Being Ben Edelman

You’d be hard-pressed to find someone more knowledgeable or dedicated than Ben Edelman when it comes to the evils of spyware. The 24-year-old assiduously tracks the proliferation of adware from his own computer lab. He’s a fierce critic of spyware practices and has testified in several high-profile adware-related lawsuits.

Talk about overachievers: Edelman is a Ph.D. candidate at the Department of Economics at Harvard University and a student at Harvard Law School. He currently is analyzing methods and effects of spyware, uncovering affiliate commission fraud and examining Internet filtering efforts by governments worldwide.

DIANE ANDERSON: Where do you do most of your work?

BEN EDELMAN: I work primarily from my apartment. All the equipment is in my office, the second bedroom in my two-bedroom apartment. I currently have six PCs in my lab, though I’ve had more from time to time. In general, I install one spyware app on each PC, then test its behavior under controlled experiments. For some projects, I install spyware in virtual machines on my fastest PC – which lets me return the system to pristine condition for multiple rounds of tests of install-uninstall or for testing of many different programs in sequence.

DA: How did you get started researching spyware and adware?

BE: It was something I had long been interested in. My recent work focuses on the intersection of law and the Internet – generally including writing software to study whatever software I’m looking at. Programs that show extra pop-up advertisements are a natural candidate for study in this way, because by careful testing I can learn which ads are shown when, how the programs get installed, what personal data they transmit and so forth. I was thinking about these kinds of questions as early as 2001. My earliest publication in this field came in mid-2002, when I served as a technical expert in the case brought by The Washington Post, New York Times, Wall Street Journal and others against Claria (then Gator) as to its pop-up ads covering their sites.

DA: There seems to be a lot of confusion about what the differences are between behavioral targeting, adware and spyware.

BE: I think the differences are often surprisingly small. There’s a large class of programs that use behavioral targeting – meaning watching what a user is doing – to figure out what ads to show (an “adware”-type function) while also sending back information to central servers about users’ online activities (which some might call a “spyware” feature). So I see great overlap between the three terms.

The various programs using these methods have a lot in common. For one, users don’t generally want these programs on their PCs. For another, users don’t generally seek out even the most benign of adware programs. Instead, users get the programs through some kind of bundle, or auto-install (“drive-by”) that occurs when users visit certain Web pages. A further similarity: The resulting advertisements cover Web sites with, in general, their competitors’ sites – a result that I found incredibly surprising when I first experienced it, and that in my experience users continue to find surprising. What an odd thought that the ad you see, when you type in LLBean.com (and are otherwise looking at L.L.Bean content), is in fact an ad for L.L.Bean’s direct competitor!

Of course, there are other kinds of contextual advertising. Google shows ads according to what searches users conduct. Sometimes these ads are controversial – sites’ advertising being triggered by direct competitors’ brand names. But Google certainly isn’t sneaking onto anyone’s PC. The Google ads, at least, are within Web pages that say google.com, so even the most inexperienced user can always understand that the Google ads are there because Google put them there.

DA: What should affiliates and affiliate managers know about search engine cloaking?

BE: First, let’s step back for a quick definition: Search engine cloaking is a set of methods whereby sites attempt to boost their search engine rankings, primarily by giving search engines content different from ordinary users.

Cloaking is a risky strategy. It has rewards, but it has a downside too. For those with savvy competitors or critics, who might notice the cloaking and report it to authorities, the risks are particularly pronounced. Google’s FAQ says it may remove sites from its index, permanently, as a penalty for cloaking.

That said, to date the penalties for cloaking have been pretty limited. Cloak for a year, and you might never be caught. Even if you are caught, you might get at most a slap on the wrist, especially if you’re powerful and can convince Google to be lenient. So the fact is, lots of sites are using cloaking.

DA: What are you working on now?

BE: This year I’m finishing my last year of law school, and planning my dissertation for my Ph.D. in economics. I also have some ongoing testing of more spyware and stealware, work I expect to publish on my Web site in the coming months.

DA: What stealware is the most pernicious these days?

BE: It’s hard to know. If I knew which software were most problematic, I’d surely make it my highest priority! Generally, I try to keep an eye on the programs with the largest installed base – figuring that they’re the programs affecting the most users, and that they’re the programs best positioned to show a large number of pop-ups or to falsely claim a large volume of affiliate commissions.

DA: You’ve studied these programs for some time. What do you think are the biggest dangers facing affiliates right now?

BE: I think the biggest danger is complacency. Affiliates would be wrong to assume that all is well in the affiliate marketing space – that they can simply link to merchants, then wait for the money to come rolling in. Fact is, powerful outside forces seek to profit from affiliate marketing and garner their profits by interfering with the referrals made by other affiliates.

