Cherry Hill Research  
  Interview: Ben Edelman on Spyware and Click Fraud

In this installment of our Thought Leaders series, Henry Blodget interviews Ben Edelman, a Harvard PhD candidate (Economics) and leading expert on spyware, click fraud, affiliate fraud, and other matters. Over the last four years, while attending Harvard and Harvard Law School, Edelman has published a painstaking series of analyses on A recent study concerned the link between spyware and click fraud at Yahoo. Edelman has consulted for The New York Times, Wells Fargo, the ACLU, and others.

The interview covers several topics, including spyware, click fraud, the size and scope of both problems, Yahoo!, Google, and porn ads.

Key Edelman conclusions:

  • Spyware, click fraud, and the like are getting worse, as practitioners get smarter.
  • The problems are hard to quantify. In aggregate, spyware might be a $1 billion business and contribute materially (but not massively) to Yahoo, Google, et al.
  • Eradication of spyware would likely help Yahoo! and Google, as spending would probably be reallocated to the more profitable Yahoo! and Google sites.
  • Spyware-enabled click fraud, a subset of broader click fraud, may account for 2% or more of all paid clicks. This type of click fraud is hard to detect.
  • If leading spyware companies like Claria were straightforward about their business practices, they wouldn’t have businesses.
  • Google has tough anti-spyware and anti-pop-up rules, but doesn’t enforce them. Also, “Don’t Be Evil” doesn’t mean “Don’t accept porn ads” or “Don’t show porn ads to children searching for ‘girls’ shoes.’”
  • Spyware and spyware click fraud do NOT affect advertising on and, which contribute the vast majority of both companies’ profit.
  • Advertisers vary in awareness and tolerance of spyware advertising. The most careful companies don’t allow it. The most reckless (e.g., Vonage) devour it.

Edelman on EDELMAN

Henry Blodget: Ben, thanks for doing this. Let me start by asking, who are you? How did you decide to be a one-man anti-sleaze brigade?

Ben Edelman: I had always been interested in detective work, in figuring out puzzles. Spyware is a Windows problem, and I’m a Windows guy, so this is an opportunity to put that knowledge to use.

Blodget: You graduated from Harvard Law School, and then…

Edelman: I started on this while in college, actually. The Internet Advertising Bureau accused Gator [Claria] of fraud, stealing, cheating, lying, etc. So Gator sued them. The IAB wanted to prove that what they had said was truthful, so they hired me to test what Gator actually was.

Well, that suit settled, and another suit presented itself: The New York Times, Washington Post, and others wanted to sue Gator for covering up their sites with competitors’ ads. An advertiser could buy an ad from Gator rather than from the Washington Post and thereby reach the Washington Post demographic—which just didn’t feel right. So the newspapers hired me to figure out how Gator worked. Again, the case settled.

Then, I said to myself, “What is going on here? All the cases are settling. How are we ever going to get courts to tell the world what’s fair and ethical and what’s not? Well, if courts won’t do it, I guess I’ll have to.”

Blodget: Then you went to law school, and now this is part of your PhD work?

Edelman: Some of this might be loosely related to my PhD work, but that tends to be different. I write academic articles on classical economics questions, rather than computer security questions.


Blodget: I was blown away by the level of detail on your site.

Edelman: It has to be twice as good when you’re writing about companies that are well-equipped to defend themselves and say it’s all false.

Blodget: Yes, I noted the comments about “Well, I did have to remove this because I got the call from WhenU’s counsel” and so on.

Edelman: I have no comment on any matter pertaining to WhenU.

Blodget: They’ve threatened you so that you can’t comment on them at all?

Edelman: I am very serious about my position that I don’t comment about WhenU period, including not commenting about why I don’t comment.

Blodget: Well, I was going to follow that up by asking whether they were a consulting client, but I will not do that because, believe me, I get it.

Edelman: I don’t accept adware or spyware companies as consulting clients. Sometimes they approach me. Direct Revenue approached me, and obviously I told them to get lost. [Direct Revenue was just sued by New York Attorney General Eliot Spitzer].


Blodget: So, where is spyware now—in terms of where it should be and where it was three years ago, in terms of ethical practices?

