I've run a significant amount of traffic with Facebook Ads and never saw click fraud anywhere close to these kinds of numbers. By estimates it was somewhere between 3-5%, which is pretty typical across major ad networks.
It's also worth noting that Facebook has given refunds for click fraud in the past. That is if you can actually get a hold of someone in support who will talk to you, which isn't easy.
Yes but only in certain US demographics. Most of these bots are ad scrapers/landing page scrapers run by people gathering and stealing the ads/landing pages of their competition. Facebook has known about the problem for a while (years), and have gone so far as to ban some accounts that the scrapers were running out of, but lately it seems the scrapers have been given free reign.
This is not a case of Facebook using bots to deliberately drive up ad spending. It's merely scummy internet marketers at work, with Facebook failing to detect and prevent them. The phenomenon is mostly present in the US 18-30 male demographic (where all the dating ads are, and where creatives can make or break you).
"We built a page logger. Any time a page was loaded, we'd keep track of it. You know what we found? The 80% of clicks we were paying for were from bots."
How do you tell if it's a bot? Just by user-agent string or repeated slamming by IP address, or is there some other technique?
The main technique is to notice a pattern that is only explainable by bot activity.
Generally speaking, in addition to the patterns you mentioned (invalid user-agent strings, rapid succession of same-IP access) there are also other patterns, such as failure to load referenced CSS or image files, or 100% failure on Captcha challenges.
Of course they could -- all they need to do is parse the HTML, look for the img and link and other tags, and then request the URL. If they were trying to act more like a browser, they would. If they are just trying to click ads, they wouldn't.
Using Captcha on an ad landing page to determine whether someone is bot seems like a bad idea. It would almost certainly increase the bounce rate on that page and you couldn't just say that people who didn't choose fill out the captcha were bots.
Furthermore, facebook users in specific I would say have javascript enabled, even though its possible to control per site, I would assume most facebook users would not be aware how it works - and facebook without javascript seems rather impossible or at least, very discomforting.
How do you tell if it's a bot? Just by user-agent string or repeated slamming by IP address, or is there some other technique?
A combination of things. Off the top of my head:
* IP address ranges. Are they all from, e.g., EC2 instances?
* Are images and other content (e.g. CSS) linked from the page loaded? How long does the client take to do so? Are other pages being viewed in line with what you've seen from other users?
* What combinations of user agents are you seeing?
* What's in the headers being sent by the browser? Any foreign language support, or oddities when it comes to not accepting compressed content? Is the referer header always the same? Does it always vary?
* Do you see "normal" user behaviour that indicates activity such as clicking the back button, then clicking the ad again a few seconds later once their brain has kicked in? (nb: not sure if this is possible for Facebook with the way their site works).
* Are there any patterns in the page access times? Is there anything to indicate a cron job is kicking off once an hour at the same time?
"So we did what any good developers would do. We built our own analytic software. Here's what we found: on about 80% of the clicks Facebook was charging us for, JavaScript wasn't on."
Later:
"So we did what any good developers would do. We built a page logger. Any time a page was loaded, we'd keep track of it. You know what we found? The 80% of clicks we were paying for were from bots. That's correct. Bots were loading pages and driving up our advertising costs"
I think they use a different definition of bot. Otherwise they wouldn't have to use a second logger ...
Wow, even if this is a little true the implications are big.
Is this similar, or related to other ad space inflation? I'm reminded of Google (and others)(1) sending out free $75 adwords coupons to easily allow the costs of bids to inflate since it's not my own real money (thereby increasing the percentage of real cash being made on the ads)?
How come, everytime some company does (or seems to be doing) something shady, there is always a bunch of people like this saying "not as bad as Y doing something else that might or might not be true or related". This is not middle school anymore, pointing the finger at other kids is not proper discussion ...
If genuinely curious: I'm drawing a direct comparison of the potential inflation of ad costs in one playground (google) with another (facebook) through both common and unique means. Another common issue to both is click fraud and it's effects on the said cost of ads. My mistake for assuming this was obvious and known.
The relevance of such a comparison? It's not a one off, as uncommon as we think. Has nothing to do with pointing fingers.
Didn't mean to come across as off topic. To me, if someone upstream and in the past was doing this, chances are it might happen later in time downstream too, and there might be something to see in the forest instead of pointing at one tree or another.
Unless you're buying ads for popular affiliate stuff, handing new AdWord users $75 in credit doesn't have much of an effect (other than some percentage of those users going on to spend real money). I have gotten similar offers from Facebook, Twitter, Bing and a lot of othe advertising companies.
Yeah, lots send it out, but how many end up using them is relative to how big of a player in search (and search related advertising) the player is.
I've used Google coupons, none with anyone else that I can remember. I also spent ads on google way before any other system and remember the 10 cent clicks going up to $1.00 for not much more traffic.
I wish their post was a bit more technical. Show us the code you used to detect javascript, how did the analytics work? Did they test their code by using their own browser to click an ad and see if the code detected javascript, or their hit in the analytic software?
While that would have been interesting to me as well, I think the post was meant for their actual users, to explain why they are moving away from FB. Technical details would have been an unnecessary distraction for their intended audience.
Maybe if they have any employees who follow HN, someone would share more light on the technicals?
According to the FAQ, one cannot change the name of the page once it is set. This can be a real problem that I run into quite a few times, even with a couple of small pages, and even more as every website that has "like this page on facebook" has an automatic facebook page, where the name is determined by them, automatically, once, by the <title> element at that time. Talk about stupid.
Anyways, I don't mind since I'm a small fish, but the longer this goes on, the more it will (hopefully, i might say) blow up into their face(book).
Facebook allows advertisers to target friends of users who liked your page. They probably restrict name changes so users associated with a page don't get blind-sided if the company radically changes its product or service.
The only well known fact when dealing with Facebook is that if you want to manipulate their documented rules you need to either have deep pockets or a lot of influence.
We tried to change the name of our page from "Hit Tennis 2" to "Hit Tennis". (After releasing Hit Tennis 3, we realized a per version FB page was silly.) We were asked to explain the change and it was denied (as I recall they said it could lead to user confusion). I thought that was a bit picky, but I understand the position of being careful of changing their likes our from underneath users. No mention of having to pay to get our name changed.
For the username, everyone (including users) is allowed one name change.
Presumably, Facebook can bypass these seemingly arbitrary limitations, but will essentially charge you for the right to do so (by requiring you to have purchased a certain amount of advertising with them).
But at the same time is very normal a change of name, because companies adquires other companies, products can change the name too[1], etc... The Facebook page is supposedly owned by the creator, not Facebook and if a change of the name is needed, IMO it does not make sense to try to charge money from it.
I'm with you that F must have some restrictions on name change, but it does not seem reasonable to charge money for it.
[1] Imagine a page called "Sun Microsystems - Java" before being buyed by Oracle with a fer thousands fans. I'm sure a hight percent of the fans would not care of have a name change to "Oracle - Java" for example.
They said they would allow us to change our name. NICE! But only if we agreed to spend $2000 or more in advertising a month.
Well, apparently there is an exception from this rule. Obviously there is a huge potential for abuse when changing name of a page that has plenty of users. However, allowing only the "money making" pages to do so is a bit of an unfair move in my opinion. Reasonable but unfair.
I wonder if this situation will escalate and fb will publish some explanation. Nevertheless, it is still hard to believe for me that a company with such value would fake clicks at all or in a way that is easy to detect.
Tons! Charge their competitors to run out of budget and/or give up advertising on FB.
A lot of people also have bots to see who/what is advertising on FB to see what is working, what ad text people are trying, etc. Mostly aff marketers trying to stay ahead of the game. There are also SaaS companies scraping ads and landing pages and selling that data.
Because they are not related. You can use them just as you would with Google Adsense. Obviously you can get a lot of free advertisement and edorsement with having people "like" you on Facebook, but that is beside of the point.
And the click scam, if true, will take away the only way for Facebook to monetize the product. Marketers are not stupid, things like this spread like wildfire.
I don't see what their number of likes has to do with bots clicking on their ads.
