317 comments

[ 31.7 ms ] story [ 590 ms ] thread
I assume it will be a cost benefit analysis for unfortunate victims.
It's ok Google setup a form to communicate with AdSense partners.

> “We have a help center on our website with tips for AdSense publishers on sabotage,” the statement continues. “There’s also a form we provide for publishers to contact us if they believe they are the victims of sabotage. We encourage publishers to disengage from any communication or further action with parties that signal that they will drive invalid traffic to their web properties. If there are concerns about invalid traffic, they should communicate that to us, and our Ad Traffic Quality team will monitor and evaluate their accounts as needed.”

I wonder, has anyone contacted Google and somehow avoided getting banned?

Google seems to show no outward no interest in actually unbanning anyone once they're banned, do they care if you tell them beforehand that you're concerned someone is messing with your ads?

And if they do care, does that even help / wouldn't the "ban this guy" script just run anyway?

I highly doubt it.

I've had ~$150 sitting in my adsense account for about 4 years now because I'm unable to cash out. Their 'input bank information' page is broken, seems like my old banking information is stuck filled out and I can't remove it. Won't let me put new information in either. And the link to the help site leads to a 404.

I've tried various forms to reach a person and they've all been fruitless. Google is just holding my money hostage with no recourse.

They even send me a 'your payments are on hold' email every few months to basically say 'remember, we stole your money and theres nothing you can do about it!'. Thanks Google, I almost forgot that you're the definition of faceless corporation again.

I had a similar situation where I bought a domain for an old blogger blog years ago.

So anyway the credit card tied to that has expired (years ago I thought).

Then Google emails me their "update your payment information" email ... and points me to a Gsuite login.

Bro (Google) I don't have a Gsuite account ... and my regular Google account has valid payment options. Every form of help just points back to Gsuite...

Blogger doesn't appear to have any of the old information as far as the domain being purchased.

I managed to get the domain registrar to help. There was no way to contact Google, it was just an infinite loop telling me to login to Gsuite.

Can you bring them to small claims court?
Sounds like a good way to get banned from all Google services.
This would place them in contempt, I suspect, potentially open to equitable remedies.

Of course, IANAL, TINLA.

Why would they obligated to do business with someone who sues them?
Smells like a monopoly that needs a very harsh breakup.
I suppose logically, yeah. I have no idea how to do that though. I don't imagine writing 'Google' on the defendant line is going to work. And if it does they'll likely ban me from all Google services for life. Not really a path I want to go down.
I’ve gone Google free without really noticing. IMO a 150 check makes that an easy choice, but it’s up to you.
Unfortunately their unlimited storage for ~$14/month via gsuite is the best storage deal on the internet. I've got 13TB and counting in there and would prefer to not lose that account.

I've also got another grandfathered in free gsuite account I've been using for personal things for about 7 years, changing from that would be a nightmare.

I suppose I'm part of the problem, being unwilling to do something about it because I have more to lose than gain.

Ok, I had to look that up.

Business / $12 month

"Unlimited cloud storage (or 1TB per user if fewer than 5 users)"

Yeah that is what they write for the terms. In practice though they have never enforced the 1TB/user clause, can't find any references to them doing that ever. Many people claim to have many terabytes with no enforcement on the user clause, myself included at 13TB currently with 1 user for just under a year so far. Apparently it has been this way for years.

Effectively you get unlimited storage for $12 + taxes/month.

It's a pretty smoking deal if you don't mind the (seemingly minuscule) chance that one day they'll ask for more money or pull the plug. In my use case all the data is easily retrieved again so it would only be a minor inconvenience.

Well, if you tell them beforehand, it gives them a chance to ban your account before the illegitimate traffic even occurs. Sounds efficient!
Yeah, Google is well known for being responsive and helpful through their web forms. I've read many a story here on HN about users of Google services having judgements overturned by the friendly support agents who are definitely not robots.
Putting up a captcha would be another option.
captcha on what, the site? since there's basically nothing authenticating the site to the adsense iframe/script, can't the attacker serve a cached version locally?
That has nothing to do with the discussion at hand, and would do nothing to prevent a malicious ad clickbot
To actually enforce the policy described in that link, would require authenticating websites when rendering ads. Otherwise, one could just embed an ad from a different domain, and easily defeat this process.
I'm not sure why the parent (throwaway2048) is getting downvoted over this. He's correct. The attack is as follows:

You want to attack (send fake traffic to) example.com, but example.com has implemented a captcha system (think cloudflare interstitial). If you directed your bots to visit example.com, they'd have to solve the captcha to view the ads. However, there's nothing stopping you from solving the captcha once, getting the page source, and serving that to your bots. This works because example.com doesn't serve any ads directly, it only embeds a <script> or <iframe> element to adsense. Since the bots are under your control, it's trivial to set up the redirection (eg. hosts file or HTTP proxy). HTTPS isn't a problem either because you can MITMing yourself with a self signed certificate, which is not a problem either as you can get your bots to trust that certificate.

From the perspective of the adsense script, it's impossible to tell whether the bot is visiting the real example.com or a fake version, since the browser is under the attacker's control. The only way to mitigate this attack would be some sort of one time use token that's generated server-side by example.com, and authenticated by adsense each time it tries to display an ad, which I doubt adsense supports.

One solution could be some sort of DRM based device attached ad...but that will cause other problems.
"Nearly there - just complete this captcha to see our advert!"
I mean on the page content. Using something like Google's Recaptcha would reduce friction for legit users.
I think there was a time that was true. Now reCAPTCHA is so prone to tagging someone as a bot if they employ any ad blocking or tracking prevention that it significantly interferes with web use. It's an overall harm to the web in my opinion.
AFAIK attackers only need to actually access your content once and extract the ad embed. Please correct me if I'm wrong.
I think parent comment meant putting up a captcha on the website for suspicious traffic, the way Cloudflare does.