DA: What actions would you suggest affiliates take to protect themselves?

BE: I wish there were more that affiliates could do. As it turns out, the major stealware problems are problems for merchants, primarily, and for affiliate networks to the extent that the integrity and value of their tracking systems are called into question. Ordinarily, rule-abiding affiliates lose out when stealware seizes their commissions. But there’s not much an ordinary affiliate can directly do to address the problem.

That said, it’s always good for affiliates to be informed, and to help spread the word. Revenue readers are surely better informed than most. I’m a big fan of ABestWeb, where there’s lots of savvy discussion about which programs are doing what. Those affiliates who have personal relationships with merchants can learn what’s going on and can help keep their merchants in the loop, especially as to programs found to target their merchants.

DA: You write about 180solutions, WhenU, Claria. Which companies are the most egregious violators?

BE: I was, and remain, particularly concerned about the behavior I have observed from 180solutions software. 180’s software was setting affiliate network cookies even on “organic-traffic” type-ins, where users reached merchants’ Web sites directly (not through any other affiliate). So merchants would be paying commissions to 180 for traffic that resulted from their own background marketing efforts. 180 was also overwriting cookies set mere seconds before by other affiliates – so merchants would be paying 180 when the commissions should have gone to other affiliates. These activities had been going on for at least six months when I began to write about the problem publicly. But somehow the existing processes – merchants’ fraud control efforts and affiliate networks’ efforts – had failed to detect what was happening, or to do anything about it.

Claria is notable for continuing to be installed on a huge number of PCs, some 40-plus million, according to recent reports. That’s a lot of users getting extra pop-up ads!

DA: What can be done about them?

BE: To the extent that these programs set affiliate cookies in violation of merchants’ and networks’ rules, I would ordinarily expect merchants and networks to detect the behavior and to issue sanctions, presumably including forfeiture of ill-gotten commissions. Litigation also seems like a possible way forward. After all, merchants might want refunds of commissions wrongly paid six months ago, not just of the most recent months of commissions not yet paid to stealware companies.

In thinking through enforcement options, it’s important to realize that affiliate networks face some odd incentives here. Remember that merchants pay networks a share of the amounts merchants pay affiliates. For example, if a Commission Junction merchant pays $10,000 of affiliate commissions, CJ’s 30 percent fee might be an additional $3,000. Usually, this is a good thing: Networks make more money when affiliates make more money, so networks have an incentive to stop merchants from cheating their affiliates. However, networks also make money when “stealware” affiliates claim commission they’re not entitled to. So networks face an incentive to look the other way and to allow or even to promote programs that claim affiliate commissions in violation of merchants’ and networks’ rules.

Set against this incentive are networks’ overall reputations for honesty and integrity: If the networks try to cheat the merchants too much, or if the networks let the merchants get cheated too much, then networks’ reputations are likely to go down the drain. But these forces are in tension, and my sense is that lots of merchants are coming to question whether they can count on networks to make sure affiliates, especially affiliates using software downloads, are in compliance with the necessary rules.

DA: What role does government play? What are your opinions about the various bills?

BE: I’d love to see legislation that truly addresses the problem of unwanted software getting on users’ computers. So far, though, I’ve failed to see much legislation that addresses the subtlety of the situation here.

The real problem, as I see it, is defining user “consent.” It turns out to be pretty easy to get a user to press an “I accept” button – especially if that button is in a box that looks official, or if it comes as one step in a many-step process of installing some software the user actually wants. But what should we infer from the user pressing “accept”? Can the user, with one quick click of a mouse button, allow a software distributor to claim commissions on the user’s every purchase? Allow the distributor to install whatever software it wants, from whatever third parties, at whatever point in the future? Can the user authorize the software provider to create on-screen advertisement displays that are, to many users, not just annoying but also misleading and confusing, and that many online publishers regard as damaging to their brands?

Then there’s the problem of licenses not actually shown to users. In many drive-by installs, the user gets a message like, “Do you want to, after reading our license (click here to view it), install [program name]?” How should we understand this prompt? If a user clicks on “yes” without reading the license, is the user still bound? What if the link were broken, such that clicking on the license link didn’t actually produce a license? If the unread license claimed “user will pay software provider $100,” I suspect we’d all consider the license unenforceable. What is so different when the license instead says, “We will cause your PC to show extra pop-up ads”?

