Security

Web Ad Explosion

Web Ad ExplosionFinanced by corporate ad dollars, some online marketers are getting sneakier--and more annoying.Tom Spring

Has your browser's home page changed suddenly in recent months? Does your desktop sport a toolbar you don't remember asking for? Is your system tray crowded with mystery applications? You're not imagining things: Online advertising is more cunning, aggressive, and infuriating than ever. More than 25 percent of top Web destinations now use some kind of in-your-face marketing tactics, according to the Internet research firm Cyveillance.

Worse, corporate America is financing some of these intrusive ad campaigns. A PC World investigation shows that in today's complex Web economy, even reputable companies such as Citibank, Ford, and Sears can wind up paying commissions to aggressive Web marketers--often without realizing it. And since the marketers have little or no government regulation to hamper them--and enjoy the powerful incentive of lucrative ad budgets to underwrite their costs--the new and aggravating practices aren't likely to go away anytime soon.

Perhaps you've experienced some of these tactics, such as InternetFuel's method of pelting you with pop-up advertisements as you leave a site, or Search-Explorer.com's mouse-over downloads that can cause software to be downloaded to your PC's hard drive after you merely roll your pointer across an advertisement. Programs from Brilliant Digital Entertainment, Cydoor Technologies, and Gator may ride along when you install downloaded file-sharing software or Internet utilities. Then there are those InternetAlert pop-up advertisements: They look like Windows' system warnings.

There's nothing illegal about these actions, and they don't run afoul of any government regulations. Rudy Grahn, an analyst for Jupiter Research, says advertising regulations--which historically have been aimed at broadcast and print media--simply haven't yet caught up with the latest online strategies.

Yet the targets of aggressive marketing, including consumers and businesses, must contend with the adverse impact on PC and network performance. And irritated Web surfers have made their feelings abundantly clear on gripe sites. "What I don't understand is why this...isn't illegal," wrote one typical poster at Spywareinfo.com, which tracks online privacy issues. "Seems like a clear form of cyberterrorism to me."

Fueling this ad explosion is an estimated $9.6 billion that the GartnerG2 research firm says will be spent on Internet advertising in 2002. Web sites can now earn bounties for snagging your attention, your browser, your hard drive, or your name. For example, sites can earn up to 5 cents for each visitor who installs marketing software from the Webmaster Revenue Network, according to the company's Web site. They can collect as much as 20 cents for learning your zip code and e-mail address, say people who are familiar with the industry. And Web sites that ran those ubiquitous advertisements for X-10 wireless cameras may have earned up to $45 for each $90 sale they generated, according to Pesach Lattin, who is the author of the online marketing e-newsletter Adbumb. Adds Lattin: "The reason there's an upsurge in advertising sleazeware is because it works."

You Don't Even Need to Click

While most marketing software requires the user to click his or her assent before it installs, some newer technologies bypass this step. Earlier this year, for example, sites ran an ad that automatically downloaded a toolbar from Search-Explorer.com if the user moved their mouse over the ad while their browser was set to a low level of security. AdPowerZone, which created the toolbar, says it has the ability to track "every Web site the user visits, allowing our advertisers to send special offers to our users in real time while they are online." About 1.3 million people downloaded the software over a four-week period, the firm says.

AdPowerZone's president, Yves Lavoie, says that by mid-July only one Web site was still offering the mouse-over download. He notes that automatic installs occurred only if users had set their Web browsers to allow them.

Similar browser settings may enable some of Bonzi Software's pop-up ads to create a directory on your hard drive and download the company's marketing mascot, an animated purple gorilla that pitches to you whether you are online or off. "All we are trying to do is grab your attention the same way the employee outside Wal-Mart does by telling you what's on sale as you walk in," says Bonzi's John Epstein.

Britain-based C2 Media's MP3 Search application, which is distributed by sites such as MP3Search.com, promises to help you locate digital music. When we installed the software in April, however, it also switched our browser home page and default search engine to the Lop.com Web site. A Lop.com toolbar--with ads for Citibank, the Columbia House Record Club, Ford, and Sears--appeared, as did 89 new bookmarks, many of which pointed to Lop.com. And landing on Lop.com triggered a flock of pop-up and pop-under ads.

Informed Consent?

We shouldn't have been surprised. The software's user agreement outlined the various changes that would be made to our system. But not everyone reads such agreements carefully. And at least one site distributing the software, PornLabs.com, advised Webmasters to rename the download as "mp3_finder.exe" or "napster2.exe" in order to "help induce the surfers to run and accept the software."

PC World tried to contact the owners of PornLabs.com, who are listed with the Web domain name registrar VeriSign as Toiling Robots, but could not reach them. C2 Media founder and coprincipal Alex Shamash says he knows nothing about Toiling Robots. As for the downloads, he says, "Everybody knowingly accepts the terms of the software." And C2 Media is just one of many companies that make money by generating ad "impressions"--an industry term used to refer to the number of times an ad is displayed--and the resulting traffic to customer sites.

How do ads from big companies such as Citibank and Ford wind up on tiny Web sites? Corporations or their agencies often place a certain percentage of ads through middlemen such as Advertising.com, ClickXchange, or Commission Junction. Such middlemen may, in turn, route the ads to hundreds or thousands of affiliated sites. ClickXchange, for example, has some 150,000 affiliates that run banner ads for 460 advertisers, according to Craig Tammel, chief technology officer. And each day hundreds more sites inquire about joining the program.