I don't think anyone is silly enough to suggest putting captchas on ads.

The fascinating thing here is that Google's systems are required to make a judgement of intent. Is this ad fraud ordinary fraud that's intended to increase payouts, or is it intended to be caught so the account is suspended? From the scammer's perspective, there's no reason not to play both sides: test fraud patterns to see if they're detected, and when they get caught just redirect the bots towards extortion victims. No matter how well Google's detection system works, the scammer gets paid.
Yeah if one scam doesn't work... now you've got a known good weapon.

Google's willingness to shut down a lot of things on what seem like a very surface level fingerprinting means it's pretty rock solid to predict what will happen.

Google either doesn't care about intent, or their systems have consistently bad judgment. I've lost count of the horror stories about indie bloggers getting a ban from AdSense when it was time to receive their first check, and being offered no meaningful way to appeal the ban.
Yeah, that happened to me 15 years ago. Just crossed the $100 payout limit and suddenly, FRAUD! What ticks me off the most is if they have the ability to detect and block fraud, then why block accounts? Why the death penalty? Just don't pay out fraudulent clicks and terminate repeat offenders, rather kill the account on the first blush with no appeal.
> if they have the ability to detect and block fraud, then why block accounts?

To protect their business by protecting their reputation.

The scale of Google's advertising business(es) means that a loss in revenue from poor public perception of their ads is likely to be far more than a few thousand small ad buyers (those spending <US$5000/mo) getting cut off, which would barely register as a rounding error (<0.1% of just AdWords revenue alone.)

How is perception affected by not-paying suspect accounts but not banning them either? The public doesn't see the clickfraud
They could be shadow banning them or they could be continuing to allow them to operate in service of their algorithms. The public doesn’t see clickfraud but they also don’t see headlines about Google ads having a fraud problem.

A rare anecdote of Joe Schmo not getting his 97.54 payout is effectively meaningless.

I understand this, but it's suspicious when they manage to detect the fraud only when it's time to pay out the revenue to the site owner. It's also a little unfair to assume every detection of fraud is 100% purposeful action by the site owner and permanently terminating their account without even so much as a warning. In my case, I had ads running on my blog. It took 4 months to rack up $100. I think the chances I was purposefully defrauding them was low, given how long it took to get to the payout point.
I wonder if there's a simple explanation for this pattern.

Fraud detection costs money. If there is no money changing hands, why spend the money on detection?

Terminating after 1 offence, 2 offences, or n offences only changes how long a competitor / blackmailer / disgruntled former employee or ex-spouse / random bored idiot with a stolen credit card needs to continue paying for clicks.
They don't charge the ad buyer. My account was terminated 15+ years ago, still can't run ads under that account for some reason I do not know, but they were able to detect it and block it, whatever "it" was. So I'm punished forever for something forever unknown to me, despite not doing anything. I think the rule is unfair.
It seems unfair to the point that the entire model is unworkable. Well, perhaps they could ignore the "fraudulent" clicks when billing and never terminate anybody.

By "paying for clicks", I was thinking that they'd be paying some service to click on the ads, rather than writing their own scripts or doing it manually.

> Google either doesn't care about intent, or their systems have consistently bad judgment.

Not to defend Google here but... how did you determine this? By seeing those < 0.01% of issues where it goes wrong? How did you determine the magnitude here and how do you know the systems aren't right in > 99.999999% cases?

They don't have to judge intent, just remove the traffic without enforcing a punishment.
The policy that the system is intended to implement requires suspending customer accounts for detected fraud but not for cases of sabotage, so it needs to judge intent until the policy is changed. I would imagine that the current policy was designed under the assumption that traditional click fraud would be the dominant form of fraud and so making it more difficult would be the highest priority. Simply removing detected fraudulent traffic without enforcing a ban would make it easier to test and iterate on fraud bots without burning as many accounts. I don't think there's an easy answer.
Doesn't your hosting platform (Wordpress/Blogger/AWS/etc.) help identify the spam bots and stop them in the first place?
AFAIK you don't need to spam the actual hosting platform since you can extract the embed code of the ad.
Well, the difference is that extorting someone is a lot more illegal in a lot more countries than running not farms. Extradition usually requires that whatever a person is accused of is a crime in both countries, which makes extortion a bigger risk for the scammers.
It's an act of duplicity.

Google wants you to believe both that it can detect a website owner doing bad things (blackhat SEO, click fraud on ads on their site to earn more money, etc), yet simultaneously that they can catch any bad actors faking those things to damage you (negative SEO, click fraud to terminate your own accounts, etc)

That obviously isn't possible. Google cannot determine the intent behind anonymized actions. They just want you to believe that they can in order to discourage people from trying to game the system.

I've heard of Twitter and YouTube accounts being suspended for buying followers, but anyone with $5 can send tens of thousands of fake followers at anyone's account.

The only real solution these services have is to silently ignore the faked traffic whenever they observe it. Anything else can be gamed from either side.

Yes, and if a somebody is offering ad-clicking as a service, how is Google supposed to know who paid for the clicking?
Hooefully this willnget Google to take appeals from suspensions more seriously
No. Their MO has been to remedy only those that get high publicity.
If this doesn't lead to a change in googles fraud policies, I'd bet this will be the next viral scam. It's a classic protection racket, and requires far less technical ability than ransomware. Renting out botnets is big business.
Funny story, Twitch.tv actually has a similar problem and they seemingly have solved it.

On Twitch, "Followers" is a tracked and important metric for streamers (publishers). Therefore there's obviously a lot of benefit to buying fake bot followers and inflating your count.