I’ve been surprised at how many courts have been willing to accept the “consent” argument – giving so much weight to a user’s thoughtless and hurried press of the “accept” button. Most legislation also places great significance on “I accept” – sometimes requiring that users be given specific information before they accept, which I think is a good start, but ultimately letting users accept almost anything, no matter how one-sided. I’m not usually one to intervene in free markets – so I, too, have the instinct that if users actually want this stuff, we should let them have it. But my experience is that few users actually do want it. Instead, they’re just not paying attention when they “accept.” So I think there’s a role for government to be helpful here, in requiring consumers to really think before they leap, to read a few screens of disclosures and to press a few different “accept” buttons in a procedure reminiscent of signing a rental car agreement. The formalism of the multiple steps of acceptance might go a long way to helping users understand that pressing “I accept” is actually a big deal.

DA: What are your biggest current concerns?

BE: The current fight over unwanted software on users’ PCs actually seems to me a very big deal. As a society, how do we make sure that users have the freedom to install what they want on their own computers, yet that big companies can’t trick users into signing away (or should I say “clicking away”) their rights for nothing? In the real world, we’ve built up various kinds of unconscionability laws – a prohibition on various kinds of misleading real-world offers that make a user think he’s getting one thing, when the truth is far removed. Can we find the right online balance? Or will corporate interests run rampant and seize users’ computers for their own benefit?

More generally, I’m interested in the balance between public and private on the Internet. The fight over spyware ultimately comes down to how easily users can give up their own desktops – how much of a showing a software company must make to defend its right to be on a user’s PC, when the user quite likely didn’t actually want it there, but when the company claims the user pressed “accept” and granted permission. We shall see.

DIANE ANDERSON is an editor at Brandweek. She was the managing editor of Revenue Magazine for Issue 4 and she previously worked for the Industry Standard, HotWired and Wired News.

Stumped About Stopping Spyware

Tuan Le is mad. And when he’s upset, he speaks quietly, deliberately and very thoughtfully. He’s hardly a hothead. But nothing gets him more riled up, if you can call it that, than knowing he’s losing a large percentage of revenue from his two affiliate Web sites to other affiliates that are acting in unethical and unfair ways.

Le, who’s been an affiliate for the last few years and owns wholesaler.com and findcheapauctions.com, has spent a lot of time researching spyware and adware and has many times considered taking legal action against the companies that use spyware or somehow interfere with his affiliate commissions. But he’s been reluctant to make waves.

“I think there is a percentage of what is supposed to be coming my way that is being diverted,” he says. “I want to do something about it, but I’m not sure what I can do.”

And Le isn’t alone in this. Whether you call it spyware, adware, parasiteware or any of the many other names used to describe the software that positions itself between Web publishers and their merchant partners, the pernicious applications are causing thousands of affiliates to lose a lot of money.

According to an industry watcher who asked not to be named, affiliates are losing up to 40 percent of their annual revenue to illegitimate affiliates (often called bad actors) that entice end users to download free software in exchange for being served advertising.

Le estimates that figure could be as high as 50 percent.

“It’s the most horrible thing on earth. It’s intrusive, evasive and it’s just a very nasty thing to do; and it’s fast becoming one of the hottest ways to generate traffic on the Net,” says Jason McClain, president and CEO of PrimeQ Solutions, an Internet marketer and lead generator.

Once loaded onto the user’s desktop, these free applications often replace ads, redirect links and disable existing browser cookies. That means the ads that users see are not those paid for by affiliates – a consumer is often clicking on another affiliate’s advertisement to make an online purchase or going to a competitor’s site to buy goods. For affiliates that means a loss of commissions and traffic, which ends up hurting their revenue stream.

This issue has been a huge one for affiliates for more than the last four years, according to Kellie Stevens, president and founder of the affiliate marketing resource Web site AffiliateFairPlay.com.

“Affiliates feel the most pain – their cookies are being written over, the merchants are then paying out commissions that are not warranted. The merchants feel the second level of pain,” says Gary Stein, a senior analyst for online advertising and marketing at JupiterResearch.

At the crux of the issue is, who owns the desktop, the browser or the application?

Those companies that derive the bulk of their revenue from selling advertising on free downloadable applications take the position that the user owns the desktop and that consumers have a right to decide for themselves what is displayed on their own computer screens, not publishers.

Thomas Storm, vice president for online services at VentureDirect Worldwide, a performance-based marketing firm, claims the desktop doesn’t belong to a publisher, and if a user agrees to receive an ad, that is their choice. He acknowledges, however, that user agreement licenses for the free software are often so complex that few people actually read them. Or, if they do, few know exactly what they are agreeing to. Still, Storm believes it is the responsibility of users to make sure they understand what they’ve read before they agree.

“If there are three or four steps in the download process and users don’t read through all of them, then that’s their fault,” he says. “You can’t get away with claiming ignorance in a court of law. That won’t fly.”

A Big Problem

Although most market researchers who follow this space do not have specific numbers on the size of the spyware market or how much revenue is generated by the traffic, they agree the market is huge. Anecdotal evidence puts the spyware market at nearly $500 million, and some oft-quoted figures claim that nearly 90 percent of personal computers are infected with spyware or adware.

