A Thorny Issue: Detecting Mobile Search Click-Fraud
Search engines, Internet Yellow Pages and other mobile service companies are looking to aggressively deploy applications and advertising through wireless devices, and the iPhone has heated up the intensity another notch. Both Google and Yahoo claim a spike in local search queries coinciding with the iPhone’s launch, indicating that both companies continue to perceive their […]
Search engines, Internet Yellow Pages and other mobile service companies are looking to aggressively deploy applications and advertising through wireless devices, and the iPhone has heated up the intensity another notch. Both Google and Yahoo claim a spike in local search queries coinciding with the iPhone’s launch, indicating that both companies continue to perceive their mobile space presence to be a strategic priority. But all the big players have already been pushing towards providing more mobile services even before the iPhone’s advent.
The mobile space seems to be a particularly ideal medium for local advertising, and mobile local search appears to be poised for a potential explosion of user traffic coupled with advertising opportunities of some sort. Marketers’ expectations and demands are geared towards ad products which function similarly to the dominant internet ad model: Pay Per Click (PPC). But there are some technical weaknesses inherent to using PPC in mobile, and few seem to be aware of them.
Mobile search is considered one of the greatest opportunities for the future growth for local advertising, even though the current traffic through any single wireless provider seems insufficient for most companies to consider doing local-specific targeting. During the Local Search Marketing Tactics session at the recent SES Conference, I asked the panelists what they thought of mobile advertising and they stated that they didn’t really see sufficient potential yet in any one advertising provider for mobile. Michael Boland reported a similar statement from the Mobile Optimization panel at the conference:
"…there aren’t enough users of WAP-based mobile search for some businesses to waste time and money building a separate mobile website. Unless you are MySpace or ESPN, this could be premature."
Mobile usage has been considered the next great frontier in interactive marketing, similar in some ways to the initial commercialization of the internet itself. The potential is still mostly speculative at this point, but people have been expecting mobile phone usage to spike in the US and Europe, based upon the consumer acceptance seen in the more technologically-precocious Japan. (See Greg Sterling’s commentary on this at the beginning of his article on Segmenting Local Mobile Search).
Analysts are prognosticating both "The future of local search is mobile…" and "The future of mobile search is local…". The two are tied together at the hip, and even if the ROI isn’t there yet, most are paying close attention in order to be ready the moment the value hits some subjective measure for critical mass.
While each of the mobile network providers have been holding obsessively tight control of their siloed user base and have attempted to control/limit the content delivered to their users, all of the major players in this area have been working to set themselves up as the middlemen for bringing consumers together with businesses in the mobile space. As all the search engines, IYPs, and other content providers are gearing up to compete in mobile, they’re trying to apply successful business models to the industry as well, and one of the best models for monetization is the use of Pay-Per-Click (PPC) advertising.
But, there’s something of an eight-hundred-pound gorilla in the room where mobile PPC ads are concerned, and that gorilla could threaten the nascent industry. In all the rush to deploy ad products, there hasn’t been a whole lot of effort to prepare for best practices needed to protect advertisers, and some serious holes are left in the technology. PPC as a product concept works well, but from a technical perspective it doesn’t work the same on wireless platforms as it does on the web.
Content delivery on cellular platforms actually reduces a few of the signals that the internet industry has been using to filter out invalid or fraudulent clicks.
I’m not sure that many advertisers are aware of the issue, and the silence on the side of the ad networks is concerning — perhaps they hope the eight-hundred-pound gorilla’s presence will remain invisible to businesses who advertise — a sort of "see no evil, hear no evil, speak no evil" approach. Yet, if we know anything about the information age and internet technology, ignoring a problem in hopes that others won’t notice won’t help, and can damage the industry before it’s properly out of the starting gates. Expecting advertisers to stay docile and in a state of blissful ignorance is at best naive, and people who try to exploit systemic weaknesses for the sake of personal gain will almost certainly already be familiar with these security holes. I think a better approach would be for the industry to proactively address the weaknesses with an accepted standard for what should be acceptable in click accounting for mobile, and they should spell out for advertisers how they’ll address a few of the problems inherent in applying the current system to mobile ads.
