PPC Advertising, Click Fraud, and Its Effect on Search Engines

By now, many if not most of you have probably read, or at least heard, about the lawsuit filed against several search engines, accusing them of conspiring to overcharge for advertisements. More information here:

formatting link
The WSJ recently featured a front-page story on the issue of click fraud as well.

I have always been skeptical of the pay-per-click (PPC) method of charging for advertisements. I have always felt it was a poor business model, because of its susceptibility to fraud. I have never understood the search industry's fascination with PPC, especially since there are other methods of selling advertising, such as fixed fees, which provide no means (and thus, no incentive) to game the system by merely clicking on ads. Furthermore, the money that is spent both by the advertisers and publishers (including the search engines) implementing complex fraud detection systems can be put to more productive uses. Just about everyone I have spoken to with a technical background in Internet protocols and architecture seems to realize this, but the message doesn't get through to business people who feel that despite click fraud, PPC is a superior advertising model to any others. Perhaps there is something I have overlooked in my assessment of the risks vs. rewards of PPC advertising.

It seems that PPC advertising is going to be a fixture in web advertising. Given that PPC makes click fraud easy, we can expect to see more of it in the future. This should be a serious concern to anyone who invests in search engines or other companies that do PPC advertising, or is a customer of such companies. At the very least, the companies need to disclose the criteria they use for determining that fraud has taken place, and the rights their customers (advertisers) have with regards to getting refunds for fraudulent clicks.

I'd also like to know if there are any technical groups that are studying the issue and proposing solutions. From a standpoint of detecting fraud at its inception, I thought I might find some interest among the intrusion detection community, but I haven't yet. The types of intrusion detection done at the packet level don't seem to scale to the types of attacks I've witnessed, which suggests that the detection might be better done at the web server and/or web log processing level. I checked the Apache documentation to see if any work of that type had been done, and outside of some basic configuration options for blocking certain types of sites and requests, there wasn't any. Also, based on what I've read about some of the tools people are using to analyze web logs, they can detect certain types of fraud, but don't necessarily provide alerts of impending fraud, especially if the site receives a considerable amount of traffic. (This is especially the case for the largest search engines.)

--gregbo gds at best dot com

Reply to
Greg Skinner
Loading thread data ...

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.