“It’s very hard to get a sense of how big it is, but it is big, and the perceived impact is significant,” says Stein, who notes that a quarter of the advertisers Jupiter surveyed are “philosophically opposed” to adware. Furthermore, 7 percent said their respective companies issued mandates prohibiting them from buying adware.

In October, EarthLink, along with anti-spyware and system utility software maker Webroot Software, published their SpyAudit Report, which scanned more than 1.1 million PCs for the period of July through September and found an average of 25 spyware-related applications running on each system. That is a slight decrease from the instances of adware and adware cookies, as well as a decrease in the number of system monitors and Trojan horse applications, on Internet surfers’ systems for the period of January through March 2004, when the average was 26.5 percent.

This downturn was attributed to the increased awareness of spyware and adware infections and the increasing number of software tools available to fight the threat. Antivirus vendors, including Symantec and McAfee, have been adding some level of spyware and adware detection and removal tools to their software.

Defining The Problem

It’s hard to fight something that is not defined. One of the biggest issues is one of the most basic – defining what is and isn’t spyware. Spyware is a catchall term typically used to describe computer programs that are designed to stealthily install themselves on people’s computers – often when the users attempt to download seemingly legitimate programs. The most benign spyware programs – also called adware – simply serve up a barrage of pop-up messages, while the most intrusive ones can track online movements, steal passwords and hijack sensitive data.

The fact that different groups use different terminology to describe these malicious programs (see sidebar) has made it difficult for various entities – especially the government – to curb the problem, according to Steve Messer, CEO of network service provider LinkShare. “Everyone’s definition is different. There is not a definitive answer,” Messer says. “Managing this problem will depend on how the community comes together.”

There are a handful of companies that are most often named as perpetrators of these types of acts, including Claria (formerly Gator), WhenU and 180solutions. All say they are not spyware and are legitimate advertising networks (see page 44).

Still, many are upset at the practices employed by these and other firms.

“California and Utah have given Gator and WhenU a clean bill of health, spyware-wise. Now these two guys are legitimate in those states,” says Haiko de Poel, president of ABestWeb. “But parasite- wise they are dirtier than hell.”

Claria, 180solutions and WhenU have all been named in suits that involve improper use of trademarks or unfair trade practices related to advertisements and targeting. Gator’s activities have prompted more than a dozen legal challenges from companies including the New York Times, The Washington Post, Extended Stay, Hertz, Lending Tree, Overstock.com, Quicken Loans, Six Continents Hotels, TigerDirect, UPS and Wells Fargo, among others.

One merchant, who asked not to be named, says he had to drop 180solutions. “I made a lot of money with them working with us on an affiliate basis, but my sense in talking with other retailers is that they were avoiding them like the plague.”

Who Is Responsible?

So whose responsibility is it to try to stop spyware: the government, affiliate networks, the affiliates themselves, end users, anti-spyware vendors? Most think the answer is all these groups.

PC makers have recently joined the fight against spyware in order to control their technical support costs and avoid any legal repercussions, according to Russ Cooper, senior scientist with TruSecure.

Forrester Research analyst Jonathan Penn says a spyware-related support call can cost $15 to $45, and a company may lose business if end users believe the spyware problems are related to its products. “Security is a component of loyalty,” Penn says. “People want all these various services, but they expect security to come with it.”

Yahoo, EarthLink and AOL have all begun offering spyware-detection tools. Hewlett-Packard and Dell also offer limited free trials of anti-spyware software preloaded on their systems.

Messer says he is shocked that some people truly believe the spyware situation can be resolved. “This problem is never going to be solved. It’s like spam or the war on drugs or illiteracy. You just have to manage it and do the best business you can.”

He adds that the concept of obliterating spyware is one of those lingering ideals from the early days of the Internet. “The idea that the Internet would be this free, safe, great place still lingers, but the reality is that we will have to deal with [spyware] for the rest of our lives. So, we need to work together to manage it.”

“I agree that we are not going to solve the problem, but we can minimize it,” says Trey Barnes, president of Public Policy Partners, a Washington, D.C. legal firm, and president of the Consortium Of Anti-Spyware Technology Vendors, a nonprofit organization of anti-spyware vendors that addresses the issue of spyware.

Barnes adds that the solution has to be multifaceted and must include the anti-spyware vendors, legislation, have a consistent code of conduct from the network service providers (see page 36) and focus on education.

“We need to get the word out about the risks of spyware to all the impacted parties without scaring them,” Barnes says. “Education is pre-emption, and pre-emption then goes a long way to help manage the problem. Spyware is not going a way, but if we don’t get it under control then it will threaten the commerce and growth of the Internet.”