However, sometimes misguided fans of streamers will buy bot followers for them intending to be helpful (or even to spam them with inappropriately named followers).

From Twitch.tv's perspective, tracking down who issued the bot followers is of paramount importance since they have an interest in preventing gaming of the system without catching innocent streamers in the crossfire.

Twitch actually maintains a help page on what to do when you're being spammed by followers, and it includes a statement that they won't punish people who haven't paid for spam. In my experience, whatever mechanisms they're using under the hood seem to be reasonably effective - I have yet to see someone incorrectly banned for this.

Where have you heard/read about this? I've seen cases where twitch streamers have super obvious bots watching, literally thousands of them, and Twitch did nothing.
It used to be a very large problem for the 2007scape streamers, I imagine it was solved with a mix of legally prosecuting serious offenders via de-anonymizing the bot networks, as well as a tighter feedback loop of reporting and banning them - effectively making it more of a hassle to setup than its worth, which is saying a lot because the types of people doing those activities have A LOT of free time.
How could they legally prosecute them? What laws were broken?
EULAs are legally-binding in the United States, and the Federal government is very happy to murder people under CFAA violations.
> EULAs are legally-binding in the United States

Not generally. Specific ones may be, but so far it's always been on a case-by-case basis.

IANAL, but at least on the /2007scape streams the viewbots were used to pump up numbers on fake streams linking to phishing sites (which presumably is an illegal activity in most countries).

For other content, it can be seen as a loss of income for the streamer if they are demonetized due to viewbots, and for those where it isn't - it is effectively ad fraud since Twitch revenue is based on those engagement numbers

you have no clue how the internet works
(comment deleted)
It doesn't seem too surprising that avoiding false positives means you are more vulnerable to false negatives.
A few false negatives is generally manageable and in the noise. If I have one bot follower who cares - if it is significant to me that means I'm small (5 follows 4 real - nobody cares about me), or I'm so big that the one doesn't matter (100,000 vs 99,999 real - I'd probably cross 100,000 in a few days anyway)
Twitch is a dumpster fire and an affirmation system doesn't solve any of this problem.
If you're nearing the top of becoming "the most famous" on these platforms, buying fake followers for your competitors -- to get them removed so you ranked higher -- well, that's quite a novel concept. Certainly not ethical, but I'd imagine it'd be quite difficult to track down who actually purchased the fake followers. How do you prove you didn't buy something?
(comment deleted)
The same rules don't apply to top streamers. Smaller streamers will get banned for playing copyrighted music, but the most popular streamers can break the law, "accidentally" wear see-through pants on stream, etc., and they'll get a couple day ban at most.
Not really.

To avoid bots from inflating viewers, they have banned non-partnered/affiliate channels from appearing in the directory if they have above a certain amount of viewers.

While this solves the bot problem, it ensures that new channels will never become popular. Because if you begin to become popular, your channel will literally disappear and you cannot grow.

(And on a side note, there are a lot of large streamers today that admit they used bots to promote their channel when they were first starting out, years ago. Sometimes, gaming the system is the best way to win.)

Partnership/affiliation status is an almost automatic process that's tied to your metrics (hours streamed, etc), so it's not some hard cap on popularity.
> Partnership/affiliation status is an almost automatic process

Emphasis on almost. It requires an application and approval. Most importantly, being an affiliate/partner is not appealing to some people, since you have to sign an exclusivity contract.

They'll also force you to play a certain amount of ads. I've watched some streamers who wouldn't show any ads because they were making enough money on subscriptions and donations that they didn't want to make anyone watch them. Within the past year though, they've said that twitch told them they need to start showing ads, so they'll tell everyone to take a bathroom break or turn on an adblocker for the next couple of minutes.
The process is also rather arbitrary. If a streamer has barely any viewers but is a friend of a popular streamer, they'll get partnered almost immediately, but a "nobody" streamer that regularly has hundreds of viewers will get denied until they've been streaming for a long time. They'll also ban you if you tell anyone why you were denied.
I have yet to see someone incorrectly banned for this.

Because they barely ever ban bots, even the most obvious ones.

I've seen streamers get follow and spam botted by thousands or tens of thousands of accounts within hours or minutes. All accounts had random character names and were created within a couple hours of each other.

All reported multiple times by multiple people over months yet no action at all. I have lists with a total of 60k clear and obvious bots reported to Twitch over and over again even by the partnered streamers affected and all were completely ignored and the accounts still alive.

I've been a mod for a couple big streamers for a while and it's absolutely crazy how many reports of follow and spam bots, blatant abuse and ToS infractions Twitch completely ignores. Especially in the last year or so it just keeps getting worse.

I would really not list them as a good example of dealing with bots in any way.

It's quite possible that twitch is able to identify a bot follower vs non-bot. But by keeping this breakdown secret, they've taken away any feedback mechanism the botters can use to monetize their bot followers. For example, you'd likely not get into the twitch partner program by simply just adding bot followers (which means you can't generate revenue from ads on twitch).
I wonder if they sold clicks before. Interesting way to pivot their "business".
In the real world protection rackets are a stable business. You either pay up and are protected or your business gets messed up. No sane criminal would xerox the client list, split from the boss and also try to extort money - it is unhealthy as the turf will be defended.

In the online world there is no concept of local. You can't protect your clients. But then, why should clients pay up - there is an infinite supply of copycats.

I cannot upvote this enough - a deep insight into the problem.
So would a valid defence strategy be for a white or gray hat to send out millions of these threats (maybe linked to an invalid payment method so it became impossible to pay up).

Everyone would get so many of them that the "genuine" threats would get lost among the fake ones.

