Being Ben Edelman

You’d be hard-pressed to find someone more knowledgeable or dedicated than Ben Edelman when it comes to the evils of spyware. The 24-year-old assiduously tracks the proliferation of adware from his own computer lab. He’s a fierce critic of spyware practices and has testified in several high-profile adware-related lawsuits.

Talk about overachievers: Edelman is a Ph.D. candidate at the Department of Economics at Harvard University and a student at Harvard Law School. He currently is analyzing methods and effects of spyware, uncovering affiliate commission fraud and examining Internet filtering efforts by governments worldwide.

DIANE ANDERSON: Where do you do most of your work?

BEN EDELMAN: I work primarily from my apartment. All the equipment is in my office, the second bedroom in my two-bedroom apartment. I currently have six PCs in my lab, though I’ve had more from time to time. In general, I install one spyware app on each PC, then test its behavior under controlled experiments. For some projects, I install spyware in virtual machines on my fastest PC – which lets me return the system to pristine condition for multiple rounds of tests of install-uninstall or for testing of many different programs in sequence.

DA: How did you get started researching spyware and adware?

BE: It was something I had long been interested in. My recent work focuses on the intersection of law and the Internet – generally including writing software to study whatever software I’m looking at. Programs that show extra pop-up advertisements are a natural candidate for study in this way, because by careful testing I can learn which ads are shown when, how the programs get installed, what personal data they transmit and so forth. I was thinking about these kinds of questions as early as 2001. My earliest publication in this field came in mid-2002, when I served as a technical expert in the case brought by The Washington Post, New York Times, Wall Street Journal and others against Claria (then Gator) as to its pop-up ads covering their sites.

DA: There seems to be a lot of confusion about what the differences are between behavioral targeting, adware and spyware.

BE: I think the differences are often surprisingly small. There’s a large class of programs that use behavioral targeting – meaning watching what a user is doing – to figure out what ads to show (an “adware”-type function) while also sending back information to central servers about users’ online activities (which some might call a “spyware” feature). So I see great overlap between the three terms.

The various programs using these methods have a lot in common. For one, users don’t generally want these programs on their PCs. For another, users don’t generally seek out even the most benign of adware programs. Instead, users get the programs through some kind of bundle, or auto-install (“drive-by”) that occurs when users visit certain Web pages. A further similarity: The resulting advertisements cover Web sites with, in general, their competitors’ sites – a result that I found incredibly surprising when I first experienced it, and that in my experience users continue to find surprising. What an odd thought that the ad you see, when you type in LLBean.com (and are otherwise looking at L.L.Bean content), is in fact an ad for L.L.Bean’s direct competitor!

Of course, there are other kinds of contextual advertising. Google shows ads according to what searches users conduct. Sometimes these ads are controversial – sites’ advertising being triggered by direct competitors’ brand names. But Google certainly isn’t sneaking onto anyone’s PC. The Google ads, at least, are within Web pages that say google.com, so even the most inexperienced user can always understand that the Google ads are there because Google put them there.

DA: What should affiliates and affiliate managers know about search engine cloaking?

BE: First, let’s step back for a quick definition: Search engine cloaking is a set of methods whereby sites attempt to boost their search engine rankings, primarily by giving search engines content different from ordinary users.

Cloaking is a risky strategy. It has rewards, but it has a downside too. For those with savvy competitors or critics, who might notice the cloaking and report it to authorities, the risks are particularly pronounced. Google’s FAQ says it may remove sites from its index, permanently, as a penalty for cloaking.

That said, to date the penalties for cloaking have been pretty limited. Cloak for a year, and you might never be caught. Even if you are caught, you might get at most a slap on the wrist, especially if you’re powerful and can convince Google to be lenient. So the fact is, lots of sites are using cloaking.

DA: What are you working on now?

BE: This year I’m finishing my last year of law school, and planning my dissertation for my Ph.D. in economics. I also have some ongoing testing of more spyware and stealware, work I expect to publish on my Web site in the coming months.

DA: What stealware is the most pernicious these days?

BE: It’s hard to know. If I knew which software were most problematic, I’d surely make it my highest priority! Generally, I try to keep an eye on the programs with the largest installed base – figuring that they’re the programs affecting the most users, and that they’re the programs best positioned to show a large number of pop-ups or to falsely claim a large volume of affiliate commissions.

DA: You’ve studied these programs for some time. What do you think are the biggest dangers facing affiliates right now?

BE: I think the biggest danger is complacency. Affiliates would be wrong to assume that all is well in the affiliate marketing space – that they can simply link to merchants, then wait for the money to come rolling in. Fact is, powerful outside forces seek to profit from affiliate marketing and garner their profits by interfering with the referrals made by other affiliates.

DA: What actions would you suggest affiliates take to protect themselves?

BE: I wish there were more that affiliates could do. As it turns out, the major stealware problems are problems for merchants, primarily, and for affiliate networks to the extent that the integrity and value of their tracking systems are called into question. Ordinarily, rule-abiding affiliates lose out when stealware seizes their commissions. But there’s not much an ordinary affiliate can directly do to address the problem.

That said, it’s always good for affiliates to be informed, and to help spread the word. Revenue readers are surely better informed than most. I’m a big fan of ABestWeb, where there’s lots of savvy discussion about which programs are doing what. Those affiliates who have personal relationships with merchants can learn what’s going on and can help keep their merchants in the loop, especially as to programs found to target their merchants.