If true, Facebook should really have anti-fraud measures in place for this kind of thing already, and if they don't, the size of the company in question has no relevance to that.
Facebook is relatively new to the advertising game and probably doesn't have the sort of experience that Google, MSN and Yahoo have in dealing with the immense amount of click fraud out there.
Worked 3 years in online advertising, dealing with billions of impressions and millions of clicks daily. 80% fraud rate isn't unsurprising, probably is actually higher. Most mature ad networks can easily filter and reject a substantial portion of the fraud, or at least not bill the client for it.
timaelliott, I can't respond to your comment so I'm responding to its parent. Your account has been hellbanned as of 9 days ago here: http://news.ycombinator.com/item?id=4272758
The huge market represented by the "long tail" of small companies is the reason FB is valued so highly. It is (supposedly) much bigger than the GMs of the world.
The other thing to keep in mind is if their page has any "accelerated fans" (read : purchased bot page likes), any time they promote a post, they would be promoting to the same bots that liked the page in the first place.
I don't really know how purchased page likes work, but why would that matter? Bots / fake accounts used to generate likes have no reason to keep running and click on ads?
We dropped the Google Display Network about a year back out of very heavy suspicion of bot malfeasance... lots of clicks from frivolous, consumer-oriented, no-name sites with obviously nothing to do with our somewhat technical, LDAP-focused product.
Could it just be a badly written search spider? The ad is simply an anchor tag around an image. If you didn't filter it out specifically, you would just "click" it to get to another page.
When you build an advertisement network, you end up spending a bunch of time figuring out how to isolate these fake clicks and verify that they are not real. As an example, the IP addresses running the bots are going to be clicking "way too many ads to be a human".
If FB is not smart enough to discern curl/wget/whatever_crawler_socket_call used from genuine in browser click then the argument is already won. Hell, you could write an army of Selenium Firefox/Chrome bots to drive up costs of ad competitors, randomise the host machines, etc... but it's still hard to believe that FB anti fraud measures can't figure it out.
To me, something is off, whether with FB or these guys.
If FB is not smart enough to discern curl/wget/whatever_crawler_socket_call used from genuine in browser click then the argument is already won. Hell, you could write an army of Selenium Firefox/Chrome bots to drive up costs of ad competitors, randomise the host machines, etc... but it's still hard to believe that FB anti fraud measures can't figure it out.
To me, something is off, whether with FB or these guys.
Yes. This used to happen a lot on ad networks, although I personally don't know how pervasive it is now.
The game is as jiggy said. Force competing ad buyers to pay for what appears to be non-productive traffic by forcing ad clicks. Since the real views are dominated by false views, the conversion rate on whatever is being sold appears to be horrible. The competitor goes elsewhere, and the scammer maintains access to artificially cheap ad inventory, since there are fewer bidders.
Overall it's hard to say whether google wins or loses overall by this. In absence of a real competitor in the search ad space, people generally will swallow google's fee hikes ...
It's a cat and mouse game. Google gets good at it; scammers get more sophisticated; google catches up again; ad infinitum. Also, in addition to the scam mentioned above -- in Google's case, targeting AdWords -- they have to deal with scammers hitting their own AdSense properties.
As pathdependant said, this is a very common shady tactic in the ad business. You drive up your competitors costs with bots in order to drive them away from your keywords or make them think their conversions on those keywords are awful and then abandon them.
By far the most likely explanation in my opinion. Even if it's not the correct one, some of the traffic is almost certainly these kinds of bots.
The biggest conspiracy theory would say that a bot clicking ads would help earn FB money.
I don't really suspect this to be true, Facebook CTR are incredibly low so if they are faking it they are doing it badly.
I suspect the most likely reason is some sort of spam scraper thing that visits every url or something. I would have assumed Facebook would be well protected against this sort of thing in regards to charging advertisers.
Facebook does analytics...they aren't some tiny startup...surely they track the quality of their traffic...so they know that 70-80% of their ad traffic comes from bots.
So Facebook is knowingly profiting from this, and they have the resources to fix this...but they don't since this is making so much money for them.
FB does not need do that shady stuff. Here some facts.
[1] Bot registration on FB is really easy. If you try register 100 fake users in direct way you need to deal with javascript and web forms with strange ids, cookies and so on in your script. But if you enter fb.com without enabled javascript, they ask you change browser or use mobile version, which is not require* js at all.
[2] You can register number of accounts from one ip without CAPTCHA
[3] Only one "difficulty" is to find batch of emails, it is not that big issue since we have services like mailinator.com.
So 15 -25 loc script on python do all your job. It is not required use any tools like selenium or special skills , only basic understanding how http get/post works.
Why fb doing all this supereasybotregistration stuff? I think we all know why.
Edit: spelling. Sorry non native English speaker here
You seem knowledgeable. What is the main purpose of bots on facebook?
The article implies they could be used by facebook or competitors to burn up ad revenue, but this approach would just kill the golden pay-per-click goose.
[1] You can win a bunch of contests, competitions like those who have lot of likes can win iphone or other tech.
[2] You can sell likes.. just google and you will see, there are alot of places where you can buy it.
[3] Manipulation of public opinion.
Edit:
From FB side:
[1] they still have growth of users
[2] more bots == more clicks, more likes more FB value "on paper", more revenue
[3] and when they stabilize their market value they can easily kill those bots, just require them activation by phone.
vk.com Russian social network, had same issues, but they enabled phone activation for averybody and its not that easy to buy a lot of phone numbers in Russia, but some hackers just pay to vk.com admins...
Which is really taking things too far - if Facebook wanted to generate some revenue with bots then it wouldn't be very difficult for them to write ones that supported JavaScript.
I don't think so, there's lots of reasons that would be a stupid idea for Facebook. But there's clearly something shady going on, and Facebook is being dicks to them in other ways, so they're out. That's the subtext.
They end the bot section with "But let's move on, because who the bots belong to isn't provable." after saying that they weren't accusing Facebook of running the bots. The subtext is screaming out.
Does me pointing out the barely shrouded subtext mean that I believe what they are saying? Of course not. It's just as likely, it seems, that their test is simply flawed (as others said, let's see the technical honey trap), that it's some other technical fault, etc. I highly doubt, just on intuition, that Facebook is running such broken bots: Come on, they'd do a better job than make something so easily detected.
It would be outrageous for FB to run the bots themselves. There's two other issues that are more realistic and unfortunately not so great for FB: they're aware of the bots and ignoring them in favor of the ad revenue or they're just becoming aware of the bots and will implement some fix which could result in a substantial decrease in ad revenue. Good to keep in mind that OP's 80% is just one data point and may not be accurate.
I actually think they were trying to say something strange is going on, which I think is pretty obvious given their stats, and that they have no idea who's doing it or why, partially because Facebook can't be bothered to look into it or at least get back to them about it.
That to me sounds like FB is aware of the issue and isn't interested in discussing it. That's the subtext imo.
My own suspicion would be because someone is gaming their ads and they haven't been able to prevent it as of yet, and not because they themselves are gaming the numbers. No doubt they believe that discussing it is tacit admission that they haven't been able to prevent it, which is bad for business.
I see what you're saying, it just isn't very hard for me to take them at their word: They're not claiming that it's Facebook, not out of some sense of propriety, but because they don't have any evidence that it is. It could be anyone.
And it doesn't matter who it is, because they're leaving for a different reason: Facebook never returns their calls unless it's with an offer of extortion.
While I doubt malicious intent on FB's part there's certainly a financial incentive to ignore this problem. How would their earnings reports change if they stopped charging at least some advertisers for 80% of clicks?
It would be a very, very short term financial incentive.
Advertisers monitor to see performance on the other end, and when the campaigns don't yield actual success they move on.
The only real exception to this are mega-brands that advertise just to build namespace. Everyone else expects direct action from some hefty percentage of their ads.
Are you saying it's short term because advertisers would notice? Sure some advertisers would notice. However I doubt the majority are capable of performing the OP's analysis (which could use some scrutiny).