Alternatively somebody uses the same technique to send massive amounts of fake Adsense traffic to multiple businesses without any warning thus forcing Google to improve their customer service or validation algorithms...

> Everyone would get so many of them that the "genuine" threats would get lost among the fake ones.

So the internet will turn into the United States Postal Service then w.r.t. advertisements vs legitimate correspondence?

Surely in many people’s spam folders this is already the case?
I can already see my spam folder being made up of 100% extortions and threats of varying severity. A grizzly thought.
> why should clients pay up

Because otherwise their ad income stops.

How does "I might get extorted again by someone else" factor into this?

And what prevents them from asking again next week. Or forging account ban regardless of ransom.
You still probably get the best outcomes if you're willing to pay sufficiently credible threats a couple times.
We don't typically see that with ransomeware so I don't know why we'd see that with other types of extortion.
With ransomware if you get hacked you usually fix your defenses.
Or a different extortionist comes along next week?
The whole scheme would collapse. It only works as long as people reasonably believe paying will solve the problem for a long while. This is why many ransomware campaigns pretty much run a callcentre with support for how to easily buy BTC and make the transfer.
If there’s only one group running the scheme it works, but if there are many, it becomes very difficult to coordinate and limit repeated demands. Soft of like how oil producers can only keep the price up if everyone joins the cartel. Each member will make more money if they defect.
This is why organized crime is very aggressive toward upstarts.
So these scammers have a better customer support system than Google?
> How does "I might get extorted again by someone else" factor into this?

The value of the ad income may be more than paying the extortion when it happens once. That doesn't mean it's more when it happens more than once.

"there is an infinite supply of copycats. "

No there is not, as the number of botnets is big, but limited. And I can imagine something like online turfs to actually happen, with criminal hacker groups setting up areas. And taking other groups down, if they mess with their turf. (afaik some crackers take already good care of their botnets so they do not get under the control of other groups and effectivly remote admin their bot computers and patching)

Now while there is never such a thing as 100% security, right now the average number is frightening low. So the root problem is that the average tech stack is just too vulnerable. There is way too much truth in that:

https://xkcd.com/2166/

And our government agencies don't seem too eager to change that.

The same botnet can back an infinite number of these ransom notices, because when you get one of these ransom notices you have no way of knowing if the ransom notice you got today is the same botnet you paid off last week but with a different name.

Add in the fact that there are botnets available to rent, and you create a near-infinite supply.

Sure thing. But that is allways the thing with ransom. You don't know if paying once is enough. But also the criminals know, there is only a certain amount of money to be extracted from their victims.
IRL, if another gang threatens me, I can go to the first I paid protection for, and usually they try to convince the other gang that, no, they should not do that.

There is no such thing online.

Why not? Wouldn't you be able to forward contact info from one group to another?
A bitcoin address does not give that much information about who wants to get paid.
Ransomware hackers have call centers to teach people how to buy bitcoin. I'd suspect groups involved in this kind of scam would have something similar, isn't it?
Security companies have a pretty good grasp of how trustworthy an aversary you're dealing with. So if have doubt about whether to pay up for the cryptolocker ransomware that just infected your corporate network you can always give them a call. As happened recently with a Dutch University.

https://www.maastrichtuniversity.nl/um-cyber-attack-symposiu...

(comment deleted)
> We have a help center ... There’s also a form ...

But good luck getting hold of a real human to explain the situation to.

That's just Google in general. Apparently not a single human being still works in their support department. All androids I hear...
I've been saying for a while that the problem with micropayments is microfraud, and this just adds to that.
I’d love to see these extortionists, senior citizen scammers, and ransomware authors who destroy lives from the comforts of anonymity dragged into a public square and shot in the stomach on national television.
In my opinion, the parallel is Black hat seo. The parallel solution is disavowment via Google webmaster console. That concept could work here.
I don’t understand: Why can’t Google just count those clicks as invalid and keep the AdSense running with no ban? If Google has the ability to detect fraudulent clicks, then there is no reason to ever ban any website for AdSense fraud.
That assumes google can actually detect all fraudulent clicks, no?
If Google's fraud-detection isn't 100% accurate (and I'm sure it's not), then simply removing detected fraud disadvantages those who don't have any fraudulent clicks.
In that case you've removed the risk of iterating to try to find a way to get past their checks.
I'm going to make a guess here from my own unrelated experience trying to debug problems in live systems. It is often much easier to detect that there is _some_ unusual activity present than it is to categorically define exactly which activity is legitimate versus which isn't.

Usually, this is because you can easily detect some of the anomalous behavior but not all of it. So you'll have some activity which is obviously anomalous, some which is obviously legitimate, and some which could be either. And sometimes when you've detected some that are obviously anomalous, most of the rest of the activity ends up being in the category of "could be either" with almost none left in the obviously legitimate.

So from Google's point of view, I'm sure they ban the account so that they 1) don't end up paying a lot of money to users for the "could be either" activity, and 2) don't need to keep expending server resources continuously categorizing and serving the obviously anomalous traffic.

I'm sure this is right. You don't have enough statistical mass with any click by itself, but in the aggregate you can detect fraudulent activity with a high degree of certainty.

Google's plan is to make it sufficiently expensive to avoid detection in the aggregate that selling fake clicks isn't a viable business proposition. The fraudsters have inverted the game: they can't beat Google's detection algorithms, so they can't sell you fake clicks, but they can sell you protection from their fake clicks.

Google's move at this point seems to be lessening the punishment for fake clicks so it's still not economically viable to sell them but also not economically viable to use them as a threat.

I worked on fraud detection products for several years, and in the end the only explanation I had was misaligned incentives between the publisher, advertiser, agency, ad server, and other adtech middlemen.

