What Stays in Vegas
Page 18
The cookies allow Dstillery to record the sites you visit until you delete them, something some users never do (although browsers and plug-ins such as disconnect.me allow users to block cookies all the time if they want). Perlich says her company can reliably track about half the US population that actively uses a desktop or laptop computer, seeing their cookies for an average of ninety days. The company has gathered data showing users looking at a product and perhaps eventually buying, as well as a trail of some of the websites visited beforehand. By analyzing such trends, Dstillery uses predictive modeling to assign scores to every browser in its system. That score, in turn, determines to whom they will try to serve ads and when.4
Graphical view of all the companies following a user on the site TMZ.com. Source: Graphic from browser plug-in disconnect.me (reprinted with permission).
Dstillery also buys tracking data from outside firms, including from a company that provides a popular toolbar that allows people to share content on Facebook, Twitter, Pinterest, or other sites with just a click. That means that even if Dstillery does not have a direct relationship with the company operating the website, it can see data on people visiting that site if it has the social toolbar installed there.
Perlich can learn even more about people’s patterns of Internet use through the ad networks that her company uses to place advertisements. Dstillery uses real-time bidding (RTB), a process in which companies decide in fractions of a second whether to place an ad targeted to a specific visitor. Dstillery, in effect, asks the RTB network to let the company know when a certain user appears. For example, if that user goes to the New York Times website, the RTB asks Dstillery if it wants to bid to place an ad. Even if it doesn’t buy an ad, Dstillery has gained new information about that user’s pattern of site visits. Dstillery creates a unique twenty-digit number for the people it tracks, but then encrypts the data it gathers so that the information would prove meaningless to outsiders. The company says it does not collect personally identifiable information.
Tracking has become increasingly common in recent years. Many online advertising firms collect information to target their ads, and many well-known firms use web beacons and cookies to gather data on users. Typically they reveal the tracking only in the fine print of their privacy policies, so the process is invisible to almost all users. A sampling of such companies includes Yahoo, Facebook, eBay, HP, American Airlines, Nokia, the Vanguard Group, Microsoft, GE, the New York Yankees, Playboy, Target, Pfizer. Even the Internal Revenue Service makes use of tracking. Also using web beacons are smaller sites such as those of the Nebraska Game and Parks Commission, rasushi.com (a chain of sushi restaurants), and 007.com, the official site of James Bond.
User opinions vary greatly about online tracking, whether through cookies or other means. Some appreciate tracking because it allows advertisers to target messages of interest; others find it sinister. Dstillery CEO Tom Phillips, who cofounded the hip satirical magazine Spy in 1986 and later worked for Google to help the company make better use of its data for advertising, scoffs at criticism of targeted ads. He says people make a big fuss over nothing. “Who cares what advertising they show?” he asks. “What is all of this hullabaloo? It’s just advertising, who cares!”
He contrasts online ad targeting with traditional direct marketing, which relies on a person’s name, address, and other information. He says such ads, addressed to you by name and delivered by mail, email, or telemarketing, are much more personal than messages coming via the Internet and mobile. With Internet and mobile ads, “they can always clear the cookie, not pay attention to the ad. They can be in control.” In fact, in the short term, the biggest threat to Dstillery and the industry overall came not from public outcry about tracking but from a pattern of deliberate deception that Perlich and other data scientists at the company discovered.
What the Hell’s Going On?
Doubts nagged at Perlich. She feared that somehow she had messed up. For months she had noticed patterns of data on her Dell laptop that did not make any sense. Her computers showed a stampede of interest in obscure sites. She feared her computer models had somehow failed, perhaps because they were recording the wrong data. “We found our models doing extremely well, too well for a data scientist’s liking,” she said.
Perlich enjoys the freedom to work from home or from the office. She wanted to talk about her doubts to colleague Ori Stitelman, another bespectacled PhD computer whiz, in person. She took the train to the office in Lower Manhattan and arrived at their open work area in front of a massive whiteboard typically filled with mathematical formulas. They reviewed a checklist of potential flaws in their work. Could their models introduce errors as they measured how people navigated the Internet? Then, as Perlich sat in her beloved Ikea Poäng chair, with its curved back and footrest, a flash of intuition seized her. Someone had deliberately created an Internet illusion, hoping to lure money from some of the world’s biggest advertisers. She told Stitelman: “This has to be fraud!”
A few days later Stitelman walked past the ping pong table near his desk and climbed the narrow stairwell between the two floors of company headquarters. He set his sights on Andrew Pancer, Dstillery’s chief operating officer. To maintain a startup vibe at the young company, Pancer and other executives sit side by side with the rest of the staff, undivided even by cubicles. He looked up and listened as Stitelman and Perlich told him what was on their minds. He reacted sharply. “Oh, shit, there’s a problem,” he said. “What the hell’s going on?”5
Within a day the company’s management realized that click fraud could jeopardize the very survival of their startup. It was hard enough to explain to companies how online behavioral advertising worked. They feared their clients would flee altogether if they learned that fraud polluted the whole sector.