Imagine a 100 person company with 5 people dedicated to advertising. Leadership says to increase on-line presence. Some recent college grad on the advertising team buys FB ads. Next month leadership is pleased that they're advertising on Facebook. Also leadership is pleased that sales increased x%. The FB ads could be completely worthless. Some non-trivial percentage of clicks could be from bots and no one would notice.
You act as if "everyone else" sees results from FB ads. They don't. This is a well known problem. They have a high rate of adoption from new sign-ons, and also a high level of departure. While the first number is greater than the second number, they are ok. Either they will manage to improve value and keep more of the advertisers, or one day the Ponzi scheme implodes.
You act as if "everyone else" sees results from FB ads. They don't.
Most ads target a specific outcome: You buy a product, create an account, joining a mailing list, etc. Even the most technically incompetent advertisers establishes these fundamental metrics such that they can say "I spent $1,000,000 on Facebook ads and only got ten signups. I spent $1,000,000 on iAds ads and got ten million signups." That sort of thing.
I don't think so; if anything, the subtext is merely arguing that Facebook isn't doing anything to stop the problem. Whether that is just as bad as running the botnet itself, that is another thing.
Assuming the problem is as bad as many are saying, I personally think it's fair to draw the same conclusion you have -- running and letting run a botnet is one and the same. It's costing other businesses money; it's too big for Facebook to be able to play dumb on the issue.
Bots might be operated by competitors to increase the cost of advertising for Limited Pressing. This is the most likely scenario, in my opinion. However, though rather unlikely, the bots could be affiliated with Facebook itself, as all of those extra clicks translate into lots of extra Facebook revenue.
That doesn't seem like a very sustainable strategy though.
Does anyone know what kind (if any) of anti-bot measures Facebook already has in place for paid advertising?
could be ad spy tools...they crawl around clicking ads and following them to the landing pages and then follow the landing pages to the offer being promoted. Allows affiliates and other advertisers to reverse engineer the competition
Copying the text just incase FB decides they don't like it
---
Hey everyone, we're going to be deleting our Facebook page in the next couple of weeks, but we wanted to explain why before we do. A couple months ago, when we were preparing to launch the new Limited Run, we started to experiment with Facebook ads. Unfortunately, while testing their ad system, we noticed some very strange things. Facebook was charging us for clicks, yet we could only verify about 20% of them actually showing up on our site. At first, we thought it was our analytics service. We tried signing up for a handful of other big name companies, and still, we couldn't verify more than 15-20% of clicks. So we did what any good developers would do. We built our own analytic software. Here's what we found: on about 80% of the clicks Facebook was charging us for, JavaScript wasn't on. And if the person clicking the ad doesn't have JavaScript, it's very difficult for an analytics service to verify the click. What's important here is that in all of our years of experience, only about 1-2% of people coming to us have JavaScript disabled, not 80% like these clicks coming from Facebook. So we did what any good developers would do. We built a page logger. Any time a page was loaded, we'd keep track of it. You know what we found? The 80% of clicks we were paying for were from bots. That's correct. Bots were loading pages and driving up our advertising costs. So we tried contacting Facebook about this. Unfortunately, they wouldn't reply. Do we know who the bots belong too? No. Are we accusing Facebook of using bots to drive up advertising revenue. No. Is it strange? Yes. But let's move on, because who the bots belong to isn't provable.
While we were testing Facebook ads, we were also trying to get Facebook to let us change our name, because we're not Limited Pressing anymore. We contacted them on many occasions about this. Finally, we got a call from someone at Facebook. They said they would allow us to change our name. NICE! But only if we agreed to spend $2000 or more in advertising a month. That's correct. Facebook was holding our name hostage. So we did what any good hardcore kids would do. We cursed that piece of shit out! Damn we were so pissed. We still are. This is why we need to delete this page and move away from Facebook. They're scumbags and we just don't have the patience for scumbags.
Thanks to everyone who has supported this page and liked our posts. We really appreciate it. If you'd like to follow us on Twitter, where we don't get shaken down, you can do so here: http://twitter.com/limitedrun
Happend to us too!! we first thought kissmetrics was wrong, so we built a logger that logged server side requests and a client side code that executes on load of the landing page, and we found that 70% of the server side hits had javascript disabled(or that hit the page and left it before the js executed, which seems improbable for such a large number - 70%).
It was a few months ago and we've already deleted the db table, we are soon relaunching with a new campaign, so once I get the data again I'll post it here.
> (or that hit the page and left it before the js executed, which seems improbable for such a large number - 70%).
That's actually an interesting proposal-- 100% of the time when I click on an ad, I didn't mean to and I try to close it before it has a chance to annoy me.
Probably doesn't make sense on a large scale, but it's something to consider.
I agree that some users might close the page or hit the "back" button before the $(document).ready() happens, but I can't believe that 70% of the people did that(taking into account that our ad was really targeted and highly relevant to the landing page).
If that is true and 70-80 percent hit the back button before the js files load, it still says a lot about the quality of the clicks from the perspective of someone considering advertising on FB...
Someone's grandmother miss-clicking and then mashing back is about as useful to the advertiser as a bot. conversions are where it's at. Poor quality traffic / bots / it's all the same. the advertiser quits paying
There is (subjectively) a marked deterioration of comment quality on front-page discussions in the past few days, I feel. I have also noticed that HN articles are getting linked on reddit more frequently (I use both networks, but for highly disparate purposes - gotta get those funny .gif's somewhere). No data supporting this but I fell it's a trend and I'm not liking it.
Few days? Try since forever. As people increase the SNR gets larger. Even on reddit when it started, it was heavily tech focused, you'll find a comment that says it's going downhill. Hard to say what the numbers on HN are like growth wise in comparison to reddit (which has their subscriber numbers on display).
you're not alone. I've heard similar stories from other businesses that have tried to advertise on FB. At first I thought they just didn't track properly, but it seems it's a widespread problem.
Is it though? It seems they spent a lot of time throwing more and more javascript at the problem until they realized they couldn't figure out what was happening. If they had real logging from the beginning, it would have unconfused them much sooner.
They were taking orthogonal measurements to see if the pattern would appear over and over. Also it sounds like each successive measurement technique was at a lower level than the previous technique. Sounds pretty thorough. I'd love to see some actual data though.
This could be a businessperson's interpretation of what happened.
Or they might have indeed reinvented it. Kids these days and their Heroku! Back in my day we'd process each HTTP request by hand. And we'd do it uphill both ways in the snow.
It was the proper add-on to the previous comment kids today don't learn awk. Becuase they have Perl, Ruby, and Python which are supersets of the unix command line tool set. Awk was the king in the years before Perl.
I never really learned to use cut, so I sitll use awk for one-liners the deal with columns in delimited-data text-files.
Most of the parsing required for the logfile analysis I describe is written in awk, and goes through roughly 1 million lines of logfile in about 75s on a commodity 2Ghz Intel Xeon.
Pre-caching of host lookups is done via xargs and a suitably high '-j' value. Running on a pre-sorted and de-duped list of IPs, this takes another few minutes. Lookups are read into hash tables for faster processing in the main awk parser (avoids system calls, DNS latency, and especially negative result caching failures).
It's fast and simple. Not a 100% solution, but quick to add bits to over time as new needs arise.
You had awk? Ha! Luxuries! Why when I was a young programmer we had to write the code in the
snow with our pee, and a compiler was just a word for the pilot of the
hovering dirigible that read the instructions and passed them to the
ALU, which was another fellow with an abacus. They would wrap the re-
sults around a rock, and drop it on my house when the program would
exit. We had to walk uphill...
I assumed this just meant they built something on top of access logs that told them what percentage of page loads also loaded JavaScript. I don't know about your webserver, but mine doesn't tell me this kind of thing out of the box.
Anyway, it's pretty irrelevant whether they added logging in their app (one line of code?) or enabled their webserver's built in logging.
You wouldn't, but if the vast majority of your ad click visitors have javascript disabled, and only a tiny percentage of your other visitors do, what conclusion would you draw?
You don't, but it's very unlikely that there were enough noscript users to match the stats. From the post:
"...in all of our years of experience, only about 1-2% of people coming to us have JavaScript disabled, not 80% like these clicks coming from Facebook."
For example, target something for the Reddit.com users and you'll see 90%+ block ads.
