Message from Brian | EFF | Misinfo | How eBay can fix their program

 

How eBay can fix their affiliate marketing program to prevent abuse

In June 2007, eBay reported at least two of its top affiliate marketers (companies paid sales commissions to displays ads on the web that led people to become new eBay customers) to the FBI, and filed civil charges against them in 2008. The claim was that the affiliates had defrauded eBay by planting the URL to eBay's web site inside the ads, thus fooling eBay's servers into thinking the person had clicked on the ad, causing eBay to write a cookie to that person's computer that would credit the affiliate for a sales commission, should that person buy something and become a new customer. I was a partner in one of those companies, and was convicted and sentenced to federal prison for it. But I wouldn't be writing this if there wasn't a lot more to this story.

The reason people went to jail, and eBay cried "fraud", had to do with the way they ran their program and the way they communicated with these affiliates.

Between 2002 and 2007, my company was paid between $200,000 and $400,000 in affiliate commissions that were earned as a result of "cookie stuffing" (see definition below), deemed wire fraud in two bizarre criminal prosecutions. I would not have gone to jail had I not ignored many red flags that told me we were on thin ice.

As part of my efforts to cooperate with authorities in helping eBay to prevent this type of abuse in the future, on January 29, 2014 I visited the offices of O'Melveny & Myers in Menlo Park, CA to meet with the FBI, the US attorney, and some members of eBay's legal and technical teams. My job was to tell them everything I could about how they could prevent what they were calling "cookie stuffing" — a somewhat pointless visit, as the "cookie stuffing" had been performed entirely by eBay themselves, not by us; and was a part of their overall business strategy. Nevertheless I did what I could. This document summarizes what I told them.

If you've never heard of "cookie stuffing", that's because it's not a thing; it's a term that was invented by one of eBay's lawyers specifically for this case, to fool the unsophisticated judge into thinking some identifiable criminal act existed. Here is the Google Trends document proving the term did not exist before they filed their civil suit in 2008:

But nevertheless, it's as good a term as any for what they alleged. It describes the placement of an ad by a third party which contains an invisible pixel linked to eBay's web server, allowing eBay to write cookies to the web user's computer if they so choose.

This 80-second video explains what cookie stuffing is in simple terms:

The fact is that at the time of my involvement, cookie stuffing was widely practiced among eBay affiliates. To my knowledge, people I worked with at eBay were fully aware of it, offered material assistance to those practicing it, and actively worked to thwart the efforts of security contractors whose job it was to detect it. eBay's purpose in doing this was to collect massive-scale user behavior: through their cookie-stuffing pixels in the ads placed by tens of thousands of affiliate marketers all across the web, eBay harvested staggering amounts of data telling them what websites their customers visited. The information I present on this page supports this assessment.

I expect that much of the problem lies in the fact that a company as huge as eBay is not a single-minded, monolithic entity. They are a myriad of departments, offices, individuals; any of whom may have conflicting goals. Perhaps some of eBay's departments would have been opposed to the way their affiliate department worked, others embraced it. My reckoning is that one such conflict of viewpoints surfacing is what triggered the June 2007 crackdown.

This article is my advice for how eBay can fix their affiliate marketing program. Its purpose is to help other affiliates stay out of trouble and to help eBay get its own house into a little better order.

1. Don't be a cookie stuffing free-for-all.

When I was indicted in 2010, one of my legal team's first priorities was to see if any other affiliates were doing the same thing (besides those I already knew). On a whim, I went to eBay's blog for affiliates, now the eBay Partner Network. At the time, they were featuring a particular affiliate as an example of great work. Here is what I found when I visited that affiliate's web site:

This was among the most outrageous cookie stuffing examples I'd ever seen; and remember, this was three years after they reported my company to the FBI — and eBay was showcasing it. Clearly, eBay had taken no serious steps to eradicate cookie stuffing, or else they were almost unbelievably incompetent at recognizing it. I believe the former is the case. And regardless, it is eBay, not the affiliate placing the ad, who decides whether or not to write the cookie. At least as recently as 2010, they had plenty of bats remaining in their attic.

