

The four examples shown above are just a tiny portion of the problem of sexually-explicit images shown to users who didn’t request such materials. I have numerous additional examples on file. In one example on file, spyware on my test PC identifies the name of a fashion designer on a well-known retailer’s site, then uses that word as a trigger for an ad, ultimately showing an ad that is sexually-explicit. In another example, spyware on my test PC observes me browsing the children’s section of an online shoe store, a page mentioning “girls” in its title. The spyware then serves me a full-screen sexually-explicit pop-up. Notably, the pop-up was obtained via click fraud against a major pay-per-click search engine.

In my view, unrequested displays of sexually-explicit content largely arise out of the unaccountability pervasive in the spyware space. In each of the examples above, I anticipate that the parties involved will blame each other. Ad networks may claim that other ad networks told them (through tags, attributes, or contracts) that traffic was suitable for sexually-explicit ad display. Spyware vendors will blame other spyware for having suggested that users wanted such content. In all likelihood, no party will take responsibility for the bad outcomes that resulted.

In other contexts, online service providers face serious penalties for showing unrequested sexually-explicit images. Section 521 of the PROTECT Act creates criminal liability (up to two years imprisonment) for “us[ing] a misleading domain name … with the intent to deceive a person into viewing material constituting obscenity”, and additional liability for deceiving minors into viewing material that is harmful to minors. This law responded to the problem of typosquatters and other bulk domain registrants showing adult materials — such that users would stumble onto sexually-explicit images unrequested. But no such law protects users from unrequested pornography shown by spyware.

Even without legislative intervention, well-intentioned ad networks have tools at their disposal to prevent the unrequested display of sexually-explicit materials. One natural approach is to make all ads and landing pages non-explicit. Then a mistaken ad display does not show sexually-explicit materials (although it might still link to such materials). Ad networks could also redouble their supervision of their partners — checking the specific circumstances in which explicit ads may be shown, and confirming that these circumstances leave no doubt that a user actually wanted to receive explicit content. Tough ad networks could create financial incentives that penalize their partners for any errors uncovered — warnings, fines, and contract termination. Finally, ad networks could improve their public statements of applicable policies and procedures, making it easier for consumers to report unwanted images — including helping consumers learn where and how to submit such reports. Ad networks that find these steps too difficult or too costly could simply leave the business of serving or placing sexually-explicit advertisements.

Semi-explicit sites raise particular problems for spyware targeting. In my Direct Revenue example (above) and in various other examples I have on file, AdultFriendFinder buys spyware-delivered traffic and shows ads that, while suggestive, are not sexually-explicit. But then other spyware observes this AdultFriendFinder traffic, using this traffic as a catalyst to show ads that are explicit. Spyware vendors need to recognize that while some AdultFriendFinder ads are explicit (e.g. my first example above), others are not. With AdultFriendFinder’s mix of ads, and with typical spyware-infected PCs running multiple spyware programs, a visit to AdultFriendFinder cannot be interpreted as a proper trigger to show sexually-explicit images. Same for any other sites that buy run-of-network (or other spyware-delivered) advertising, or that otherwise straddle the border between explicit and non-explicit materials.

Yesterday the Direct Marketing Association released best practices for online advertising networks and affiliate marketing. The DMA calls for obtaining assurances of compliance with applicable law, performing due diligence on prospective partners, and monitoring compliance. It’s easy to criticize these approaches as obvious or overdue. But if the ad networks above were using the DMA’s recommended methods, these problems would be substantially less widespread. Meanwhile, I continue to think the DMA’s final recommendation — “develop a system to routinely monitor your ad placements” — remains essential yet under-appreciated. Tough enforcement and real penalties could stop these practices: Spyware purveyors wouldn’t run these (or any other) ads if they weren’t getting paid for it.

Banner Farms in the Crosshairs updated June 23, 2006

For the last 8 months, I’ve been following ads from Global-Store, Inqwire, Venus123, and various others — all sites operated by Hula Direct. They’re engaged in a troubling scheme: They buy popups and popunders from various notorious spyware vendors. They show numerous banner ads in “banner farms” without substantial bona fide content. They show advertisers’ ads (and charge advertisers for those ad displays) without the advertisers’ specific permission. They automatically reload ads to rack up extra fees.

Some advertisers and ad networks have taken action to remove themselves from these practices. But others have not, whether from ignorance or indifference. See specific names and screenshots, below.

Buying traffic from spyware vendors

The Inqwire site, as presented to users by SurfSidekick spyware.

I’ve seen Hula banner farms delivered by numerous spyware programs. My October 2005 Claria Shows Ads Through Exploit-Delivered Popups presented Hula’s Venus123 buying traffic from ContextPlus, a spyware program so noxious it used a rootkit to hide its presence on users’ PCs. But that’s just one of many spyware vendors sending traffic to Hula.

The image at right shows Hula’s Global-store.net buying traffic from SurfSidekick. SurfSidekick comes from California-based Santa Monica Networks (also known as SMNi), and I have often seen SurfSidekick installed without consent, as well as installed in misleading bundles where users aren’t fairly told what software they’ll be receiving.

I have also often observed Hula buying traffic from Look2me (a.k.a. Ad-w-a-r-e, made by Minnesota-based NicTech Networks, and widely installed via security exploits). Look2me doesn’t label its ads, so the Hula window doesn’t bear Look2me’s name. But packet log analysis confirms that Hula receives traffic from Look2me.

In further testing, I have also received Hula ads shown by DealHelper (made by Daniel Yomtobian, also of Xupiter), among others.

Hula cannot write off its spyware-sourced traffic as a mere anomaly or glitch. I have received Hula popups from multiple spyware programs over many months. Throughout that period, I have never arrived at any Hula site in any way other than from spyware — never as a popup or popunder served on any bona fide web site, in my personal casual web surfing or in my professional examination of web sites and advertising practices. From these facts, I can only conclude that spyware popups are a substantial source of traffic to Hula’s sites.

Update (June 23): Hula’s attorney, Sandor D. Krauss, has sent me a Cease and Desist letter demanding that I remove all references to Hula from my site. Hula claims that my article is “baseless,” in part because, Krauss claims, Hula “does not buy from spyware vendors.” Krauss further claims that “Hula did not buy from [Surf]SideKick.”

To disprove Krauss’s claim, I have posted a supplemental screenshot and packet log, showing traffic flowing directly from SurfSideKick to Hula’s Clickandtrack.net, and on to Hula’s Venus123 site. I have also posted a packet log showing traffic flowing directly from Web Nexus (widely installed without consent and without informed consent), to Hula’s ClickAndTrack, to Hula’s Inqwire. Similarly, my 2005 proof of ContextPlus spyware sending traffic to Hula’s Venus123 entailed a packet log with traffic flowing directly from ContextPlus to Hula’s ClickAndTrack to Venus123. I have numerous other examples on file, and I may post further examples in the future.

These several examples of direct relationships between Hula and spyware vendors serve to rebut Hula’s claims that it is a “victim” of spyware or that it “did not buy” traffic from the spyware vendors I reported.

Banner farms and their overwhelming advertising

The Global-Store site, as loaded by Look2me/Ad-w-a-r-e spyware. The site includes numerous large ads but no bona fide content.

I call Hula’s sites “banner farms” because they offer little bona fide content, yet they show many banner-type advertisements. Consider the Global-store.net screenshot shown at right. The page embeds two distinct advertisements that are substantially visible: A large Vonage ad at bottom center, with a smaller text ad above. These ads fill substantially all of the window’s usable screen-space. Indeed, the window shows no substantive material other than this advertising; the “Globalstore.net” name and logo don’t provide users with any useful features or information. The abundance of advertising, vis-a-vis no bona fide content, means this site is, as a practical matter, just ads.

Although the screenshot at right is representative of the ads in Hula sites, some Hula sites show even more ads. The preceding Inqwire example includes four visible ads: A prominent top ad for Verizon, a large ad for Universal Studios, a weather search box from the Weather Channel, and a car rental ad from an unknown provider. The Inqwire site also includes a search box — not an ad in its own right, but a pathway to sponsored links obtained from Epilot, a pay-per-click search network. (Furthermore, Inqwire shows Epilot’s links without the advertising disclosure required by FTC regulation.)

Update (6/23/06): I have posted a screenshot of the unlabeled PPC ads at issue.

Some of Hula’s embedded ads aren’t even seen by typical users. For one, users understandably seek to get rid of Hula’s ads as quickly as possible. But Hula stacks ads, so that users can’t even see all of Hula’s ads without multiple clicks. For example, the large Vonage ad at right was superimposed above several others; seeing those others requires closing the Vonage ad first. Other ads are “below the fold,” off-screen and visible only if a user scrolls down. All told, a typical Global-Store page includes half a dozen different ad frames, but typical users are unlikely to see most of these ads. Nonetheless, CPM (pay-per-impression) advertisers are charged for all the ad displays. For these CPM ads, Hula gets paid more each time it serves up another page of ads, whether or not users actually see the ads.

Update (6/23/06): Hula’s attorney claims “Hula does not take multiple clicks to get the ads. Ads are not below the fold. Based on an 800×600 screen all ads are above the fold.”

To disprove this claim, I have posted further screenshots of Hula’s Inqwire site. I show that Hula’s lowest Inqwire ad is entirely off-screen — “below the fold,” on a standard 800×600 screen, just as I claimed. Reaching this ad requires at least two clicks (one to close the “super pop-up,” and a second to scroll down), which I accurately characterize as “multiple” clicks.

Automatic advertising reloads

Most Hula ads include automatic reloads that charge extra fees to CPM (pay-per-impression) advertisers’ accounts. The main Hula web sites embed a set of ads, in the locations set out above. But rather than directly putting ad-reference code into its sites, Hula’s sites embed a set of ad-loader pages that in turn invoke the ad-reference code. Importantly, these ad reference pages include refresh tags that automatically reload the ad-reference pages. So the outer ad wrapper page stays on-screen permanently, but the ad-reference pages continually reload. Each time an ad-reference page reloads, Hula sends additional traffic to advertisers — and gets paid accordingly, on a per-impression basis for CPM ads.

In October 2005, Hula’s automatic reload code was particularly straightforward. Hula’s Venus123 site loaded an ad-reference page (here, a page called 728x90.asp):

<iframe src="728x90.asp?jscode=…">

Then the 728x90.asp ad-reference page automatically refreshes itself every 9 seconds. Note the META REFRESH tag in the page’s head:

<html>
<head>
<meta http-equiv="Refresh" content="9 url=728x90.asp?jscode=…">
<body leftmargin=0 rightmargin=0 topmargin=0 bottommargin=0 >
<p align=center valign=bottom>
<SCRIPT TYPE='text/javascript' SRC='http://ad.yieldmanager.com/rmtag2.js'></SCRIPT><SCRIPT language='JavaScript'>var rm_host = 'http://ad.yieldmanager.com';var rm_site_id = 2578;var rm_section_code =4400;var rm_iframe_tags = 1;rmShowAd('728x90');</script>
</p>
</body>
</html>

I have seen Hula sites using a variety of automatic reload times, including times as low as 9 seconds (as shown above). Ads are replaced every time the ad-reference page reloads, so in this case an advertiser’s per-impression fee buys only 9 seconds on the Hula site. These days, Hula’s automatic reload code is somewhat more complicated, largely implemented via JavaScript rather than a META REFRESH. And Hula currently sets its auto-reload for 21 to 25 seconds rather than 9. But the net effect remains the same — showing advertisers’ ads for less time than advertisers reasonably expect.

Hula’s automatic reloads stand in contrast to Interactive Advertising Bureau (IAB) guidelines for advertising tracking, measurement, and charges. The IAB specifies that ad refresh rates must be “reasonable based on content type.” Despite some vagueness in this standard, it seems unlikely that 9 seconds could be a reasonable refresh rate.

Hula’s automatic refreshes also contradict stated rules at Yield Manager (the primary advertising system to which Hula sends traffic). Yield Manager’s Publisher Signup rules specifically prohibit ads that auto-refresh more often than every 90 seconds.
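As an added illustration (not code from this article, from Hula or from Yield Manager), the following JavaScript scans an ad-reference page for a META REFRESH tag and checks the interval against a network’s published minimum, using the 90-second Yield Manager rule cited above as the default. The sample pages are constructed after the 728x90.asp page quoted earlier; the jscode value is a placeholder.

```javascript
// Added example, not code from the article, from Hula or from Yield Manager.
// It scans an ad-reference page for a META REFRESH and flags intervals below a
// network's published minimum. The sample pages are constructed after the
// 728x90.asp page quoted above; the jscode value is a placeholder.

const HULA_STYLE_PAGE = `<html>
<head>
<meta http-equiv="Refresh" content="9 url=728x90.asp?jscode=PLACEHOLDER">
<body leftmargin=0 rightmargin=0 topmargin=0 bottommargin=0 >
<p align=center valign=bottom>ad tag here</p>
</body>
</html>`;

const SLOW_REFRESH_PAGE = `<html><head>
<meta content="120; url=728x90.asp?jscode=PLACEHOLDER" http-equiv="refresh">
</head><body></body></html>`;

const NO_REFRESH_PAGE = '<html><head><title>static page</title></head><body></body></html>';

// Returns the refresh interval in seconds, or null when the page has no
// META REFRESH. Accepts what browsers accept: any attribute order, either
// quote style, and "9 url=..." (as in the captured page) as well as "9; url=...".
function metaRefreshSeconds(html) {
  const metaTags = html.match(/<meta\b[^>]*>/gi) || [];
  for (const tag of metaTags) {
    if (!/http-equiv\s*=\s*["']?refresh["']?/i.test(tag)) continue;
    const content = tag.match(/content\s*=\s*["']([^"']*)["']/i);
    if (!content) continue;
    const seconds = content[1].match(/^\s*(\d+)/);
    if (seconds) return parseInt(seconds[1], 10);
  }
  return null;
}

// Policy check. The default 90-second minimum is the Yield Manager publisher
// rule the article cites; pass another minimum to model a different network.
function checkRefreshPolicy(html, minSeconds = 90) {
  const interval = metaRefreshSeconds(html);
  if (interval === null) {
    return { interval: null, compliant: true, reason: 'no META REFRESH' };
  }
  const compliant = interval >= minSeconds;
  return {
    interval,
    compliant,
    reason: compliant
      ? `refreshes every ${interval}s, at or above the ${minSeconds}s minimum`
      : `refreshes every ${interval}s, below the ${minSeconds}s minimum`,
  };
}

const PAGES = [['hula-style', HULA_STYLE_PAGE], ['slow', SLOW_REFRESH_PAGE], ['static', NO_REFRESH_PAGE]];
for (const [name, page] of PAGES) {
  const r = checkRefreshPolicy(page);
  console.log(`${name}: ${r.compliant ? 'OK' : 'VIOLATION'} (${r.reason})`);
}
```

This catches only the META REFRESH form shown in the October 2005 capture. A reload driven by JavaScript, which the article says Hula later switched to, leaves no such tag, so a network auditing a publisher needs to observe the page in a browser (or instrument setTimeout and location changes) rather than rely on static markup inspection alone.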

Update (June 23): In its demand letter, Hula claims that “The major falsity [of my article] is the assumption that the majority of the media placed [in Hula’s sites] is on a CPM [basis].”

I take no position as to the prevalence of CPM advertising within Hula’s site, although some of my sources indicate that CPM advertising is or has been widespread. In any event, my automatic reload analysis primarily applies to CPM ads — such reloads being of far less significance as to CPC or CPA relationships. I have revised some text above to make clear that this analysis primarily applies to CPM ads.

Following the money trail; complacent advertisers

Money trail (how funds flow from advertisers to ad networks to Hula): Vonage → aQuantive / Atlas DMT → Traffic Marketplace → Yield Manager → Hula / Global-Store (money flows along the arrows; viewers flow the other way).

Few advertisers are likely to want to pay for their ads to be shown in spyware-delivered popups, stacked among (and often obscured by) other ads, reloaded quickly. So, according to the advertisers and ad networks I talk to, Hula doesn’t exactly ask advertisers for permission to show their ads. Instead, Hula sells its advertising space through bulk marketplaces, most notably Yield Manager. Other Yield Manager market participants buy traffic from Hula, apparently without fully understanding how and where Hula will show their ads.

Hula’s Yield Manager relationship provided Hula with the Vonage ad shown in the example above. Hula’s Global-Store sent traffic to Yield Manager which sent traffic to Traffic Marketplace, which sent traffic to aQuantive’s Atlas DMT, which sent traffic to Vonage. Payments flowed in the opposite direction. See diagram at right, and a full packet log of the chain of redirects. Traffic Marketplace may or may not have understood what traffic Hula was selling it via Yield Manager. But consider the perspective of Vonage, three steps removed from Hula. When Vonage bought traffic from Traffic Marketplace, it’s unlikely that Vonage had specific knowledge of what traffic it would receive.

http://global-store.net/index_tiny.asp?st=6755&sc=956&lc=60&ld=20…
http://www.inqwire.com/Ad720x300.asp?flc=5&fld=26&st=6755&sc=956
http://ad.yieldmanager.com/imp?z=0&i=6755&S=956&r=1&y=23&w=720&h=300
http://t.trafficmp.com/b.t/eMMt/11
http://clk.atdmt.com/VON/go/trffevon0740000126von/direct/01/
http://www.vonage.com/startsavingnow

Despite the complexity of the advertising sales relationships, advertisers and intermediate ad networks have considerable power to investigate and terminate improper traffic sources. Reviewing the Vonage packet log, notice that each HTTP transaction contains a HTTP Referer header reporting that traffic came from Inqwire.com, another Hula property. Seeing this reference to Inqwire, Vonage could have investigated Inqwire, immediately uncovering their bad practices: Most top Google results for “inqwire” are users complaining of unwanted Inqwire popups delivered by spyware. After learning that Inqwire serves ads in unwanted popups and through spyware, Vonage could have terminated its indirect relationship with Inqwire by instructing aQuantive and Traffic Marketplace to cease buying Hula traffic on Vonage’s behalf.
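The Referer check described above, as an added example that is not code from this article or from any advertiser or ad network named in it: the JavaScript below walks a captured redirect chain, lists the hosts the viewer passed through (the money trail read in reverse), and flags every hop whose Referer names a publisher on an advertiser’s do-not-buy list. The URLs are those listed above; the Referer values and the blocklist are constructed assumptions.

```javascript
// Added example, not code from the article or from any advertiser or ad network
// named in it. It walks a captured redirect chain, reconstructs the sequence of
// hosts and flags every hop whose Referer names a publisher on an advertiser's
// do-not-buy list. The URLs are those listed above; the Referer values and the
// blocklist are constructed assumptions.

const DO_NOT_BUY = ['inqwire.com', 'global-store.net'];

const INQWIRE_PAGE = 'http://www.inqwire.com/Ad720x300.asp?flc=5&fld=26&st=6755&sc=956';

// Constructed request records: browsers carry the originating page's Referer
// through an HTTP redirect chain, which is why every hop below reports Inqwire.
const CAPTURED_CHAIN = [
  { url: INQWIRE_PAGE, referer: 'http://global-store.net/index_tiny.asp' },
  { url: 'http://ad.yieldmanager.com/imp?z=0&i=6755&S=956&r=1&y=23&w=720&h=300', referer: INQWIRE_PAGE },
  { url: 'http://t.trafficmp.com/b.t/eMMt/11', referer: INQWIRE_PAGE },
  { url: 'http://clk.atdmt.com/VON/go/trffevon0740000126von/direct/01/', referer: INQWIRE_PAGE },
  { url: 'http://www.vonage.com/startsavingnow', referer: INQWIRE_PAGE },
];

// Hostname of a URL with a leading "www." removed, or null if unparsable.
function hostOf(urlString) {
  try {
    return new URL(urlString).hostname.replace(/^www\./i, '').toLowerCase();
  } catch (e) {
    return null;
  }
}

// True when host is the listed domain itself or a subdomain of it.
function matchesDomain(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// The hosts the browser visited, in order: the viewer's path through the chain.
// Read backwards it is the money trail, each hop paying the one before it.
function viewerPath(chain) {
  return chain.map((req) => hostOf(req.url));
}

// Report every hop whose Referer points at a do-not-buy publisher, plus the
// distinct publishers seen, so the advertiser can tell its networks what to cut.
function auditChain(chain, blocklist) {
  const flagged = [];
  const publishers = new Set();
  chain.forEach((req, i) => {
    const refHost = hostOf(req.referer);
    if (!refHost) return;
    const hit = blocklist.find((d) => matchesDomain(refHost, d));
    if (hit) {
      flagged.push({ hop: i, host: hostOf(req.url), refererHost: refHost, publisher: hit });
      publishers.add(hit);
    }
  });
  return { flagged, publishers: [...publishers].sort() };
}

const auditResult = auditChain(CAPTURED_CHAIN, DO_NOT_BUY);
console.log('viewer path:', viewerPath(CAPTURED_CHAIN).join(' -> '));
console.log(`${auditResult.flagged.length} of ${CAPTURED_CHAIN.length} hops referred by blocked publishers:`, auditResult.publishers);
```

The point of the Referer check is that the advertiser at the end of the chain (here Vonage) does not need visibility into its networks’ contracts to spot the source: the header arrives on its own server with every click-through, so the audit can run on the advertiser’s own logs.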

Instead, many big advertisers have failed to investigate or stop these practices. I have seen Vonage’s ads served by Hula on dozens of occasions, over a period of many months. Same for other big advertisers, like Verizon (promoting DSL and cell phone service) and Claria (promoting PersonalWeb). Additional well-known advertisers promoted by Hula: Blizzard Entertainment (makers of World of Warcraft), the Blu-ray Disc Association, Circuit City, Classmates.com, Micron, Monster.com, Universal Studios, and the Weather Channel.

In other contexts, Hula’s advertisers are careful, thoughtful companies, focused on how they present and protect their brands. But these companies throw caution to the wind when it comes to banner advertising — mistakenly trusting ad networks to select ad placements, without investigating and supervising ad networks’ decisions and practices.

Some ad networks take action

I first reported Hula’s practices in October 2005, when I showed Claria ads appearing through Hula’s Venus123, as opened by ContextPlus spyware. Since then, various ad networks have noticed and have begun to take action.

Ad network Red McCombs Media became dissatisfied with Hula’s ad practices and apparently refused to pay a $200,000+ bill from Hula. In response Hula sued McCombs, claiming breach of contract. I’m working on getting case documents, and I’ll post them here when available. Without seeing the contract between McCombs and Hula, it’s hard to know whether Hula breached the contract (giving McCombs proper basis to refuse to pay). But if the contract (explicitly or implicitly) required Hula to show ads on bona fide web sites, not in spyware-delivered popups, then McCombs is probably on strong ground. Same if the contract required Hula to show ads for a commercially reasonable period of time, consistent with IAB recommendations and industry norms, not just for a period of seconds.

More recently, ValueClick’s FastClick sent its partners a pointed email alerting them to this problem. Having concluded that Yield Manager partnerships are the core of Hula’s business, FastClick moved to ban Yield Manager from the FastClick network. FastClick told its publishers: “Due to recent network quality concerns regarding misuse of ad servers by some publishers the decision was made to no longer allow banner hosting through the Yield Manager ad serving system.” Though FastClick does not mention Hula specifically, my review of industry practices leaves no serious doubt that this policy change was a response to Hula.

I’ve seen other efforts from other networks seeking to stop buying traffic from Hula. But networks find this task surprisingly hard: Many networks buy and sell traffic through convoluted paths; even if a network terminates its direct relationship with Hula, it might still receive Hula traffic through some partner, or some partner’s partner. To me the solution seems clear: Stop buying ad placements through such complex, unaccountable channels. But for ad networks committed to these convoluted placements, Hula presents a serious challenge. A sophisticated network may be able to supervise its own partners, but can it track its partners’ partners’ partners?

Banner farms in context

In general I don’t object to careless advertisers throwing away their money. Of course I seek to prevent my advertiser and ad network clients from being cheated. But I see no overwhelming public policy requiring advertisers to get a good deal on their ad purchases.

Nonetheless, certain rip-offs carry serious public policy concerns. When advertisers pay Hula for ads within Hula’s banner farms, advertisers don’t just get a bad deal. Instead, advertisers paying Hula help contribute to the spyware ecosystem: Advertisers pay Hula, then Hula pays spyware vendors, who, in anticipation of such payments, had infected users’ computers with noxious advertising software like Look2me and SurfSidekick. Were it not for revenue sources like Hula, spyware would have less reason to exist — less ability to make money from infecting users’ computers. In short, Hula’s practices have negative externalities — harming users through spyware infections. So I see substantial reason for the public to want Hula to stop buying traffic from spyware vendors, or simply to shut its banner farms altogether.

The Global-Store site, with numerous large ads but without any bona fide content. ExitExchange, another banner farm, as shown by a SurfSidekick popup.

Though Hula’s use of banner farms is unusual, it is not entirely unique. Consider ExitExchange. Like Hula, ExitExchange buys spyware-delivered traffic, such as the SurfSidekick popup shown at right. Through a variety of ad networks, ExitExchange promotes numerous large advertisers — including Vonage, as shown at right. (I’ve also seen ExitExchange running security exploits which infect users’ PCs with spyware — a particularly unsavory practice.) Another similar banner farm: Whatsnewreport, which I show to be running ads for Claria, Verizon, and Washington Mutual Bank, among others. So the banner farm problem extends beyond Hula.

It’s particularly ironic to see Hula getting paid by Vonage. Vonage went public last month in large part to get money to buy more advertising — to continue their incredible $243 million of advertising spending in 2005. Vonage is one of the web’s largest advertisers, and it’s a sophisticated technology company. So Vonage might be expected to be savvy enough to avoid buying ads in Hula’s banner farms — but in fact, as I’ve shown above, Vonage often appears in Hula’s ads and in other banner farms. Of course these are not Vonage’s only payments to spyware vendors: I have previously reported Vonage buying ads from Direct Revenue and eXact Advertising. That’s a veritable who’s-who of the spyware world. How much other waste is there in Vonage’s advertising budget?

Who’s responsible here? Hula and other banner farms put these problems in motion, so it’s natural to blame them first and foremost. But I also see substantial room for improvement among large advertisers. Anyone buying millions of dollars of online advertising — or tens or hundreds of millions — needs to anticipate bad actors, and needs systems and procedures to detect and block the inevitable unsavory practices. Same for ad networks, who owe special responsibility since they’re spending and allocating their clients’ money rather than their own. So I’m disappointed to see huge advertisers and huge networks allow these problems to fester for so long. That said, it’s reassuring that at least some ad networks have recognized the issue and have taken steps to blunt its effects.

Update (6/23): My article mentions three specific Hula sites: Global-Store, Inqwire, and Venus123. But a cached page from the huladirect.com site shows their admission that they run several other sites too. In particular, Hula takes credit for searchhound.com. (Facts seem to corroborate that claim: SearchHound is hosted within the same “class c” (“slash 24”) network block as other Hula servers. And the SearchHound site shares a common look and feel with other Hula sites.)

Is SearchHound a spyware-delivered banner farm too? I’m still conducting investigations. But I do know SearchHound receives spyware-delivered traffic. Earlier this week I saw SearchHound in the midst of spyware-delivered click fraud. See packet log and screen-capture video proof: I requested www.zappos.com and was sent, by TrafficSector spyware installed on my test PC without my informed consent, to Click2begin. Click2begin then redirected me to Hula’s SearchHound, which sent me on to an unnamed server at 64.14.206.59, then to LookSmart, and finally on to a LookSmart advertiser. The net effect was that the LookSmart advertiser had to pay for a “click” that never occurred — standard click fraud. Meanwhile, SearchHound served as a middle-man in this relationship — receiving traffic from the notorious Click2begin that has received so much criticism. More on spyware-delivered click fraud.
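The packet log described above is the evidence that matters in a click-fraud case: a chain of HTTP redirects that ends at a pay-per-click endpoint and that no user action started. As an added example (not the article’s own tooling), the script below reconstructs such chains from a simplified, constructed capture. The hop order follows the text (zappos.com, then Click2begin, SearchHound, 64.14.206.59, LookSmart, advertiser), but the log format, paths, query strings and the Click2begin, LookSmart and advertiser hostnames are assumptions made up for illustration. It links requests into chains only where the previous response carried a 3xx Location pointing at the next request, so the Click2begin request, which no server redirected to, shows up as a separate chain with no user-requested origin.

```python
"""Reconstruct HTTP redirect chains from a packet-log-style capture and flag
ad-network clicks that were reached by redirect rather than by a user click.

Added example.  CAPTURE is constructed; hop order mirrors the text, but the
click2begin.example / click.looksmart.example / advertiser.example hostnames,
paths and query strings are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed capture, one request/response pair per line, in browser order:
#   METHOD host path -> status [Location]
CAPTURE = """\
GET www.zappos.com / -> 200
GET click2begin.example /r?kw=zappos -> 302 http://www.searchhound.com/c?k=zappos
GET www.searchhound.com /c?k=zappos -> 302 http://64.14.206.59/go?id=1
GET 64.14.206.59 /go?id=1 -> 302 http://click.looksmart.example/click?adv=1
GET click.looksmart.example /click?adv=1 -> 302 http://advertiser.example/landing
GET advertiser.example /landing -> 200
"""

# What the user actually asked for (from the text) and which hosts bill per
# click (hypothetical hostname standing in for LookSmart's click tracker).
USER_REQUESTED: Set[str] = {"www.zappos.com"}
AD_CLICK_HOSTS: Set[str] = {"click.looksmart.example"}

LINE_RE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) -> (?P<status>\d{3})(?: (?P<location>\S+))?$"
)


@dataclass
class Hop:
    method: str
    host: str
    path: str
    status: int
    location: Optional[str]  # Location header on a 3xx response, else None


def parse_capture(text: str) -> List[Hop]:
    hops: List[Hop] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable capture line: {line!r}")
        g = m.groupdict()
        hops.append(Hop(g["method"], g["host"], g["path"], int(g["status"]), g["location"]))
    return hops


def _target_of(location: str) -> Tuple[str, str]:
    """(host, path?query) named by a Location header, for matching the next request."""
    u = urlsplit(location)
    path = u.path or "/"
    if u.query:
        path += "?" + u.query
    return u.netloc, path


def build_chains(hops: List[Hop]) -> List[List[Hop]]:
    """Group consecutive hops into chains linked by 3xx Location headers.

    A request joins the current chain only if the previous response was a
    redirect whose Location names exactly this host and path; anything else
    (a typed URL, or a request injected by software on the PC) starts a new chain.
    """
    chains: List[List[Hop]] = []
    for hop in hops:
        if chains:
            prev = chains[-1][-1]
            if 300 <= prev.status < 400 and prev.location and _target_of(prev.location) == (hop.host, hop.path):
                chains[-1].append(hop)
                continue
        chains.append([hop])
    return chains


def find_unsolicited_ad_clicks(hops: List[Hop], user_requested: Set[str],
                               ad_click_hosts: Set[str]) -> List[Dict[str, object]]:
    """Chains that reach a pay-per-click host without starting at a user-requested site."""
    findings: List[Dict[str, object]] = []
    for chain in build_chains(hops):
        if chain[0].host in user_requested:
            continue  # the user navigated here; a click from this chain is legitimate
        hosts = [h.host for h in chain]
        ad_hits = [i for i, h in enumerate(hosts) if h in ad_click_hosts]
        if not ad_hits:
            continue
        i = ad_hits[0]
        findings.append({
            "entry": hosts[0],               # where the injected traffic started
            "intermediaries": hosts[1:i],    # middle-men between entry and the billed click
            "ad_click_host": hosts[i],       # who bills the advertiser for this "click"
            "landing": hosts[-1],
            "hops": hosts,
        })
    return findings


if __name__ == "__main__":
    for f in find_unsolicited_ad_clicks(parse_capture(CAPTURE), USER_REQUESTED, AD_CLICK_HOSTS):
        print("unsolicited click:", " -> ".join(f["hops"]))
        print("  middle-men:", ", ".join(f["intermediaries"]))
```

On a real capture the same linking rule applies, with two caveats a practitioner should expect: redirects can also be performed by JavaScript or a meta refresh rather than a Location header, which this matcher would miss (each such hop would appear as a new chain), and the list of user-requested URLs has to come from outside the log, for instance the video recording described above, because the capture alone cannot say what the user intended.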