[ISN] Harvard study wrestles with Gator

From: InfoSec News (isnat_private)
Date: Thu May 22 2003 - 22:21:21 PDT

    Forwarded from: "eric wolbrom, CISSP" <ericat_private>
    
    http://news.com.com/2100-1032_3-1008954.html
    
    By Declan McCullagh
    Staff Writer, 
    CNET News.com
    May 22, 2003
    
    A Harvard University researcher has completed an investigation of the
    Gator advertising utility, offering a glimpse into the workings of one
    of the Web's most controversial pop-up networks.
    
    Gator is a utility, sometimes derided as "spyware," that monitors a
    user's Web browsing activity and displays relevant advertisements.  
    Until this week, the service promised advertisers that it could slap
    promotions onto a computer screen when a reader visited a competitor's
    Web site.
    
    According to the Harvard report, pop-up advertisements for Sun
    Microsystems' powerful V880 server, boasting "See how Sun beats IBM,"  
    are aimed at Gator users who visit IBM.com. In the cutthroat travel
    business, Orbitz, Travelocity.com, Priceline.com, and Cheap Tickets
    have purchased pop-ups that Gator users visiting arch rival Expedia
    will see, the study found. Expedia, in turn, uses Gator to aim its own
    "bargain fares" ads at all four of its competitors' sites.
    
    The report "provides some data as to how much advertising Gator is
    showing and to whom it is targeted," said author Ben Edelman, who has
    testified as an expert witness against Gator in at least one legal
    challenge to its service. "For Web site operators, and to be sure,
    their legal staff, it's important to know whether Gator is targeting
    them or not, and if so, how much."
    
    Scott Eagle, Gator's senior vice president for marketing, said the
    company was examining the report for possible errors, but he did not
    contest specific findings as of late Wednesday. Nevertheless, Eagle
    raised general doubts about the study's methodology, observing that
    the report relied on information gleaned from Gator's client software
    without taking into account actions performed on Gator's servers.
    
    "Eighty percent of the magic is what he'll never see," Eagle said of
    Edelman and his findings in a phone interview. "He's only touching a
    part of the elephant."
    
    Gator's advertisers are no secret to millions of Web surfers who have
    installed its software. Still, the company has been guarded about its
    customers and practices due in part to the stigma of pop-up ads and to
    ongoing litigation.
    
    Gator is one of the most aggressive companies peddling pop-ups--an
    Internet marketing technique that opens a browser window loaded with
    advertising over the top of, or underneath, an ordinary Web page.  
    Early versions of Gator's service placed pop-ups directly over the top
    of advertisements embedded in Web pages, but the company has since
    ceased the practice. More recently, it has incorporated delays so that
    ads may be triggered only after visitors leave a Web site.
    
    Pop-ups have been credited with higher-than-average customer response
    rates, making them popular among advertisers. But consumers have
    rebelled against them, and countermeasures that block the ads from
    appearing have gained in popularity.
    
    Popping up in court
    
    Gator has run afoul not only of Web surfers, who generally dislike
    pop-ups, but also of publishers who rely on advertising revenues.
    
    The privately held company, which says it charges advertisers fees
    starting at $25,000, has attracted a slew of lawsuits challenging its
    business practices and the legality of luring advertisers away from
    Web sites that must pay to produce content. The company in February
    settled a case brought by The Washington Post, The New York Times, Dow
    Jones and other media companies. Other lawsuits brought against Gator
    by catalog retailer L.L. Bean, hotel chain Extended Stay America, and
    online loan marketplace LendingTree.com are pending.
    
    Gator says its practices are legal because consumers agree to receive
    the ads when they download and install its software: an e-wallet and
    authentication application that makes it easier for people to register
    with Web sites and make online purchases. Gator is included with
    popular ad-supported software such as Divx and NetSonic, which help
    Redwood City, Ca.-based Gator distribute its product to a claimed 35
    million current users.
    
    Edelman, who is a student fellow at Harvard law school's Berkman
    Center for Internet and Society--which sponsored the report--has
    authored many similar studies in the past about topics such as
    Google's Web filtering, false Whois data, and registration of domain
    names with typographical errors.
    
    Although it would be possible for someone to install the Gator client
    and record its behavior, this approach is problematic. For instance,
    Gator delays serving ads from minutes to hours after a visitor leaves
    a Web site, making it difficult to trace what triggered the pop-ups.
    
    Edelman automated the process by using a packet sniffer to ask Gator
    for its ad lists for thousands of different sites. He found that Gator
    targets specific host names, such as support.microsoft.com, and
    sometimes targets identical ads at dozens or hundreds of Web sites.  
    The University of Phoenix, for instance, pays for ads aimed at scores
    of other university sites, such as the University of California at
    Berkeley, Carnegie Mellon University and Stanford University.
    
    Wednesday's report shows that Gator is very specific in monitoring Web
    browsing. For example, it carefully watches what people type into the
    Google search engine, hunting for phrases like "preventing pregnancy,"
    "high cholesterol" and "Toro lawn mower part," the study says.
    
    Edelman's research shows that even federal government Web sites are
    fair game. Gator users looking for information from the Centers for
    Disease Control and Prevention may see an ad for "thinner thighs in
    four weeks," and Gator watches for users visiting areas of the Food
    and Drug Administration's site relating to Viagra, breast implants and
    weight loss, the study found.
    
    Advertisers identified as Gator customers in Edelman's study,
    including Sun, did not immediately respond to requests for comment.
    
    How Gator works
    
    According to Edelman, a Gator server sends a list of ads to the Gator
    client, based on the domain name of the site visited. In his research,
    the lists consisted of a series of hyperlinks to Zip files, such as
    http://bg.gator.com/Banners/13811.1/13811.gbd2zip. The Gator client
    downloads and displays only the ads that jibe with the user's prior
    actions, Edelman found, which might mean not showing the same ad twice
    in a row. Gator's ad server appears to ignore other variables sent by
    the client utility, including locale, ZIP code, user ID and machine
    ID, and frequently displays ads after users leave a targeted Web site
    instead of while they're still viewing it.
    
    Gator's Eagle would not discuss details, calling it a "proprietary"  
    algorithm. "Why am I going to put my intelligence where people like
    Ben or my competitors may be drilling down?" he said.
    
    Eagle contends that advertisers are only permitted to target groups of
    sites, not individual Web sites. But on Tuesday, after being alerted
    to the existence of the Berkman study, Gator deleted marketing
    materials from its Web site that suggested otherwise. The deleted Web
    page, which had existed since at least February 2002, had promised:
    "Gator can pop up your advertising or promotional message
    anywhere--even at a competitor's site."
    
    Gator said on Wednesday that the deletion was part of a new marketing
    campaign that had been planned for months.
    
    Even faced with the daunting threats of fierce legal battles and the
    dubious honor of marketing the most complained-about piece of
    "spyware," Gator says it's unbowed.
    
    "Companies like Google, Overture and Gator are shining examples of
    success," Eagle said. "Our consumers save billions of dollars per year
    on software that they'd have to spend $20 to $30 on if they weren't ad
    supported. Yes, I am sorry that many Web sites don't have a valid
    business model, but don't blame Gator on their failure. They crashed
    and burned long before we came on the scene."
    
     
    _______________________________________________________________________
    eric wolbrom, CISSP			Safe Harbor Technologies
    President & CIO				190 Goldens Bridge Ct.
    Voice 914.767.9090 ext. 6000		Katonah, NY 10536
    Fax   914.767.3911				http://www.shtech.net
    _______________________________________________________________________
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    