Keep in mind their reason for doing this was the data collection, so we should not have expected them to want the practice stopped.

2. If you're going to disallow cookie stuffing, do not allow your program managers to actively encourage and assist affiliates in cookie stuffing.

In those days, there was a lot of experimenting going on, trying to find out what worked, what didn't, and what kind of methods would get the most cookies onto the most users' computers within the rules. Consequently, the edges of the rules were always fuzzy. Was it OK to have a small preview of eBay.com pop up when a user hovered their mouse over an ad? Was it OK to have eBay.com appear in a frame within a page? Was it OK to have a eBay.com window pop-under the current page? Was it OK to have the page refresh after 60 seconds, 10 seconds, 1 second, and pass the user along to eBay.com? What exactly constitutes a "proactive user action" - clicking the mouse? Moving the mouse? Scrolling the page? Was it OK to link a tiny clickbait thumbnail graphic of a supermodel to eBay.com? These are examples of things thousands of affiliates were experimenting with.

Our first experience came when we inquired with Commission Junction about a particular type of JavaScript redirect, that seemed to us to be a clever idea. They had no problem with it because it was triggered by a proactive mouse action by the user, and so we employed it on a page. The same day I received a cell phone call from our program manager at eBay, whom I will call "K". "K" always discussed these matters with me over her cell phone, never in writing; so I have no record to show you here. Her advice was that our JavaScript redirect was close; it was getting warm, but we had to do it "just a little bit smarter". She didn't elaborate at the time, but I later learned what she meant was that we should store the IP address of anyone who received a cookie via this method in a database so we wouldn't send eBay the same IP address twice, and thus compliance checkers would not be able to easily replicate the redirect.

3. Act on the security reports you receive, rather than pass them along to the affiliates.

An outside contractor, Ben Edelman, conducted periodic checks of eBay affiliates to look for cookie stuffing. Here is a snip from one of his reports that detected our cookie stuffing:

WhoLinked (a Wordpress plugin) was one of our widgets that contained an eBay ad and forced a click. I don't know the other companies/sites mentioned in this report.

I have this report because it's among those that eBay actually sent to me, with advice to avoid Edelman's detection. Eventually this advice even included the physical addresses from where Edelman was known to work, so that we might use IP geolocation to avoid ever stuffing cookies to IP addresses that he might be using (a relatively naïve solution).

In some of his reports, Edelman expressed frustration that his findings were not being acted upon:

This "1st warning" apparently consisted of the phone call I received from "K" described above.

He also expressed frustration in general with the industry's turning a blind eye toward cookie stuffing:

To date, affiliate networks have failed to aggressively pursue, stop, and punish those affiliates using cookie-stuffing. Indeed, LinkShare has repeatedly granted a $15,000 award to affiliates later found to be using cookie-stuffing... LinkShare's repeated awards to affiliates using cookie-stuffing reveal that this technique extends to large affiliates and to well-regarded affiliates. [link]

Well, Ben, you were right. Not only was eBay not acting upon your reports, they were actually passing them along to the very affiliates you were identifying, and advising us to do whatever was necessary to avoid your detection in the future. What has become evident to me is that many publicly-held companies who use affiliate marketing, and eBay in particular, do so to show their shareholders that they're marketing aggressively. The higher the payouts, the more aggressively they must be working. Ben, I believe they deliberately sweep your reports under the rug, and I know for a fact eBay took steps to undermine your investigation, by proactively colluding with us to thwart your efforts. It seems strange that they would have engaged your services without advising you of the data collection purpose of their cookie stuffing.

Edelman's 84-page February 2007 report to eBay noted dozens of affiliates cookie stuffing. He always recommended "harsh sanctions" — advice they did not follow, because they were an active part of the process.

The last security warning we received came just one month before the FBI raid. It was from Commission Junction. Here it is:

The warning was, of course, true. My standing instructions from "K" had been to call her if we ever received such a warning, because "eBay valued our business, even if Commission Junction didn't." So I called her as requested. Very soon, I received an email from "K" that said:

Followed quickly by:

Evidently, eBay had plenty of clout with Commission Junction.