With facebook granular targetting you could very specifically end up with a target segment with a large proportion of noscript type plugin users. Without more details on their campaign I would not be so quick to place blame purely on bots.
But this is about users who click on ads on Facebook. The sort of users who have javascript disabled are going to self-select out of that group pretty strongly.
And even among the most technically literate groups, I'd be amazed if you saw 80% use of noscript. So many sites require javascript that it's easier to browse with it enabled.
There are a few tricks to do that, described on the old ha.ckers.org weblog, or perhaps on the related sla.ckers.org forum. No idea if they still work, though ..
You could always see if you could trigger NoScript's built-in XSS or frame hijacking protection :) Bots will not notice, and users get a scary warning message and believe your ad is trying to hack them. Not good for your conversion rates, but a pretty sure way to tell them apart.
What you say is valid, however no-script users are a small minority of internet users. I doubt their numbers would tip the results in either direction.
Access logs that write continually from different processes or threads (like PHP) can cause System IO to reach critical proportions. In any non-trivial enterprise application it's completely reasonable to have a stat-logic-layer for recording events... The access log can still do it's own sorta thing - this is more true if you have more than 1 server.
Access logs can't record if javascript is enabled. There are other things I would be interested in if I were doing this too, I'd check the browser's TZ, check if flash was enabled, etc. and do it across sessions.
Depends how far they went profiling their visitors, it clearly says in the article they were tracking if js was enabled, so yes, you'd need to roll something or another by hand. GA relies solely on js for example.
The way I understand this is that they want to log who accesses their pages on FaceBook's servers.
I am not familiar with how things work on FaceBook, but I would think that FaceBook users do not have access to the logs that FaceBook's servers write.
And so it seems that Facebook could be proven to be the new groupon.
I would absolutely not be suprised if the hits were FB bots - however I'd expect they wouldn't be that directly stupid so as to have an Ad-bot net in house. Surely this is some service they outsource for plausible deniability.
Something they would have learned from their relationship handing all user data over to the NSA/CIA.
EDIT:
I'd like to make a prediction on how this could potentially play out:
1. FB ignores them. They have nothing to do with this issue and they know the bots are tainting traffic - but they can't/wont do anything about it because it boosts their revenues.
2. FB may or may not be involved in the ad-bots, but, they will drop their $ contingency on ad-rev for the name and payout these guys to shut them up. Their stock was improperly priced and taken a beating. They don't want this coming to light in a large way as it will have a negative affect on the perception of their business model. They hav to be kind of careful of the Barbara Streisand effect here too...
3. Many more people will reveal the same results with empirical testing and it will be revealed that FB earnings are 80% over inflated. Their stock will drop to the predicted real value of <$10... maybe hit that actual projected number of $7.00 - Zynga will BEG FB to purchase them as they are now a penny stock and they can't sustain.
So without ANY facts your conclusion is that Facebook is fraudulently deceiving advertisers.
And that they are doing this using experience from working with the NSA/CIA in order to cover up the fact that $800 million dollars of Facebook's yearly profits will disappear overnight once people realise the truth. And as such they are willing to pay out the ad-bot companies in order to hide this conspiracy.
What about the farking article? Where they proved that 80% of their clicks were from bots. Then several others confirm they ahve the same experience?
What about those facts?
I also speculated on what FB is doing. Them giving user data to the NSA/CIA - that is a supposed fact, sure, but I am not the only person who believes this.
Am I extremely distrustful of Facebook? Of course! Maybe you have not followed their track record or the character of their founder.
If you are into conspiracy theories then how about maybe this is Google directing a massive bot net to make facebook ads useless?
> I also speculated on what FB is doing. Them giving user data to the NSA/CIA - that is a supposed fact, sure, but I am not the only person who believes this.
Great argument! A lot of people believe it, so it must be true! Are you for real?!
It is not my responsibility to educate you on modern internet history. This has been argued here on HN prior; Do you recall the backdoors that AT&T put at 600 Folsom, in SF?
And the backdoors in Cisco's equipment that are a requirement by the federal government?
Maybe you thin this shit is "conspiracy theory" and if you do, you're simply a naive fool.
Look around you at what governments are doing. The NSA has records on everything you do online. They had a system in 2005 which could trace communications between users to 6 degrees, automatically.
I know a couple of guys like you in my local activist community, who take a very hostile "I know the truth and you're all fools!" attitude, despite the fact that their audience is mostly very sympathetic to most of their assertions. We know spying on the Internet takes place; HN is full of cantankerous old Internet geeks who've seen, first-hand, plenty of examples of the state (whatever state you may choose, as it happens all over the world) behaving unethically on the Internet, spying on people and punishing people for things that shouldn't be crimes.
But, your paranoid approach is counter-productive. You might as well be working for the people you claim to be afraid of, for all the good you do (negative good; you're convincing people that the folks who believe the government is spying are all paranoid nutjobs who scream at anyone who has the gall to mention other possible explanations).
So, let's review:
1. Just because spying has taken place, and is currently taking place, and may even have the complicity of facebook in that spying, it does not mean that facebook is running a botnet to steal advertiser dollars. The simplest explanation is that facebook looks the other way while others run the botnets. facebook wins (a lot, as long as most advertisers don't know it's happening), botnet owner wins (a little), and the advertiser loses. But, there are other plausible explanations, including incompetence.
2. When you paint things in a "Either you accept my theory in its entirety, or you're all idiots", you force people to choose a side. Nobody wants to be on the same side as an asshole, so you force them to choose the other side. You make people who may even agree with you (to a greater or lesser degree) to begin to formulate plausible reasons for why you're wrong about the crazier stuff you're spouting...further convincing themselves that you're entirely wrong. The best you can hope for is people ignore you and don't have the chance to be inoculated against your ideas; having you as their first exposure to these concepts guarantees they will be less likely to believe them in the future, even if they come from a more credible source. Humans are funny creatures.
Thus, I would point out that there are some really naive and stupid people on HN that have zero grasp of effective argument, persuasion, and even basic logic.
>But, your paranoid schizophrenic approach is counter-productive.
Really, now I am a paranoid schizophrenic?
Just because I make claims which are readily confirmed and were completely available in the media - even the EFF filed suit on the AT&T events...
Yet, for some reason, it is my responsibility to educate everyone every single time someone new comes along who hasn't been following these things closely.
Now I am a paranoid schizophrenic?
Also, its a strawman to focus on my tone, rather than content. You're trying really hard to be overly pedantic and, frankly, an asshole.
He's not arguing with you, he can't be using a strawman. He's just pointing out that other people will be distracted by your tone, making them ignore your (mostly correct) message.
What I am witnessing is someone trying to inform people, while effectively censoring himself by delivering in such a way as impedes its delivery.
You obviously have a vested interest in seeing your "message" be received, so stop ignoring what people are telling you about your tone and change it. Figure out what it is that people do listen to, or else you have no one but yourself to blame when they take issue with your tone.
To wit: Your tone is defensive. Pejoratives and cursing undermine your expression. What you are effectively telling people is that your thoughts are not important enough to merit self-restraint. Detailed explanations following assertions are also helpful.
FWIW, I work in the performance marketing industry and, IMO, the most complicity facebook could be said to have in this issue is in not placing a sufficiently high priority on preventing bots from clicking on their ads. Even if it is a sizable project there, they represent such a large target that the difficulty of the job becomes much greater. I see no salacious story here, other than a company found itself unable to optimize a campaign into profitability, which I think says more about them than facebook. Ho hum, find a different traffic source and move on.
Thanks - Ill take the constructive criticism on my tone.
However, I will point out that with respect to your comment on FB's complicit actions due to the daunting nature of the problem, this does not take into account their other actions of a 24K ransom on the domain.
Everyone can argue in any direction they want - but neither me nor anyone else is really going to know until we get further down this path...
You're right. It was an unproductive method of describing the behavior I was seeing (and was too easy to interpret as saying the person is schizophrenic rather than exhibiting behavior I associate with schizophrenia). It was also insensitive to schizophrenics.