DA: You write about 180solutions, WhenU, Claria. Which companies are the most egregious violators?

BE: I was, and remain, particularly concerned about the behavior I have observed from 180solutions software. 180’s software was setting affiliate network cookies even on “organic-traffic” type-ins, where users reached merchants’ Web sites directly (not through any other affiliate). So merchants would be paying commissions to 180 for traffic that resulted from their own background marketing efforts. 180 was also overwriting cookies set mere seconds before by other affiliates – so merchants would be paying 180 when the commissions should have gone to other affiliates. These activities had been going on for at least six months when I began to write about the problem publicly. But somehow the existing processes – merchants’ fraud control efforts and affiliate networks’ efforts – had failed to detect what was happening, or to do anything about it.

Claria is notable for continuing to be installed on a huge number of PCs, some 40-plus million, according to recent reports. That’s a lot of users getting extra pop-up ads!

DA: What can be done about them?

BE: To the extent that these programs set affiliate cookies in violation of merchants’ and networks’ rules, I would ordinarily expect merchants and networks to detect the behavior and to issue sanctions, presumably including forfeiture of ill-gotten commissions. Litigation also seems like a possible way forward. After all, merchants might want refunds of commissions wrongly paid six months ago, not just of the most recent months of commissions not yet paid to stealware companies.

In thinking through enforcement options, it’s important to realize that affiliate networks face some odd incentives here. Remember that merchants pay networks a share of the amounts merchants pay affiliates. For example, if a Commission Junction merchant pays $10,000 of affiliate commissions, CJ’s 30 percent fee might be an additional $3,000. Usually, this is a good thing: Networks make more money when affiliates make more money, so networks have an incentive to stop merchants from cheating their affiliates. However, networks also make money when “stealware” affiliates claim commission they’re not entitled to. So networks face an incentive to look the other way and to allow or even to promote programs that claim affiliate commissions in violation of merchants’ and networks’ rules.

Set against this incentive are networks’ overall reputations for honesty and integrity: If the networks try to cheat the merchants too much, or if the networks let the merchants get cheated too much, then networks’ reputations are likely to go down the drain. But these forces are in tension, and my sense is that lots of merchants are coming to question whether they can count on networks to make sure affiliates, especially affiliates using software downloads, are in compliance with the necessary rules.

DA: What role does government play? What are your opinions about the various bills?

BE: I’d love to see legislation that truly addresses the problem of unwanted software getting on users’ computers. So far, though, I’ve failed to see much legislation that addresses the subtlety of the situation here.

The real problem, as I see it, is defining user “consent.” It turns out to be pretty easy to get a user to press an “I accept” button – especially if that button is in a box that looks official, or if it comes as one step in a many-step process of installing some software the user actually wants. But what should we infer from the user pressing “accept”? Can the user, with one quick click of a mouse button, allow a software distributor to claim commissions on the user’s every purchase? Allow the distributor to install whatever software it wants, from whatever third parties, at whatever point in the future? Can the user authorize the software provider to create on-screen advertisement displays that are, to many users, not just annoying but also misleading and confusing, and that many online publishers regard as damaging to their brands?

Then there’s the problem of licenses not actually shown to users. In many drive-by installs, the user gets a message like, “Do you want to, after reading our license (click here to view it), install [program name]?” How should we understand this prompt? If a user clicks on “yes” without reading the license, is the user still bound? What if the link were broken, such that clicking on the license link didn’t actually produce a license? If the unread license claimed “user will pay software provider $100,” I suspect we’d all consider the license unenforceable. What is so different when the license instead says, “We will cause your PC to show extra pop-up ads”?

I’ve been surprised at how many courts have been willing to accept the “consent” argument – giving so much weight to a user’s thoughtless and hurried press of the “accept” button. Most legislation also places great significance on “I accept” – sometimes requiring that users be given specific information before they accept, which I think is a good start, but ultimately letting users accept almost anything, no matter how one-sided. I’m not usually one to intervene in free markets – so I, too, have the instinct that if users actually want this stuff, we should let them have it. But my experience is that few users actually do want it. Instead, they’re just not paying attention when they “accept.” So I think there’s a role for government to be helpful here, in requiring consumers to really think before they leap, to read a few screens of disclosures and to press a few different “accept” buttons in a procedure reminiscent of signing a rental car agreement. The formalism of the multiple steps of acceptance might go a long way to helping users understand that pressing “I accept” is actually a big deal.

DA: What are your biggest current concerns?

BE: The current fight over unwanted software on users’ PCs actually seems to me a very big deal. As a society, how do we make sure that users have the freedom to install what they want on their own computers, yet that big companies can’t trick users into signing away (or should I say “clicking away”) their rights for nothing? In the real world, we’ve built up various kinds of unconscionability laws – a prohibition on various kinds of misleading real-world offers that make a user think he’s getting one thing, when the truth is far removed. Can we find the right online balance? Or will corporate interests run rampant and seize users’ computers for their own benefit?

More generally, I’m interested in the balance between public and private on the Internet. The fight over spyware ultimately comes down to how easily users can give up their own desktops – how much of a showing a software company must make to defend its right to be on a user’s PC, when the user quite likely didn’t actually want it there, but when the company claims the user pressed “accept” and granted permission. We shall see.

DIANE ANDERSON is an editor at Brandweek. She was the managing editor of Revenue Magazine for Issue 4 and she previously worked for the Industry Standard, HotWired and Wired News.