Yahoo Accused of Spyware-Related Misdeeds

Not long after Google settled a click fraud lawsuit, Yahoo is finding itself charged with click fraud. This is different, though; it looks like spyware is involved, along with some very questionable practices. Keep reading to find out more about the charges…and the evidence.

If you advertise your website with the search engines, you’re probably paying a premium price. For that fee, you expect to see a traffic stream that is likely to deliver a higher-than-average percentage of conversions, because these are people that are actually looking for exactly the kind of goods, services, or information you can provide. If you don’t, you may suspect that something is wrong. According to a lawsuit filed last week against Yahoo, your suspicions may be more accurate than the search engines would care to admit.

The lawsuit was filed on behalf of Crafts by Veronica, a New Jersey-based maker of fabric-covered photo albums. Filed in a New Jersey federal court, the suit seeks class action status against Yahoo, Overture, and unnamed third parties. It accuses Yahoo of breach of contract, unjust enrichment, civil conspiracy and violations of the New Jersey consumer fraud act. If the suit receives certification by the court as a class action, anyone can join if they have purchased ads through Yahoo’s pay-per-click system within the last six years.

What did Yahoo do to bring this suit upon itself? It led the companies who advertised with the search engine to believe that their ads were being displayed on “highly targeted” websites, when in fact they were being displayed on sites showing spyware pop-up ads and typosquatter websites. If it was accidental, that would be one thing, but the suit argues that Yahoo continued this practice “even though defendants knew that a substantial percent of click revenue resulted from PPC advertisements shown improperly, including in ways that contravene defendants’ contracts with its advertising customers.”

Yahoo isn’t talking about the suit. A Yahoo representative stated that “We’re not going to comment on this matter other than to say that we plan to vigorously defend our position.” The courts will sort out whether the suit has any merit, of course, and I’m certainly not a lawyer. Nevertheless, it’s worth taking a look at the evidence to see what kind of hot water the venerable search engine has gotten itself into, and how.

One of the lawyers on the side of the plaintiffs has a name that might ring familiar to you: Ben Edelman. Spyware expert and Harvard doctoral candidate, I last wrote about Edelman in this article, published back in July of 2005. At that time, he had found a string of evidence that showed a stream of money flowing from those who advertised with Google, through Google itself, back out to Google affiliates, and eventually winding up in the hands of adware and spyware companies. So much for Google’s “don’t be evil” motto. In August, Edelman reported on a similar stream involving Yahoo’s PPC system.

If anything, the problems have gotten worse since then. Last month, Edelman reported on his website that “I now have many dozens of different examples of Yahoo pay-per-click ads shown with spyware.” This is not an occasional problem. It’s what Edelman refers to as syndication fraud, and as with Google it goes through several stages: advertisers place ads with Yahoo, Yahoo pays its affiliate sites place/run the ads, the affiliates in turn pay/place the ads with their affiliates, until the ads get shown by spyware.

It gets even worse. Edelman insists that “Yahoo’s spyware problems extend beyond improper syndication…[With some spyware showing Yahoo ads,] spyware completely fakes a click — causing Yahoo to charge an advertiser a ‘pay-per-click’ fee, even though no user actually clicked on any pay-per-click link. This is ‘click fraud.’”

In conventional click fraud, pay-per-click ads are clicked by users (or programs) that have no intention of purchasing anything from the business owner. This is sometimes done by competitors seeking to drain their rival’s advertising budget. It has been a real problem for search engine advertisers, who have complained to the search engines about having to pay for fraudulent clicks. In some cases, they’ve taken their claims to court, and won. Google recently paid $90 million to settle a class action click fraud lawsuit in which Yahoo is still a defendant.

On his site, Edelman highlighted four specific examples of spyware-syndicated PPC click fraud. The first three were the most interesting. Edelman browsed certain websites with a computer infected with spyware installed without consent. In the first example, “I received a popup that immediately forwarded traffic to a Yahoo Overture PPC link — faking a click on that link, and charging an advertiser as if a user had clicked on that link, even though I had not actually done so.” He was able to trace the flow of traffic to 180solutions, a company known for its spyware.