4. When you do act on security reports, make reasonable efforts.

In November 2005, eBay's senior director in the affiliate marketing program, "H", received a cookie-stuffing report from Edelman about a certain affiliate who was earning about $1 million per month:

FBI FD-302 interview of "H" on 9/28/2009 that was never introduced into the public record as an exhibit, and so cannot be reproduced here. Paraphrase: Edelman reported replicable cookie stuffing in late 2005 to "H", who stated that eBay was unable to replicate it.

By chance I happened to know this affiliate, and I was familiar with his process. Even though I was a rank novice, I routinely replicated this affiliate's cookie stuffing, every time, simply by using a proxy server, which is a web site you can visit that will bounce your web request through random computers around the world to obscure your IP address. Every 10-year-old who runs a Minecraft server knows how to use a proxy server. They are common tools. Yet eBay, with their technical resources, couldn't quite manage to figure it out — even with $1 million per month on the line.

In July 2006 (the date is often misreported in court documents) my business partner made a whistle-blowing phone call to "H" to report exactly what we knew about this affiliate's activity, which was basically everything, enough for "H" to verify that we weren't blowing smoke. This affiliate was not actually displaying any ads, only eBay's invisible pixel, and so was not bringing eBay any value at all. In other court documents, eBay again claimed to have been unable to replicate what we reported. They continued paying that affiliate $1 million per month for a year even after receiving our detailed and provable report. More than any other single incident, this is what convinced us that we were acting within eBay's model of acceptance at a high, official level, not just a local level with "K" and her team.

FBI FD-302 interview of "H" on 9/28/2009 that was never introduced into the public record as an exhibit, and so cannot be reproduced here. Paraphrase: Commission Junction advised "H" of a replicable cookie stuffing incident in the Spring of 2007, but eBay was unable to replicate the cookie stuffing themselves; although they "eventually" did via a proxy server.

eBay happily wrote checks for $1 million for 18 months before they finally took the most basic action: using a proxy server. I don't know, but my guess is that the reports from Edelman and Commission Junction both explained how they had made the detection; or at least would have been happy to share the methodology if eBay had asked.

My bet is that eBay did not make any attempt to duplicate the reported cookie stuffing. If they are telling the truth when they claim they tried to duplicate it but couldn't, their network security staff was unrealistically incompetent.

5. Hold double-dealing employees accountable rather than burying their activity to hide it from shareholders.

The same week that the FBI raided the affiliates in June 2007, "K" disappeared. In later court documents, it was revealed that she had been suddenly stricken with a mysterious and unidentified illness. In 2009 she surfaced, safely and conveniently transferred to eBay's London office; still employed, despite telling the FBI that the following happened in 2005:

FBI FD-302 interview of "K" on 6/25/2010 that was never introduced into the public record as an exhibit, and so cannot be reproduced here. Paraphrase: Another affiliate thanked "K" for helping him achieve large monthly numbers, and asked her for her bank account details. She found a large mid-5-figure sum deposited into her account, and felt "shameful".

...just not too shameful to give out her bank details. We never found any record that eBay ever took any disciplinary or legal action against "K", "H", or anyone else from their group; or that anyone other than "K" had been spirited away overseas. Why not? I can only speculate, but I believe it's because eBay realized the cookie stuffing was happening only because their affiliate group was permitting it. They needed outside scapegoats, and they got them.

Neither I nor anyone from my company ever gave, received, or discussed gifts or kickbacks of any kind. eBay had consistently given us more than enough reason to believe they condoned our methods.

We do not have any evidence for this, but our working theory is that eBay did not want their shareholders (or regulators) to discover their user data collection scheme through their cookie stuffing program.

6. Employ oversight.

According to the Powerpoint presentation eBay made for the FBI in June 2007 (not 2006 as erroneously reported in Business Insider), their affiliate marketing program averaged around $6 million per month in payouts. That's a fair amount of change. It seems pretty basic to me that the people who interact directly with the affiliates, receive security reports and decide whether and how to act on those reports, and write the checks, should not be the same people. An independent audit of security reports received, and of actions taken, would have put a stop to this circus very early on. eBay would have saved tens of millions of dollars, and guys like me would have been kicked out long before we got a foothold.