In my defense, schizophrenia runs in my family, and I'm very familiar with it...I don't think of it as an insult. But that's a local custom in my family that I shouldn't think follows in the rest of the world.
And there are some that actually know what they're talking about in terms if intelligence agencies but choose not to indulge in idle conspiracy hypothesizing. The real operations aren't something that the people with actual knowledge would ever discuss. Those that do claim conspiracies are often ill informed or just have read too many spy novels.
I think problem is more deep, I do not want to make other Conspiracy Theory but here some story from other huge Russian social network (vk 150m. users). There is one small, not that big group (like fb groups), users made agreement, that no one will post next day (something like honeypot), and those who post would be considered as bot and baned forever. So next day couple or so bots generated comments encouraging others do not go on strike against some political party [0].
I do not know is it applies to FB, but those who have like 100k bots have some power too.
We need to see some real numbers before making these kind of predictions. What was the volume of clicks that OP couldn't detect? 10, 1K, 1M? It makes a big difference.
Also given FB users' aversion to ads this whole issue could be explained by users just clicking the back button. Ad supported sites have trained users to do three things very well: install adblock, habitually ignore ads, quickly click away from any interstitial or unexpected ads like on Hulu.
Another note on the "back button": I recently discovered the awesome power of "three-finger swipe back button" on Macbook trackpad. So it's possible users can "click" back even faster than before. I can and before the swipe I was well-trained in the art of "CMD back arrow" :-)
Totally agree. However, I wanted to put my thoughts on this down... Surely we need more info and time to see what the actual truth is - but I just do not believe that FB is in any way some altruistic innocent/neutral entity.
What user data stored on FB servers could be useful to intelligence agencies of that level? People brag about crimes they committed, IP addresses are logged and people may "like" jihad but criminals targeted by the NSA are surely not at that level of stupidity.
Also, FB may not have much of a choice to comply with those agencies, or find themselves pissing off a lot of high level people by refusing to comply with government agencies. But outsourcing / tolerating a network of bots to vastly boost revenue is probably considered fraud, no?
> What user data stored on FB servers could be useful to intelligence agencies of that level? People brag about crimes they committed, IP addresses are logged and people may "like" jihad but criminals targeted by the NSA are surely not at that level of stupidity.
It's not what people brag about, it's the social graph itself that's useful. All the other things like photo-tagging are extra candy.
More info at http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/al... and http://nplusonemag.com/leave-your-cellphone-at-home . Sorry it's late out here, or I'd copy/paste the relevant quotes for you--look for the bits about data mining and machine learning, especially in the 2nd article, everything is a signal and they do have the computing power to process it all, apply Bayesian belief nets, algorithms can pull intelligence information about you from the local shape of your social graph that you don't even realize can be inferred from it (humans are not very good at reading complex info from big graphs much further than simple "friend-of-a-friend" relationships).
>in all of our years of experience, only about 1-2% of people coming to us have JavaScript disabled //
I use noscript. When I enable it for visits it's usually by enabling the domain itself and leaving third-party scripts disabled. Depending on your area this could be significant.
Also the possibility of blocking of the scripts by other elements not loading - for example if the browser can't parallelise the requests for some reason and a preceding request can't be handled then the page might be displaying well before the script is loaded, especially if it's loaded at the bottom of the markup.
One POSSIBLE explanation for what Facebook would use anonymous bots for: verifying the advertisement goes where the advertiser said it would go.
Facebook has problems with fraudulent or confusing advertisements. for example, iPad's being advertised for $2, but the user clicking the ad is sent to a penny auction site that bills you $100 when you sign up.... so that domain ends up getting banned, but those advertisers/spammers either create a new domain or they use a redirecting domain that redirects to a non fraudulent domain when they see an Facebook IP (in theory, the Facebook IP would mean it's an intern or Facebook bot checking the URL).
so maybe it's Facebook's engineers trying to verify the ads are going to the place they're intended to go, but they are obviously incorrectly counting them as billable clicks
Back when I was in this industry, generally speaking you would have a graylist of your own IPs that would be ignored by the ad metric system.
Ad networks tend to be very serious about anything measurable - it's easy to lie and once you've lied about one thing, no matter how small, what else have you lied about and to what magnitude?
Could FB do something like this to detect click fraud/misbehavior: FB's ad system only counts a click as valid and charges the advertiser when the browser from which the click originated has js enabled.
OP says only 1-2% of users have js disabled hence FB would only miss out on a relatively small amount of ad revenue instead of massively over-charging.
One thing about Facebook ads, instead of buying clicks to webpages, you could buy likes to your Facebook page. This way you can at least look at the FID of the Like to get some confirmation that the Like you bought was from a real person.
Very unlikely to have been bots from FB, they're not yet quite that desperate. They would be 90% sure of getting busted, and it would be a huge deal breaker for a lot of their clients. A suicide move.
The more plausible reality is that there are just a lot of bots crawling FB fan pages, poorly programmed bots that will just follow every single link they come across. That's very much in line with my personal experience of FB fan pages.
But FB is certainly to blame for not detecting these as bots, and putting ads on the pages they serve them. Hopefully they'll take care of this issue soon.
If I am writing a mechanism to charge for ads based on traffic, one of the first things to QA/write test cases for is fraudulent traffic.
The leap here is from facebook being remotely competent (which is likely), and willfully ignoring checks on certain types of traffic because it benefits them financially.
My assertion is that this is the same class of bad behavior as running your own bots. Note the distinction in 'willful' ignorance.
The distinction between ignorance and intent does not compute.
Yes, we dont need a conspiracy to explain stupidity. The stupidity is the conspiracy.
People arent ignorant, because they are handcapped or something. They are ignorant, because thats the behaviour and excuse we reward. Just be an idiot, dont put in the intellectual effort, and you will be allowed to speak lies and screw every one and every thing.
From a corporate point of view, its the golden ticket. Plausible deniability. We didnt know that our insurance helped finance weapon exports to dictators. We didnt know. We didnt know. Sorry this, sorry that. We're keeping the money though.
I dont think that provable intent should have legal meaning. Because all neglect is intentional, as is ignorance in a world, where every one has the choice to be well informed.
I guess a more general question might be: I marketing on Facebook proving to be worthwhile?
We are just finishing a new iOS app. It will be the first one in our catalog with a "Like us on Facebook" feature. I am skeptical about the value of this feature. Not sure it'll convert at all. Asked a bunch of people who use FB on a daily basis and most told me that they pay zero attention to ads or "likes". Not sure.
380 comments
[ 3.3 ms ] story [ 302 ms ] threadIt's also worth noting that Facebook has given refunds for click fraud in the past. That is if you can actually get a hold of someone in support who will talk to you, which isn't easy.
This is not a case of Facebook using bots to deliberately drive up ad spending. It's merely scummy internet marketers at work, with Facebook failing to detect and prevent them. The phenomenon is mostly present in the US 18-30 male demographic (where all the dating ads are, and where creatives can make or break you).
How do you tell if it's a bot? Just by user-agent string or repeated slamming by IP address, or is there some other technique?
Generally speaking, in addition to the patterns you mentioned (invalid user-agent strings, rapid succession of same-IP access) there are also other patterns, such as failure to load referenced CSS or image files, or 100% failure on Captcha challenges.
"100% failure on Captcha challenges" -- are captchas generally deployed on click-through ads?
Very much so, after all your browser does without you having to tell it to do so. It all depends on whether the hassle is worth it for the bot writer.
Cloudflare has a mode (used in general for DDOS protection) which you can turn on and get stats on how many users pass a Captcha test.
Use http://phantomjs.org/ and the page will loaded by webkit.
The point was mostly that if it is not downloaded, then it's a bot (or any non-browser getter, at least), not that it's not a bot if it does.
Or maybe you were asking for a way to avoid bot detection ? :)
Although they stated they built their own analytics software, so there's also a chance that it wasn't working as they thought it was.
A combination of things. Off the top of my head:
* IP address ranges. Are they all from, e.g., EC2 instances?
* Are images and other content (e.g. CSS) linked from the page loaded? How long does the client take to do so? Are other pages being viewed in line with what you've seen from other users?
* What combinations of user agents are you seeing?
