380 comments

[ 3.3 ms ] story [ 302 ms ] thread
Has anyone else analyzed their referrals and also seen a significant proportion of bots?
I've run a significant amount of traffic with Facebook Ads and never saw click fraud anywhere close to these kinds of numbers. By estimates it was somewhere between 3-5%, which is pretty typical across major ad networks.

It's also worth noting that Facebook has given refunds for click fraud in the past. That is if you can actually get a hold of someone in support who will talk to you, which isn't easy.

Yes but only in certain US demographics. Most of these bots are ad scrapers/landing page scrapers run by people gathering and stealing the ads/landing pages of their competition. Facebook has known about the problem for a while (years), and have gone so far as to ban some accounts that the scrapers were running out of, but lately it seems the scrapers have been given free reign.

This is not a case of Facebook using bots to deliberately drive up ad spending. It's merely scummy internet marketers at work, with Facebook failing to detect and prevent them. The phenomenon is mostly present in the US 18-30 male demographic (where all the dating ads are, and where creatives can make or break you).

"We built a page logger. Any time a page was loaded, we'd keep track of it. You know what we found? The 80% of clicks we were paying for were from bots."

How do you tell if it's a bot? Just by user-agent string or repeated slamming by IP address, or is there some other technique?

The main technique is to notice a pattern that is only explainable by bot activity.

Generally speaking, in addition to the patterns you mentioned (invalid user-agent strings, rapid succession of same-IP access) there are also other patterns, such as failure to load referenced CSS or image files, or 100% failure on Captcha challenges.

"failure to load referenced CSS or image files" -- is there a way for bots (in particular, mechanize in perl/python) to also download those files?

"100% failure on Captcha challenges" -- are captchas generally deployed on click-through ads?

"failure to load referenced CSS or image files" -- is there a way for bots (in particular, mechanize in perl/python) to also download those files?

Very much so, after all your browser does without you having to tell it to do so. It all depends on whether the hassle is worth it for the bot writer.

Of course they could -- all they need to do is parse the HTML, look for the img and link and other tags, and then request the URL. If they were trying to act more like a browser, they would. If they are just trying to click ads, they wouldn't.
> "100% failure on Captcha challenges" -- are captchas generally deployed on click-through ads?

Cloudflare has a mode (used in general for DDOS protection) which you can turn on and get stats on how many users pass a Captcha test.

> "failure to load referenced CSS or image files" -- is there a way for bots (in particular, mechanize in perl/python) to also download those files?

Use http://phantomjs.org/ and the page will loaded by webkit.

Using Captcha on an ad landing page to determine whether someone is bot seems like a bad idea. It would almost certainly increase the bounce rate on that page and you couldn't just say that people who didn't choose fill out the captcha were bots.
> is there a way for bots (in particular, mechanize in perl/python) to also download those files?

The point was mostly that if it is not downloaded, then it's a bot (or any non-browser getter, at least), not that it's not a bot if it does.

Or maybe you were asking for a way to avoid bot detection ? :)

Most likely a combination. In addition to analyzing the user's navigational path, exit points, IP ranges, etc...
They said that for 80% of their clicks , Javascript was off. Now there will be plenty of users who have disabled Javascript but nowhere near 80%.

Although they stated they built their own analytics software, so there's also a chance that it wasn't working as they thought it was.

Furthermore, facebook users in specific I would say have javascript enabled, even though its possible to control per site, I would assume most facebook users would not be aware how it works - and facebook without javascript seems rather impossible or at least, very discomforting.
How do you tell if it's a bot? Just by user-agent string or repeated slamming by IP address, or is there some other technique?

A combination of things. Off the top of my head:

* IP address ranges. Are they all from, e.g., EC2 instances?

* Are images and other content (e.g. CSS) linked from the page loaded? How long does the client take to do so? Are other pages being viewed in line with what you've seen from other users?

* What combinations of user agents are you seeing?

* What's in the headers being sent by the browser? Any foreign language support, or oddities when it comes to not accepting compressed content? Is the referer header always the same? Does it always vary?

* Do you see "normal" user behaviour that indicates activity such as clicking the back button, then clicking the ad again a few seconds later once their brain has kicked in? (nb: not sure if this is possible for Facebook with the way their site works).

* Are there any patterns in the page access times? Is there anything to indicate a cron job is kicking off once an hour at the same time?

Is there a single tool that can take access/error logs and compile these stats? This sounds like something relatively useful ...
If not, it sounds like a great place to use ML/classification algorithms.
From the article it would appear that their definition of a bot is a client with JavaScript disabled
"So we did what any good developers would do. We built our own analytic software. Here's what we found: on about 80% of the clicks Facebook was charging us for, JavaScript wasn't on."

Later:

"So we did what any good developers would do. We built a page logger. Any time a page was loaded, we'd keep track of it. You know what we found? The 80% of clicks we were paying for were from bots. That's correct. Bots were loading pages and driving up our advertising costs"

I think they use a different definition of bot. Otherwise they wouldn't have to use a second logger ...

Wow, even if this is a little true the implications are big.

Is this similar, or related to other ad space inflation? I'm reminded of Google (and others)(1) sending out free $75 adwords coupons to easily allow the costs of bids to inflate since it's not my own real money (thereby increasing the percentage of real cash being made on the ads)?

(1)Edited and clarified

How come, everytime some company does (or seems to be doing) something shady, there is always a bunch of people like this saying "not as bad as Y doing something else that might or might not be true or related". This is not middle school anymore, pointing the finger at other kids is not proper discussion ...
Raising awareness isn't necessarily bad, even though its off topic.
Because unfortunately logical reasoning and argument construction are not educational targets for most people. :(
If genuinely curious: I'm drawing a direct comparison of the potential inflation of ad costs in one playground (google) with another (facebook) through both common and unique means. Another common issue to both is click fraud and it's effects on the said cost of ads. My mistake for assuming this was obvious and known.

The relevance of such a comparison? It's not a one off, as uncommon as we think. Has nothing to do with pointing fingers.

Didn't mean to come across as off topic. To me, if someone upstream and in the past was doing this, chances are it might happen later in time downstream too, and there might be something to see in the forest instead of pointing at one tree or another.