By following the one-pixel images they had placed on millions of computers, Perlich and Stitelman discovered previously obscure websites scoring remarkably well, suggesting that many people were visiting clusters of these sites before moving on to better-known retail sites. Their models showed thousands of websites they had never heard of, including Iamcatwalk.com,6 therisinghollywood.com,7 parentingnews.com,8 and womenshealthspace.com,9 scoring better than any other sites, representing a sort of online stampede to unknown pastures. Such patterns ordinarily would suggest that companies should place their ads where the stampede was taking place.
But were these ghost visitors? The people visiting many of these websites seemed to have utterly unconnected interests. Of those who visited parentingnews.com, 80 percent would also go to ChinaFlix.com.10 “Why would all these parents want to watch Chinese videos?” Perlich wondered. Then ChinaFlix would send heavy traffic to well-known websites such as chase.com or nike.com. Could it be that people visiting ChinaFlix.com were much more likely to apply for a credit card or buy running shoes and pizza than other Internet users?
The data scientists tried to figure out the relationship between the different sites and found that many visitors were going from one to another in fractions of seconds—at speeds that were impossibly fast. The traffic was automated somehow. It was mechanized, not human. Stitelman, who earned his doctorate in biostatistics in 2010 at the University of California, Berkeley, worked until late in the night to try to understand what was happening.
Claudia Perlich at work. Source: Author photo.
In some cases, Perlich and Stitelman detected patterns in which a cookie traveled back and forth among seven hundred websites for a millisecond each, suggesting that a single Internet user had clicked to different pages ten thousand times in one day. The heavy traffic among the sites made them seem like key nodes on which to advertise.
Click fraud presented a dilemma for a firm competing in a tough business.
Overall, the new sites represented as much as a fifth of the total inventory of some online advertising networks, meaning that a fair chunk of advertising did not encounter humans at all. Although the data scientists had produced some scien
tifically fascinating results, their findings pleased nobody. They meant Dstillery, as well as its online advertising rivals, were sometimes buying ads that no one would ever view.
If Dstillery quietly cleaned up its models to avoid the suspect networks, rivals might show better numbers in delivering ads to wider audiences. The executives were unsure how to react. Across the online advertising ecosystem, people made money by not rocking the boat.
Stitelman said some media buyers at companies buying the ads asked them to turn the click fraud back on after they learned what had happened—their numbers looked worse without the fraudulent hits. Without the numbers, their annual bonuses could suffer. “The sad thing is that everyone is incentivized to sort of ignore it,” he says. “Even though we know it’s all fake! I don’t know how people look in the mirror.”
The ruse relied on hijacking the computers of thousands of users, who did not realize that their Internet browsers were reaching out on their own to these little-known sites. Often this hijacking occurred after an Internet user visited a porn site. As the Internet browser displayed erotic images, malicious software known as malware would secretly launch a second browser. The malware running the second browser would then visit hundreds of sites, suggesting that the user might be interested in getting a credit card or buying sneakers. But all the user wanted to do was watch porn. Dstillery eventually created a “penalty box” system to remove suspect traffic from its systems, at least on a temporary basis. “We don’t want to dilute the models with signals from people who watch porn,” Perlich said. The porn sites may have had their own legitimate advertising on their pages, but Dstillery wanted to stay away from those murky waters.
At least initially, Dstillery’s honesty hurt the bottom line. “A couple agencies told us we put you up against this other vendor and they are beating you solidly,” Phillips said. Overall, Dstillery fell short of revenue projections for the year, displeasing its three main investors. Phillips said most of the twenty online ad exchanges where he places ads are polluted, some severely.
“Everyone out there does shady stuff, sometimes inadvertently,” he said. Either sloppiness or deceit lies behind the click fraud. “Benign neglect—it’s not so benign—they are neglecting that they are buying shit. I’m not saying that they know. Part of what I am doing in keeping that dialogue open with competitors is, I want to let them know that we know what they are doing.”
The Dstillery data scientists found that some of the sites with the hyperactive traffic were owned by AlphaBird, a San Francisco–based company that operated more than seventy websites, such as wellhabits.com, brilliantriches.com, fundwiser.com, and fulloffashion.com. The company advertised that it “guarantees targeted, engaged audiences for online video” and said it had “delivered tens of millions of engaged viewers for publishers, agencies, studios and Fortune 1000 brands.”11
Chase Norlin, AlphaBird’s CEO, initially declined to talk about his company, but he later agreed. He said he was not aware of the traffic patterns Dstillery had found, and said that even if some dubious traffic entered into online advertising systems from time to time, his company made an active effort to weed it out. “You have to remember that when you buy media, sometimes crappy stuff does get in there and our system is designed to filter all that out. Sometimes stuff does get through, and this could be one of those occasions, but it is usually caught pretty quickly because we have to catch it or the clients catch it,” he said.12
Norlin stressed that any company seeking to operate a business based on fraudulent traffic would quickly be discovered and would not be able to attract clients. He added that his company ran sophisticated real-time filters against automated, nonhuman bot visits to its site. “If what you are describing is accurate, we would have been shut off a long time ago. We wouldn’t be a business. It’s literally that simple,” he said. “We’re a vertically integrated digital marketing company. We are about a hundred people. This is not some, you know, two-person shady operation in Eastern Europe.”