* What's in the headers being sent by the browser? Any foreign language support, or oddities when it comes to not accepting compressed content? Is the referer header always the same? Does it always vary?
* Do you see "normal" user behaviour that indicates activity such as clicking the back button, then clicking the ad again a few seconds later once their brain has kicked in? (nb: not sure if this is possible for Facebook with the way their site works).
* Are there any patterns in the page access times? Is there anything to indicate a cron job is kicking off once an hour at the same time?
Later:
"So we did what any good developers would do. We built a page logger. Any time a page was loaded, we'd keep track of it. You know what we found? The 80% of clicks we were paying for were from bots. That's correct. Bots were loading pages and driving up our advertising costs"
I think they use a different definition of bot. Otherwise they wouldn't have to use a second logger ...
Is this similar, or related to other ad space inflation? I'm reminded of Google (and others)(1) sending out free $75 adwords coupons to easily allow the costs of bids to inflate since it's not my own real money (thereby increasing the percentage of real cash being made on the ads)?
(1)Edited and clarified
The relevance of such a comparison? It's not a one off, as uncommon as we think. Has nothing to do with pointing fingers.
Didn't mean to come across as off topic. To me, if someone upstream and in the past was doing this, chances are it might happen later in time downstream too, and there might be something to see in the forest instead of pointing at one tree or another.
I've used Google coupons, none with anyone else that I can remember. I also spent ads on google way before any other system and remember the 10 cent clicks going up to $1.00 for not much more traffic.
More technical info and data would be nice!
Maybe if they have any employees who follow HN, someone would share more light on the technicals?
Anyways, I don't mind since I'm a small fish, but the longer this goes on, the more it will (hopefully, i might say) blow up into their face(book).
For the username, everyone (including users) is allowed one name change.
Presumably, Facebook can bypass these seemingly arbitrary limitations, but will essentially charge you for the right to do so (by requiring you to have purchased a certain amount of advertising with them).
I'm with you that F must have some restrictions on name change, but it does not seem reasonable to charge money for it.
[1] Imagine a page called "Sun Microsystems - Java" before being buyed by Oracle with a fer thousands fans. I'm sure a hight percent of the fans would not care of have a name change to "Oracle - Java" for example.
Well, apparently there is an exception from this rule. Obviously there is a huge potential for abuse when changing name of a page that has plenty of users. However, allowing only the "money making" pages to do so is a bit of an unfair move in my opinion. Reasonable but unfair.
I wonder if this situation will escalate and fb will publish some explanation. Nevertheless, it is still hard to believe for me that a company with such value would fake clicks at all or in a way that is easy to detect.
https://www.facebook.com/photo.php?fbid=10151098204101337...
After that, it's unclear.
A lot of people also have bots to see who/what is advertising on FB to see what is working, what ad text people are trying, etc. Mostly aff marketers trying to stay ahead of the game. There are also SaaS companies scraping ads and landing pages and selling that data.
I'm sure there are other reasons as well...
I'd love to see someone try and find out though. Any IP doing automated requests of that nature is fair game for a bit of probing IMO.
Obviously the news here is not the loss of business for Facebook, but the fact that a click scam was taking place (if true).
And the click scam, if true, will take away the only way for Facebook to monetize the product. Marketers are not stupid, things like this spread like wildfire.
If true, Facebook should really have anti-fraud measures in place for this kind of thing already, and if they don't, the size of the company in question has no relevance to that.
Worked 3 years in online advertising, dealing with billions of impressions and millions of clicks daily. 80% fraud rate isn't unsurprising, probably is actually higher. Most mature ad networks can easily filter and reject a substantial portion of the fraud, or at least not bill the client for it.
No accusations, but, just food for thought.
Wrote a post about it here: http://peebs.org/148437517
To me, something is off, whether with FB or these guys.
To me, something is off, whether with FB or these guys.
Is it crawlers crawling Facebook? Are they alleging that facebook is doing it to boost revenues?
Their hypothesis seems secure, given that you can't really use the facebook site at all without javascript enabled.
More alarming is Facebook holding their name for ransom for the sum of $24,000 a year!
The game is as jiggy said. Force competing ad buyers to pay for what appears to be non-productive traffic by forcing ad clicks. Since the real views are dominated by false views, the conversion rate on whatever is being sold appears to be horrible. The competitor goes elsewhere, and the scammer maintains access to artificially cheap ad inventory, since there are fewer bidders.
It's a well known problem. Considering AdWords is Google's primary source of revenue, they work hard at it. For a tiny bit more directly from Google, see: http://support.google.com/adwords/bin/answer.py?hl=en&an...
By far the most likely explanation in my opinion. Even if it's not the correct one, some of the traffic is almost certainly these kinds of bots.
I don't really suspect this to be true, Facebook CTR are incredibly low so if they are faking it they are doing it badly.
I suspect the most likely reason is some sort of spam scraper thing that visits every url or something. I would have assumed Facebook would be well protected against this sort of thing in regards to charging advertisers.
So Facebook is knowingly profiting from this, and they have the resources to fix this...but they don't since this is making so much money for them.
[1] Bot registration on FB is really easy. If you try register 100 fake users in direct way you need to deal with javascript and web forms with strange ids, cookies and so on in your script. But if you enter fb.com without enabled javascript, they ask you change browser or use mobile version, which is not require* js at all.
[2] You can register number of accounts from one ip without CAPTCHA
[3] Only one "difficulty" is to find batch of emails, it is not that big issue since we have services like mailinator.com.
So 15 -25 loc script on python do all your job. It is not required use any tools like selenium or special skills , only basic understanding how http get/post works.
Why fb doing all this super easy bot registration stuff? I think we all know why.
Edit: spelling. Sorry non native English speaker here
The article implies they could be used by facebook or competitors to burn up ad revenue, but this approach would just kill the golden pay-per-click goose.
[1] You can win a bunch of contests, competitions like those who have lot of likes can win iphone or other tech.
[2] You can sell likes.. just google and you will see, there are alot of places where you can buy it.
[3] Manipulation of public opinion.
Edit:
From FB side:
[1] they still have growth of users
[2] more bots == more clicks, more likes more FB value "on paper", more revenue
[3] and when they stabilize their market value they can easily kill those bots, just require them activation by phone.
vk.com Russian social network, had same issues, but they enabled phone activation for averybody and its not that easy to buy a lot of phone numbers in Russia, but some hackers just pay to vk.com admins...
Edit2: spelling
What they (Facebook) are doing now seems to be some version of DADT (Don't Ask, Don't Tell).
Does me pointing out the barely shrouded subtext mean that I believe what they are saying? Of course not. It's just as likely, it seems, that their test is simply flawed (as others said, let's see the technical honey trap), that it's some other technical fault, etc. I highly doubt, just on intuition, that Facebook is running such broken bots: Come on, they'd do a better job than make something so easily detected.
That to me sounds like FB is aware of the issue and isn't interested in discussing it. That's the subtext imo.
My own suspicion would be because someone is gaming their ads and they haven't been able to prevent it as of yet, and not because they themselves are gaming the numbers. No doubt they believe that discussing it is tacit admission that they haven't been able to prevent it, which is bad for business.
And it doesn't matter who it is, because they're leaving for a different reason: Facebook never returns their calls unless it's with an offer of extortion.
Advertisers monitor to see performance on the other end, and when the campaigns don't yield actual success they move on.
The only real exception to this are mega-brands that advertise just to build namespace. Everyone else expects direct action from some hefty percentage of their ads.
Imagine a 100 person company with 5 people dedicated to advertising. Leadership says to increase on-line presence. Some recent college grad on the advertising team buys FB ads. Next month leadership is pleased that they're advertising on Facebook. Also leadership is pleased that sales increased x%. The FB ads could be completely worthless. Some non-trivial percentage of clicks could be from bots and no one would notice.
Most ads target a specific outcome: You buy a product, create an account, joining a mailing list, etc. Even the most technically incompetent advertisers establishes these fundamental metrics such that they can say "I spent $1,000,000 on Facebook ads and only got ten signups. I spent $1,000,000 on iAds ads and got ten million signups." That sort of thing.