Unless you're buying ads for popular affiliate stuff, handing new AdWord users $75 in credit doesn't have much of an effect (other than some percentage of those users going on to spend real money). I have gotten similar offers from Facebook, Twitter, Bing and a lot of othe advertising companies.
Yeah, lots send it out, but how many end up using them is relative to how big of a player in search (and search related advertising) the player is.

I've used Google coupons, none with anyone else that I can remember. I also spent ads on google way before any other system and remember the 10 cent clicks going up to $1.00 for not much more traffic.

I wish their post was a bit more technical. Show us the code you used to detect javascript, how did the analytics work? Did they test their code by using their own browser to click an ad and see if the code detected javascript, or their hit in the analytic software?

More technical info and data would be nice!

While that would have been interesting to me as well, I think the post was meant for their actual users, to explain why they are moving away from FB. Technical details would have been an unnecessary distraction for their intended audience.

Maybe if they have any employees who follow HN, someone would share more light on the technicals?

I didn't know Facebook charges businesses for changing the name of Facebook Page. Is this a well known fact?
According to the FAQ, one cannot change the name of the page once it is set. This can be a real problem that I run into quite a few times, even with a couple of small pages, and even more as every website that has "like this page on facebook" has an automatic facebook page, where the name is determined by them, automatically, once, by the <title> element at that time. Talk about stupid.

Anyways, I don't mind since I'm a small fish, but the longer this goes on, the more it will (hopefully, i might say) blow up into their face(book).

Why not open a new page, and delete all content (but a link to the new page) off the old page?
You lose all your Likes.
Which is presumably why this is a policy in the first place...
Facebook allows advertisers to target friends of users who liked your page. They probably restrict name changes so users associated with a page don't get blind-sided if the company radically changes its product or service.
The only well known fact when dealing with Facebook is that if you want to manipulate their documented rules you need to either have deep pockets or a lot of influence.
(comment deleted)
We tried to change the name of our page from "Hit Tennis 2" to "Hit Tennis". (After releasing Hit Tennis 3, we realized a per version FB page was silly.) We were asked to explain the change and it was denied (as I recall they said it could lead to user confusion). I thought that was a bit picky, but I understand the position of being careful of changing their likes our from underneath users. No mention of having to pay to get our name changed.
Your name becomes locked after 200 likes: https://www.facebook.com/help/?faq=271607792873806

For the username, everyone (including users) is allowed one name change.

Presumably, Facebook can bypass these seemingly arbitrary limitations, but will essentially charge you for the right to do so (by requiring you to have purchased a certain amount of advertising with them).

This seems pretty reasonable, as the potential for abuse for arbitrary name changes is very high.
But at the same time is very normal a change of name, because companies adquires other companies, products can change the name too[1], etc... The Facebook page is supposedly owned by the creator, not Facebook and if a change of the name is needed, IMO it does not make sense to try to charge money from it.

I'm with you that F must have some restrictions on name change, but it does not seem reasonable to charge money for it.

[1] Imagine a page called "Sun Microsystems - Java" before being buyed by Oracle with a fer thousands fans. I'm sure a hight percent of the fans would not care of have a name change to "Oracle - Java" for example.

They said they would allow us to change our name. NICE! But only if we agreed to spend $2000 or more in advertising a month.

Well, apparently there is an exception from this rule. Obviously there is a huge potential for abuse when changing name of a page that has plenty of users. However, allowing only the "money making" pages to do so is a bit of an unfair move in my opinion. Reasonable but unfair.

I wonder if this situation will escalate and fb will publish some explanation. Nevertheless, it is still hard to believe for me that a company with such value would fake clicks at all or in a way that is easy to detect.

What benefit could a 3rd party conceivably get out of faking clicks on Facebook ads? Is there a rev share at all with publishers, like with adsense?
Driving up costs for competitors?
Tons! Charge their competitors to run out of budget and/or give up advertising on FB.

A lot of people also have bots to see who/what is advertising on FB to see what is working, what ad text people are trying, etc. Mostly aff marketers trying to stay ahead of the game. There are also SaaS companies scraping ads and landing pages and selling that data.

I'm sure there are other reasons as well...

>But let's move on, because who the bots belong to isn't provable.

I'd love to see someone try and find out though. Any IP doing automated requests of that nature is fair game for a bit of probing IMO.

Take this with a grain of salt. The "company" has 400 likes. Not exactly GM leaving Facebook (and then quietly returning to Facebook).
They are talking about ads, not "likes".
I think he didn't imply that. Obviously a company with 400 likes is not a big player in the Facebook ad space, it was just a measure of popularity.

Obviously the news here is not the loss of business for Facebook, but the fact that a click scam was taking place (if true).

Because they are not related. You can use them just as you would with Google Adsense. Obviously you can get a lot of free advertisement and edorsement with having people "like" you on Facebook, but that is beside of the point.

And the click scam, if true, will take away the only way for Facebook to monetize the product. Marketers are not stupid, things like this spread like wildfire.

I don't see what their number of likes has to do with bots clicking on their ads.

If true, Facebook should really have anti-fraud measures in place for this kind of thing already, and if they don't, the size of the company in question has no relevance to that.

Facebook is relatively new to the advertising game and probably doesn't have the sort of experience that Google, MSN and Yahoo have in dealing with the immense amount of click fraud out there.

Worked 3 years in online advertising, dealing with billions of impressions and millions of clicks daily. 80% fraud rate isn't unsurprising, probably is actually higher. Most mature ad networks can easily filter and reject a substantial portion of the fraud, or at least not bill the client for it.

The huge market represented by the "long tail" of small companies is the reason FB is valued so highly. It is (supposedly) much bigger than the GMs of the world.
Would be nice to see some actual numbers. If "80% of clicks" is only eight clicks then the OP's post doesn't carry much weight.
The other thing to keep in mind is if their page has any "accelerated fans" (read : purchased bot page likes), any time they promote a post, they would be promoting to the same bots that liked the page in the first place.

No accusations, but, just food for thought.