Edelman: In terms of ethical practices, it is getting more and more complicated, as bad guys find more and more ways to get paid. Historically, the business was to target a web site with competitors’ pop-ups: If we see you go to Expedia, we’ll show you an ad for Travelocity. And that worked fine, for Gator, for however many years. They made $100 million doing it, so it’s not like it was a bad business. But it does seem like the gig is up on that business, because there is article after article naming names of advertisers who do this—getting their data from me, as often as not. But in any event, we’ve pretty much stopped advertisers from wanting to buy those kinds of ads. Not that there aren’t some outliers, of course, but the thought-leaders of advertising, the ones who are ethical and impressive, don’t do that anymore.

So, what other ways? Boy, there are just so many underhanded ways to get paid without folks realizing where the money is going or why. Pay-per-click is a good example of ways for spyware vendors to get paid without anyone understanding that they are paying spyware vendors. But there are other ways, too. Affiliate programs, for example. Other kinds of commission schemes.

Blodget: How big a business do you think this is now?

Edelman: For Direct Revenue at peak it was $50 million a year. For Claria at peak it was $100 million. So these are big numbers. People estimate $1 billion a year all told. I think it could be more when you consider that, for every $1 Yahoo! gets from an advertiser, they’re only paying out $0.50-$0.75 to their partners.

Blodget: And if you fast-forward to a perfect world where all this stuff is stripped away, is there a real business for these companies? Are there enough people that, when everything is completely disclosed, actually want the software on their machines?

Edelman: I don’t think there are many people who actually want the software. There might be some people who will press the “Yes” button or the “Okay” button, but I don’t get the sense that any of them would accept the software if they were fairly told what it is going to do. “In exchange for this screen saver, which will only appear when you are away from your computer, we will show you 20 pop-up ads a day that will appear exactly when you’re trying to get work done.” Who would accept that offer? They sugarcoat it so much that they might be able to convince their lawyer or even a judge that they’ve disclosed what needs to be disclosed, but they haven’t really. When they said “special offers,” the consumer had no idea that what they were talking about was pop-up ads.

Blodget: As this stuff gets eradicated—and if you look at Direct Revenue and others, it sounds as though it’s disappearing—does that spending go to Google, Yahoo!, and others? Does it disappear?

Edelman: I think much of it does go to Google and Yahoo!. The less that’s getting spent on this, the more folks go to what they know and feel comfortable with.

Blodget: Do you think the spyware businesses just get shut down, the way Direct Revenue effectively has been?

Edelman: I think that’s a possibility for some of them. Some might try to stay ahead of the curve in terms of reforming, but once you clean up your practices, as Direct Revenue found, it’s very hard to keep a high installation count and to stay on computers. People don’t like the software, so if you make it easy to remove, they’re going to remove it.


Blodget: Moving on to click-fraud, your latest work shows that clicks are being generated automatically by spyware without anybody clicking. How does that happen?

Edelman: A click is readily fake-able. There’s nothing that makes it easy to tell whether a click has occurred because a user clicked a link or because a web browser was jigged up in some way, say by spyware, to make it look like a user clicked a link. It’s straightforward to fake a click and cause a user to be sent to an advertiser’s site without the user actually clicking on any link.

Blodget: Is that the sort of click that would show up in an audit? As click-fraud becomes a bigger issue, the advertisers themselves are hiring firms to go through click-streams. Is that readily detectable?

Edelman: It’s not obvious that this would come up in an audit. The user’s computer is a real computer, in the United States. It’s not some crazy guy in India, where you can say, “Hey, we don’t even do business in India, why is someone clicking on our links?” The user’s computer does load the page at issue. It’s not like some robot that fakes the click but doesn’t even load the site. The site gets loaded in ordinary Internet Explorer. The site even gets shown to the user, so one out of however many hundred users might go buy something. The conversion rate wouldn’t be zero. And yet it’s all contrary to the underlying promise and the underlying contract, which says pay only when a user clicks your link.

Blodget: Have you done any work on the straight-up click fraud? Zombie networks, bots, etc.?