Assuming the problem is as bad as many are saying, I personally think it's fair to draw the same conclusion you have -- running and letting run a botnet is one and the same. It's costing other businesses money; it's too big for Facebook to be able to play dumb on the issue.
That doesn't seem like a very sustainable strategy though.
Does anyone know what kind (if any) of anti-bot measures Facebook already has in place for paid advertising?
How much traffic are we talking about? Where were the bots coming from and how were they detected?
---
Hey everyone, we're going to be deleting our Facebook page in the next couple of weeks, but we wanted to explain why before we do. A couple months ago, when we were preparing to launch the new Limited Run, we started to experiment with Facebook ads. Unfortunately, while testing their ad system, we noticed some very strange things. Facebook was charging us for clicks, yet we could only verify about 20% of them actually showing up on our site. At first, we thought it was our analytics service. We tried signing up for a handful of other big name companies, and still, we couldn't verify more than 15-20% of clicks. So we did what any good developers would do. We built our own analytic software. Here's what we found: on about 80% of the clicks Facebook was charging us for, JavaScript wasn't on. And if the person clicking the ad doesn't have JavaScript, it's very difficult for an analytics service to verify the click. What's important here is that in all of our years of experience, only about 1-2% of people coming to us have JavaScript disabled, not 80% like these clicks coming from Facebook. So we did what any good developers would do. We built a page logger. Any time a page was loaded, we'd keep track of it. You know what we found? The 80% of clicks we were paying for were from bots. That's correct. Bots were loading pages and driving up our advertising costs. So we tried contacting Facebook about this. Unfortunately, they wouldn't reply. Do we know who the bots belong too? No. Are we accusing Facebook of using bots to drive up advertising revenue. No. Is it strange? Yes. But let's move on, because who the bots belong to isn't provable.
While we were testing Facebook ads, we were also trying to get Facebook to let us change our name, because we're not Limited Pressing anymore. We contacted them on many occasions about this. Finally, we got a call from someone at Facebook. They said they would allow us to change our name. NICE! But only if we agreed to spend $2000 or more in advertising a month. That's correct. Facebook was holding our name hostage. So we did what any good hardcore kids would do. We cursed that piece of shit out! Damn we were so pissed. We still are. This is why we need to delete this page and move away from Facebook. They're scumbags and we just don't have the patience for scumbags.
Thanks to everyone who has supported this page and liked our posts. We really appreciate it. If you'd like to follow us on Twitter, where we don't get shaken down, you can do so here: http://twitter.com/limitedrun
That's actually an interesting proposal-- 100% of the time when I click on an ad, I didn't mean to and I try to close it before it has a chance to annoy me.
Probably doesn't make sense on a large scale, but it's something to consider.
Someone's grandmother miss-clicking and then mashing back is about as useful to the advertiser as a bot. conversions are where it's at. Poor quality traffic / bots / it's all the same. the advertiser quits paying
http://pastebin.com/raw.php?i=HHeY5nP1
$ curl -s http://pastebin.com/raw.php?i=HHeY5nP1 | md5sum 7b69269bd0e25daa8e8b171e5d513011
They reinvented the access log? By hand? Are people really that detached from how servers work?
Or they might have indeed reinvented it. Kids these days and their Heroku! Back in my day we'd process each HTTP request by hand. And we'd do it uphill both ways in the snow.
It was the proper add-on to the previous comment kids today don't learn awk. Becuase they have Perl, Ruby, and Python which are supersets of the unix command line tool set. Awk was the king in the years before Perl.
I never really learned to use cut, so I sitll use awk for one-liners the deal with columns in delimited-data text-files.
Most of the parsing required for the logfile analysis I describe is written in awk, and goes through roughly 1 million lines of logfile in about 75s on a commodity 2Ghz Intel Xeon.
Pre-caching of host lookups is done via xargs and a suitably high '-j' value. Running on a pre-sorted and de-duped list of IPs, this takes another few minutes. Lookups are read into hash tables for faster processing in the main awk parser (avoids system calls, DNS latency, and especially negative result caching failures).
It's fast and simple. Not a 100% solution, but quick to add bits to over time as new needs arise.
Anyway, it's pretty irrelevant whether they added logging in their app (one line of code?) or enabled their webserver's built in logging.
Since the user is on facebook they'd have facebook unblocked, but noscript still blocking everything else.
How would you discern a noscript user from bot?
"...in all of our years of experience, only about 1-2% of people coming to us have JavaScript disabled, not 80% like these clicks coming from Facebook."
For example, target something for the Reddit.com users and you'll see 90%+ block ads.
With facebook granular targetting you could very specifically end up with a target segment with a large proportion of noscript type plugin users. Without more details on their campaign I would not be so quick to place blame purely on bots.
And even among the most technically literate groups, I'd be amazed if you saw 80% use of noscript. So many sites require javascript that it's easier to browse with it enabled.
There are a few tricks to do that, described on the old ha.ckers.org weblog, or perhaps on the related sla.ckers.org forum. No idea if they still work, though ..
You could always see if you could trigger NoScript's built-in XSS or frame hijacking protection :) Bots will not notice, and users get a scary warning message and believe your ad is trying to hack them. Not good for your conversion rates, but a pretty sure way to tell them apart.
Depends how far they went profiling their visitors, it clearly says in the article they were tracking if js was enabled, so yes, you'd need to roll something or another by hand. GA relies solely on js for example.
And then compare in the log.
I am not familiar with how things work on FaceBook, but I would think that FaceBook users do not have access to the logs that FaceBook's servers write.
And so it seems that Facebook could be proven to be the new groupon.
I would absolutely not be suprised if the hits were FB bots - however I'd expect they wouldn't be that directly stupid so as to have an Ad-bot net in house. Surely this is some service they outsource for plausible deniability.
Something they would have learned from their relationship handing all user data over to the NSA/CIA.
EDIT:
I'd like to make a prediction on how this could potentially play out:
1. FB ignores them. They have nothing to do with this issue and they know the bots are tainting traffic - but they can't/wont do anything about it because it boosts their revenues.
2. FB may or may not be involved in the ad-bots, but, they will drop their $ contingency on ad-rev for the name and payout these guys to shut them up. Their stock was improperly priced and taken a beating. They don't want this coming to light in a large way as it will have a negative affect on the perception of their business model. They hav to be kind of careful of the Barbara Streisand effect here too...
3. Many more people will reveal the same results with empirical testing and it will be revealed that FB earnings are 80% over inflated. Their stock will drop to the predicted real value of <$10... maybe hit that actual projected number of $7.00 - Zynga will BEG FB to purchase them as they are now a penny stock and they can't sustain.
And that they are doing this using experience from working with the NSA/CIA in order to cover up the fact that $800 million dollars of Facebook's yearly profits will disappear overnight once people realise the truth. And as such they are willing to pay out the ad-bot companies in order to hide this conspiracy.
Right.
What about the farking article? Where they proved that 80% of their clicks were from bots. Then several others confirm they ahve the same experience?
What about those facts?
I also speculated on what FB is doing. Them giving user data to the NSA/CIA - that is a supposed fact, sure, but I am not the only person who believes this.
Am I extremely distrustful of Facebook? Of course! Maybe you have not followed their track record or the character of their founder.
> I also speculated on what FB is doing. Them giving user data to the NSA/CIA - that is a supposed fact, sure, but I am not the only person who believes this.
Great argument! A lot of people believe it, so it must be true! Are you for real?!
And the backdoors in Cisco's equipment that are a requirement by the federal government?
Maybe you thin this shit is "conspiracy theory" and if you do, you're simply a naive fool.
Look around you at what governments are doing. The NSA has records on everything you do online. They had a system in 2005 which could trace communications between users to 6 degrees, automatically.
I know a couple of guys like you in my local activist community, who take a very hostile "I know the truth and you're all fools!" attitude, despite the fact that their audience is mostly very sympathetic to most of their assertions. We know spying on the Internet takes place; HN is full of cantankerous old Internet geeks who've seen, first-hand, plenty of examples of the state (whatever state you may choose, as it happens all over the world) behaving unethically on the Internet, spying on people and punishing people for things that shouldn't be crimes.
