Stumped About Stopping Spyware by Chris Trayhorn, Publisher of mThink Blue Book, January 1, 2005 Tuan Le is mad. And when he’s upset, he speaks quietly, deliberately and very thoughtfully. He’s hardly a hothead. But nothing gets him more riled up, if you can call it that, than knowing he’s losing a large percentage of revenue from his two affiliate Web sites to other affiliates that are acting in unethical and unfair ways. Le, who’s been an affiliate for the last few years and owns wholesaler.com and findcheapauctions.com, has spent a lot of time researching spyware and adware and has many times considered taking legal action against the companies that use spyware or somehow interfere with his affiliate commissions. But he’s been reluctant to make waves. “I think there is a percentage of what is supposed to be coming my way that is being diverted,” he says. “I want to do something about it, but I’m not sure what I can do.” And Le isn’t alone in this. Whether you call it spyware, adware, parasiteware or any of the many other names used to describe the software that positions itself between Web publishers and their merchant partners, the pernicious applications are causing thousands of affiliates to lose a lot of money. According to an industry watcher who asked not to be named, affiliates are losing up to 40 percent of their annual revenue to illegitimate affiliates (often called bad actors) that entice end users to download free software in exchange for being served advertising. Le estimates that figure could be as high as 50 percent. “It’s the most horrible thing on earth. It’s intrusive, evasive and it’s just a very nasty thing to do; and it’s fast becoming one of the hottest ways to generate traffic on the Net,” says Jason McClain, president and CEO of PrimeQ Solutions, an Internet marketer and lead generator. Once loaded onto the user’s desktop, these free applications often replace ads, redirect links and disable existing browser cookies. That means the ads that users see are not those paid for by affiliates – a consumer is often clicking on another affiliate’s advertisement to make an online purchase or going to a competitor’s site to buy goods. For affiliates that means a loss of commissions and traffic, which ends up hurting their revenue stream. This issue has been a huge one for affiliates for more than the last four years, according to Kellie Stevens, president and founder of the affiliate marketing resource Web site AffiliateFairPlay.com. “Affiliates feel the most pain – their cookies are being written over, the merchants are then paying out commissions that are not warranted. The merchants feel the second level of pain,” says Gary Stein, a senior analyst for online advertising and marketing at JupiterResearch. At the crux of the issue is, who owns the desktop, the browser or the application? Those companies that derive the bulk of their revenue from selling advertising on free downloadable applications take the position that the user owns the desktop and that consumers have a right to decide for themselves what is displayed on their own computer screens, not publishers. Thomas Storm, vice president for online services at VentureDirect Worldwide, a performance-based marketing firm, claims the desktop doesn’t belong to a publisher, and if a user agrees to receive an ad, that is their choice. He acknowledges, however, that user agreement licenses for the free software are often so complex that few people actually read them. Or, if they do, few know exactly what they are agreeing to. Still, Storm believes it is the responsibility of users to make sure they understand what they’ve read before they agree. “If there are three or four steps in the download process and users don’t read through all of them, then that’s their fault,” he says. “You can’t get away with claiming ignorance in a court of law. That won’t fly.” A Big Problem Although most market researchers who follow this space do not have specific numbers on the size of the spyware market or how much revenue is generated by the traffic, they agree the market is huge. Anecdotal evidence puts the spyware market at nearly $500 million, and some oft-quoted figures claim that nearly 90 percent of personal computers are infected with spyware or adware. “It’s very hard to get a sense of how big it is, but it is big, and the perceived impact is significant,” says Stein, who notes that a quarter of the advertisers Jupiter surveyed are “philosophically opposed” to adware. Furthermore, 7 percent said their respective companies issued mandates prohibiting them from buying adware. In October, EarthLink, along with anti-spyware and system utility software maker Webroot Software, published their SpyAudit Report, which scanned more than 1.1 million PCs for the period of July through September and found an average of 25 spyware-related applications running on each system. That is a slight decrease from the instances of adware and adware cookies, as well as a decrease in the number of system monitors and Trojan horse applications, on Internet surfers’ systems for the period of January through March 2004, when the average was 26.5 percent. This downturn was attributed to the increased awareness of spyware and adware infections and the increasing number of software tools available to fight the threat. Antivirus vendors, including Symantec and McAfee, have been adding some level of spyware and adware detection and removal tools to their software. Defining The Problem It’s hard to fight something that is not defined. One of the biggest issues is one of the most basic – defining what is and isn’t spyware. Spyware is a catchall term typically used to describe computer programs that are designed to stealthily install themselves on people’s computers – often when the users attempt to download seemingly legitimate programs. The most benign spyware programs – also called adware – simply serve up a barrage of pop-up messages, while the