Can Spyware Ever Come In From The Cold?

Layers of blind partnerships, botnets, and the many distributors that make up the online ad business make spyware almost impossible to trace.
Most everyone is familiar with the black sheep of the online advertising business: unwanted adware and spyware that's tough to get rid of once it sneaks onto computers. But few know that much of it is the product of a flawed system in which a company placing an online ad eventually loses control of how it appears. A company that wants to advertise online works through an agency that pays distributors operating through a network, which in turn has affiliates. On it goes until the original ad becomes the dreaded, can't-get-rid-of-it pop-up.

In the online ad-distribution business, "everyone only knows the person above them and below them," says Ari Schwartz, deputy director of the Center for Democracy and Technology, a nonprofit public-policy group. "There hasn't been a sense of [needing] to look four levels out. You have all these players in the middle. There are many broken pieces to the puzzle."

Who's to blame? The easiest targets are marketing companies that redirect Web addresses and deliver pop-up ads. But it gets more complicated. The Center for Democracy and Technology threatened to file a complaint with the Federal Communications Commission over 180solutions Inc.'s business practices, warning the Internet search-marketing company that its distribution mechanisms likely were violating federal law and charging it with duping consumers into downloading software they didn't ask for. 180solutions filed suit in August against seven former distributors, alleging they used botnets--networks of infected computers--to surreptitiously install search software without notice or consent. "We deplore botnets," says a spokesman for 180solutions, which has stopped using more than 500 of its 8,000 distributors in the past nine months for failing to receive informed consent from users.

Some Praise
Ire also could be directed at companies that make their living selling ads through extensive networks--such as America Online, Google, and Yahoo--each with its own set of rules about adware and diligence about policing them. Schwartz praises Google for its advertising policies and says AOL has done the best job of enforcement, while Yahoo lags, choosing to lead work on an industry standard.

And then there are the advertisers, who pay as much as several dollars for every click on one of their pop-up pitches. "That's where the money starts," Schwartz says. "The chain begins and ends with the advertisers themselves."

Questions About Yahoo
Yahoo gained unwanted attention last month when spyware researcher and consultant Benjamin Edelman reported that Yahoo-syndicated ads appeared more frequently than any other pay-per-click ad network in his tests of various spyware-infected PCs.

"Yahoo has been more willing to take on dubious partners and allow their partners to have partners so that Yahoo couldn't know where the ads are appearing," Edelman says. "It's created a real monster in terms of ads getting distributed all over the place." Edelman counts among his clients AOL, which dumped Claria Corp. and other adware companies after purchasing interactive marketing company a year ago.

Yahoo says it didn't authorize two of Edelman's four examples of ads shown on software installed without consent, from advertising company Direct Revenue and 180solutions. Yahoo made sure the ads were terminated and is "looking into exactly how our listings showed up through their applications and will take action as appropriate," a spokeswoman says. "This can range from terminating an implementation to ceasing to work with a company." For its part, Direct Revenue last month said it was ending the use of third-party affiliate networks to distribute its software.

But Edelman doesn't believe cutting ties to one or two rule-breakers is enough. The whole system, with the partners of syndication partners having their own partners, must change. He finds several examples each week of other vendors that install ad software without consent, or with questionable consent, showing Yahoo ads. And because that web of partners is so tangled, he doubts that Yahoo could truly shut out a particular offensive vendor if it tried.

Yahoo says it makes sure its marketing partners that peddle downloadable apps give consumers high standards of notice, privacy, and ease of removal. "A key element of these standards requires that distribution partners don't download applications onto a user's computer until the user knowingly agrees to the terms of the download agreement," the spokeswoman says.

Yahoo also is working with the industry to develop a better way to enforce those standards. "You can make sure a given company meets the guidelines, but it's difficult to police them on a minute-by-minute basis," the spokeswoman says.

Everyone's Doing It
Progress is coming in small steps. Inc., which Edelman ranks as one of the top 10 most widespread spyware advertisers, spends "a very small portion" of its advertising budget with Claria, Direct Revenue, and eXact Advertising, and the site is drafting a company adware policy, a spokesman for the travel-shopping site says. That might not seem like much of a step, but in the "everyone else is doing it, so I do, too" mentality that rules the world of online travel advertising, that's progress, the Center for Democracy and Technology's Schwartz says.

So does this: Dell has ended its business with Claria, eXact, 180solutions, and other affiliates that have been found to use software downloads that are prohibited in the terms and conditions of the affiliate contracts. A Dell spokeswoman wouldn't disclose the total number of Dell ad affiliates or those that have been terminated. An affiliate, she says, isn't allowed to use adware or spyware. "We don't tolerate it," she says. "It's not good for our customers, and it's not good for us." To distribute its online ads, Dell works with affiliates, most of which are coupon-aggregator Web sites such as or, which earn commissions. Dell also advertises with banners on news sites and in search results on Google.

However, Edelman found an instance of a "pop-under" ad from Claria for Dell appearing on Dell's own Web site; if a shopper clicked on the ad, Dell would presumably pay Claria for delivering it a customer it already had. A Dell spokeswoman couldn't explain the anomaly.

Dell--along with AOL, Hewlett-Packard, Microsoft, and Yahoo--is a member of the Anti-Spyware Coalition, a group of software companies, academics, and consumer groups working on ways to tackle spyware and other potentially unwanted technologies. The Center for Democracy and Technology convened the coalition, and the group is expected this fall to release the final draft of a consensus document that will address best practices, risk modeling, and objective criteria for flagging the unwanted software.