I don't really know how purchased page likes work, but why would that matter? Bots / fake accounts used to generate likes have no reason to keep running and click on ads?
We dropped the Google Display Network about a year back out of very heavy suspicion of bot malfeasance... lots of clicks from frivolous, consumer-oriented, no-name sites with obviously nothing to do with our somewhat technical, LDAP-focused product.
Could it just be a badly written search spider? The ad is simply an anchor tag around an image. If you didn't filter it out specifically, you would just "click" it to get to another page.
I was thinking about it too... but then again why don't we hear the same complain from other advertisers?
I didn't write an own analytic program but can confirm that 80% of clicks from my Facebook ads don't show up on my GoSquared dashboard.
When you build an advertisement network, you end up spending a bunch of time figuring out how to isolate these fake clicks and verify that they are not real. As an example, the IP addresses running the bots are going to be clicking "way too many ads to be a human".
Possibly, but aren't these ads only shown to logged in users?
If FB is not smart enough to discern curl/wget/whatever_crawler_socket_call used from genuine in browser click then the argument is already won. Hell, you could write an army of Selenium Firefox/Chrome bots to drive up costs of ad competitors, randomise the host machines, etc... but it's still hard to believe that FB anti fraud measures can't figure it out.

To me, something is off, whether with FB or these guys.

If FB is not smart enough to discern curl/wget/whatever_crawler_socket_call used from genuine in browser click then the argument is already won. Hell, you could write an army of Selenium Firefox/Chrome bots to drive up costs of ad competitors, randomise the host machines, etc... but it's still hard to believe that FB anti fraud measures can't figure it out.

To me, something is off, whether with FB or these guys.

Please explain to me why a bot would click on ads? (if anyone knows)

Is it crawlers crawling Facebook? Are they alleging that facebook is doing it to boost revenues?

Their hypothesis seems secure, given that you can't really use the facebook site at all without javascript enabled.

More alarming is Facebook holding their name for ransom for the sum of $24,000 a year!

Possibly other advertisers trying to push competitors away from facebook so BigDickPillz Inc can have it all to themselves?
Yes. This used to happen a lot on ad networks, although I personally don't know how pervasive it is now.

The game is as jiggy said. Force competing ad buyers to pay for what appears to be non-productive traffic by forcing ad clicks. Since the real views are dominated by false views, the conversion rate on whatever is being sold appears to be horrible. The competitor goes elsewhere, and the scammer maintains access to artificially cheap ad inventory, since there are fewer bidders.

How does Google prevent this? Is it simply inherently not-problematic, due to their spread of advertising?
Overall it's hard to say whether google wins or loses overall by this. In absence of a real competitor in the search ad space, people generally will swallow google's fee hikes ...
It's a cat and mouse game. Google gets good at it; scammers get more sophisticated; google catches up again; ad infinitum. Also, in addition to the scam mentioned above -- in Google's case, targeting AdWords -- they have to deal with scammers hitting their own AdSense properties.

It's a well known problem. Considering AdWords is Google's primary source of revenue, they work hard at it. For a tiny bit more directly from Google, see: http://support.google.com/adwords/bin/answer.py?hl=en&an...

As pathdependant said, this is a very common shady tactic in the ad business. You drive up your competitors costs with bots in order to drive them away from your keywords or make them think their conversions on those keywords are awful and then abandon them.

By far the most likely explanation in my opinion. Even if it's not the correct one, some of the traffic is almost certainly these kinds of bots.

The biggest conspiracy theory would say that a bot clicking ads would help earn FB money.

I don't really suspect this to be true, Facebook CTR are incredibly low so if they are faking it they are doing it badly.

I suspect the most likely reason is some sort of spam scraper thing that visits every url or something. I would have assumed Facebook would be well protected against this sort of thing in regards to charging advertisers.

Facebook does analytics...they aren't some tiny startup...surely they track the quality of their traffic...so they know that 70-80% of their ad traffic comes from bots.

So Facebook is knowingly profiting from this, and they have the resources to fix this...but they don't since this is making so much money for them.

FB does not need do that shady stuff. Here some facts.

[1] Bot registration on FB is really easy. If you try register 100 fake users in direct way you need to deal with javascript and web forms with strange ids, cookies and so on in your script. But if you enter fb.com without enabled javascript, they ask you change browser or use mobile version, which is not require* js at all.

[2] You can register number of accounts from one ip without CAPTCHA

[3] Only one "difficulty" is to find batch of emails, it is not that big issue since we have services like mailinator.com.

So 15 -25 loc script on python do all your job. It is not required use any tools like selenium or special skills , only basic understanding how http get/post works.

Why fb doing all this super easy bot registration stuff? I think we all know why.

Edit: spelling. Sorry non native English speaker here

You seem knowledgeable. What is the main purpose of bots on facebook?

The article implies they could be used by facebook or competitors to burn up ad revenue, but this approach would just kill the golden pay-per-click goose.

I think reasons is pretty strait forward:

[1] You can win a bunch of contests, competitions like those who have lot of likes can win iphone or other tech.

[2] You can sell likes.. just google and you will see, there are alot of places where you can buy it.

[3] Manipulation of public opinion.

Edit:

From FB side:

[1] they still have growth of users

[2] more bots == more clicks, more likes more FB value "on paper", more revenue

[3] and when they stabilize their market value they can easily kill those bots, just require them activation by phone.

vk.com Russian social network, had same issues, but they enabled phone activation for averybody and its not that easy to buy a lot of phone numbers in Russia, but some hackers just pay to vk.com admins...

Edit2: spelling

Thank you for that. This is the real story here, IMO.
The OP says that they are not accusing FB of using bots to drive up revenue.
They refused to overtly accuse them, but the subtext seem to argue exactly that.
Which is really taking things too far - if Facebook wanted to generate some revenue with bots then it wouldn't be very difficult for them to write ones that supported JavaScript.
That is true, but Facebook's reputation would suffer seriously if they were ever caught.

What they (Facebook) are doing now seems to be some version of DADT (Don't Ask, Don't Tell).

I don't think so, there's lots of reasons that would be a stupid idea for Facebook. But there's clearly something shady going on, and Facebook is being dicks to them in other ways, so they're out. That's the subtext.
They end the bot section with "But let's move on, because who the bots belong to isn't provable." after saying that they weren't accusing Facebook of running the bots. The subtext is screaming out.