For Edelman’s second example, a spyware popup ad redirected him without a click to the exact same website he was actually browsing! In his third example, a spyware popup showed him an ad for something he had never shown any prior interest in. That can hardly be described as displaying ads to “high quality” traffic!

Many of you have heard of 180solutions before. There are some other interesting players here. Edelman cites Intermix and Qklinkserver. He makes a particularly distressing point about the latter: “I have tested the Qklinkserver advertising software at length. Of the links I have received from Qklinkserver, every single one ultimately passes through Yahoo Overture. As best I can tell, Yahoo Overture is the sole source of funding for Qklinkserver.”

And Intermix? It settled for $7.5 million with the New York Attorney General’s office last year after NYAG Eliot Spitzer sued the company. Spitzer accused Intermix of bundling hidden spyware into the millions of programs it gave away for free. You might be interested to know that Intermix owns the MySpace social networking site; both Intermix and MySpace are now owned by News Corp.

Intermix, 180solutions, and Qklinkserver are hardly alone. Direct Revenue has also been charged by Spitzer with including spyware programs in the free software it gave away. Spitzer found it particularly egregious that the company “deliberately designed spyware that, once downloaded, was extremely difficult for users to detect and remove.”

Some analysts have linked Yahoo to Direct Revenue. If the two companies are connected, I see a shredding party in Yahoo’s future. Indeed, the NYAG was able to show that Direct Revenue earned $226,964 from Yahoo Overture pay-per-click advertising during April 2005, to say nothing of May and June. As Edelman’s lawsuit against Yahoo points out, “by placing ads into illegal platforms such as spyware programs, [Yahoo] wrongfully collected high search engine advertising fees for ads that are actually shown in contexts that are worth far less, if anything. It is well known that spyware advertising is much cheaper than search engine advertising.” Indeed, never mind the “click” part; that sounds like plain old fraud to me.

Advertisers and businesses know that ads placed in spyware are worthless or even harmful to them. Edelman’s lawsuit goes on to say that “Advertisers want no part of spyware-delivered advertising. Staff of the FTC and the New York attorney general’s office have repeatedly instructed advertisers to be wary of spyware-delivered advertising. Furthermore, advertisers recognize spyware for the scourge that it is, and they therefore seek to keep their ads out of spyware.”

Unfortunately for Yahoo, this isn’t the end of it; the behavior it is charged with gets even worse. Not only does the suit state that the search engine turned a blind eye to the abuses of its system, but all but encouraged it at certain times of the year. It says that Yahoo “knowingly…manipulated that system for their own benefit, by increasing the volume of improper advertising displays during financial reporting periods when defendants were at risk of failing to meet investor expectations.” This might not be cooking the books exactly, but it strikes me that it’s close enough to — well, to get someone sued.

Another point raised by the lawsuit was the issue of ads placed in typosquatter domains. I’ve described this problem recently in relation to Google here. The lawsuit describes the problem explicitly in this example: “Take for example Yahoo’s advertising customer Expedia.com. A user intending to visit the Expedia web site might mistype it as `expedai.com.’ At ‘expedai.com,’ the user sees a list of ads provided by Defendants, including an ad for Expedia, along with other customers of Defendants. If the user clicks the Expedia ad, the user is taken to the true Expedia site, which is where he or she wanted to go in the first place — without clicking an Expedia ad — and Expedia has to pay defendants a PPC fee.”

Typosquatter domains are valuable enough, and a big enough potential nuisance, that businesses will go through arbitration with the International Corporation for Assigned Names and Numbers to wrest them from control of the typosquatters. Indeed, Google won a judgment not too long ago against someone who held four domains that typosquatted on Google’s good name. It was clear that Google was trying to preserve its good name in a number of ways; anyone visiting the typosquatting domains risked getting a variety of malware installed on their computer completely without their consent…including adware and spyware-related files.
 
The issues with advertising on spyware and typosquatted domains might be at a couple of removes now, but the idea that the search engines themselves are doing it now brings no comfort. Especially since, according to Edelman, Yahoo could have prevented this from becoming a problem. “They could have refused to partner with spyware companies. Instead, they are partnering with spyware companies and have paid out millions of dollars in advertising money to them.” How much of that money might have come indirectly from you?

Google+ Comments

Google+ Comments