most intrusive ones can track online movements, steal passwords and hijack sensitive data. The fact that different groups use different terminology to describe these malicious programs (see sidebar) has made it difficult for various entities – especially the government – to curb the problem, according to Steve Messer, CEO of network service provider LinkShare. “Everyone’s definition is different. There is not a definitive answer,” Messer says. “Managing this problem will depend on how the community comes together.” There are a handful of companies that are most often named as perpetrators of these types of acts, including Claria (formerly Gator), WhenU and 180solutions. All say they are not spyware and are legitimate advertising networks (see page 44). Still, many are upset at the practices employed by these and other firms. “California and Utah have given Gator and WhenU a clean bill of health, spyware-wise. Now these two guys are legitimate in those states,” says Haiko de Poel, president of ABestWeb. “But parasite- wise they are dirtier than hell.” Claria, 180solutions and WhenU have all been named in suits that involve improper use of trademarks or unfair trade practices related to advertisements and targeting. Gator’s activities have prompted more than a dozen legal challenges from companies including the New York Times, The Washington Post, Extended Stay, Hertz, Lending Tree, Overstock.com, Quicken Loans, Six Continents Hotels, TigerDirect, UPS and Wells Fargo, among others. One merchant, who asked not to be named, says he had to drop 180solutions. “I made a lot of money with them working with us on an affiliate basis, but my sense in talking with other retailers is that they were avoiding them like the plague.” Who Is Responsible? So whose responsibility is it to try to stop spyware: the government, affiliate networks, the affiliates themselves, end users, anti-spyware vendors? Most think the answer is all these groups. PC makers have recently joined the fight against spyware in order to control their technical support costs and avoid any legal reper cussions, according to Russ Cooper, senior scientist with TruSecure. Forrester Research analyst Jonathan Penn says a spyware-related support call can cost $15 to $45, and a company may lose business if end users believe the spyware problems are related to its products. “Security is a component of loyalty,” Penn says. “People want all these various services, but they expect security to come with it.” Yahoo, EarthLink and AOL have all begun offering spyware-detection tools. Hewlett-Packard and Dell also offer limited free trials of anti-spyware software preloaded on their systems. Messer says he is shocked that some people truly believe the spyware situation can be resolved. “This problem is never going to be solved. It’s like spam or the war on drugs or illiteracy. You just have to manage it and do the best business you can.” He adds that the concept of obliterating spyware is one of those lingering ideals from the early days of the Internet. “The idea that the Internet would be this free, safe, great place still lingers, but the reality is that we will have to deal with [spyware] for the rest of our lives. So, we need to work together to manage it.” “I agree that we are not going to solve the problem, but we can minimize it,” says Trey Barnes, president of Public Policy Partners, a Washington, D.C. legal firm, and president of the Consortium Of Anti-Spyware Technology Vendors, a nonprofit organization of anti-spyware vendors that addresses the issue of spyware. Barnes adds that the solution has to be multifaceted and must include the anti-spyware vendors, legislation, have a consistent code of conduct from the network service providers (see page 36) and focus on education. “We need to get the word out about the risks of spyware to all the impacted parties without scaring them,” Barnes says. “Education is pre-emption, and pre-emption then goes a long way to help manage the problem. Spyware is not going a way, but if we don’t get it under control then it will threaten the commerce and growth of the Internet.” Steps To Stop Spyware Even though the affiliates are most impacted by spyware, they have not been able to mount a concerted and cohesive effort to fight it. Most are like Le. They are aware of the problems, but don’t want to make waves at that level. They fear repercussions from the networks or the spyware companies that could mean the loss of even more revenue. In addition, there are so many affiliates, each with different strategies, varying levels of technical and business acumen and different opinions, that group efforts have yet to result in a consensus. “Affiliates are an independent lot,” Stevens says. “Every group effort seems to fall apart due to differences in opinion. And individually they are not effective.” The affiliates that are most impacted are mom-and-pop Web publishers. This group is not typically technically savvy, and some may not realize how much they are losing. “Some affiliates don’t have any idea how much revenue is being lost,” Stevens says. “They figure that they are making $5,000 per month and paying their bills. But they are not put in the context that they could be making $12,000 per month. Most of these are smaller affiliates that started with this as a side income and were then able to quit their jobs. This is the first time they’ve been self-employed, and they don’t have as much experience with management.” Many, like Stevens, believe the networks are in the best position to combat spyware problems. “The networks haven’t taken all the necessary steps,” she says. “Maybe with pressure from the affiliates they will do more. Maybe if the affiliates scream loud and long enough something will happen.” While all the major networks have anti-spyware policies (Performics and Commission Junction have adopted a code of conduct, while LinkShare has its own contractual effort to curb spyware see