Edelman: That stuff is much harder to study. My goal in the Yahoo-spyware study was to get these videos, proof of the sort that no one had seen before. No one had ever seen click fraud, because, in general, from an advertiser’s perspective, all you see is the traffic arriving, you don’t know what a user sees.


Blodget: What percentage of computers now have spyware that’s capable of doing this?

Edelman: You get incredible numbers, at least from the anti-spyware companies, numbers like 50%, 60%. I’m not sure I believe that. Think about your office. If your computer was infected with spyware, you would either clean it up yourself or call someone, and in short order you wouldn’t be infected anymore. So, I tend to say maybe 30% infected, 40% infected, still a staggering number.

Blodget: Say it’s a third. What percentage of all clicks could be being generated by spyware—realizing that’s impossible to quantify?

Edelman: It seems like a tall order. I don’t like estimating. I don’t believe other people’s estimates, frankly, so why should anyone believe mine?

Blodget: Well, it doesn’t sound like you had to try too hard to find this happening.

Edelman: The examples were extraordinarily easy to get. I think I could produce a hundred examples like the four that I posted if I worked on this for a month. I think Yahoo’s network would be better for it.

Blodget: How much would it cost them to fix the problem?

Edelman: That’s maybe a $20,000 project. The real cost is the cost of kicking all these folks out and admitting that instead of having X million searches per month, you only have X minus 10 million searches. I’m making the numbers up, but shrinking the network does have costs for them.

Blodget: So, going back to the size question, if you could find 100 examples, would that mean that there were 100 instances?

Edelman: I wouldn’t just find 100 examples. I’d find 100 examples of 100 different partners.

Blodget: So, without estimating, would it be fair to say that this could be generating a material percentage of all clicks?

Edelman: A couple of percent? Definitely. No reason to think that it’s not.

Blodget: But also no reason to think that it’s 30% of all clicks?

Edelman: Well, what’s Yahoo!’s revenue from pay-per-click these days? A couple billion? So, we know from the Direct Revenue documents that Direct Revenue was getting paid $200,000 per month last year merely for showing Yahoo! ads on error pages. If you mistyped a domain, you would get a list of Yahoo ads. That was getting them, call it, $3 million per year. So, one spyware company showing ads in limited circumstances added up to $3 million.

Blodget: And that’s net revenue, so Yahoo!’s revenue would be higher.

Edelman: Double that, give or take. Do another one. Yahoo!’s relationship with Claria. Claria’s not generating click fraud but doing something else very bad. You go to Dell, you get a pop-under that says “Click here to save even more on Dell.” So you click. You’re still at the same Dell site. You’re not saving any more. All that happened was that Dell had to pay $2 to Yahoo, and Yahoo gave a dollar of that to Claria. A complete scam—to target Dell with its own pay-per-click ads. This is not advertising. It’s lead stealing. It’s fraud. So that created $30 million of revenue for Claria in 2003 on a partial year relationship. If you annualize it, you’re at $40 million. So $40 million out of $2 billion, that’s 2% [approximately $80mm of gross revenue for Yahoo!, or 4%].

Blodget: That’s the whole Claria relationship with Yahoo?

Edelman: Yes, not just the cannibalizing. But, frankly, all of it is upsetting to advertisers. Advertisers who think they’re buying ads on the web site suddenly find themselves buying ads in pop-ups, and pop-ups targeting their competitors. If you’re JC Penney, you don’t intend to be targeting Sears or LL Bean. And yet, now the user is at one of those sites and he gets your pop-under from Claria that says, “Buy from JC Penney instead.” This ends up angering a lot of advertising buyers, causing a lot of unhappy conversations with lawyers, I sense. Nothing to be proud of even though there is no click fraud.


Blodget: Are the advertisers unhappy about this because they are upstanding—or because they are worried about getting embarrassed?

Edelman: Partially, getting embarrassed. Partially, there are legal worries. If you’re LL Bean and you’re sending out threats to people saying “Don’t target our web site,” which LL Bean was doing, and then you find that your ads are targeting other people because Yahoo put them there, it makes you look like a bunch of bumbling idiots.


Blodget: You mention in your recent Yahoo-spyware piece that Google has different problems—not the same as Yahoo!’s.