Steps To Stop Spyware

Even though the affiliates are most impacted by spyware, they have not been able to mount a concerted and cohesive effort to fight it. Most are like Le. They are aware of the problems, but don’t want to make waves at that level. They fear repercussions from the networks or the spyware companies that could mean the loss of even more revenue.

In addition, there are so many affiliates, each with different strategies, varying levels of technical and business acumen and different opinions, that group efforts have yet to result in a consensus.

“Affiliates are an independent lot,” Stevens says. “Every group effort seems to fall apart due to differences in opinion. And individually they are not effective.”

The affiliates that are most impacted are mom-and-pop Web publishers. This group is not typically technically savvy, and some may not realize how much they are losing.

“Some affiliates don’t have any idea how much revenue is being lost,” Stevens says. “They figure that they are making $5,000 per month and paying their bills. But they are not put in the context that they could be making $12,000 per month. Most of these are smaller affiliates that started with this as a side income and were then able to quit their jobs. This is the first time they’ve been self-employed, and they don’t have as much experience with management.”

Many, like Stevens, believe the networks are in the best position to combat spyware problems. “The networks haven’t taken all the necessary steps,” she says. “Maybe with pressure from the affiliates they will do more. Maybe if the affiliates scream loud and long enough something will happen.”

While all the major networks have anti-spyware policies (Performics and Commission Junction have adopted a code of conduct, while LinkShare has its own contractual effort to curb spyware see page 36), some say those policies do not go far enough or are not enforced with regularity.

“Codes of conduct don’t mean beans if they are not enforced,” de Poel says. “And many times these guidelines are not enforced.”

Le says he believes the networks are dealing with the threat of spyware by setting up departments that are supposed to monitor and handle any inappropriate activity, but he also worries they are just a corporate façade.

“These are things they need to put up in order to get new accounts. They can say they have an enforcement department that exists, but if it’s not at all effective then that’s the issue,” Le says.

Stevens calls the networks’ policies related to spyware shortsighted. “When spyware and adware applications started, the networks were struggling,” she says. “Then they started to see revenue and traffic increases, and now they are top performers and have some really good statistics to attract more merchants. It’s like they were boxed into a corner.”

Others say blaming the networks is misguided.

“It’s not the networks’ fault that illegitimate marketers are trying to come up with ways to surreptitiously get to users’ desktops,” says Tim Hickernell, vice president at META Group. “Unlike spam and email, spyware and adware do not correlate to a service that users consider valid. With email, users thought it was a valuable service. Nobody said, ‘let’s do away with email’ to get rid of spam. It’s not the same for spyware. Consumers don’t understand the value at all.”

“As long as [spyware companies] are clearly stating that they will install a program and it’s easy for the user to understand what they are installing and say no, they don’t want it – and as long as users can clearly uninstall the program – then they are legitimate marketers,” he notes.

Still, the networks have not had an easy time policing their affiliates. In September, LinkShare awarded – and then revoked – its $15,000 Titanium Award to the affiliate with the highest quarterly percentage increase because the recipient, TheDesktopShopper.com, was accused of using spyware.

LinkShare took back the award after other affiliates complained on AbestWeb, an advertising/affiliate marketing chat site, that TheDesktopShopper.com had been blacklisted by several watchdog sites. To date, TheDesktopShopper.com has not been kicked out of LinkShare’s network. This was the second time LinkShare had to revoke its Titanium Award because an affiliate allegedly used suspect practices.

And while some companies with reportedly offending practices often remain in their respective networks, many note that trust between the networks and the affiliates may be eroding.

“The networks themselves are in a great position,” Stein says. “They are getting all the traffic, getting all the commissions, but they are degenerating the trust of the network. And when that trust goes away, the affiliates will abandon the network.”

Many, including de Poel, make no bones that the bottom line for all of this is money.

“The networks aren’t doing anything about it, because they are making money off of those guys. It all boils down to the dollar, the dollar, and the dollar,” de Poel says.

de Poel suggests that action is more likely to be taken when parasites start impacting the merchant’s organic traffic and not just the affiliates. “The merchants need to make the networks do something or they should leave. This left-handed administration of the programs just isn’t working, and the networks are not trusted third parties anymore.”

For Le, the turning point will be when merchants get real proof they are paying out unnecessary commissions. “That’s when this will come to a head,” he says.

Spyware-Free Networks

Brian Littleton, president of ShareASale, says spyware is a large overall problem. That’s why his affiliate network provider will not allow any affiliates to sell downloadable software applications.

“It’s a customer nuisance, and I didn’t want our company and my brand and me doing business like that,” he says. “As we saw the problems it was causing affiliates and merchants on other networks, it reinforced the view that we wanted to stay away from it.”