Given these numbers, it can be impractical or even impossible for a middleman to police every affiliate. For example, General Counsel and Vice President Tom McMahon at Advertising.com said he was not aware of the details of how C2 Media generated ad impressions when he was first contacted by a PC World reporter, although C2 Media was an affiliate at the time. The two companies have since ended their relationship.

Agencies and companies also place ads through brokers who buy and resell bulk inventory of online ads for a small profit, says Lattin. In these transactions, he adds, it's possible to lose control over exactly where an ad is placed--explaining how a mainstream ad can end up on a porn site even if the sponsor forbids marketing on such sites. "Half the companies [advertising with these sites] may not even know it," he says.

A Potential for Huge Profits

The affiliates who distribute these advertisements can earn substantial cash, as demonstrated by a recent federal court case in Philadelphia. A judge ordered Web marketer John Zuccarini to pay back $1.8 million in "ill-gotten gains" from tricking people to view banner ads and visit Web sites run by pornographers and a self-styled psychic named Miss Cleo. Unfortunately, Zuccarini vanished without paying, and is still being sought by Federal Trade Commission investigators.

How the System Can Go Wrong

The case offers insight into how an unscrupulous operator can exploit the system. Prosecutors said Zuccarini registered about 5500 Internet domain names that were misspelled versions of popular, legitimate domain names--including 41 variations on "Britney Spears." Surfers who misspelled the singer's name in a Web search could wind up at a Zuccarini site where they were bombarded by multiple pop-ups. Attempting to close one of these windows or to click a Back button simply launched new pop-ups. In this way, Zuccarini generated ad impressions for legitimate middlemen such as Commission Junction. The firm's chief executive officer, Jeff Pullen, declines to say how much Commission Junction paid Zuccarini. But he says that at that time the company typically took 20 cents out of every dollar paid to affiliate sites for running ads.

"By the law of large numbers, some people are going to try to cheat the system," Pullen adds. But he says that misuse of the Commission Junction network has never been widespread and that the company is always on the lookout for abusers.

Though the Zuccarini scam was detected, regulatory agencies are hamstrung by the fact that there are few laws governing Internet ads. The FTC has filed suit against those it considers to be clear offenders--like Web sites that trick people into downloading programs that cause their modems to dial expensive 1-900 phone numbers. But the agency has no mandate to combat certain other questionable marketing practices.

Online marketers argue that self-regulation is the best way to protect consumers. One group that already serves as an industry watchdog is the National Advertising Division (NAD) of the Council of Better Business Bureaus. Andrea Levine, its director, points to a November 2001 case in which the NAD recommended that Bonzi Software modify ads for InternetBoost modem-optimization software. The pop-up ads looked like a Windows error message that declared: "Your Internet Connection Is Not Optimized. Download InternetBOOST 2001 Now!"

The NAD recommended that Bonzi change the ad's appearance to make clear that it was marketing, not a Windows message. The group also asked the company to change the wording so as not to imply that a system defect had been detected. Bonzi changed "is not optimized" to read "may not be optimized," and also labeled the window clearly as an ad, says NAD attorney Peter Marinello. But this summer, ads for Bonzi's InternetAlert security program again looked similar to Windows warnings. The message this time: "Your Computer's Data is Currently at Risk. Download InternetALERT now."

Consumers who don't like Gator got some relief in July, when a federal judge ordered the firm to stop delivering pop-ups over sites run by some prominent media companies. Dow Jones, the New York Times, and the Washington Post, among others, alleged that the ads hurt their revenue by directing visitors to other sites. An attorney for Gator said the company was considering an appeal and believes it will win the case when it comes to trial.

Changing the Law

Washington may yet act to stop some of the worst abuses. The Senate Commerce Committee in May signed off on S. 2201, a bill that would require Web sites to inform visitors if they intend to collect personal information--for example, by tracking Web activity--or share it with others.

For now, however, you're mostly on your own in dealing with Web advertising (for specific advice, see "Outfox the Marketers"). "As soon as you think you've seen it all, advertisers are right back in your face with something new and even more annoying," says Lattin. So read the user agreements carefully, check your browser's security settings--and, even after taking those precautions, don't be too surprised if a wily Web marketer still manages to grab control of your PC.

Outfox the Marketers

In the absence of government regulation and effective self-policing of aggressive online marketing technology, consumers must fend for themselves. Here are some tips to help you cope:

Reach the license agreement carefully: Check for clauses about software that seem unrelated to the application you intend to install on your PC.

Get software that fights adware: Ad-aware, PestPatrol, and Spybot-Search & Destroy can remove offending software; ZoneAlarm lets you know when your PC tries to send data to the Internet.

Check out freebies: Consult Spychecker.com, which maintains an online database of software that bundles advertising components.

Adjust your browser settings: Make sure that your Internet Explorer security levels (select Tools, Internet Options, Security) are set to Medium (or higher), which prevents automatic software installations. Set the browser to prompt you before running programs like ActiveX applets that can start automatically.

Learn the lingo: Don't trust an ActiveX applet just because a dialog box tells you it's been "signed." This language just means the applet is really from the site it claims to be from. It says nothing about what the applet does.

Remove any unwanted ActiveX applets: To do so, go to Tools, Internet Options, General, Settings, View Objects. Right-click any questionable programs and select View Properties to see where they came from. If you want to uninstall one, right-click it again and select Remove.

Get uninstallers: Some adware can't easily be removed through Control Panel's Add/Remove Programs window. If this happens, check the adware company's Web site for an uninstall program that can eliminate it completely.

Subscribe to the Security Watch Newsletter