Does me pointing out the barely shrouded subtext mean that I believe what they are saying? Of course not. It's just as likely, it seems, that their test is simply flawed (as others said, let's see the technical honey trap), that it's some other technical fault, etc. I highly doubt, just on intuition, that Facebook is running such broken bots: Come on, they'd do a better job than make something so easily detected.

It would be outrageous for FB to run the bots themselves. There's two other issues that are more realistic and unfortunately not so great for FB: they're aware of the bots and ignoring them in favor of the ad revenue or they're just becoming aware of the bots and will implement some fix which could result in a substantial decrease in ad revenue. Good to keep in mind that OP's 80% is just one data point and may not be accurate.
I actually think they were trying to say something strange is going on, which I think is pretty obvious given their stats, and that they have no idea who's doing it or why, partially because Facebook can't be bothered to look into it or at least get back to them about it.

That to me sounds like FB is aware of the issue and isn't interested in discussing it. That's the subtext imo.

My own suspicion would be because someone is gaming their ads and they haven't been able to prevent it as of yet, and not because they themselves are gaming the numbers. No doubt they believe that discussing it is tacit admission that they haven't been able to prevent it, which is bad for business.

I see what you're saying, it just isn't very hard for me to take them at their word: They're not claiming that it's Facebook, not out of some sense of propriety, but because they don't have any evidence that it is. It could be anyone.

And it doesn't matter who it is, because they're leaving for a different reason: Facebook never returns their calls unless it's with an offer of extortion.

While I doubt malicious intent on FB's part there's certainly a financial incentive to ignore this problem. How would their earnings reports change if they stopped charging at least some advertisers for 80% of clicks?
It would be a very, very short term financial incentive.

Advertisers monitor to see performance on the other end, and when the campaigns don't yield actual success they move on.

The only real exception to this are mega-brands that advertise just to build namespace. Everyone else expects direct action from some hefty percentage of their ads.

Are you saying it's short term because advertisers would notice? Sure some advertisers would notice. However I doubt the majority are capable of performing the OP's analysis (which could use some scrutiny).

Imagine a 100 person company with 5 people dedicated to advertising. Leadership says to increase on-line presence. Some recent college grad on the advertising team buys FB ads. Next month leadership is pleased that they're advertising on Facebook. Also leadership is pleased that sales increased x%. The FB ads could be completely worthless. Some non-trivial percentage of clicks could be from bots and no one would notice.

You act as if "everyone else" sees results from FB ads. They don't. This is a well known problem. They have a high rate of adoption from new sign-ons, and also a high level of departure. While the first number is greater than the second number, they are ok. Either they will manage to improve value and keep more of the advertisers, or one day the Ponzi scheme implodes.
You act as if "everyone else" sees results from FB ads. They don't.

Most ads target a specific outcome: You buy a product, create an account, joining a mailing list, etc. Even the most technically incompetent advertisers establishes these fundamental metrics such that they can say "I spent $1,000,000 on Facebook ads and only got ten signups. I spent $1,000,000 on iAds ads and got ten million signups." That sort of thing.

I think Hanlon's Razor is appropriate here: Never attribute to malice that which is adequately explained by stupidity.
I don't think so; if anything, the subtext is merely arguing that Facebook isn't doing anything to stop the problem. Whether that is just as bad as running the botnet itself, that is another thing.

Assuming the problem is as bad as many are saying, I personally think it's fair to draw the same conclusion you have -- running and letting run a botnet is one and the same. It's costing other businesses money; it's too big for Facebook to be able to play dumb on the issue.

Bots might be operated by competitors to increase the cost of advertising for Limited Pressing. This is the most likely scenario, in my opinion. However, though rather unlikely, the bots could be affiliated with Facebook itself, as all of those extra clicks translate into lots of extra Facebook revenue.

That doesn't seem like a very sustainable strategy though.

Does anyone know what kind (if any) of anti-bot measures Facebook already has in place for paid advertising?

could be ad spy tools...they crawl around clicking ads and following them to the landing pages and then follow the landing pages to the offer being promoted. Allows affiliates and other advertisers to reverse engineer the competition
I'd like to see the actual data from this.

How much traffic are we talking about? Where were the bots coming from and how were they detected?

Copying the text just incase FB decides they don't like it

---

Hey everyone, we're going to be deleting our Facebook page in the next couple of weeks, but we wanted to explain why before we do. A couple months ago, when we were preparing to launch the new Limited Run, we started to experiment with Facebook ads. Unfortunately, while testing their ad system, we noticed some very strange things. Facebook was charging us for clicks, yet we could only verify about 20% of them actually showing up on our site. At first, we thought it was our analytics service. We tried signing up for a handful of other big name companies, and still, we couldn't verify more than 15-20% of clicks. So we did what any good developers would do. We built our own analytic software. Here's what we found: on about 80% of the clicks Facebook was charging us for, JavaScript wasn't on. And if the person clicking the ad doesn't have JavaScript, it's very difficult for an analytics service to verify the click. What's important here is that in all of our years of experience, only about 1-2% of people coming to us have JavaScript disabled, not 80% like these clicks coming from Facebook. So we did what any good developers would do. We built a page logger. Any time a page was loaded, we'd keep track of it. You know what we found? The 80% of clicks we were paying for were from bots. That's correct. Bots were loading pages and driving up our advertising costs. So we tried contacting Facebook about this. Unfortunately, they wouldn't reply. Do we know who the bots belong too? No. Are we accusing Facebook of using bots to drive up advertising revenue. No. Is it strange? Yes. But let's move on, because who the bots belong to isn't provable.

While we were testing Facebook ads, we were also trying to get Facebook to let us change our name, because we're not Limited Pressing anymore. We contacted them on many occasions about this. Finally, we got a call from someone at Facebook. They said they would allow us to change our name. NICE! But only if we agreed to spend $2000 or more in advertising a month. That's correct. Facebook was holding our name hostage. So we did what any good hardcore kids would do. We cursed that piece of shit out! Damn we were so pissed. We still are. This is why we need to delete this page and move away from Facebook. They're scumbags and we just don't have the patience for scumbags.