But, your paranoid approach is counter-productive. You might as well be working for the people you claim to be afraid of, for all the good you do (negative good; you're convincing people that the folks who believe the government is spying are all paranoid nutjobs who scream at anyone who has the gall to mention other possible explanations).
So, let's review:
1. Just because spying has taken place, and is currently taking place, and may even have the complicity of facebook in that spying, it does not mean that facebook is running a botnet to steal advertiser dollars. The simplest explanation is that facebook looks the other way while others run the botnets. facebook wins (a lot, as long as most advertisers don't know it's happening), botnet owner wins (a little), and the advertiser loses. But, there are other plausible explanations, including incompetence.
2. When you paint things in a "Either you accept my theory in its entirety, or you're all idiots", you force people to choose a side. Nobody wants to be on the same side as an asshole, so you force them to choose the other side. You make people who may even agree with you (to a greater or lesser degree) to begin to formulate plausible reasons for why you're wrong about the crazier stuff you're spouting...further convincing themselves that you're entirely wrong. The best you can hope for is people ignore you and don't have the chance to be inoculated against your ideas; having you as their first exposure to these concepts guarantees they will be less likely to believe them in the future, even if they come from a more credible source. Humans are funny creatures.
Thus, I would point out that there are some really naive and stupid people on HN that have zero grasp of effective argument, persuasion, and even basic logic.
You might be well-served by reading about non-violent communication: http://en.wikipedia.org/wiki/Nonviolent_Communication
Edit: Removed the word "schizophrenic" as it was an insensitive use of the term, and was counter-productive to making my point.
Really, now I am a paranoid schizophrenic?
Just because I make claims which are readily confirmed and were completely available in the media - even the EFF filed suit on the AT&T events...
Yet, for some reason, it is my responsibility to educate everyone every single time someone new comes along who hasn't been following these things closely.
Now I am a paranoid schizophrenic?
Also, its a strawman to focus on my tone, rather than content. You're trying really hard to be overly pedantic and, frankly, an asshole.
Thanks for the link on communication.
When I was talking about China hacking lockheed as far back as 2005, everyone said I was nuts! (I freaking worked at lockheed!)
There needs to be a better way to log and track this stuff so that we can point people to some sort of Tyranny Wiki.
You obviously have a vested interest in seeing your "message" be received, so stop ignoring what people are telling you about your tone and change it. Figure out what it is that people do listen to, or else you have no one but yourself to blame when they take issue with your tone.
To wit: Your tone is defensive. Pejoratives and cursing undermine your expression. What you are effectively telling people is that your thoughts are not important enough to merit self-restraint. Detailed explanations following assertions are also helpful.
FWIW, I work in the performance marketing industry and, IMO, the most complicity facebook could be said to have in this issue is in not placing a sufficiently high priority on preventing bots from clicking on their ads. Even if it is a sizable project there, they represent such a large target that the difficulty of the job becomes much greater. I see no salacious story here, other than a company found itself unable to optimize a campaign into profitability, which I think says more about them than facebook. Ho hum, find a different traffic source and move on.
However, I will point out that with respect to your comment on FB's complicit actions due to the daunting nature of the problem, this does not take into account their other actions of a 24K ransom on the domain.
Everyone can argue in any direction they want - but neither me nor anyone else is really going to know until we get further down this path...
In my defense, schizophrenia runs in my family, and I'm very familiar with it...I don't think of it as an insult. But that's a local custom in my family that I shouldn't think follows in the rest of the world.
I do not know is it applies to FB, but those who have like 100k bots have some power too.
[0] http://imgur.com/Vvkbx screenshot in russian
Edit: spelling Edit2: proper link
Also given FB users' aversion to ads this whole issue could be explained by users just clicking the back button. Ad supported sites have trained users to do three things very well: install adblock, habitually ignore ads, quickly click away from any interstitial or unexpected ads like on Hulu.
Another note on the "back button": I recently discovered the awesome power of "three-finger swipe back button" on Macbook trackpad. So it's possible users can "click" back even faster than before. I can and before the swipe I was well-trained in the art of "CMD back arrow" :-)
Also, FB may not have much of a choice to comply with those agencies, or find themselves pissing off a lot of high level people by refusing to comply with government agencies. But outsourcing / tolerating a network of bots to vastly boost revenue is probably considered fraud, no?
It's not what people brag about, it's the social graph itself that's useful. All the other things like photo-tagging are extra candy.
More info at http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/al... and http://nplusonemag.com/leave-your-cellphone-at-home . Sorry it's late out here, or I'd copy/paste the relevant quotes for you--look for the bits about data mining and machine learning, especially in the 2nd article, everything is a signal and they do have the computing power to process it all, apply Bayesian belief nets, algorithms can pull intelligence information about you from the local shape of your social graph that you don't even realize can be inferred from it (humans are not very good at reading complex info from big graphs much further than simple "friend-of-a-friend" relationships).
I use noscript. When I enable it for visits it's usually by enabling the domain itself and leaving third-party scripts disabled. Depending on your area this could be significant.
Also the possibility of blocking of the scripts by other elements not loading - for example if the browser can't parallelise the requests for some reason and a preceding request can't be handled then the page might be displaying well before the script is loaded, especially if it's loaded at the bottom of the markup.
Facebook has problems with fraudulent or confusing advertisements. for example, iPad's being advertised for $2, but the user clicking the ad is sent to a penny auction site that bills you $100 when you sign up.... so that domain ends up getting banned, but those advertisers/spammers either create a new domain or they use a redirecting domain that redirects to a non fraudulent domain when they see an Facebook IP (in theory, the Facebook IP would mean it's an intern or Facebook bot checking the URL).
Here's an example of the penny auction crap http://www.fastcompany.com/1771099/facebook-spam-ads-damage-...
and an example of manipulating the landing page URL with a redirect http://www.larrylim.net/seo-online-marketing/facebook-ads-pr...
so maybe it's Facebook's engineers trying to verify the ads are going to the place they're intended to go, but they are obviously incorrectly counting them as billable clicks
I know facebook doesn't have the best reputation for careful engineering but that's quite a stretch.
Ad networks tend to be very serious about anything measurable - it's easy to lie and once you've lied about one thing, no matter how small, what else have you lied about and to what magnitude?
OP says only 1-2% of users have js disabled hence FB would only miss out on a relatively small amount of ad revenue instead of massively over-charging.
The more plausible reality is that there are just a lot of bots crawling FB fan pages, poorly programmed bots that will just follow every single link they come across. That's very much in line with my personal experience of FB fan pages.
But FB is certainly to blame for not detecting these as bots, and putting ads on the pages they serve them. Hopefully they'll take care of this issue soon.
This is very, very bad.
If I am writing a mechanism to charge for ads based on traffic, one of the first things to QA/write test cases for is fraudulent traffic.
The leap here is from facebook being remotely competent (which is likely), and willfully ignoring checks on certain types of traffic because it benefits them financially.
My assertion is that this is the same class of bad behavior as running your own bots. Note the distinction in 'willful' ignorance.
Yes, we dont need a conspiracy to explain stupidity. The stupidity is the conspiracy.
People arent ignorant, because they are handcapped or something. They are ignorant, because thats the behaviour and excuse we reward. Just be an idiot, dont put in the intellectual effort, and you will be allowed to speak lies and screw every one and every thing.
From a corporate point of view, its the golden ticket. Plausible deniability. We didnt know that our insurance helped finance weapon exports to dictators. We didnt know. We didnt know. Sorry this, sorry that. We're keeping the money though.
I dont think that provable intent should have legal meaning. Because all neglect is intentional, as is ignorance in a world, where every one has the choice to be well informed.
Much like the multiple account issue, it's beneficial for Facebook to turn a blind eye. That is, unless it escalates into a PR issue.
We are just finishing a new iOS app. It will be the first one in our catalog with a "Like us on Facebook" feature. I am skeptical about the value of this feature. Not sure it'll convert at all. Asked a bunch of people who use FB on a daily basis and most told me that they pay zero attention to ads or "likes". Not sure.