Searching for (Unintentional) Supporters of Spyware? Try Google

It’s a journalistic dictum that, in order to get to the bottom of something, one should follow the money. Spyware researcher Ben Edelman used high technology to discover who is using that hated method to advertise, and thus keeping spyware makers in business. This led to a chain of money whose links may surprise you — and illustrate a larger issue in the tangled web of online advertising.

I don’t know anyone who uses a computer who actually likes spyware. This often malicious software downloads itself to a computer, frequently without the user’s knowledge or consent. Once it settles itself in, it may do anything from showing unwanted ads to monitoring a user’s online behavior and sending information about it back to the spyware maker. Sometimes it will combine these two acts, by monitoring a user’s Web clicks and showing ads related to the kinds of websites visited. Whatever else it does, spyware usually slows down a computer’s performance, and may cause other problems.

If nobody likes spyware, how and why do spyware makers stay in business? As with many Internet-related businesses, they receive revenue from advertisers for showing their commercial messages. One would think that many reputable businesses would refuse to advertise through spyware. While one school of advertising maintains that even annoying ads are useful because at least you’re making an impression, I would think most businesses realize that an annoyed potential customer is someone who will spend their money with competitors. If any ad displayed by spyware is by definition annoying, why spend the money to advertise in that way?

The answer, apparently, is that a lot of businesses are not doing this directly. What happens is that they deal with an intermediary who handles the placement of their advertising. That intermediary might even go through another intermediary, who then goes to a spyware company. Everyone in this line gets paid, so the money goes from the business, through the chain, to the spyware company. As a result, the business in question might not realize that it is paying for its ads to be displayed by spyware, albeit indirectly. Even worse, the business itself might be actively anti-spyware, horrified at the thought of anyone who would use such tactics, and even engaged in lawsuits against spyware companies –- and still discover, much to its chagrin, that some of its advertising dollars support spyware companies.

This scenario is not nearly as unlikely as you might think. In fact, Harvard law student and spyware researcher Ben Edelman recently made some surprising discoveries in this very area. In late May, he revealed some of his findings in a post that left egg on the face of one of the world’s most respected online companies.

{mospagebreak title=Say it isn’t so, Ben!}

Edelman’s post –- and research –- took a close look at the role played by intermediaries in Internet advertising. He examined ads displayed by advertising software from 180solutions. As an example, he showed that PCs with this software, when visiting the American Airlines website, are “treated” to a pop-up of Expedia’s website. He explained that 180 did not show this ad directly, though presumably it could. Rather, it passes through an intermediary, invokes the intermediary’s tracking software, and then displays the ad. According to Edelman, this type of routing is far more common than the direct display of ads.

For those who think that 180solutions might not fit the definition of spyware (or adware, its close cousin), Edelman links to video proof that its software “is often installed with no consent at all…via misleading promises at kids sites, in poorly-disclosed bundles, and otherwise without appropriate notice and consent…” This makes the company a good place to start for hunting down whose advertising budget is going into spyware maker’s pockets. So Edelman fired up his software robots to find out whose ads are being displayed by 180solutions…and that’s where things got interesting, and complicated.

Of 88,388 current pop-up ads run by 180solutions, 4,678 –- about five percent –- were Google AdSense ads. How is this possible? Google has had a policy in place for a year that effectively prohibits any of its AdSense partners from using spyware to promote its ads! Surely the search engine giant would never allow a known spyware company to become an AdSense partner, would it?

Perhaps I should say that it would never knowingly do so. Remember, this particular path is paved with intermediaries. So Google might pay its AdSense partners, who are acting as intermediaries and have promised not to associate with spyware companies –- but then the AdSense partner may use another intermediary, that is under no such obligation. The AdSense partner is not required to check the conduct of its partners –- and in the advertising business, who has the time, right? So this intermediary does deal with a spyware company, and that’s how Google AdSense ads get displayed in spyware. In some cases, according to Edelman, the AdSense partner itself hired 180!