The publisher wants to show little clickfraud to keep their rates high, but don't get the data to handle nor often have the technical resources to prevent it if they knew. The advertiser doesn't really understand the modern ad market so sees "fraud" and will go to the agency that promises zero fraud, even if they're more expensive than just eating the fraud. The ad server doesn't really care per se, and can't do much because (outside RTB optimization) the publishers are the only ones who can really do the work to prevent the fraud. But they need to keep the publisher and agency happy, so they measure it. Both the publisher and agency get unhappy if the numbers are high, no matter how true they are or how inefficient it would be to bring them down - so the ad servers are either incentivized to lie (in practice meaning, not investing much in fraud detection) or to kick publishers with high fraud rates off.

(The closely-related question is why fraudulent clicks matter at all, when CPM/CPC rates should pretty quickly decline in proportion to target the same number of real people for the same price. But no matter how much we tried to sell actually useful features - e.g. no ads for your vacation planning service on a news article about a plane crash - all any customer ever cared about was click fraud!)

Detection is far from precise and the tactics are always changing, a cat-and-mouse game. With enough suspicious activity, it's safer to suspend or ban the whole account.
If only there were some sort of device you could use to determine if the website was a small business. Such as a telephone.

Put another way, actual relationships with customers solve this problem trivially.

My guess: because the limit to Google getting paid isn't inventory. There's effectively unlimited places on the internet to put ads. What is limited is the dollars flowing in from advertisers. If they perceive Google Ads to be fraudulent, they bounce.

Put another way: someone testing Google Ads with a $100 ad buy is (my guess) 1000x more valuable than a (new to Google) publisher someone showing $100 worth of ads. If the former experiences fraud, they leave. If the latter has their $ yanked by google, eh, there's still trillions of ad slots per day available.

That is, customers are more important than excess inventory.
Google wants to protect the people paying them, ie the advertisers. They don't care as much about content creators etc.
Presumably much of the detection is probabilistic. Some algorithm notices a bunch odd traffic from Chile hitting a French website, clicking ads at a high rate, so it all gets tagged as fraudulent. But some of that traffic was probably real.

If the fraud rate is high enough, they likely can't pick out any real users anymore, as they get lost in the noise.

> If Google has the ability to detect fraudulent clicks

They don't.

That would give publishers a nice incentive to produce automated clicks themselves. There are no great answers to this issue, Google definitely falls short but full transparency is also not the answer.

The amazing thing to me is Google treats almost everyone the same. From a site getting $5 a month to $5,000 to $50,000. About the only difference I've noticed is I sometimes get to have conference calls with people who have the same suggestions. I've provided Google with billions of (legit!) ad impressions over the years and wouldn't even get a phone call before being kicked off.

won't those publisher produced automated clicks count as invalid as well?
Ok - so the search-space - all the things that are in the web - is a finite (!) space but also a "commons". If Google had not a private monopoly on the search space but it was a commonly / public held corpus - would this problem even exist? How would advertising work vs just searching?
This has nothing to do with search. This is an attack on site operators who are running Google ads, not on Google's own search ads.
How is this different from Google encouraging company A to out-bid company B for ads on B’s product names? Online advertising is inherently a racket.
Would it help if you get your site behind Cloudflare or similar?.
They only need to request your site once, to get the ads that are served, then they can "click" them without visiting your site.
So like copying the ad embed code and pasting it in an HTML and the somehow spoofing the ip address?
I'd guess you would only have to spoof the REFERER.

But I might be wrong.

"thousands of IP addresses"

Naive question here, but this seems like a good starting point to combat this. Aren't some hijacked IPs "hotter" than others for spam activity? I would think that with Google's massive AdSense network, patterns would emerge from bot'ed IPs that are blasting away at various Google adsense customers, no?

Botnet IP addresses have kind of a high churn rate. One person notices their computer is acting funny and gets it cleaned, another person gets newly infected. Somebody unknowingly has an infected laptop and they go plug it into a dozen different wifi networks over the course of a month, causing requests from a dozen different IP addresses that are each also shared by legitimate users.

The result is that half the IP addresses on the internet have had bot traffic at one point or another, often at the same time as they have legitimate traffic.

Yes, I suspect Google has a pretty good idea of what IPs are in botnets. I used to work on detecting fraud traffic at an adtech startup and the impressions we got through Google tended not to include the botnets I could identify coming through other ad networks. (Granted, this was near the beginning of last decade and it's a constantly-evolving cat-and-mouse game.)
> We hear a lot about the potential for sabotage, it’s extremely rare in practice, and we have built some safeguards in place to prevent sabotage from succeeding

This wouldn't ring so hollow if Google didn't have such a reputation for blindly automating fraud detection. I seriously doubt it is actually possible to differentiate the two. The fraudulent activity that is visible to Google is the same regardless of the intention of the client that paid for it, be it a beneficiary or an adversary. Any signal that is deemed fraud by Google can eventually be simulated by an adversary.

Jesus so how do you protect yourself against something like this?
Don't use Adsense for revenue.
What about other ad networks?
Maybe. The problem with ad networks is they don't pay well. Google is probably the best but still it's a pittance.

I think the sweetspot for adsense is a site will millions of visitors who are not targeted for anything so adsense individually targets them for you.

But if you have a site that is niche then you are better off finding a direct advertiser who will pay you more, and neither of you have to worry about getting banned or quality scores or all of that shit.

I've often suspected that some of the egregiously fake 5 star reviews I see on Amazon are really an attempt to get some seller banned.
How do other ad networks deal with this?

Eg: Carbon, AdThrive, MediaVine, etc.