He says it’s not a difficult stance to take. Instead, it’s about working only with those companies that make you feel comfortable. “Financially speaking, you’re better off accepting those affiliates, but that will not change our stance.”

Littleton feels for the other larger networks in their struggles to determine who is complying with their regulations and code of conduct. “It’s not an easy task with so many people trying new tricks, but I have confidence in the other networks that they want to enforce it. It’s very difficult to do so.”

KowaBunga Technologies, a provider of private affiliate tracking and management solutions, has also taken a stance on spyware. Although the company was not able to mandate that its clients become free of adware and spyware, it sent a message to its more than 1,800 merchants alerting them to the findings of an August 2003 study by Harvard graduate student and antispyware activist Ben Edelman (see page 50). The study focused on the practices used by 180solutions (also known as MetricsDirect) and Claria.

“This affiliate/company [180solutions] has recently been exposed as engaging in possibly fraudulent activity ” ,” the KowaBunga memo stated. “In summary, this company encourages users to install software on their computers, often in exchange for MP3 downloads or other incentives. This software, once installed, will track the user’s browser activity and, most importantly, will attempt to take credit for any hit to your Web site, regardless of how the visitor finds your site. In this scenario you are rewarding this affiliate for a commission even if the visitor actually found your site through another affiliate, or even if they simply typed your domain into their browser. We believe that these practices not only cheat your other affiliates, they cheat you directly.”

“We received hundreds of responses from our clients and saw that the majority of them removed this ‘affiliate’ from their programs” after KowaBunga sent out the message, says Rachel Honoway, vice president of sales and marketing.

KowaBunga has placed 180solutions and others like them in its Fraud Watch center, an area within its software that allows merchants to alert one another of possible fraudulent activities and the appearance of spyware and adware tactics.

The Upside

However, some think this method of advertising has its strengths and is a very viable tool.

VentureDirect’s Storm says that targeted marketing is a great vehicle as long as the user’s experience is not disrupted. From a consumer’s perspective, they are more likely to get more targeted ads that are helpful if the technology is used properly.

“We’ve got to make sure that we’re forward thinking and tomorrow will come and we will be still be in business. If spyware is wiped out, the end result is that we will be taking away an advertising route,” PrimeQ’s McClain says.

It’s a very effective advertising vehicle, according to Scott Delea, senior vice president and general manager of e-marketing services at Digital Grit. “We are aware of the issue from an industry perspective, and we are trying to be respectful. You don’t want to cross the line; it waters down the overall advertising vehicle and will eventually lead to its demise.”

He notes that affiliates have to be conscious of the brand they are involved with and the product they are selling. Otherwise, targeted advertising is “teetering on the brink of a large abyss where this is no longer a viable marketing channel,” he says.

Even Barnes, who represents anti-spyware vendors, claims that there needs to be consumer respect for distribution methods. “The reason there is not a monetary cost is because the ads are paying for that. My big concern is that all advertising on the Internet is suddenly deemed inherently bad. We need to be more thoughtful than that and focus on types of applications – but not all software that serves ads is bad,” says Barnes.

Ethical Or Technical Issue?

Most claim that the issue is both ethical and technical.

Robert Deignan, business development director at Stopzilla, an anti-spyware software provider, calls the programs that perform browser hijacking and take over a user’s desktop extremely technically savvy. Stopzilla is putting out updates on a daily basis to make sure users have the most current software to render the spyware applications inactive.

Deignan also says “big bucks are at stake” for these spyware vendors. Some of these peer-to-peer programs can easily reach more than 300 million downloads. That means the market for anti-spyware and adware has ballooned over the last two years as well.

AffiliateFairPlay.com’s Stevens says the boom in adware blockers is a no-win situation for affiliates. The affiliates can promote the removal applications to their users to get their computers clean, but then it removes the affiliate’s tracking cookies.

“Programs are getting more clever. Every day they are finding more sophisticated ways to get around protections and to exploit holes,” says Ron Davies, president of joepro.com, which develops affiliate marketing system and trains affiliate marketers and retailers.

“They are using the technology to their advantage. The ideas are usually good, and then they get perverted. Remember, pop-ups used to be the darlings of marketing; now they are the scourge of the industry and people can’t get enough of pop-up blockers.”

Davies is particularly concerned about drive-by downloads, where users don’t even know an application was downloaded on their machine. This can take place in a single step or multiple steps. He likens a three-step drive-by download to a gun.

Some seemingly harmless JavaScript code is downloaded to a user’s system (the rifle). The next day additional code is downloaded, the equivalent of a bullet. So far, those two components are not harmful. But on the third day, the user downloads code that is the trigger. Now all three components click together and become harmful.

