Adware Witchhunt Gone Awry
By Eric Goldman
Ben Edelman’s latest “research report”/attack salvo goes after Claria because an ad promoting a Claria product was delivered via alleged spyware. To connect Claria with the “spyware” vendor, Ben traces the money as follows:
Step 1: Claria pays ad network Zedo.com
Step 2: Zedo.com pays 02320.com
Step 3: 02320.com pays ad network Yieldmanager.com
Step 4: Yieldmanager.com pays Venus123.com
Step 5: Venus123.com pays “spyware” vendor ContextPlus
Step 6: ContextPlus does a non-consensual installation (this presumably happens before the money flows)
Based on this 6 step process, Ben’s report reaches the conclusions that “Claria pays spyware vendors to show Claria’s own ads through their popups,” “Claria funds and supports such vendors” and “Claria Shows Ads Through Exploit-Delivered Popups.”
Notice the pronoun-verb connection/disconnect here. Claria “pays”…”shows”…”supports.” But per Step 5, Venus123.com was the one who entered into the relationship with the “spyware” vendor, and Claria was six contractual relationships away from the delivery of the ads via a non-consensual installation. Was the report confused about who dealt with the vendor? Was this a deliberate decision to ignore steps 1-4?
Either way, this grammatical sleight-of-hand reveals a critical assumption of the report–and of anti-spyware zealots generally–that has not been adequately elucidated, examined or justified. Before we can care about the report’s assertions, I feel like someone–anyone–ought to establish that a money source six contractual relations away is “supporting”/”paying”/”funding” the downstream party. If we don’t agree with this grammatical construction, there’s nothing interesting at all in the report.
Note that I’m not disputing that cash originating from Claria ends up in the hands of a “spyware” vendor who may have directly (or more likely indirectly) made a non-consensual install. (I haven’t validated the findings, but I’m willing to accept their truth for now). But even if this finding is true, SO WHAT? If we open up an inquiry to find every person or entity who is a source of funding for ContextPlus 5 degrees of separation away, my guess is that we find hundreds, thousands or even tens of thousands of “supporters.” And if we keep working upstream from Claria (going 6, 7 or 8 degrees of separation from the offending event), we find more “supporters” of Claria that are, by association, supporters of ContextPlus. Go far enough up the chain, and I’m 100% convinced we’ll find money flowing through Claria to ContextPlus from every anti-spyware zealot and agitator out there. Using this illogic, I think we would unavoidably conclude that every anti-spyware zealot “supports” spyware.
The previous sentence would be partially in jest if it weren’t prompted by a serious social threat. That threat isn’t spyware; it is witchhunts where mere association, even if attenuated, equals guilt. We saw similar manias in the Seventeenth century witchhunts of Puritan New England, with the 1940s and 50s Red Scare of McCarthyism, and now with the latest round of zealotry, the anti-spyware crusade. I think each of us has the personal responsibility to vigilantly guard against the temptation of a taint-by-association mania and the resulting significant negative consequences it can produce for the falsely accused.
[NB: I've made some changes to the previous paragraph to clarify some points that may have been misinterpreted.]
To be clear, I recognize that Claria, in theory, derives an economic benefit from the ad placed by Venus123.com and delivered via ContextPlus. But once again, SO WHAT? Everyone upstream from Claria derives the same economic benefit–its investors, its landlord, its Internet access providers, etc. Using this rationale, shouldn’t they be on the hook too?
No. As a matter of law, policy and logic, we don’t go this far. We don’t hold stockholders or lenders responsible for the illegal actions of the company they invested in. We don’t hold the power company responsible for the actions of a customer. And we don’t hold Company A responsible for what Company B, five contractual relationships away from it, does.
Here’s how I propose we put a stop to this nonsense. It’s time for the anti-spyware zealots to make their assumptions explicit. We deserve a simple and plain answer to the following question:
When is X responsible for an adware vendor’s unauthorized installation, and why?
In answering this question, I would like to know: (a) the full universe of people who could be X (and does it include their vendors? customers? investors? employees?), and (b) is X’s responsibility based on the law (if so, which legal doctrines?), morality (if so, what moral doctrines?), blinding emotional outrage, or some other basis?
Until we get upfront and clear answers to these questions, any report concluding that X or Y supports/funds/pays for/is responsible for “spyware,” without justifying the causality link, lacks credibility. I further think any reporter who repeats those report’s findings without also referencing this omission abrogates his or her journalistic responsibilities.