Edelman: Google has rules about who can show their pay-per-click ads and how. For example, there’s a no-pop-ups rule. There’s a no-spyware rule. But Google isn’t very tough about enforcing these rules. The net effect is that there are any number of Google syndicators who get paid by Google for showing ads in spyware-delivered pop-ups. It sounds innocuous except that Google specifically prohibits it. And the advertisers, meanwhile, are paying Google top-dollar, premium prices, the prices you would expect to pay to reach users at Google doing searches, but not the prices you would expect to pay when a user is at some partner site. If you wanted to buy spyware advertising, it wouldn’t cost you $2 a click. Spyware prices tend to be one penny.

Blodget: This is only if they’re going into the Google Network, correct? My understanding is that advertisers can now dictate that their ads only be shown on Google or the network, and they have some control over which sites they appear on within the network.

Edelman: I don’t know that it’s quite as good as you make it sound. [Edelman checks Google’s web site, finds the policy.] Here: An advertiser can choose Google Search, Search Network, Content Network, or any combination. So what I described is an advertiser who wanted Google Search who ends up shown on a Content Network page.

Here’s an example. I was at MapQuest, and MapQuest was showing me five Google ads all keyed off the keyword “vacation.” I hadn’t told MapQuest I was seeking a map for a vacation. I wasn’t. But they had asked Google for the top 5 sponsored links for the search term “vacation,” participating in the Google Search Network, which has the very highest pricing of any part of the Google partner network. In fact, this was a content page, not a search page, so it wasn’t appropriate to charge the high search rates. And this is MapQuest. A real company, not a spyware company.

Blodget: But if you’re an advertiser, you’re not going to get charged unless the user clicks, correct?

Edelman: That’s all well and good. But that’s not the whole question. An advertiser should only be placed there if the advertiser opted into the Content Network. And the advertiser should get the discount that is associated with the Content Network. Instead, MapQuest is making this look like it’s part of the search network, so they’re getting the search network advertisers and the higher Search Network fees. So it’s all screwed up—all in a way that serves MapQuest’s interests but not the advertisers’.

Blodget: So that is a MapQuest problem and a Google enforcement problem.

Edelman: It’s a Google enforcement problem.

Blodget: I think one thing that will work for Google as they get stricter is that such a tiny percentage of their profit comes from the network business. It’s a huge piece of revenue, but a tiny percentage of profit.

Edelman: They could turn off the network. It would be giving a big opportunity to Yahoo, I guess, and Yahoo would probably grab that because Yahoo loves networks.

Blodget: I’m sure they have similar economics: a huge chunk of revenue but a small part of profit. Which is an important point. Aside from the generic click fraud that everyone talks about, it doesn’t sound like any of the policies that you’ve looked at would affect the actual Yahoo! and Google sites themselves.

Edelman: That’s right. These don’t affect those sites. They all come through partners because that’s how the bad guys get paid.

Edelman on THE TREND

Blodget: So, overall, stepping back on both spyware and click fraud, is your sense that it is getting better as a percentage of the total business?

Edelman: I think it’s getting worse, frankly. I’m seeing the bad guys getting more and more sophisticated at getting into these systems.


Blodget: The two click-fraud lawsuits that I’m aware of are in Arkansas and California. The Google settlement of $90 million in the Arkansas case struck people both as very material in terms of the size of the number but also sort of a joke compared to the size of their revenue. So you could infer from that that Google is right in saying that click fraud is immaterial. Based on your legal background, do you think there is any serious financial exposure here or is this just a perception issue?

Edelman: I think there’s a serious problem. And I don’t think the story is over in that Arkansas case.

Blodget: Because the settlement hasn’t been accepted?

Edelman: The settlement hasn’t been accepted, and there are a lot of people who think the settlement is a bogus deal for advertisers.

Blodget: As I understand it, the California lawsuit is the only one in which there has been discovery. Aside from Google having to pay a big chunk of money—and the company could afford $1 billion and not even think about it—I do think there is a psychological risk to the whole medium if it comes out that Google believes internally that, say, 25% of the clicks are suspect.

Edelman: I’m sure there are emails that say things like that.


