Who's Funding Spyware Authors? AOL, Dell, Priceline, and Yahoo, Say Critics
Legitimate companies fund adware through loosely affiliated advertising networks that fail to provide sufficient accountability and controls.
Imagine if shoppers were told that once they walked into a store, they would have to carry around with them a special sign that once they left would show advertisements everywhere else they went, with no button to turn it off? People wouldn't tolerate it. But they do online.
The black sheep of the online advertising business -- adware and spyware, those pieces of unwanted software so tough to get rid of once they sneak onto computers without permission -- are the products of a flawed system in which a company placing an ad eventually loses control of how it appears, first working through an agency, which pays distributors operating through a network, which in turn has affiliates. On and on it goes until the dreaded pop-up ad.
"Everyone only knows the person above them and below them. There hasn't been a sense of we need to look four levels out," says Ari Schwartz, deputy director of the Center for Democracy and Technology. "You have all these players in the middle. There are many broken pieces to the puzzle here."
Who's to blame? The easiest target is the marketing companies that redirect Web addresses and deliver pop-up ads: New York Attorney General Eliot Spitzer took Intermix Media Inc. to court earlier this year. But at least two companies, Direct Revenue LLC and 180solutions Inc., whose distributors sometimes command botnets to take over computers, are "doing far worse stuff than Intermix," Schwartz says.
180solutions filed suit in August against seven former distributors alleging they used botnets to surreptitiously install the company’s search software without notice or consent. “We deplore botnets,” says Sean Sundwall, spokesman for 180solutions, which has shut down more than 500 of its more than 8,000 distributors in the past nine months for failing to receive “informed consent” from a user.
Ire also could be directed toward the companies who make their living off selling ads through extensive networks -- like Yahoo Inc., Google Inc. and American Online Inc. -- each with its own set of rules about adware and diligence about policing them. For a quick scorecard, Schwartz praises Google for its advertising policies and says AOL has done the best job of enforcement while Yahoo lags behind, choosing to lead work on an industry standard.
And then there are the advertisers, who pay as much as several dollars for every click on one of their pop-up pitches. "That's were the money starts," Schwartz says. "The chain begins and ends with the advertisers themselves."
Yahoo gained unwanted attention earlier this month when spyware researcher and consultant Ben Edelman reported that Yahoo-syndicated ads appeared more frequently than any other pay-per-click ad network in his tests of various spyware-infected PCs.
"Yahoo has been more willing to take on dubious partners and allow their partners to have partners so that Yahoo couldn't know where the ads are appearing. It's created a real monster in terms of ads getting distributed all over the place," Edelman says. "There's not much accountability as to who's doing what."
Edelman, who counts among his clients AOL, which dumped Claria Corp. and other adware companies after purchasing Advertising.com a year ago, details his findings in his blog.
Yahoo says two of Edelman's four examples of ads shown on software installed without consent, from Direct Revenue and 180solutions, were not authorized by the company, which made sure the ads were terminated immediately.
A spokeswoman said Yahoo was "looking into exactly how our listings showed up through their applications and will take action as appropriate. This can range from terminating an implementation to ceasing to work with a company."
But Edelman says he has proof that Yahoo ads are still shown by these same vendors. What's more, he doesn't think cutting ties to one or two rule-breakers is enough. The whole system -- with the partners of syndication partners having their own partners -- needs to change. He says he finds several new examples every week of other vendors who install ad software without consent, or questionable consent, showing Yahoo ads.
And because that web of partners is so tangled, he doubts that Yahoo could truly shut out a particular offensive vendor if it tried. "Yahoo is surprisingly ill-equipped to terminate relations with 180solutions and kin even if it officially resolves to do so," he says.
As for Edelman's other two Yahoo partners of ill repute: the company could not provide detail about eXact Advertising LLC by press time; it says Claria meets its partner standards for obtaining consent. Yahoo paid Claria $31 million for distributing ads in 2003, back when the company called itself Gator Corp. Edelman estimates that those payments could now total as much as $50 million annually.
Yahoo insists it makes sure that its marketing partners who peddle downloadable applications give consumers -- some of whom actually enjoy the benefits of that free software, despite the ads -- high standards of notice, privacy and ease of removal. "A key element of these standards requires that distribution partners do not download applications onto a user's computer until the user knowingly agrees to the terms of the download agreement," the spokeswoman says.
Yahoo is also working with the industry to develop a better way to enforce those standards. "You can make sure a given company meets the guidelines, but it's difficult to police them on a minute-by-minute basis," she says.
Adding fuel to the fire, not all advertisers are willing to give up ads linked to spyware programs.
Priceline.com, which Edelman ranks as one of the top 10 most widespread spyware advertisers, according to his research, spends "a very small portion" of its advertising budget with Claria, eXact and Direct Revenue, and the site is in the process of drafting a company adware policy, says Brian Ek, a company spokesman.
That might not seem like much of a step, but in the "everyone else is doing it, so I do too" playground mentality that rules the world of online travel advertising -- and dating sites as well -- that counts as progress, Schwartz says.
On the other hand, Dell has terminated its business with Claria, 180solutions, eXact and other affiliates who have been found to use software downloads that are prohibited in the terms and conditions of the affiliate contracts. Spokeswoman Jennifer Davis would disclose neither the total number of Dell advertising affiliates nor those that have been terminated.
An affiliate is not allowed to use adware or spyware programs. "We do not tolerate it," she says. "It's not good for our customers and it's not good for us."
To distribute its online ads, Dell works with affiliates, most of which are coupon aggregator web sites like CouponMoutain.com or FatWallet.com, which earn a commission for every sale they generate. Dell also advertises with banners on news sites and in search results on Google.
Edelman, however, found an instance of a "pop-under" ad from Claria for Dell appearing on Dell's own Web site; if a shopper clicked on the ad, Dell would presumably pay Claria for delivering it a customer it already had. Davis could not explain the anomaly.
Dell, along with AOL, HP, Microsoft, and Yahoo, is a member of the Anti-Spyware Coalition, a group of software companies, academics, and consumer groups working on ways to tackle spyware and other potentially unwanted technologies. The Center for Democracy and Technology convened the coalition, considered one of the more significant industry efforts. The group is expected to release the final draft in early fall of a consensus document, called "Spyware Definitions and Supporting Documents," that will help address best practices, risk modeling and objective criteria for flagging.
The coalition, which defines spyware as tracking software deployed without adequate notice, consent or control for the user, recognizes that the term has also become synonymous for any potentially unwanted technology. It defines adware as advertising display software, "specifically certain executable applications whose primary purpose is to deliver advertising content in a manner or context that potentially may be unexpected and unwanted by users. Many adware applications also perform tracking functions, and may be categorized as tracking technologies."
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.