Still, Davies believes the issue is more ethical than technical. “A good marketing company has to make the decision of how far are we as a company willing to go to make money,” he says.Clay Lingo, vice president of marketing at Illuminations states emphatically, “I just think it’s poaching. Some say it’s a natural synthesis of search. Someone is searching for a product and a pop-up appears providing a more focused return on what the end user is looking for.” Jupiter’s Stein says it’s an ethical issue, where technology is the weapon. He calls it an “arms race with either side using technology to get ahead.” Others fear the future of affiliate marketing hangs in the balance. “I don’t see affiliate marketing doing well if the thievery and the unethical behavior continue to be condoned and rewarded financially,” says de Poel. Meanwhile, Le says he’ll stay calm. Spyware will remain one of his main concerns, and even though it might not be immediately apparent, he’s fuming. “It is beyond belief. It is bad and it is wrong.”

LISA PICARILLE is the editor of Revenue. She has more than 15 years of experience as senior writer and editor at CMP (as executive editor of TechWeb.com), IDG and Ziff-Davis.

Cyber Creeps

When thousands of consumers got emails asking them to help electronics retailer Best Buy combat Internet fraud, they were eager to help. But those who clicked on the link and entered credit card and Social Security numbers learned the ugly truth too late: They’d been had.

The link took them to a “spoof” page that looked just like Best Buy’s home page but was actually operated by thieves. “The trust we worked so long to achieve was threatened by this rip-off,” said Dawn Bryant, a spokeswoman for Best Buy. “This is some- thing a business should never have to contend with.”

Neither should consumers. But the reality is that identity theft, predatory advertising, spamming, spying and other sleazy practices have left Internet shoppers understandably wary of buying goods on line. The number of complaints of Internet fraud nearly tripled last year to more than 48,200, according to data from the Internet Fraud Complaint Center operated by the FBI and the National White Collar Crime Center. The Federal Trade Commission says the Internet is now the focus of almost one-in-five of the complaints it receives.

“If these kinds of practices continue, it will run the whole thing out of business,” said Ray Everett-Church of the Coalition Against Unsolicited Commercial Email (CAUCE), an activist and lobbying organization.

Honest affiliate marketers face a double threat. Not only do they have to overcome consumer skepticism, but they have to compete with unethical rivals. Several industry organizations have teamed up with consumer groups and government agencies to educate affiliates and corporate program managers about ways to build consumer trust while combating ethically bankrupt practices.

All the ugly horses

One notorious practice involves Trojan horse software that bundles one or more secret programs along with an application that an Internet user desired.

“A surfer might go to a site and download something that looks interesting or might be fun,” said Jim Sterne, the author of five books about online marketing, including World Wide Web Marketing. “Unbeknownst to them, the download includes a piece of spyware, parasiteware, or thiefware as it is sometimes called.”

In its most benign form, a program might serve ads in a window within the application interface. For example, Cydoor is an ad-serving application that rotates ads in a window on the user interface of applications such as file-sharing software from Kazaa and Grokster.

“No one really likes ads, myself included,” said Robert Regular, Cydoor’s vice president of sales and marketing. “But we are just an ad delivery mechanism showing ads only when you’re in the application, to make money to pay the developers who wrote the software.” He said that Cydoor does not gather any personal information on its uses.

Advertising-supported software gets on shakier ground when it includes technology to track people’s movements on the Web. People who provide this software say this tracking technology improves their ability to show more relevant marketing messages. The problem is, most consumers wouldn’t know they’re being watched.

“The user agreement might have a buried reference, or there might be a box to click to accept the other software, only it doesn’t fully explain what is being accepted,” said Jason Catlett of Junkbusters, a privacy advocacy group. Catlett said this is “another example of junk consent creeping into the fine print of transactions. Even if it’s buried somewhere in the legalese, ethical marketers should not give customers stuff from others that [the consumers] don’t expect.”

What really infuriates affiliate marketers are hidden programs that pop up advertisements for competitors while someone is shopping on the affiliate’s site. Sterne said Gator, a marketing company that offers a free electronic wallet for consumers, “waits quietly until the surfer goes to a merchant site that sells a product that is competitive to one of Gator’s clients. Gator then pops up their client’s ad.”

Conceivably, shoppers might benefit from a better deal, but it is a bit like waving an ad for Fords in front of someone test-driving a Chevrolet. Affiliates call this predatory advertising because they feel their commission has been stolen after they converted the shopper into a buyer.

Sterne noted that many people intentionally download Gator, but said “the sticky part is when Gator comes included in something and the surfer is unaware they agreed to install it.”

Gator executives declined to be interviewed. A company representative referred questions to a FAQ on the company’s Web site, where the home page clearly states that users must agree to see ads in return for the free software.

