By now, many if not most of you have probably read, or at least heard,
about the lawsuit filed against several search engines, accusing them
of conspiring to overcharge for advertisements. More information
here:
http://money.iwon.com/jsp/nw/nwdt_rt.jsp?cat=USMARKET&src=704&feed=dji&section=news&news_id=dji-00001320050405&date=20050405&alias=/alias/money/cm/nw

The WSJ recently featured a front-page story on the issue of click
fraud as well.

I have always been skeptical of the pay-per-click (PPC) method of
charging for advertisements. I have always felt it was a poor
business model, because of its susceptibility to fraud. I have never
understood the search industry's fascination with PPC, especially
since there are other methods of selling advertising, such as fixed
fees, which provide no means (and thus, no incentive) to game the
system by merely clicking on ads. Furthermore, the money that is
spent both by the advertisers and publishers (including the search
engines) implementing complex fraud detection systems can be put to
more productive uses. Just about everyone I have spoken to with a
technical background in Internet protocols and architecture seems to
realize this, but the message doesn't get through to business people
who feel that despite click fraud, PPC is a superior advertising model
to any others. Perhaps there is something I have overlooked in my
assessment of the risks vs. rewards of PPC advertising.

It seems that PPC advertising is going to be a fixture in web
advertising. Given that PPC makes click fraud easy, we can expect to
see more of it in the future. This should be a serious concern to
anyone who invests in search engines or other companies that do PPC
advertising, or is a customer of such companies. At the very least,
the companies need to disclose the criteria they use for determining
that fraud has taken place, and the rights their customers
(advertisers) have with regard to getting refunds for fraudulent
clicks.

I'd also like to know if there are any technical groups that are
studying the issue and proposing solutions. From a standpoint of
detecting fraud at its inception, I thought I might find some interest
among the intrusion detection community, but I haven't yet. The types
of intrusion detection done at the packet level don't seem to scale to
the types of attacks I've witnessed, which suggests that the detection
might be better done at the web server and/or web log processing
level. I checked the Apache documentation to see if any work of that
type had been done, and outside of some basic configuration options
for blocking certain types of sites and requests, there wasn't any.
Also, based on what I've read about some of the tools people are using
to analyze web logs, they can detect certain types of fraud, but don't
necessarily provide alerts of impending fraud, especially if the site
receives a considerable amount of traffic. (This is especially the
case for the largest search engines.)

--gregbo
gds at best dot com
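
An added example, not part of the original post: a minimal sketch of detection at the web-log processing level that raises an alert while the log is still being read, rather than in an after-the-fact report. It assumes Apache common/combined log lines in time order and a hypothetical `/click` redirect path for ad clicks; the window, the threshold and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined prefix: host ident user [time] "METHOD path PROTO" ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*"')

CLICK_PREFIX = "/click"          # assumption: ad clicks pass through this path
WINDOW = timedelta(seconds=60)   # assumption: sliding window length
THRESHOLD = 5                    # assumption: clicks per client per window


def detect_click_bursts(lines, prefix=CLICK_PREFIX, window=WINDOW,
                        threshold=THRESHOLD):
    """Stream time-ordered log lines; return (ip, time, count) once per burst."""
    recent = defaultdict(deque)   # ip -> click timestamps still inside the window
    alerting = set()              # ips already reported for the current burst
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue              # skip malformed lines instead of aborting
        ip, ts, path = m.groups()
        if not path.startswith(prefix):
            continue              # only ad-click requests are counted
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # drop clicks that fell out of the window
        if len(q) >= threshold:
            if ip not in alerting:
                alerting.add(ip)
                alerts.append((ip, when, len(q)))
        else:
            alerting.discard(ip)  # burst ended; a later one alerts again
    return alerts


def sample_log():
    """Constructed sample: one client clicks six times in 25 s, another once."""
    lines = [f'192.0.2.10 - - [05/Apr/2005:12:00:{s:02d} +0000] '
             f'"GET /click?ad=17 HTTP/1.1" 302 0' for s in range(0, 30, 5)]
    lines.insert(2, '198.51.100.7 - - [05/Apr/2005:12:00:07 +0000] '
                    '"GET /click?ad=17 HTTP/1.1" 302 0')
    lines.insert(0, '198.51.100.7 - - [05/Apr/2005:11:59:58 +0000] '
                    '"GET /index.html HTTP/1.1" 200 512')
    return lines
```

A per-address rate threshold is only one signal; clicks spread across many addresses stay under it, so this shows the alerting mechanism rather than a complete detector.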