There are a few primary signals that are not available on a large number of wireless devices, which have been commonly used in detecting invalid and fraudulent clicks in the regular internet space.
Click-Fraud Signals Lacking in the Mobile Internet:
- Cookies. Many older wireless devices do not support cookies, and contemporary devices that do may have a very low limit on how many total cookies may be stored on the devices (such as only four). Users themselves may be able to adjust mobile browser settings to disable the cookies. So, cookies may not be available for the purposes of identifying and differentiating individual users.
- IP Address. All internet browsing devices must have IP Addresses, right? Wrong, sort of. Mobile users can connect to the internet, but their carrier provides radio signal connectivity between the users and their local cell tower. And the cell tower likely connects through telephone land lines to a central proxy server which then connects up with the internet. That central proxy would make all cell users on a particular carrier appear to come from the same IP address when requesting pages and content from the internet.
- Geolocation. Since a number of geolocation data providers can only map users through geographic locations associated with their IP Addresses, this signal may not be available, either. The typical geolocation data for a user’s click might reflect the wireless provider’s internet proxy server location, instead of the actual location of the user. (Some geolocation data aggregators are including wireless device data, as I previously mentioned in my article entitled "Geolocation: Core To The Local Space & Key To Click-Fraud Detection", but it’s notable that the wireless geolocation data is frequently dependent upon an opt-in on the part of the user. For instance, on my Verizon Wireless Treo PDA, the setting for "Location Privacy" is set by default to "911 Only", so my geolocation isn’t broadcast along with my usage of the phone’s features.)
Cookies, IP Address, and Geolocation are all some of the primary components that are used by ad networks to identify individual user requests (ad clicks). These components are used to help verify if an ad’s click comes from a single individual versus thousands of individuals. For instance, in classic PPC ads, if a campaign received thousands of clicks on a particular day, and all those clicks came from a common IP Address and/or cookie ID, it would be very strong evidence that the clicks were fraudulent — one computer issuing automatic click requests. Further, if the advertisers’ products were only offered for sale in America, and thousands of clicks were pouring in from China, one would suspect another bot, or a sweatshop full of people paid to click on ads all day long…
Some of fraud detection’s secondary signals could get messed up in this as well. Various types of heuristics and fraudulent click pattern recognition processes might also be based upon being able to identify one individual versus another, and these methods could be rendered useless when the classic signals for individuality are not present. For instance, one or two clicks from a single user in a month could be natural. But, if you had on click per day across a month, it starts to look fishy.
Now, some carriers may be able to make up for the loss of the IP address in some way. After all, each wireless provider must have the ability to tell one cellphone user apart from another for billing purposes. Those carriers might be able to pass some unique identifier over to the ad network such as the user’s account ID, and the user’s phone number or an encrypted version of their phone number. Unfortunately, encrypted phone numbers and account IDs are likely not equivalent in worth to IP addresses, because the ad network would have no way to properly audit the individual user identification to ensure that they’re not being cheated — such as by delivering fictitious ID numbers along with automated clicks. If they passed the users’ phone numbers, that would be ideal, since the phone numbers could be actually called if in-depth auditing were conducted in order to ascertain that each number represented an individual user.
I’d assume that some of the carriers would refuse to provide the bare phone numbers to their partners for competitive reasons, or due to internal business rules set to safeguard consumer privacy and protect from telemarketing calls. So, the phone number might not be allowed for use in click assessment due to legal reasons or internal business rules.
Naturally, the carriers should also be able to provide the ad network with an API to provide back geolocation data through cell tower triangulation, or through GPS-enabled devices. But, this approach would likely only be available through a handful of carriers, and currently would be effected through use of a different data format or method with each separate provider since there is no declared industry standard. And, it still might not be sufficient since consumers might not have opted into exposing their location through the phones.
