

How eBay can fix their affiliate marketing program to prevent fraud

Last updated August 29, 2014

In June 2007, eBay reported at least two of its top affiliate marketers (companies paid sales commissions for displaying ads on the web that led people to become new eBay customers) to the FBI, and filed civil charges against them in 2008. The claim was that the affiliates had defrauded eBay by planting the URL to eBay's web site inside the ads, thus fooling eBay's servers into thinking the person had clicked on the ad, causing eBay to write a cookie to that person's computer that would credit the affiliate for a sales commission, should that person buy something and become a new customer. I was a partner in one of those companies, and fully admit my actions, and was convicted and sentenced to federal prison for it.

Between 2005 and 2007, my company was paid between $200,000 and $400,000 in affiliate commissions that were earned as a result of cookie stuffing, deemed wire fraud under 18 USC § 1343. As the second-highest paid employee in our company, I received slightly over a third of that. I take full responsibility, and ignored many red flags that told me we were on thin ice.

As part of my efforts to cooperate with authorities in helping eBay to prevent this type of fraud, on January 29, 2014 I visited the offices of O'Melveny & Myers in Menlo Park, CA to meet with the FBI, the US attorney, and some members of eBay's legal and technical teams. My job was to tell them everything I could about how they could prevent "cookie stuffing", which was their term for this. This document summarizes what I told them.

This 80-second video explains what cookie stuffing is in simple terms:

The fact is that at the time of my involvement, cookie stuffing was widely practiced among eBay affiliates. In my personal assessment, people I worked with at eBay were fully aware of it, offered material assistance to those practicing it, and actively worked to thwart the efforts of Commission Junction (the third party company that managed eBay's affiliate program) and outside contractors whose job it was to detect it. The information I present on this page supports this assessment.

I expect that much of the problem lies in the fact that a company as huge as eBay is not a single-minded, monolithic entity. They are a myriad of departments, offices, individuals; any of whom may have conflicting goals. I've no doubt that the majority of eBay's departments would have been opposed to cookie stuffing had they known about it, but those in the group I worked with clearly embraced it; and my reckoning is that one such conflict of viewpoints surfacing is what triggered the June 2007 crackdown.

This article is my advice for how eBay can fix their affiliate marketing program. Its purpose is not to excuse my own actions, but to help other affiliates stay out of trouble and to help eBay get its own house into a little better order.

1. Don't be a cookie stuffing free-for-all.

When I was indicted in 2010, one of the first priorities was to see if any other affiliates were doing the same thing (besides those I already knew). On a whim, I went to eBay's blog for affiliates, now the eBay Partner Network. At the time, they were featuring a particular affiliate as an example of great work. Here is what I found when I visited that affiliate's web site:

This was among the most outrageous cookie stuffing examples I'd ever seen; and remember, this was three years after they reported my company to the FBI -- and eBay was showcasing it. Clearly, eBay had taken no serious steps to eradicate cookie stuffing, or else they were almost unbelievably incompetent at recognizing it. I believe the former is the case. At least as recently as 2010, they had plenty of bats remaining in their attic.

2. If you're going to disallow cookie stuffing, do not allow your program managers to actively encourage and assist affiliates in cookie stuffing.

In those days, there was a lot of experimenting going on, trying to find out what worked, what didn't, and what kind of methods would get the most cookies onto the most users' computers within the rules. Consequently, the edges of the rules were always fuzzy. Was it OK to have a small preview of eBay.com pop up when a user hovered their mouse over an ad? Was it OK to have eBay.com appear in a frame within a page? Was it OK to have an eBay.com window pop under the current page? Was it OK to have the page refresh after 60 seconds, 10 seconds, 1 second, and pass the user along to eBay.com? What exactly constitutes a "proactive user action" - clicking the mouse? Moving the mouse? Scrolling the page? Was it OK to link a tiny clickbait thumbnail graphic of a supermodel to eBay.com? These are examples of things thousands of affiliates were experimenting with.

Our first experience came when we inquired with Commission Junction about a particular type of JavaScript redirect that seemed to us to be a clever idea. They had no problem with it because it was triggered by a proactive mouse action by the user, and so we employed it on a page. The same day I received a cell phone call from our program manager at eBay, whom I will call "K". "K" always discussed these matters with me over her cell phone, never in writing; so I have no record to show you here. Her advice was that our JavaScript redirect was close; it was getting warm, but we had to do it "just a little bit smarter". She didn't elaborate at the time, but I later learned what she meant was that we should store the IP address of anyone who received a cookie via this method in a database so we wouldn't stuff the same IP twice, and thus compliance checkers would not be able to replicate the redirect.

3. Act on the security reports you receive, rather than pass them along to the affiliates.

An outside contractor, Ben Edelman, conducted periodic checks of eBay affiliates to look for cookie stuffing. Here is a snip from one of his reports that detected our cookie stuffing:

WhoLinked (a Wordpress plugin) was one of our widgets that contained an eBay ad and forced a click. I don't know the other companies/sites mentioned in this report.

I have this report because it's among those that eBay actually sent to me, with advice to avoid Edelman's detection. Eventually this advice even included the physical addresses from where Edelman was known to work, so that we might use IP geolocation to avoid ever stuffing cookies to IP addresses that he might be using (a relatively naïve solution).

In some of his reports, Edelman expressed frustration that his findings were not being acted upon:

This "1st warning" apparently consisted of the phone call I received from "K" described above.

He also expressed frustration in general with the industry's turning a blind eye toward cookie stuffing:

To date, affiliate networks have failed to aggressively pursue, stop, and punish those affiliates using cookie-stuffing. Indeed, LinkShare has repeatedly granted a $15,000 award to affiliates later found to be using cookie-stuffing... LinkShare's repeated awards to affiliates using cookie-stuffing reveal that this technique extends to large affiliates and to well-regarded affiliates. [link]

Well, Ben, you were right. Not only was eBay not acting upon your reports, they were actually passing them along to the very affiliates you were identifying, and advising us to do whatever was necessary to avoid your detection in the future.

Edelman's 84-page February 2007 report to eBay noted dozens of affiliates cookie stuffing. He always recommended "harsh sanctions" -- rightfully so.

The last security warning we received came just one month before the FBI raid. It was from Commission Junction. Here it is:

The warning was, of course, true. My standing instructions from "K" had been to call her if we ever received such a warning, because "eBay valued our business, even if Commission Junction didn't." So I called her as requested. Very soon, I received an email from "K" that said:

Followed quickly by:

Evidently, eBay had plenty of clout with Commission Junction.

4. When you do act on security reports, make reasonable efforts.

In November 2005, eBay's senior director in the affiliate marketing program, "H", received a cookie-stuffing report from Edelman about a certain affiliate who was earning about $1 million per month:

FBI FD-302 interview of "H" on 9/28/2009 that was never introduced into the public record as an exhibit, and so cannot be reproduced here. Paraphrase: Edelman reported replicable cookie stuffing in late 2005 to "H", who stated that eBay was unable to replicate it.

By chance I happened to know this affiliate, and I was familiar with his cookie stuffing. Even though I was a rank novice, I routinely replicated this affiliate's cookie stuffing, every time, simply by using a proxy server, which is a web site you can visit that will bounce your web request through random computers around the world to obscure your IP address. Every 10-year-old who runs a Minecraft server knows how to use a proxy server. They are common tools. Yet eBay, with their technical resources, couldn't quite manage to figure it out -- even with $1 million per month on the line.

In July 2006 (the date is often misreported in court documents) my business partner made a whistle-blowing phone call to "H" to report exactly what we knew about this affiliate's activity, which was basically everything, enough for "H" to verify that we weren't blowing smoke. In other court documents, eBay again claimed to have been unable to replicate what we reported. They continued paying that affiliate $1 million per month for a year even after receiving our detailed and provable report. More than any other single incident, this is what convinced us that we were acting within eBay's model of acceptance.

FBI FD-302 interview of "H" on 9/28/2009 that was never introduced into the public record as an exhibit, and so cannot be reproduced here. Paraphrase: Commission Junction advised "H" of a replicable cookie stuffing incident in the Spring of 2007, but eBay was unable to replicate the cookie stuffing themselves; although they "eventually" did via a proxy server.

eBay happily wrote checks for $1 million for 18 months before they finally took the most basic action: using a proxy server. I don't know, but my guess is that the reports from Edelman and Commission Junction both explained how they had made the detection; or at least would have been happy to share the methodology if eBay had asked.

My bet is that eBay did not make any attempt to duplicate the reported cookie stuffing. If they are telling the truth when they claim they tried to duplicate it but couldn't, their network security staff was less competent than I was.

5. Hold double-dealing employees accountable rather than burying their activity to hide it from shareholders.

The same week that the FBI raided the affiliates in June 2007, "K" disappeared. In later court documents, it was revealed that she had been suddenly stricken with a mysterious and unidentified illness. In 2009 she surfaced, safely and conveniently transferred to eBay's London office; still employed, despite telling the FBI that the following happened in 2005:

FBI FD-302 interview of "K" on 6/25/2010 that was never introduced into the public record as an exhibit, and so cannot be reproduced here. Paraphrase: Another affiliate thanked "K" for helping him achieve large monthly numbers, and asked her for her bank account details. She found a large mid-5-figure sum deposited into her account, and felt "shameful".

...just not too shameful to give out her bank details. We never found any record that eBay ever took any disciplinary or legal action against "K", "H", or anyone else from their group; or that anyone other than "K" had been spirited away overseas. Why not? I can only speculate, but I believe it's because eBay realized the cookie stuffing was happening only because their affiliate group was permitting it. They needed outside scapegoats, and they got them.

Neither I nor anyone from my company ever gave, received, or discussed gifts or kickbacks of any kind. eBay had consistently given us more than enough reason to believe they condoned our methods.

6. Employ oversight.

According to the Powerpoint presentation eBay made for the FBI in June 2007 (not 2006 as erroneously reported in Business Insider), their affiliate marketing program averaged around $6 million per month in payouts. That's a fair amount of change. It seems pretty basic to me that the people who interact directly with the affiliates, receive security reports and decide whether and how to act on those reports, and write the checks, should not be the same people. An independent audit of security reports received, and of actions taken, would have put a stop to this circus very early on. eBay would have saved tens of millions of dollars, and guys like me would have been kicked out long before we got a foothold.

7. Use basic programming logic to determine when to write a cookie; don't just blast affiliate cookies out to every browser.

Typically, an online business that wants to track or identify customers with cookies will first check for the presence of a cookie on each customer's browser. They'll read the contents of that cookie, check it against a database to determine when and why it was written and what data it contained, and then employ appropriate program logic to determine if a new or different cookie should be written, depending on what they're trying to accomplish. This is pretty basic stuff.

In eBay's model, they did none of this; they simply wrote an affiliate cookie on every browser request, with no checks, thus overwriting any other affiliate's cookie that might have been there. This is not just a small bug, it's a massive fail that may be unequaled in the history of the Internet. Employing basic program logic would have protected them from most true fraudulent cookie-stuffing attempts, and it would have protected them from one of the claims they tried to blame my company for: overwriting the cookies of browsers that had clicked on other affiliates' ads. If that happened, it wasn't my fault; it was the fault of their lack of program logic. And it applied equally to all affiliates, not just to those who were cookie stuffing.

This gaping hole is not consistent with a program that's intended to function efficiently and properly credit affiliates. It is, however, consistent with a program intended to simply write as many cookies as possible to as many different computers as possible, and make it look like the affiliate program is massively successful by the measure of dollars paid out.
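As an added illustration of the check described above (example code written for this page, not eBay's or Commission Junction's system): the landing endpoint reads any affiliate cookie already on the browser, looks the incoming referral up in a server-side record of real ad clicks, and only then decides whether to write anything. The click-token scheme, the 10-minute token lifetime, the 7-day attribution window and the first-click policy are all assumptions of this example.

```python
"""Decide whether to write an affiliate cookie, rather than writing one on
every request.  Constructed example; not eBay's or Commission Junction's code."""
from datetime import datetime, timedelta

CLICK_MAX_AGE = timedelta(minutes=10)    # a click token is only valid briefly
ATTRIBUTION_WINDOW = timedelta(days=7)   # how long an existing cookie is honoured


def make_log():
    """Constructed click log: the ad-click endpoint adds a row when a user
    really clicks, so a landing request with no matching row is not a click."""
    return {
        "tok-aff42-001": {"aff": "aff42", "at": datetime(2007, 5, 1, 12, 0), "used": False},
        "tok-aff42-002": {"aff": "aff42", "at": datetime(2007, 5, 1, 9, 0), "used": False},
    }


def parse_cookie(raw):
    """'aff=aff17;ts=2007-04-30T08:00:00' -> ('aff17', datetime), else None."""
    if not raw:
        return None
    fields = dict(p.split("=", 1) for p in raw.split(";") if "=" in p)
    try:
        return fields["aff"], datetime.fromisoformat(fields["ts"])
    except (KeyError, ValueError):
        return None


def decide(existing_cookie, click_token, now, log):
    """Return ('keep' | 'set' | 'none', affiliate) for one landing request."""
    current = parse_cookie(existing_cookie)
    # 1. A still-valid cookie already on the browser is honoured, not overwritten
    #    (first-click policy; an assumption of this example).
    if current and now - current[1] <= ATTRIBUTION_WINDOW:
        return "keep", current[0]
    # 2. No token, or a token the click endpoint never issued: write nothing.
    rec = log.get(click_token)
    if rec is None:
        return "none", None
    # 3. The token must be fresh and unused; stale or replayed tokens are refused.
    if rec["used"] or now - rec["at"] > CLICK_MAX_AGE:
        return "none", None
    rec["used"] = True
    return "set", rec["aff"]


def demo():
    """Four landing requests at 12:05 against a fresh log; returns the decisions."""
    log, now = make_log(), datetime(2007, 5, 1, 12, 5)
    return [
        decide(None, "tok-aff42-001", now, log),   # genuine fresh click: set
        decide(None, "tok-aff42-001", now, log),   # same token replayed: none
        decide(None, "tok-aff42-002", now, log),   # three-hour-old token: none
        decide("aff=aff17;ts=2007-04-30T08:00:00", "tok-aff42-001", now, log),  # keep
    ]
```

A request that merely carries an affiliate parameter, without a recorded click behind it, falls through to "none", which is exactly the case the blanket write-on-every-request model could not distinguish.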

8. Communicate with your affiliates.

It is a fact that my entire case could have been avoided if eBay had simply picked up the phone, called me, and said they're no longer going to allow the pass-through "cookie stuffing" model. A number of times they called me to request other changes to our program: change the wording on the ad, focus on a different set of MySpace profiles, put the ad on the front of the WhoLinked widget instead of inside the slide-out "What's This?" drawer, and we always complied. If they had called to tell us to stop cookie stuffing, I would have protested since it was so lucrative for everyone, but I would have complied. Until the FBI raid, I'd never been given any reason to suspect eBay was dissatisfied with our program; in fact, we received constant accolades and compliments from them, even throughout all of Ben Edelman's and Commission Junction's reports of violations.

It's surprising what simple, open communication can accomplish. It's equally surprising how much harm can be inflicted by the lack of communication.

Finally:

9. Pretending you have no internal problems and calling the FBI to cry "We've been tricked!!" may get you some good press, but will not solve your problem.

I've taken full responsibility for my role in this, and am paying a very high price for it (and have been since 2007) that will dog me for the rest of my life as a convicted felon. If eBay is serious about their affiliate program being an efficient marketing tool rather than simply showing high numbers, and if they want their affiliates to feel safe working with them, they have a lot of housecleaning to do.

My final word

Whether my actions were a crime, or a contract dispute, or unethical, doesn't make any difference. It was wrong. I shouldn't have been involved in it. Nothing on this page changes that. When you do something wrong, it makes no difference whether other people let you do it, or whether other people were doing it too, or whatever the circumstances might have been. Nothing excuses my participation in this, and I look forward to the point when it's all behind me, and I've paid my price, and can move on.

Brian Dunning

@BrianDunning
facebook.com/briandunning


Footnote: A May 2013 article in Business Insider erroneously reported that eBay first contacted the FBI in 2006, one year before the raids were conducted. This is false; eBay's Powerpoint is dated June 2007. Reporter Jim Edwards made this assumption based on a single typo in one of the public court filings giving the FBI interview date of one eBay employee as June 2006 instead of June 2007. However, in Edwards' defense, of all the writers and bloggers who have written about this case, he is the only one who ever contacted me for information.