Norlin asked for evidence of unusual activity Dstillery had found. One spreadsheet I sent him showed the journey of an Internet cookie bouncing among several AlphaBird sites on May 22, 2012. A video also showed that typing in one web address oddly kept leading back to two AlphaBird sites.13 Some time later, Norlin wrote back saying he would not comment anymore.
I wrote Norlin again, telling him I had planned a trip to San Francisco, AlphaBird’s hometown. He agreed to meet, but the day before our scheduled meeting he canceled the appointment and said he would want me to sign a nondisclosure agreement or he would not talk again.
Two days later, an AlphaBird official wrote saying that Norlin, company president Alex Rowland, and chief operating officer Justin Manes wanted to talk. They had heard that several articles were going to appear the next day and had become alarmed about the negative publicity it could generate. Somehow they thought I was behind the articles (I wasn’t). In the following days, a series of articles was published on fake botnet traffic, some naming AlphaBird as one of the problem sites.
AlphaBird said the secret to its ability to attract Internet visitors to previously unknown sites lay in “buying traffic.” Although buying an audience might appear to be a daunting task, an Internet search of “buy Internet traffic” leads to sites offering to bring visitors to any web page. For example, maxvisits.com sells one hundred thousand unique US visitors for $114, or $94.98 per hundred thousand visitors from forty-five countries. The company promised “real and unique human website traffic, no bots.” It also offered traffic from web browsers that “pop under” the browser a web user is looking at. Upgradevisits.com said: “Using our own proprietary software, we are able to ‘push’ visitors that have landed on one of our affiliates directly (or through redirection) to your website.”14
Manes explained how AlphaBird did this. “It is really easy,” he said. “You put your money in the machine and you buy visitors and visitors come to your site.”15
Rowland said his company paid others hundreds of thousands of dollars to deliver visitors to AlphaBird sites. “We do that at massive scale. We’re also looking at this and saying, ‘Well, we figured out a model in which we can basically buy audience to come into the site, and even without a high degree of return rates, we still make money, so why would we not continue to do that?’”
Some of the services selling traffic do acknowledge techniques that raise ethical questions. For example, Fulltraffic.net offered to generate a million worldwide visitors for just $190 when I first looked, a number that increased to $450 at the start of 2014. The company tells potential clients: “Be warned that this type of traffic may not be delivered in the form of full page (visitors may leave your site before the entire content is loaded). Be also warned that these visitors ARE NOT IP Unique, which means that the same person may load the same page SEVERAL TIMES and each of those times will be counted as a ‘VISITOR’ by FullTraffic.”16
The team at AlphaBird, which advertised that it had offices in San Francisco, Los Angeles, New York, and Sydney, said that if some of the companies they had used to deliver visitors deployed botnets or other fraudulent methods, they did not know about it. They portrayed a thriving business, but some months after we last talked in 2013, the name AlphaBird had flown. Its website redirected to a different company. Many of the AlphaBird websites—such as Iamcatwalk.com, which had once showed surges of traffic—also no longer operated by the end of 2013.
A California business filing showed AlphaBird had changed its name to Emerge Digital, whose website listed Norlin as its CEO and Rowland as its president.17 Its home page boasted that Inc. Magazine named Emerge Digital as the fastest-growing advertising and marketing company in Silicon Valley and placed it at number eight on a list of five thousand companies overall in the United States. In 2014, Norlin said his business was thriving, although he had closed down the various websites in 2013. He added, “We were never proven guilty of anything. . . . Owning websites and driving traffic to them
is common business practice. Regardless, we exited that business after all the negative publicity, but this is still happening widespread across the industry. Hopefully the Interactive Advertising Bureau or other governing body will come up with a set of standard practices that companies can follow so that the industry as a whole can improve and provide more value.”18
In the big picture, Perlich says click fraud continues more or less unabated. In fact, the deceptions have grown more sophisticated, although companies such as White Ops have emerged to help advertisers eliminate bot fraud. Their message to marketers is simple. “Sophisticated bots act like people, but they don’t follow your brands or buy your products, and they are diluting your metrics and the effectiveness of your campaigns,” it says on its web page.19
The click fraud issue came to light because Dstillery did not target individuals by name; it had stripped out personal data at the heart of traditional direct marketing. The company does not know who you are and has not linked someone’s details to an Acxiom or other company database on hundreds of millions of people.
By contrast, service businesses want to know as much as they can about each individual patron. Caesars executives think a lot about how to gather data on their customers while behaving in a responsible way, a recurring theme in the next four chapters. They have seen that through clever use of incentives, companies can influence what people do and how they share data. They put those insights to the test when they ushered in a major change to their loyalty program, one that risked alienating their best customers.