7. Use basic programming logic to determine when to write a cookie; don't just blast affiliate cookies out to every browser.

Typically, an online business that wants to track or identify customers with cookies will first check for the presence of a cookie on each customer's browser. They'll read the contents of that cookie, check it against a database to determine when and why it was written and what data it contained, and then employ appropriate program logic to determine if a new or different cookie should be written, depending on what they're trying to accomplish. This is pretty basic stuff.

In eBay's model, they did none of this; they simply wrote an affiliate cookie to every browser request, with no checks, thus overwriting any other affiliate's cookie that might have been there. This is not just a small bug, it's a massive fail that may be unequaled in the history of the Internet. Employing basic program logic would have protected them from most true fraudulent cookie-stuffing attempts, and it would have protected them from one of their claims they tried to blame my company for: overwriting the cookies of browsers that had clicked on other affiliate's ads. If that happened, it wasn't my fault; it was the fault of their lack of program logic. And it applied equally to all affiliates, not just to those who were cookie stuffing.

This gaping hole is not consistent with a program that's intended to function efficiently and properly credit affiliates. It is, however, consistent with a program intended to simply write as many cookies as possible to as many different computers as possible, and make it look like the affiliate program is massively successful by the measure of dollars paid out.

8. Communicate with your affiliates.

It is a fact that my entire case could have been avoided if eBay had simply picked up the phone, called me, and said they're no longer going to allow the pass-through "cookie stuffing" model. A number of times they called me to request other changes to our program: change the wording on the ad, focus on a different set of MySpace profiles, put the ad on the front of the WhoLinked widget instead of inside the slide-out "What's This?" drawer, and we always complied. If they had called to tell us to stop cookie stuffing, I would have protested since it was so lucrative for everyone, but I would have complied. Until the FBI raid, I'd never been given any reason to suspect eBay was dissatisfied with our program; in fact, we received constant accolades and compliments from them, even throughout all of Ben Edelman's and Commission Junction's reports of violations.

It's surprising what simple, open communication can accomplish. It's equally surprising how much harm can be inflicted by the lack of communication.

Finally:

9. Pretending you have no internal problems and calling the FBI to cry "We've been tricked!!" may get you some good press, but will not solve your problem.

I've taken full responsibility for my role in this, and am paying a very high price for it (and have been since 2007) that will dog me for the rest of my life as a convicted felon. If eBay is serious about their affiliate program being an efficient marketing tool rather than a user data collection scheme, and if they want their affiliates to feel safe working with them, they have a lot of housecleaning to do.

My final word

Whether my actions were a crime, or a contract dispute, or unethical, doesn't make any difference. It was against the terms of the contract, and I should have been smart enough to note the red flags and get out of the business and as far away from it as I could. I'm confident that most eBay employees believe the version of the story that has me as the villain; this is because a program was running that was against the majority wish at eBay. I should not have been a part of that program. I only wish they had spread their retribution around to everyone who was a willing participant, not just the one outside individual who they knew had insufficient resources to defend himself.

Brian Dunning
Brian Dunning

@BrianDunning
facebook.com/briandunning

 

Footnote: A May 2013 article in Business Insider erroneously reported that eBay first contacted the FBI in 2006, one year before the raids were conducted. This is false; eBay's Powerpoint is dated June 2007. Reporter Jim Edwards made this assumption based on a single typo in one of the public court filings giving the FBI interview date of one eBay employee as June 2006 instead of June 2007. However, to Edwards' credit, of all the writers and bloggers who have written about this case, he is the only one who ever contacted for me information.

After this was concluded, Edwards very kindly wrote me:

It sounds like a nightmare. This whole case has been bizarre. I think eBay behaved extremely strangely — turning a straightforward contract dispute into a criminal case.

Truth.

 

Message from Brian | EFF | Misinfo | How eBay can fix their program