Blodget: So, stepping back again, looking at all the stuff you’ve looked at over the past few years, and all the stuff you haven’t had time to get to, what percentage of the Net economy comes from this sort of behavior? Are we talking about a problem that is just noise, a few percent of revenue? Or is it a big chunk of the Internet business?

Edelman: I think there is a fair amount of advertising that would fail the smell test if advertisers got to do a smell test. If the ad buyer knew what he was buying, he would stop buying it.

Blodget: Any way to quantify that?

Edelman: It’s different for different companies. Companies that are careful advertisers, probably close to zero. Companies that are kind of reckless, like Vonage? I think 50% of Vonage’s advertising spending, if they knew what they were getting, they would be outraged. They would be publicly humiliated. (Which I am considering doing, frankly. “Ten examples of Vonage ads in spyware.” “Vonage advertising within porn sites.” “Vonage advertising within bomb-making sites.”)

Blodget: And Vonage is one of the biggest online advertisers.

Edelman: They are. That’s the thing: They’re so big, and they care so little. When you get a quote from them in the press, of course, they say they care a lot, but actions speak louder than words. Their actions say to me, “We don’t care, we’re just going to buy $150 million of ads each year and see what happens.”

Blodget: Is that a function of not caring, or do they believe they can get to people they wouldn’t reach otherwise?

Edelman: I’m not sure. It may be that the CEO looked at $75 million-worth of advertising and said “Give me more.” And the ad buyers said, “These ads have problems, but the CEO said he wanted more…” I don’t think that the boss would exactly have wanted this. It’s a question of specific intent versus general intent. They didn’t specifically intend to buy spyware ads—who would?—but they put in place a set of policies where everyone knew full well that that was a realistic possibility, if not an inevitability.


Blodget: Anything you haven’t had time to study that you think is big?

Edelman: I guess I’m overdue for more work on Google. I did some Google material last summer. People were interested. Google was annoyed. Google said “Send us your code, and send us all the examples—for free.” I told them it doesn’t work like that. I want them to solve the problem, but they’re not a charity case.

Blodget: Any specific issues?

Edelman: I’d like to write more about porn. Porn ads being shown to users when they’re at family-friendly sites. Family-friendly companies advertising more within porn sites. Not that I care particularly much about porn, but there are a lot of people who do. Many people shrug off [the spyware problem]: “What’s the big deal? So our ad appeared in some spyware. It’s the spyware that’s the problem. They would have existed without us.” But when you put a porn angle into it, suddenly people are willing to listen.

Blodget: And does Google benefit a lot from porn?

Edelman: I think Google benefits some from porn ads. They don’t turn down porn business. “Don’t be evil” apparently doesn’t imply “Don’t run porn ads.” I’ve seen a few examples. You’re at a shoe store, and you go to “Girl’s Shoes”, and up pops a list of ten different Google ads about porn keyed off of the keyword “girls.” So you were looking for “girls’ shoes” and you got “naked girls.” That’s the kind of thing that, if it’s in a Business Week article, makes Google look awfully close to evil. And that happens, day in and day out.


Blodget: Based on your experience, when you or someone else outs one of these practices, do you get the sense that the advertisers stop spending? Or do they just reallocate their online budget?

Edelman: They reallocate it. So it’s probably good for the folks that we don’t write about. When I out Claria advertisers, that should be good for Google and Yahoo.

Blodget: So it’s not a question of effectiveness? It’s not a case where the advertiser is just getting such a good ROI on a spyware ad that they can’t possibly duplicate that at Yahoo?

Edelman: There may be some that are really committed to this stuff., a long-time spyware advertiser, seems committed to it. They know exactly what they are doing. They have professionals monitoring their campaigns, buying their advertising for them. They decided they want spyware where if you go to some other web site you get a Lowermybills pop-up. But in general, most companies are willing to put it aside once they get a little media attention.

Blodget: Thanks, Ben.

Thought Leaders interviews are published by Cherry Hill Associates, LLC. Cherry Hill Associates, LLC is not an investment adviser, and this publication does not contain investment advice. We do not represent that the facts or opinions in this publication are accurate or complete, and we assume no liability for the use of it. Copyright © 2006 Cherry Hill Associates, LLC.