I 100% don't trust that Google can handle this situation. I actually hope that this practice increases drastically so that Google will be forced to do something about this. Because right now, Google will just ignore the problem and let small publishers and ad purchasers suffer. There is no real customer support so it will happen little by little and nothing will change. Google needs a swift, firm kick in the ass to fix this otherwise they will ignore it completely.
(comment deleted)
They could just stop serving to small publishers and purchasers? Would that make you happy?
No, they should be regulated.
I can't agree more. Google has some of the crappiest support around. A few lawsuits and some really bad publicity might make them change their tune.
> A few lawsuits and some really bad publicity might make them change their tune.

I'm not sure about that. Google's crappy support is deeply, deeply embedded in their culture -- for all the benefits, it's one of the downsides of their PhD-heavy, engineering-first mentality, because engineers and academics loathe dealing with people, and to the extent that it's necessary for some system, regard that as a sign that system was improperly designed.

Google would need a major culture shift to start having good support, and unfortunately it's the exact kind of culture shift that would anger and alienate a lot of Googlers. Don't count on this changing anytime soon.

That's one lousy excuse for a corporation like Google. This has nothing to do with them being PhD-heavy or engineering-first? (what engineering-first are you referring to btw?) The reason for this is the nature of their business. It's a calculated decision by them in terms of how much is worth spending on support without taking an actual hit to their margins.
"A few lawsuits" is an so much an understatement that it might as well be a lie. You'd need one out of every few (13.75) people in the USA to successfully bring a $5k lawsuit against Google to reduce them from highly profitable to break-even. Lawsuits and bad publicity only matter if they're more costly than ignoring the problem.

If the company in the article successfully sued for the $5,000 they were being extorted over that wouldn't even matter. A few of those lawsuits wouldn't matter. A few thousand of those lawsuits wouldn't even matter.

The European Commission last year issued a massive lawsuit against Google Adsense of $1.6 billion [1]. Google marked that EC fine down in its SEC filings on page 86 of their 10-K [2]. European Commission fees constitute an effective tax of 1.0% in 2019, which they add to various other factors for a total tax rate of 13.3%. Page 89 shows that Google revenue was $160B, while expenses were $40B.

Google isn't moral, they don't see this fine as a mistake to be learned from. It's an operating expense. They won't change their tune unless it's more profitable to do so.

[1]: https://ec.europa.eu/commission/presscorner/detail/en/IP_19_...

[2]: https://abc.xyz/investor/static/pdf/20200204_alphabet_10K.pd...

You don't need to sue Google enough to completely eat up their profits, you just need to sue them enough that it becomes cheaper for them to staff a better customer service department.
Google isn't moral, they don't see this fine as a mistake to be learned from. It's an operating expense. They won't change their tune

We the community can fix this. Stop inviting Googlers to parties. Don’t go to their talks at conferences. Throw their resumes in the bin. Only when they know their behaviour is unacceptable will they start to get it.

You're missing my point completely.

When the complex system of people and laws and org charts and incentives and procedures that is the organism known as Google makes a decision, whether or not a particular decision is virtuous or not is insignificant.

Even if it was, trying to change their behavior through occasional social interaction is as unlikely to make Google provide good customer service as brushing your teeth without water is unlikely to fix California central valley aquifer depletion. There's a system that rewards Google with billions of dollars and a system that sprays water into the desert that you're fighting against. Ignoring that system, and advocating that people pour emotional effort into ineffective responses, is so unhelpful as to be counterproductive.

It’d be nice if the anti trust people in the US looked into this as a factor. Anti consumer behaviour, not even non-customers as the usual case, but their own customers are being exploited by their monopolistic hold on ad publishers.
and incentives and procedures that is the organism known as Google makes a decision, whether or not a particular decision is virtuous or not is insignificant.

True but you can influence an organism by influencing its cells too. Think global, act local.

Individual contributors at Google are not making these decisions. It's the CEO and upper management that decide not to fund customer support teams and to adopt morally dubious policies.
The individual contributors are part of it though. If they walk and cannot be replaced, policies have to change. They are pretty much the best pressure point there is to get Google to move on something if you're not representing a large amount of shares.
> Walk and cannot be replaced

We live in a world where 99.9999999999999% of people are completely replaceable. Specially for a trillion dollar company.

Unfortunately that stance is naive in my opinion.

Sure, but if you subscribe to the idea that Google is hiring "the best and the brightest" and couldn't pull off a lot of the hard tech if they just had five times the number of average CS majors, that situation changes very quickly, because the pool of people to replace them from shrinks dramatically.

It's not that they couldn't replace them, it's just a lot cheaper to change some policies. If you're threatened with half your R&D staff walking out over some project in China, how hard is that decision, really?

Imho, the problem is that Googlers are paid a lot of money to not care, and that works pretty well.

yeah. bullets are mort apt than fines to change people behavior. bank notes do not protect from bullets.
Google isn't moral, they don't see this fine as a mistake to be learned from. It's an operating expense. They won't change their tune unless it's more profitable to do so.

This is exactly how Microsoft grew evil.

What I'm seeing is industry is doing the same thing to them that they did to Intel. Encapsulate them in a cyst like the body does to a parasitic worm. Basically all of their non ad ventures will fail due customers reflexively choosing their competitors products. Just like no one will pick Intel as a vendor outside of their core products.
I think the part of „Google will just ignore the problem“ is exactly what the scammers are counting on - knowing that their victims as well expect to be ignored.
I agree. Google needs a formal, transparent process to dispute bans and investigate incidents. It hurts small publishers when their idiot machine learning algorithms issue bans with no recourse of action.

I once had a location-based file sharing website banned by Google -- all Chrome browsers would pop up a warning. It actually potentially could have been monetized but I lost all the users due to Google's unexplained ban.