Can the spam

Unsolicited commercial email now accounts for more than half of all messages, but nobody seems to want it. That leads to a curious question: Why would anyone want to send out emails that nobody wants to read? The answer may stem from the type of commission offered to affiliates by merchants selling those products.

“If a program rewards the affiliate for clickthroughs and not sales, it’s more apt to be abused,” Everett-Church said. “If all [the affiliate has] to do is get the person to go to a site, you are more apt to spam.” On the other hand, he said, programs that pay only for leads that result in sales don’t experience the same kind of abuse, because affiliates must add value in the form of information before users will click on their links.

Everett-Church recommends that affiliate programs that pay commissions based on clickthroughs institute checks and balances to make sure users aren’t gaming the system. “If you’re rewarding people for volume but there aren’t controls in place, you’re unwittingly encouraging abuse,” he said.

The worst spammers buy CDs containing millions of email addresses, then use software to automatically spew out millions and millions of ads touting prescription drugs, low-cost mortgages or what-have-you. But the problem doesn’t end there. If you send your email newsletter to someone who didn’t specifically ask for it, you could be in trouble.

“Spamming is against the law in most states,” said Marc Rotenberg, president of the Electronic Privacy Information Center in Washington, D.C. “Most affiliate agreements have clear usage guidelines on how you can advertise them. If you’re caught spamming, you could be fired as an affiliate for the merchant on whose behalf you spammed.”

The fallout can radiate beyond your network and get you into hot water with your Internet service provider, said Brian Huseman, a staff attorney for the Federal Trade Commission. “Your ISP may shut you down, and then you can’t send any email at all,” Huseman said. Worse, you could be placed on a blacklist so that even if your ISP reinstated you, your emails would be bounced by many other ISPs.

“An affiliate marketer who intends to be around for any length of time can’t use these kinds of marketing approaches,” said David Nielsen, founder and principal of consumer information resource FightIdentityTheft.com. “Overall, they’re a threat to the legitimacy of the industry.”

Got ethics?

It’s not the technology that’s to blame, industry experts say. It’s the unethical or uneducated businesses that abuse that technology. Unfortunately, it can be hard to know where to draw the line.

“What makes the difference between ethical and unethical is, the person has to know what is happening. You have to be straight with your customers as to why you collect information [like email addresses] and what you use it for,” said Rotenberg from the Electronic Privacy Information Center.

Smart affiliates use their tech tools wisely. For example, there’s a very simple guideline for email marketing. “If the person has asked for an e-mail, it’s okay, but otherwise, don’t send it,” said Steven Salter, director of operations and administration for BBBOnLine, the Internet arm of the Better Business Bureau in the United States.

Huseman agreed e-mail ads are fine on an “opt-in” basis where the user makes a choice to receive messages. That can happen when a consumer makes a purchase or registers on a Web site. Typically, a box will be provided with the prompt, “Click here to receive messages about promotions from this merchant.” The very best approach is double-verification, when users who sign up for promotions get a second email that confirms their interest.

BBBOnLine and other groups are anxious to help rebuild consumer trust. “The whole BBBOnLine program was created as a way to give online businesses a way to show they can be trusted,” said Salter. BBBOnLine.com has a reliability seal for Internet businesses. To qualify, affiliates must join the BBB chapter where their company is headquartered and agree to participate in the BBB’s advertising self-regulation program.

You can also bolster consumer confidence by designing a professional-looking site. “If your site doesn’t pass the visual inspection, users will think it’s not very credible,” said B. J. Fogg of Stanford’s Persuasive Technology Lab, author of a study on Web credibility conducted in partnership with Consumer WebWatch. According to Fogg’s research, design was the top factor consumers used when deciding how trustworthy a Web site appeared to be.

To differentiate yourself from spoofers, it’s a good idea to let consumers know who you are. Be clear in your advertising and on your Web site that you’re an affiliate of the merchants you mention, not the merchant itself. To maximize credibility, it’s a good idea to provide actual contact information, not just a “contact us” form, on your site, according to Leslie Marable, research project manager for Consumer WebWatch.

It’s not enough to have your heart in the right place. Ethical affiliates must constantly monitor their own activities to make sure they stay firmly on the side of the good guys.

And if the affiliate marketing industry doesn’t cleanup its own act, others will likely step in to do the job.

Abused consumers are taking up arms against unethical merchants and affiliate marketers, encouraging state and national legislators to consider tough laws to prevent spam and to punish scamsters. The question for affiliates and program managers is whether to work with them or against them.

JANIS MARA covered interactive advertising and marketing as a senior writer for Adweek. Her articles have appeared extensively in a variety of print publications.