Thanks to everyone who has supported this page and liked our posts. We really appreciate it. If you'd like to follow us on Twitter, where we don't get shaken down, you can do so here: http://twitter.com/limitedrun

Happend to us too!! we first thought kissmetrics was wrong, so we built a logger that logged server side requests and a client side code that executes on load of the landing page, and we found that 70% of the server side hits had javascript disabled(or that hit the page and left it before the js executed, which seems improbable for such a large number - 70%).
What user agent was reported by those hits? This is fascinating.
It was a few months ago and we've already deleted the db table, we are soon relaunching with a new campaign, so once I get the data again I'll post it here.
> (or that hit the page and left it before the js executed, which seems improbable for such a large number - 70%).

That's actually an interesting proposal-- 100% of the time when I click on an ad, I didn't mean to and I try to close it before it has a chance to annoy me.

Probably doesn't make sense on a large scale, but it's something to consider.

I agree that some users might close the page or hit the "back" button before the $(document).ready() happens, but I can't believe that 70% of the people did that(taking into account that our ad was really targeted and highly relevant to the landing page).
and then we find out drunk or stupid people accidentally click stuff.
drunk or stupid people probably won't click 'back' that quick.
If that is true and 70-80 percent hit the back button before the js files load, it still says a lot about the quality of the clicks from the perspective of someone considering advertising on FB...
To be fair, that pretty much matches what I've heard about Facebook's click quality.
so the net result would be the same.

Someone's grandmother miss-clicking and then mashing back is about as useful to the advertiser as a bot. conversions are where it's at. Poor quality traffic / bots / it's all the same. the advertiser quits paying

70% is a ratio ! The effective number may be small at the same time.
And here is a screenshot: http://i.imgur.com/4hu66.png
Here's ascii of the screenshot in case they censor your picture of text.

http://pastebin.com/raw.php?i=HHeY5nP1

(comment deleted)
Here's the MD5 of your ascii version of the screenshot of the blog post just in case: 14e34998a7bc46174bccd981ad5f41f6
I acknowledge receipt of the MD5 of the ASCII of the screenshot of the blog. Please acknowledge receipt of acknowledgement.
waiting, when screenshot will say "Mark Zuckerberg" likes this :-)
What happened? Is reddit offline again or something?
There is (subjectively) a marked deterioration of comment quality on front-page discussions in the past few days, I feel. I have also noticed that HN articles are getting linked on reddit more frequently (I use both networks, but for highly disparate purposes - gotta get those funny .gif's somewhere). No data supporting this but I fell it's a trend and I'm not liking it.
Few days? Try since forever. As people increase the SNR gets larger. Even on reddit when it started, it was heavily tech focused, you'll find a comment that says it's going downhill. Hard to say what the numbers on HN are like growth wise in comparison to reddit (which has their subscriber numbers on display).
I don't understand why you would post that here. Can you explain?
I didn't write an own analytic program but can confirm that 80% of clicks from my Facebook ads don't show up on my GoSquared dashboard.
you're not alone. I've heard similar stories from other businesses that have tried to advertise on FB. At first I thought they just didn't track properly, but it seems it's a widespread problem.
We built a page logger. Any time a page was loaded, we'd keep track of it.

They reinvented the access log? By hand? Are people really that detached from how servers work?

This is besides the point.
Is it though? It seems they spent a lot of time throwing more and more javascript at the problem until they realized they couldn't figure out what was happening. If they had real logging from the beginning, it would have unconfused them much sooner.
They were taking orthogonal measurements to see if the pattern would appear over and over. Also it sounds like each successive measurement technique was at a lower level than the previous technique. Sounds pretty thorough. I'd love to see some actual data though.
How would you use the access log to determine if client-side javascript was being executed?
Check if it's even being fetched for a start. Assuming it's not inline.
Browser-cache my friend. You'll need to poll the server on page load (or even better in this case, after you load the ad)
For the page in question, count total hits in the server access log and subtract total hits reported by the Javascript analytics software.
Use a javascript function to poll the server for something.
This could be a businessperson's interpretation of what happened.

Or they might have indeed reinvented it. Kids these days and their Heroku! Back in my day we'd process each HTTP request by hand. And we'd do it uphill both ways in the snow.

using awk.
Hey now, awk is simply lovely. It's ridiculous how popular it is to slight it these days.
How does 'using awk' count as a slight?

It was the proper add-on to the previous comment kids today don't learn awk. Becuase they have Perl, Ruby, and Python which are supersets of the unix command line tool set. Awk was the king in the years before Perl.

I never really learned to use cut, so I sitll use awk for one-liners the deal with columns in delimited-data text-files.

Sorry, I read it as a slight because it came right after "uphill both ways in the snow".
Which usually precedes "Get off my lawn!"
Anyway, if I want to take gratuitous pokes at a language, I usually choose XML; sometimes java.
Which, of course, I've just been informed is the "preferred" integration language for the project I'm presently working on. Sigh.
Indeed.

Most of the parsing required for the logfile analysis I describe is written in awk, and goes through roughly 1 million lines of logfile in about 75s on a commodity 2Ghz Intel Xeon.

Pre-caching of host lookups is done via xargs and a suitably high '-j' value. Running on a pre-sorted and de-duped list of IPs, this takes another few minutes. Lookups are read into hash tables for faster processing in the main awk parser (avoids system calls, DNS latency, and especially negative result caching failures).

It's fast and simple. Not a 100% solution, but quick to add bits to over time as new needs arise.

You had awk? Ha! Luxuries! Why when I was a young programmer we had to write the code in the snow with our pee, and a compiler was just a word for the pilot of the hovering dirigible that read the instructions and passed them to the ALU, which was another fellow with an abacus. They would wrap the re- sults around a rock, and drop it on my house when the program would exit. We had to walk uphill...
(comment deleted)
With VB6 you can check IP Addresses.
Please guys. This is not Reddit.
And that is how to do a c-c-c-c-c-combo breaker on Hacker News.
Damn straight. Cheap jokes are not allowed.
I assumed this just meant they built something on top of access logs that told them what percentage of page loads also loaded JavaScript. I don't know about your webserver, but mine doesn't tell me this kind of thing out of the box.