I'm a pretty libertarian minded guy and I generally think the federal government is too big and bloated, but this is exactly where they are needed. They need to start throwing their weight at Google and telling them if they don't start reigning in this kind of shit, they're going to get regulated to high hell then broken up.

Google has shown time and again they do not care. I don't even know if they employ human support reps, I've never actually spoken to anyone who represents google other than recruiters.

Also libertarian minded....have you considered that in a natural state, businesses this large would be very hard to maintain? The fundamental business structure we have today is based around a government-sanctioned "personhood".

If you could strip this away, there would be no corporate veil, and you could sue the person who failed to act (or whom acted wrongly) and did you wrong. Think of bankers at Wells Fargo creating false accounts in customer names...hire investigator or do your own, sue, discover, repeat...there would be MUCH MORE downside to bad behavior, even if the upside is there.

I think personally that organizations like GORE would exist, and who knows what else might emerge...more co-ops?

Of course this does require 3rd-party alternate court systems (maybe like cert issuers, but held to the same liability standard above?)...our current system cannot handle this, so it may be largely academic thoughts.

I've thought about how little risk people have doing business, but how much risk customers and the environment take by LLC licenses.

Or how inflation forces people to grow at whatever expense/ethics necessary. Our 401ks have unethical companies getting pumped because tax advantages and monetary policy.

I wonder if the free market would be safer and more conservative.

If you can be sued into oblivion for even starting a business, who would try? The corporate veil is intended to help the little guy.
If you're doing oblivion-dollars damage to someone, why shouldn't you be accountable. Otherwise you're just making society pay the cost.
Between 36% and 53% of small businesses get sued every year according to this article: https://www.google.com/amp/s/www.forbes.com/sites/basharubin...

If suits only happened when businesses actually did something that truly did damage to society, then I'd agree. But reality is far from this.

Lawsuits are part of doing business, just like taxes and accounting.
Until recently doctors and auditors weren't allowed to be limited-liability companies. There was still a ready supply of people willing to run those businesses as partnerships, with personal liability. There were good and bad firms, just not megascale conglomerates. The "liberalisation" of those rules didn't help the little guy, just the opposite: auditing became concentrated in a handful of giant companies, and quality predictably declined.
> have you considered that in a natural state

a natural state would not have technology.

I would also tend to be libertarian if technology didn't exist. Technology changes the game:

- you can process millions of transactions a minute without a bottle neck from humans

- you can produce plastic, and lots of it

- you can migrate hundreds of thousand of human around the world, which would normally be an invasion

- you can destroy the environment (not so easy without technology)

- you can addict an entire generation of humans to a device (video games, porn, social media)

Without technology there is only so much a person or organization can do.

So, you're a libertarian right up to the point where your libertarian principles matter, and then you're just like everybody else.

The reason why the government is so 'big and bloated' is that your cut-off point for state intervention is >> than someone else who is less fortunate in the lottery of life. Think about that for a minute or two: would you be just as libertarian if you were say a single mom with three kids?

I try to stay apolitical on boards that I want to see nerd stuff on but if you're going to essentially invoke Rawls veil then please explain why policy based on that way of thinking tends to produce worse outcomes than intended or in the case of things like abortion simply cannot be resolved philosophically without resorting to stupidly broken arguments anyone can see through.

I'm a big empathy fan but defending the growth of state power on grounds of being shorted in the lottery of life pretty much always leads to more abuse and only temporary mitigation of suffering. Not to mention the fans of big government tend to be like alleged anti-violence people. They always seem to be fine with big government and using violence as long as it serves what they think is right. Then those same people either freak out on dirty cops and prosecutors or look the other way if those dirty cops and prosecutors are targeting people they hate.

We are so far from a free market state that any invocation of libertarian bent rings kind of hollow. The game is rigged and the safety net exists in one form or another in most places that would allow one the opportunity to post on a website instead looking after their basic survival. The issue now is not the lottery the issue now is trying to fix all the broken things that were allegedly created to help alleviate the effects of the lottery.

So, feel free to invoke 'principles' while banging on those more inclined to want liberty than safety but as someone who worked their way up from a worse start than just having a single mom the last thing I trust are people inclined to social engineering "looking out for me".

So because you made it despite the odds everyone else has to live or die in a Mad Max free-for-all?
That’s not how anything actually works in the real world though.

The arguments against libertarians are almost always some absolutist interpretation of some anarchist movie is world or worse Somalia which has tons of tribal systems, failed states (which includes a fair judicial system and enforcement of the law which markets absolutely depend on) and very little developed capitalist industries.

In reality most libertarians want a smaller government than is currently in place, they don’t want zero government. They most certainly don’t want an unstable state without centralize state run courts or law enforcement (outside of a very tiny extremist minority, a far smaller minority in the world than those who want actual vanguard communism again).

I’m a pragmatic libertarian leaning person which means that being realistic means compromise that some industry just simply makes more sense (as the amount of trouble it would cause to be market based via uncontrollable externalities). You could even factor in the amount of natural political meddling like we see in the US healthcare markets, which creates fake pseudo markets that provide few of the benefits of a real market where a single centralized public insurance option may actually be the least evil option, since the alternative has long ago become unrealistic. But that said I’d go as far as up to 50%+ up industry intervention and pro-social projects (ie helping the poor) are actually making things worse off overall had they not existed at all.

Thomas Sowell has written some great books documenting hundreds of cases of gov intervention coming with good intentions that have backfired (ie. rent control in Toronto and NYC in the 70s and 80s which dramatically reduced the supply of new low income development because no one wanted to build with rent control when they could build somewhere else).

I recommend “Wealth, Poverty, and Politics” by Sowell as a starter.