page 36), some say those policies do not go far enough or are not enforced with regularity. “Codes of conduct don’t mean beans if they are not enforced,” de Poel says. “And many times these guidelines are not enforced.” Le says he believes the networks are dealing with the threat of spyware by setting up departments that are supposed to monitor and handle any inappropriate activity, but he also worries they are just a corporate façade. “These are things they need to put up in order to get new accounts. They can say they have an enforcement department that exists, but if it’s not at all effective then that’s the issue,” Le says. Stevens calls the networks’ policies related to spyware shortsighted. “When spyware and adware applications started, the networks were struggling,” she says. “Then they started to see revenue and traffic increases, and now they are top performers and have some really good statistics to attract more merchants. It’s like they were boxed into a corner.” Others say blaming the networks is misguided. “It’s not the networks’ fault that illegitimate marketers are trying to come up with ways to surreptitiously get to users’ desktops,” says Tim Hickernell, vice president at META Group. “Unlike spam and email, spyware and adware do not correlate to a service that users consider valid. With email, users thought it was a valuable service. Nobody said, ‘let’s do away with email’ to get rid of spam. It’s not the same for spyware. Consumers don’t understand the value at all.” “As long as [spyware companies] are clearly stating that they will install a program and it’s easy for the user to understand what they are installing and say no, they don’t want it – and as long as users can clearly uninstall the program – then they are legitimate marketers,” he notes. Still, the networks have not had an easy time policing their affiliates. In September, LinkShare awarded – and then revoked – its $15,000 Titanium Award to the affiliate with the highest quarterly percentage increase because the recipient, TheDesktopShopper.com, was accused of using spyware. LinkShare took back the award after other affiliates complained on AbestWeb, an advertising/affiliate marketing chat site, that TheDesktopShopper.com had been blacklisted by several watchdog sites. To date, TheDesktopShopper.com has not been kicked out of LinkShare’s network. This was the second time LinkShare had to revoke its Titanium Award because an affiliate allegedly used suspect practices. And while some companies with reportedly offending practices often remain in their respective networks, many note that trust between the networks and the affiliates may be eroding. “The networks themselves are in a great position,” Stein says. “They are getting all the traffic, getting all the commissions, but they are degenerating the trust of the network. And when that trust goes away, the affiliates will abandon the network.” Many, including de Poel, make no bones that the bottom line for all of this is money. “The networks aren’t doing anything about it, because they are making money off of those guys. It all boils down to the dollar, the dollar, and the dollar,” de Poel says. de Poel suggests that action is more likely to be taken when parasites start impacting the merchant’s organic traffic and not just the affiliates. “The merchants need to make the networks do something or they should leave. This left-handed administration of the programs just isn’t working, and the networks are not trusted third parties anymore.” For Le, the turning point will be when merchants get real proof they are paying out unnecessary commissions. “That’s when this will come to a head,” he says. Spyware-Free Networks Brian Littleton, president of ShareASale, says spyware is a large overall problem. That’s why his affiliate network provider will not allow any affiliates to sell downloadable software applications. “It’s a customer nuisance, and I didn’t want our company and my brand and me doing business like that,” he says. “As we saw the problems it was causing affiliates and merchants on other ne tworks, it reinforced the view that we wanted to stay away from it.” He says it’s not a difficult stance to take. Instead, it’s about working only with those companies that make you feel comfortable. “Financially speaking, you’re better off accepting those affiliates, but that will not change our stance.” Littleton feels for the other larger networks in their struggles to determine who is complying with their regulations and code of conduct. “It’s not an easy task with so many people trying new tricks, but I have confidence in the other networks that they want to enforce it. It’s very difficult to do so.” KowaBunga Technologies, a provider of private affiliate tracking and management solutions, has also taken a stance on spyware. Although the company was not able to mandate that its clients become free of adware and spyware, it sent a message to its more than 1,800 merchants alerting them to the findings of an August 2003 study by Harvard graduate student and antispyware activist Ben Edelman (see page 50). The study focused on the practices used by 180solutions (also known as MetricsDirect) and Claria. “This affiliate/company [180solutions] has recently been exposed as engaging in possibly fraudulent activity ” ,” the KowaBunga memo stated. “In summary, this company encourages users to install software on their computers, often in exchange for MP3 downloads or other incentives. This software, once installed, will track the user’s browser activity and, most importantly, will attempt to take credit for any hit to your Web site, regardless of how the visitor finds your site. In this scenario you are rewarding this affiliate for a commission even if the visitor actually found your site through another affiliate, or even if they simply typed your domain into their browser. We believe that these practices not only cheat your other affiliates, they cheat you