Anyway, it's pretty irrelevant whether they added logging in their app (one line of code?) or enabled their webserver's built in logging.

Surprised no ones mentioned the noscript plugin.

Since the user is on facebook they'd have facebook unblocked, but noscript still blocking everything else.

How would you discern a noscript user from bot?

You wouldn't, but if the vast majority of your ad click visitors have javascript disabled, and only a tiny percentage of your other visitors do, what conclusion would you draw?
You don't, but it's very unlikely that there were enough noscript users to match the stats. From the post:

"...in all of our years of experience, only about 1-2% of people coming to us have JavaScript disabled, not 80% like these clicks coming from Facebook."

It's a different marketing block.

For example, target something for the Reddit.com users and you'll see 90%+ block ads.

With facebook granular targetting you could very specifically end up with a target segment with a large proportion of noscript type plugin users. Without more details on their campaign I would not be so quick to place blame purely on bots.

But this is about users who click on ads on Facebook. The sort of users who have javascript disabled are going to self-select out of that group pretty strongly.

And even among the most technically literate groups, I'd be amazed if you saw 80% use of noscript. So many sites require javascript that it's easier to browse with it enabled.

Unless you're targeting noscript users there's no way they account for a significant portion of those 80% of clicks.
> How would you discern a noscript user from bot?

There are a few tricks to do that, described on the old ha.ckers.org weblog, or perhaps on the related sla.ckers.org forum. No idea if they still work, though ..

You could always see if you could trigger NoScript's built-in XSS or frame hijacking protection :) Bots will not notice, and users get a scary warning message and believe your ad is trying to hack them. Not good for your conversion rates, but a pretty sure way to tell them apart.

What you say is valid, however no-script users are a small minority of internet users. I doubt their numbers would tip the results in either direction.
Access logs that write continually from different processes or threads (like PHP) can cause System IO to reach critical proportions. In any non-trivial enterprise application it's completely reasonable to have a stat-logic-layer for recording events... The access log can still do it's own sorta thing - this is more true if you have more than 1 server.
Access logs can't record if javascript is enabled. There are other things I would be interested in if I were doing this too, I'd check the browser's TZ, check if flash was enabled, etc. and do it across sessions.

Depends how far they went profiling their visitors, it clearly says in the article they were tracking if js was enabled, so yes, you'd need to roll something or another by hand. GA relies solely on js for example.

easy: < script > (new Image()).src = document.location.href + "Hey, i have javascript < / script >

And then compare in the log.

The way I understand this is that they want to log who accesses their pages on FaceBook's servers.

I am not familiar with how things work on FaceBook, but I would think that FaceBook users do not have access to the logs that FaceBook's servers write.

That escalated quickly!

And so it seems that Facebook could be proven to be the new groupon.

I would absolutely not be suprised if the hits were FB bots - however I'd expect they wouldn't be that directly stupid so as to have an Ad-bot net in house. Surely this is some service they outsource for plausible deniability.

Something they would have learned from their relationship handing all user data over to the NSA/CIA.

EDIT:

I'd like to make a prediction on how this could potentially play out:

1. FB ignores them. They have nothing to do with this issue and they know the bots are tainting traffic - but they can't/wont do anything about it because it boosts their revenues.

2. FB may or may not be involved in the ad-bots, but, they will drop their $ contingency on ad-rev for the name and payout these guys to shut them up. Their stock was improperly priced and taken a beating. They don't want this coming to light in a large way as it will have a negative affect on the perception of their business model. They hav to be kind of careful of the Barbara Streisand effect here too...

3. Many more people will reveal the same results with empirical testing and it will be revealed that FB earnings are 80% over inflated. Their stock will drop to the predicted real value of <$10... maybe hit that actual projected number of $7.00 - Zynga will BEG FB to purchase them as they are now a penny stock and they can't sustain.

So without ANY facts your conclusion is that Facebook is fraudulently deceiving advertisers.

And that they are doing this using experience from working with the NSA/CIA in order to cover up the fact that $800 million dollars of Facebook's yearly profits will disappear overnight once people realise the truth. And as such they are willing to pay out the ad-bot companies in order to hide this conspiracy.

Right.

>...without ANY facts...

What about the farking article? Where they proved that 80% of their clicks were from bots. Then several others confirm they ahve the same experience?

What about those facts?

I also speculated on what FB is doing. Them giving user data to the NSA/CIA - that is a supposed fact, sure, but I am not the only person who believes this.

Am I extremely distrustful of Facebook? Of course! Maybe you have not followed their track record or the character of their founder.

If you are into conspiracy theories then how about maybe this is Google directing a massive bot net to make facebook ads useless?

> I also speculated on what FB is doing. Them giving user data to the NSA/CIA - that is a supposed fact, sure, but I am not the only person who believes this.

Great argument! A lot of people believe it, so it must be true! Are you for real?!

It is not my responsibility to educate you on modern internet history. This has been argued here on HN prior; Do you recall the backdoors that AT&T put at 600 Folsom, in SF?

And the backdoors in Cisco's equipment that are a requirement by the federal government?

Maybe you thin this shit is "conspiracy theory" and if you do, you're simply a naive fool.

Look around you at what governments are doing. The NSA has records on everything you do online. They had a system in 2005 which could trace communications between users to 6 degrees, automatically.

It's odd to me that your posts aren't more downvoted than they are.
You think I make this shit up? There are some really naive and stupid people on HN that have zero grasp on the history of intelligence agencies.
So, this is why people don't take you seriously.

I know a couple of guys like you in my local activist community, who take a very hostile "I know the truth and you're all fools!" attitude, despite the fact that their audience is mostly very sympathetic to most of their assertions. We know spying on the Internet takes place; HN is full of cantankerous old Internet geeks who've seen, first-hand, plenty of examples of the state (whatever state you may choose, as it happens all over the world) behaving unethically on the Internet, spying on people and punishing people for things that shouldn't be crimes.

But, your paranoid approach is counter-productive. You might as well be working for the people you claim to be afraid of, for all the good you do (negative good; you're convincing people that the folks who believe the government is spying are all paranoid nutjobs who scream at anyone who has the gall to mention other possible explanations).