For other examples of failures of gov run central industry making them worse off than before I highly recommend reading the Venezuela economy Wikipedia about all the stuff they did after declaring capitalism is old and dead, creating mass starvation and unnecessary poverty in what could have been the most successful country in South America. Meanwhile countries like South Korea, Taiwan, Singapore, and Hong Kong adopted markets after having large state run industry and dramatically increased the wealth of their entire country in a short few decades.

I 100% agree that there are horribly misguided policies pushed by many progressives that do more harm than good. An overly aggressive minimum wage would be devastating to underskilled or undervalued workers. Rent control is a disaster. Markets are an amazing tool, and few things are more dangerous than a bleeding heart progressive that doesn't understand markets.

But I believe markets are just one tool that a wise society employs to create a prosperous world where everyone has the basic necessities and access to resources to allow them to flourish.

Honestly, it sounds like you and I aren't too far apart.

LOL! An urban elitist dilettante who feels they are better than everyone just lost their mask of moral superiority for a second there. Is this the same urbanite who has previously mentioned nuanced conversation in other posts? Never mind, as there is no sport as easy as making fun of the hypocrisy of the hard core leftist statist.

So, let me make this simple then if you want simple. You support aggressive wealth and income distribution. I do not. I believe those who earn things should keep most of what they have earned. So, if it's between Harrison Bergeron or Mad Max then let's get in the thunderdome.

"Libertarian" is a very broad label. Even more so when you consider left libertarianism, which people usually forget.

But, in any case, many libertarians are in favor of UBI, for example - the whole point of which is to solve the "lottery" problem without creating a bureaucratic monstrosity that is means-tested welfare.

This is what I don't get. If I was running a company and the gov't started sniffing around looking to rein me in, I'd be doing it myself.

If you wait until the gov't get involved, it's going to be a much more painful, slow, bureaucratic process and you'll probably end up in a far worse position than if you just self-corrected in the first place.

A good example are drug prices. If drug companies were smart, they'd find a compromise. If they wait for Washington to do, they're really not going to like the solution.

Isn't it mainly about short-term vs long-term gain? Self-correcting would most likely mean long-term gains, but I'm guessing it is more cost-efficient to wait for government to do something about it, while paying lobbyist to manage things on that side.
It's probably even more profitable to invest in lobbying and prevent the government from ever doing anything meaningful to them in the first place.

The problem with the assumption that governments can do something is that it relies on the notion that they are independent from the businesses. That's most certainly not the case today. Representatives have a lot more interest in keeping Google happy than their constituents.

I'm wondering from a theoretical perspective how large does a company need to be to effectively challenge the government? I know the USA government is a huge employer and holds vast quantities of stuff, but how large does a company have to get to compete with that? Is it the same size, is it only 50% of the size, is it something even smaller?

At what point in relative size is a company too large for the government to handle and the government has to go to war with it in order to keep power?

What do you mean by effectively challenge the government? Corporations challenge the government all the time. The power of the government is constrained by the constitution, and corporations have been recognized as having certain rights. The government does have the nuclear option though. Alphabet only exists because it was granted a corporate charter by the government in whatever state they incorporated in. The state can revoke its charter and the government can force them to liquidate their assets. It used to be a fairly common practice and still happens quite a bit too smaller corporations.
What I mean is how big does an organisation have to get to effectively challenge the sovereignty of the government. How big does it have to get (relative to the government size) that (threatening to or actually) revoking its charter won't mean anything because so many people are tied up in the corporation that it can just exert its own authority.

I.e. Is there a theoretical size in which the corporation (or effectively any other organisation) can just say "no" to the government?

I don't think any company of any size could just say no. No corporation has enough power to stand up to the government if the government is determined. They do have a lot of soft power to keep things from getting to that point. They can spend a lot of money to influence politicians and the public and apply pressure to the government to back down. Walmart, for example, has ~2.2 million employees. Even if Walmart did something egregious enough to have their charter revoked would you want to be the governor of the state that has to tell those 2.2 million people they don't have jobs tomorrow? Not to mention the enormous ripple effects that would have through the economy. I've seen a lot of people argue that what the banks did during the lead up to the financial crisis was egregious enough to warrant the corporate death penalty, but those institutions were so critical to the economy that they couldn't be shut down. So, in a sense, there are already quite a few companies that are too large for the government to effectively exercise it's power over.

I don't think there is a set number though. It probably depends a lot more on what the business does and how central it is to the health of the economy. It's the "too big to fail" debate, and at various times in the recent past, we have determined several automakers and financial institutions to fall into that category. I think if you are too big for the government to let you fail, you are too big for the government to try to shut you down.

I think as well as several app developers using the AdMob sdk have been a victim of similar practice by malicious parties. 3 years ago, google suspended my admob account for fake activity even though I have never ever clicked on the ads nor did I use anything other than the test ad on my devices. This has happened to several developers and google doesn’t want to help. Back then, I got a 30 day suspension but since then, I have completely stopped using ads and solely rely on in app purchases. It’s less money but it’s at least reliable.
(comment deleted)
If the entire third party ad supplier web blew up tomorrow nothing of value would be loss.
There seems to be an easy fix for this on Google's end. When their automated systems see fraudulent activity on a site, instead of banning it entirely, they can peg their future revenue to their historical revenue.

This way, malicious publishers will have significantly limited incentive to engage in such behavior. In the short-term, their upside is heavily limited. And in the long-term, they risk being caught and banned.

And at the same time, malicious blackmailers will also lose most of their leverage, like in the example given above. Even if the victim doesn't pay up, their income stream still remains mostly stable. And meanwhile, the attacker is spending a ton of resources on generating fake traffic that isn't earning them any money. This will eventually lead to the "business model" going extinct, which in itself solves the problem as well.