Now, the risk of actual fraud may be pretty low with mobile at the moment, since the wireless providers and the companies providing service through them are likely all reputable companies who will not expose themselves to liability by purposefully cheating advertisers. But, the point is that those companies will be paid referral fees for the ads they may deliver through the devices, so there’s an inherent conflict of interest in blindly trusting them to not artificially increase ad clicks. If they’re only providing their own internal account IDs or encrypted phone numbers as the uniquely identifiable element for differentiating users, we pretty much have to just trust that they’re not artificially generating those ID parameters without being able to independently audit them. And, as regular, non-mobile-specific web pages become increasingly browsable through devices like the iPhone, clicks from wireless users on the regular internet ads running on those sites could be exposed to slightly higher levels of non-detectable fraudulent activity.
The famous "Lane’s Gifts v. Google Report" written by Alexander Tuzhilin (Tuzhilin was called in as an independent auditor to vet Google’s methodology in detecting invalid clicks) doesn’t mention all the specific signals and methods Google uses in detecting click-fraud, because as he says, "…if Google discloses this information, it opens itself to click fraud on a massive scale because, by doing so, it provides certain hints about how its invalid click detection methods work. This means that unethical users will immediately take advantage of this information to conduct more sophisticated fraudulent activities undetectable by Google’s methods." This is true for Google just as it’s true for Yahoo! and the other ad networks.
However, the advertising industry at large knows that at least some of the signals used are most likely to be based upon IP addresses, Cookies, and Geolocation. Since these basic signals are not consistently present in wireless devices, I think it behooves the industry to publicly state a standard method for individually differentiating the mobile users. As things currently stand, actual practice is likely all over the map, with different methods pushed by each of the different wireless carriers themselves. With everyone beating down the doors to be allowed access to the customer base of these wireless providers, the providers are in a position to push solutions that are easy/advantageous for themselves — motivation that could be at odds with being held properly accountable to represent advertisers’ interests.
The lack of a basic degree of transparency coupled with no industry standard could undermine advertisers’ trust before the mobile ad products have had a chance to evolve up to the level of best practices found in regular internet PPC ads. And, there’s already a nagging mistrust by many of the existing click-fraud detection ability of the industry which can’t be escaped due to the limits of technology and the need of the ad networks to keep their detection methods secret. As Tuzhilin states it, "…the validity of a click cannot be detected by technological means with any reasonable measure of certainty." (I paraphrased)
Since there’s an inherent technical barrier to knowing for certain whether clicks should be considered invalid or fraudulent, there’s no way to absolutely test the ad network’s methods for detecting and filtering clicks before charging advertisers. As such, we must trust that they are using best methods for click assessment, and it’s common knowledge that they’re using IP Addresses, Cookies and Geolocation as some of the primary signals for building those processes. With mobile, we currently don’t know what the basic building block of identification is, and we need to hear what the standard should be in order to for us all to have at least the same level of confidence that we have with the current PPC model.
This issue of a weakened ability to filter invalid clicks for mobile ads is likely something that will be addressed to some degree by the Mobile Advertising Committee of the Internet Advertising Bureau. But, that committee was only announced in October of last year, and it doesn’t appear that any guidelines for mobile advertising have been released from them as of yet. We should hope that when guidelines are released, they will include specifics on how user identification should be accomplished. Frankly, the time for publicizing a standard is now.
Until then, what should businesses and ad agencies decide about getting involved in mobile advertising? Well, caveat emptor. There is some value to be had in the mobile search space, particularly for local businesses, and companies need to prepare for the growing potential in the channel. Get your feet wet in it, but perhaps treat PPC in mobile as more of a brand-building exercise for now, since it will be hard to assess conversion rates and ROI. Pay-for-Call ads can be highly trustworthy in this space, and for now are the only dependable method of assessing the ROI of mobile ad campaigns.
I also recommend attending the SMX Local & Mobile conference coming up very soon in early October if you’re interested in learning more about the technology and promotional opportunities in this space.
Opinions expressed in this article are those of the guest author and not necessarily Search Engine Land. Staff authors are listed here.