So, let's review:

1. Just because spying has taken place, and is currently taking place, and may even have the complicity of facebook in that spying, it does not mean that facebook is running a botnet to steal advertiser dollars. The simplest explanation is that facebook looks the other way while others run the botnets. facebook wins (a lot, as long as most advertisers don't know it's happening), botnet owner wins (a little), and the advertiser loses. But, there are other plausible explanations, including incompetence.

2. When you paint things in a "Either you accept my theory in its entirety, or you're all idiots", you force people to choose a side. Nobody wants to be on the same side as an asshole, so you force them to choose the other side. You make people who may even agree with you (to a greater or lesser degree) to begin to formulate plausible reasons for why you're wrong about the crazier stuff you're spouting...further convincing themselves that you're entirely wrong. The best you can hope for is people ignore you and don't have the chance to be inoculated against your ideas; having you as their first exposure to these concepts guarantees they will be less likely to believe them in the future, even if they come from a more credible source. Humans are funny creatures.

Thus, I would point out that there are some really naive and stupid people on HN that have zero grasp of effective argument, persuasion, and even basic logic.

You might be well-served by reading about non-violent communication: http://en.wikipedia.org/wiki/Nonviolent_Communication

Edit: Removed the word "schizophrenic" as it was an insensitive use of the term, and was counter-productive to making my point.

>But, your paranoid schizophrenic approach is counter-productive.

Really, now I am a paranoid schizophrenic?

Just because I make claims which are readily confirmed and were completely available in the media - even the EFF filed suit on the AT&T events...

Yet, for some reason, it is my responsibility to educate everyone every single time someone new comes along who hasn't been following these things closely.

Now I am a paranoid schizophrenic?

Also, its a strawman to focus on my tone, rather than content. You're trying really hard to be overly pedantic and, frankly, an asshole.

Thanks for the link on communication.

He's not arguing with you, he can't be using a strawman. He's just pointing out that other people will be distracted by your tone, making them ignore your (mostly correct) message.
Thanks. In that case, I will try to be less emotional about this issue.

When I was talking about China hacking lockheed as far back as 2005, everyone said I was nuts! (I freaking worked at lockheed!)

There needs to be a better way to log and track this stuff so that we can point people to some sort of Tyranny Wiki.

What I am witnessing is someone trying to inform people, while effectively censoring himself by delivering in such a way as impedes its delivery.

You obviously have a vested interest in seeing your "message" be received, so stop ignoring what people are telling you about your tone and change it. Figure out what it is that people do listen to, or else you have no one but yourself to blame when they take issue with your tone.

To wit: Your tone is defensive. Pejoratives and cursing undermine your expression. What you are effectively telling people is that your thoughts are not important enough to merit self-restraint. Detailed explanations following assertions are also helpful.

FWIW, I work in the performance marketing industry and, IMO, the most complicity facebook could be said to have in this issue is in not placing a sufficiently high priority on preventing bots from clicking on their ads. Even if it is a sizable project there, they represent such a large target that the difficulty of the job becomes much greater. I see no salacious story here, other than a company found itself unable to optimize a campaign into profitability, which I think says more about them than facebook. Ho hum, find a different traffic source and move on.

Thanks - Ill take the constructive criticism on my tone.

However, I will point out that with respect to your comment on FB's complicit actions due to the daunting nature of the problem, this does not take into account their other actions of a 24K ransom on the domain.

Everyone can argue in any direction they want - but neither me nor anyone else is really going to know until we get further down this path...

Hey, calling people "schizophrenic" is not cool. Just sayin'.
You're right. It was an unproductive method of describing the behavior I was seeing (and was too easy to interpret as saying the person is schizophrenic rather than exhibiting behavior I associate with schizophrenia). It was also insensitive to schizophrenics.

In my defense, schizophrenia runs in my family, and I'm very familiar with it...I don't think of it as an insult. But that's a local custom in my family that I shouldn't think follows in the rest of the world.

When describing behavior and not as a slur I don't see any problem.
And there are some that actually know what they're talking about in terms if intelligence agencies but choose not to indulge in idle conspiracy hypothesizing. The real operations aren't something that the people with actual knowledge would ever discuss. Those that do claim conspiracies are often ill informed or just have read too many spy novels.
(comment deleted)
(comment deleted)
(comment deleted)
(comment deleted)
I think problem is more deep, I do not want to make other Conspiracy Theory but here some story from other huge Russian social network (vk 150m. users). There is one small, not that big group (like fb groups), users made agreement, that no one will post next day (something like honeypot), and those who post would be considered as bot and baned forever. So next day couple or so bots generated comments encouraging others do not go on strike against some political party [0].

I do not know is it applies to FB, but those who have like 100k bots have some power too.

[0] http://imgur.com/Vvkbx screenshot in russian

Edit: spelling Edit2: proper link

All this happening as employees in FB are itching to cash out their options in a few months.
We need to see some real numbers before making these kind of predictions. What was the volume of clicks that OP couldn't detect? 10, 1K, 1M? It makes a big difference.

Also given FB users' aversion to ads this whole issue could be explained by users just clicking the back button. Ad supported sites have trained users to do three things very well: install adblock, habitually ignore ads, quickly click away from any interstitial or unexpected ads like on Hulu.

Another note on the "back button": I recently discovered the awesome power of "three-finger swipe back button" on Macbook trackpad. So it's possible users can "click" back even faster than before. I can and before the swipe I was well-trained in the art of "CMD back arrow" :-)

Totally agree. However, I wanted to put my thoughts on this down... Surely we need more info and time to see what the actual truth is - but I just do not believe that FB is in any way some altruistic innocent/neutral entity.
What user data stored on FB servers could be useful to intelligence agencies of that level? People brag about crimes they committed, IP addresses are logged and people may "like" jihad but criminals targeted by the NSA are surely not at that level of stupidity.

Also, FB may not have much of a choice to comply with those agencies, or find themselves pissing off a lot of high level people by refusing to comply with government agencies. But outsourcing / tolerating a network of bots to vastly boost revenue is probably considered fraud, no?