{mospagebreak title=Following the Money}

Why does this matter? It’s very simple: money makes the world go around, and that’s especially true in advertising. If spyware and adware weren’t making money for someone, we’d see much less of it. When the money is coming, even indirectly, from a source as large as Google, spyware correspondingly flourishes, and it could be a long time indeed before we see the end of it.

The issue is worse than that, however. As Edelman explained, “while other intermediaries often withhold from making claims about the quality of the sites they track or serve, Google tells its advertisers that sites showing Google ads are ‘high-quality’ and ‘reviewed and monitored according to…rigorous standards.’” Businesses working with Google therefore expect a certain adherence to ethics when it comes to the placement of their ads. They certainly do not expect that their AdSense ads will later show up displayed by software that was loaded onto a PC without the user’s knowledge or consent.

They are right to expect better from Google. You see, part of the reason that Google can tell its advertisers that only “high-quality” sites show AdSense ads is because of the conditions it places on its AdSense partners. Item five lists prohibited uses; it states in part that AdSense partners “shall not, and shall not authorize or encourage any third party to…(vi) directly or indirectly access, launch and/or activate Ads, Links or Search results through or from, or otherwise incorporate the Ads, Links or Search Results in, any software application…” As Edelman observed, an AdSense site hiring 180 surely counts as authorization and encouragement to show the site’s AdSense ads within a software application.

Some online advertising intermediaries act in a way that seems to indicate they are aware that this isn’t entirely kosher. Edelman uses the example of This company pays 180solutions to show Top3offers URLs. Top3offers sends the traffic received from the 180solutions ads to Yahoo Personals –- but not directly. First, it goes through a Commission Junction tracking link. If Yahoo or Commission Junction search their advertiser databases, they won’t find 180solutions…and, more than likely, they never asked Top3offers to do this. According to Edelman, this example is merely one among hundreds, maybe thousands of advertising intermediaries that use similar techniques.

It gets worse. Toolbars are also a form of software, and not all toolbars are entirely reputable. Surprisingly, the Ask Jeeves toolbar, which uses Google advertising, breaks a Google guideline for its advertising partners. This guideline states “software should not trick you into installing it.” According to Edelman, the Ask Jeeves toolbar is installed without consent as part of the iMesh and Kazaa P2P file sharing applications, among others.

Instead of punishing Ask Jeeves for this egregious behavior, Google rewards it –- and the rewards literally keep Ask Jeeves in business. In a recent 10-Q, Ask Jeeves revealed that it receives 74 percent of its total revenue from Google. This amounts to hundreds of millions of dollars every year. Ask Jeeves is just one AdSense partner –- and it has a good reputation, at that.

{mospagebreak title=What Can Google Do?}

In the standard online agreement that Google makes with its AdSense partners, under item four, the company enumerates the parties’ responsibilities. It also states, “Google reserves the right to investigate, at its own discretion, any activity that may violate this Agreement, including but not limited to any use of software applications to access Ads, Links, or Search Results, or any engagement in any activity prohibited by this Agreement.” So Google has the right –- and, I would argue, the responsibility –- to make sure its AdSense partners are behaving ethically.

Sadly, it may not be that simple. Ari Schwartz, interviewed recently about enforcing these kinds of policies, made it sound like a game of whack-a-mole. “It’s basically an ongoing struggle. You get rid of the problem in one place and it sprouts up someplace else.”

Edelman’s take on the matter is different. He said that a number of advertising intermediaries, and even big advertisers, have told him that they can’t track how ads are being shown. “They apparently consider it impossible to track all their ads –- so they think they shouldn’t be blamed if they fail, i.e. if their ads are shown through software installed improperly on users’ PCs. I emphatically disagree. The task is definitely doable. I know because I’ve already done it.”

To its credit, Ask Jeeves began taking action with its partners when it heard of Edelman’s research. It wants users to know about the toolbar download. According to Ask Jeeves spokesperson Colby Zintl, “This is a larger industry issue about the need to improve the disclosure and installation practices. It’s our responsibility, ultimately, to make sure that partners comply with our policies.”

Are you listening, Google?

[gp-comments width="770" linklove="off" ]