directly.” “We received hundreds of responses from our clients and saw that the majority of them removed this ‘affiliate’ from their programs” after KowaBunga sent out the message, says Rachel Honoway, vice president of sales and marketing. KowaBunga has placed 180solutions and others like them in its Fraud Watch center, an area within its software that allows merchants to alert one another of possible fraudulent activities and the appearance of spyware and adware tactics. The Upside However, some think this method of advertising has its strengths and is a very viable tool. VentureDirect’s Storm says that targeted marketing is a great vehicle as long as the user’s experience is not disrupted. From a consumer’s perspective, they are more likely to get more targeted ads that are helpful if the technology is used properly. “We’ve got to make sure that we’re forward thinking and tomorrow will come and we will be still be in business. If spyware is wiped out, the end result is that we will be taking away an advertising route,” PrimeQ’s McClain says. It’s a very effective advertising vehicle, according to Scott Delea, senior vice president and general manager of e-marketing services at Digital Grit. “We are aware of the issue from an industry perspective, and we are trying to be respectful. You don’t want to cross the line; it waters down the overall advertising vehicle and will eventually lead to its demise.” He notes that affiliates have to be conscious of the brand they are involved with and the product they are selling. Otherwise, targeted advertising is “teetering on the brink of a large abyss where this is no longer a viable marketing channel,” he says. Even Barnes, who represents anti-spyware vendors, claims that there needs to be consumer respect for distribution methods. “The reason there is not a monetary cost is because the ads are paying for that. My big concern is that all advertising on the Internet is suddenly deemed inherently bad. We need to be more thoughtful than that and focus on types of applications – but not all software that serves ads is bad,” says Barnes. Ethical Or Technical Issue? Most claim that the issue is both ethical and technical. Robert Deignan, business development director at Stopzilla, an anti-spyware software provider, calls the programs that perform browser hijacking and take over a user’s desktop extremely technically savvy. Stopzilla is putting out updates on a daily basis to make sure users have the most current software to render the spyware applications inactive. Deignan also says “big bucks are at stake” for these spyware vendors. Some of these peer-to-peer programs can easily reach more than 300 million downloads. That means the market for anti-spyware and adware has ballooned over the last two years as well. AffiliateFairPlay.com’s Stevens says the boom in adware blockers is a no-win situation for affiliates. The affiliates can promote the removal applications to their users to get their computers clean, but then it removes the affiliate’s tracking cookies. “Programs are getting more clever. Every day they are finding more sophisticated ways to get around protections and to exploit holes,” says Ron Davies, president of joepro.com, which develops affiliate marketing system and trains affiliate marketers and retailers. “They are using the technology to their advantage. The ideas are usually good, and then they get perverted. Remember, pop-ups used to be the darlings of marketing; now they are the scourge of the industry and people can’t get enough of pop-up blockers.” Davies is particularly concerned about drive-by downloads, where users don’t even know an application was downloaded on their machine. This can take place in a single step or multiple steps. He likens a three-step drive-by download to a gun. Some seemingly harmless JavaScript code is downloaded to a user’s system (the rifle). The next day additional code is downloaded, the equivalent of a bullet. So far, those two components are not harmful. But on the third day, the user downloads code that is the trigger. Now all three components click together and become harmful. Still, Davies believes the issue is more ethical than technical. “A good marketing company has to make the decision of how far are we as a company willing to go to make money,” he says.Clay Lingo, vice president of marketing at Illuminations states emphatically, “I just think it’s poaching. Some say it’s a natural synthesis of search. Someone is searching for a product and a pop-up appears providing a more focused return on what the end user is looking for.” Jupiter’s Stein says it’s an ethical issue, where technology is the weapon. He calls it an “arms race with either side using technology to get ahead.” Others fear the future of affiliate marketing hangs in the balance. “I don’t see affiliate marketing doing well if the thievery and the unethical behavior continue to be condoned and rewarded financially,” says de Poel. Meanwhile, Le says he’ll stay calm. Spyware will remain one of his main concerns, and even though it might not be immediately apparent, he’s fuming. “It is beyond belief. It is bad and it is wrong.” LISA PICARILLE is the editor of Revenue. She has more than 15 years of experience as senior writer and editor at CMP (as executive editor of TechWeb.com), IDG and Ziff-Davis. Filed under: Revenue Tagged under: 05 - Winter 2005, Adware, affiliate marketing, affiliate networks, Columns, Commission, Cover Story, Fraud, mtadmin, Spyware, Tools About the Author Chris Trayhorn, Publisher of mThink Blue Book Chris Trayhorn is the Chairman of the Performance Marketing Industry Blue Ribbon Panel and the CEO of mThink.com, a leading online and content marketing agency. He has founded four successful marketing companies in London and San Francisco in the last 15 years, and is currently the founder and publisher of Revenue+Performance magazine, the magazine of the performance marketing industry since 2002.