> What user data stored on FB servers could be useful to intelligence agencies of that level? People brag about crimes they committed, IP addresses are logged and people may "like" jihad but criminals targeted by the NSA are surely not at that level of stupidity.

It's not what people brag about, it's the social graph itself that's useful. All the other things like photo-tagging are extra candy.

More info at http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/al... and http://nplusonemag.com/leave-your-cellphone-at-home . Sorry it's late out here, or I'd copy/paste the relevant quotes for you--look for the bits about data mining and machine learning, especially in the 2nd article, everything is a signal and they do have the computing power to process it all, apply Bayesian belief nets, algorithms can pull intelligence information about you from the local shape of your social graph that you don't even realize can be inferred from it (humans are not very good at reading complex info from big graphs much further than simple "friend-of-a-friend" relationships).

>in all of our years of experience, only about 1-2% of people coming to us have JavaScript disabled //

I use noscript. When I enable it for visits it's usually by enabling the domain itself and leaving third-party scripts disabled. Depending on your area this could be significant.

Also the possibility of blocking of the scripts by other elements not loading - for example if the browser can't parallelise the requests for some reason and a preceding request can't be handled then the page might be displaying well before the script is loaded, especially if it's loaded at the bottom of the markup.

I think unless you run a forum for javascript virus injection techniques, you're not going to see 80% visitors with disabled javascript.
Just curious, could it be a competitor and Facebook doesn't block them like google does for click fraud?
One POSSIBLE explanation for what Facebook would use anonymous bots for: verifying the advertisement goes where the advertiser said it would go.

Facebook has problems with fraudulent or confusing advertisements. for example, iPad's being advertised for $2, but the user clicking the ad is sent to a penny auction site that bills you $100 when you sign up.... so that domain ends up getting banned, but those advertisers/spammers either create a new domain or they use a redirecting domain that redirects to a non fraudulent domain when they see an Facebook IP (in theory, the Facebook IP would mean it's an intern or Facebook bot checking the URL).

Here's an example of the penny auction crap http://www.fastcompany.com/1771099/facebook-spam-ads-damage-...

and an example of manipulating the landing page URL with a redirect http://www.larrylim.net/seo-online-marketing/facebook-ads-pr...

so maybe it's Facebook's engineers trying to verify the ads are going to the place they're intended to go, but they are obviously incorrectly counting them as billable clicks

(comment deleted)
True, but they shouldn't be charging for those verification checks.
So you think that a facebook ad checking bot is taking up 80% of the clicks?

I know facebook doesn't have the best reputation for careful engineering but that's quite a stretch.

Well why not? It is really more expensive to run such a bot at 80% rather than say 5%.
If it was coming from Facebook, I would expect not to be charged for the clicks.
Back when I was in this industry, generally speaking you would have a graylist of your own IPs that would be ignored by the ad metric system.

Ad networks tend to be very serious about anything measurable - it's easy to lie and once you've lied about one thing, no matter how small, what else have you lied about and to what magnitude?

I think the only fix for PPC is PPA.
Could FB do something like this to detect click fraud/misbehavior: FB's ad system only counts a click as valid and charges the advertiser when the browser from which the click originated has js enabled.

OP says only 1-2% of users have js disabled hence FB would only miss out on a relatively small amount of ad revenue instead of massively over-charging.

FB just gave him the best advertising ever through this publicity.
One thing about Facebook ads, instead of buying clicks to webpages, you could buy likes to your Facebook page. This way you can at least look at the FID of the Like to get some confirmation that the Like you bought was from a real person.
Why hasn't anyone asked what IP, user agent, etc. the bots were showing up as in the log?
Very unlikely to have been bots from FB, they're not yet quite that desperate. They would be 90% sure of getting busted, and it would be a huge deal breaker for a lot of their clients. A suicide move.

The more plausible reality is that there are just a lot of bots crawling FB fan pages, poorly programmed bots that will just follow every single link they come across. That's very much in line with my personal experience of FB fan pages.

But FB is certainly to blame for not detecting these as bots, and putting ads on the pages they serve them. Hopefully they'll take care of this issue soon.

In my mind having an in-house bot network and being totally ignorant that you're charging for bot traffic via ads amount to the same thing.

This is very, very bad.

It does not amount to the same thing at all. Keep some perspective.
It does amount to the same thing.

If I am writing a mechanism to charge for ads based on traffic, one of the first things to QA/write test cases for is fraudulent traffic.

The leap here is from facebook being remotely competent (which is likely), and willfully ignoring checks on certain types of traffic because it benefits them financially.

My assertion is that this is the same class of bad behavior as running your own bots. Note the distinction in 'willful' ignorance.

How? In house bot network implies active fraudulent charging, while being unaware of bot clicks is simply neglect or ignorance.
(comment deleted)
The distinction between ignorance and intent does not compute.

Yes, we dont need a conspiracy to explain stupidity. The stupidity is the conspiracy.

People arent ignorant, because they are handcapped or something. They are ignorant, because thats the behaviour and excuse we reward. Just be an idiot, dont put in the intellectual effort, and you will be allowed to speak lies and screw every one and every thing.

From a corporate point of view, its the golden ticket. Plausible deniability. We didnt know that our insurance helped finance weapon exports to dictators. We didnt know. We didnt know. Sorry this, sorry that. We're keeping the money though.

I dont think that provable intent should have legal meaning. Because all neglect is intentional, as is ignorance in a world, where every one has the choice to be well informed.

>"Hopefully they'll take care of this issue soon."

Much like the multiple account issue, it's beneficial for Facebook to turn a blind eye. That is, unless it escalates into a PR issue.

First page in HN, for some people this is considered a PR issue :)
HN's opinion of anything is not remotely significant to FB's PR, really.
Facebook couldn't be that pathetic...
I guess a more general question might be: I marketing on Facebook proving to be worthwhile?

We are just finishing a new iOS app. It will be the first one in our catalog with a "Like us on Facebook" feature. I am skeptical about the value of this feature. Not sure it'll convert at all. Asked a bunch of people who use FB on a daily basis and most told me that they pay zero attention to ads or "likes". Not sure.

I am surprised that there has been no proof released by the page owners. It feels a lot like a linkbait / FB viral campaign.