Pay up or we’ll make Google ban your ads (krebsonsecurity.com)
831 points by akeck on Feb 17, 2020 | 297 comments

When I ran a brick and mortar business, we ran Google Ads to get bookings, and we could always tell when our ads weren't running, met their budget, or were not running for some reason because our bookings would effectively drop to zero since 2 other companies had better organic SEO than us.

THEN, one of our other competitors started outspending us a bit in Adwords. It hurt, but wasn't the end of the world because we could afford to spend just a little more.

However, it seems that as soon as we went over a certain amount, our budgets started getting exceeded by about 10am in the morning.

But our competitor's ads kept going.

We contacted Google to find out what was going on. None of these clicks were even resulting in business, contacts, nothing. So we assumed the worst, our competitor was having someone click all our ads.

This process started the downward spiral for our business. Not being able to stay live in Adwords long enough to get any new business was devastating and I sure as heck wasn't going to participate in clicking on my competitor's ads because that's fraud as far as I know. SO, we just suffered and I couldn't get any support from Google.

In other news, the business has been closed for a year and Bing still lists it as open with photos, etc. We've tried marking it closed OVER AND OVER again and nothing is changing. We finally got on the phone to them and they actually said they can't change the search results. It's irritating to see a year old business open on Bing that's closed everywhere else.

Clickcease.com is an Israeli company that helps prevent this. It’s a common tactic in high cost keyword industries like locksmiths.

Sorry to hear about your experience. That sucks.


Locksmiths are now a restricted business as grey hat marketers figured it was an industry with a high ticket price and autonomous demand, and the search term was always "locksmith <city>" - so they set up sites that would flood the results, demand payment upfront for a call out, and then have a virtual assistant forward the business on to an actual locksmith in the city - essentially scooping hundreds of dollars for doing nothing but obfuscating who the real locksmiths are and forwarding the leads on to them.

Even the real locksmith businesses are pretty shady. CBC Marketplace recently had a story about fake locksmiths in the GTA.

Flowers are the same as you describe. It's depressing to see how easy it is to make money if you're a total scumbag.

So I get that this is sleazy, but why is it google’s job to stop this? How is this different from any other type of middleman living on referral fees?

It's Google's job to make sure their customers (people using the search engine) have a good time. If they're getting scammed after clicking an ad, people will learn not to click ad links and/or migrate to a different search engine, which will hurt Google's business.

Disclaimer: I work for G, but not in search or ads. Opinions are mine.

> customers (people using the search engine)

That's their product. Their customers are the people buying ads.

That is a popular soundbite meme but "product" is a misleading conflation as a rhetorical bludgeon.

The people using their search engine are really more customers who pay input for service. The company sustains itself by processing the product and selling it to another group of customers pay- which is a significant difference as they have agency.

Look at the game free to play model and why pay to win is doomed to failure. There may be "whales" - the customers who pay significant amounts of cash but they demand the free players as content effectively. If a pay to win content is sold and drives off the free to play the whales will follow for lack of content. Proper "product" would be game AI or employees as a "rented" or "spoiling" product equivalent. The free players are customers who provide input mediated through the game server to create a product which is sold to cash customers.

Despite the dystopian rhetoric the input customers aren't like livestock because they aren't transferable, have the agency and can meaningfully opt out.

Bing can't just buy 10 m billion users from Google to try to improve their user base. They need to get their user base directly no matter how they reach them.

That doesn't change the argument. If their products get scammed after clicking an ad, people will learn not to click ad links, and Google loses their product.

This doesn't refute the argument at all though. Regardless of what you want to call people surfing the web and the companies buying ads, it's a problem if ads are scammy and fewer people start clicking them.

Is it really that sleazy? Any service-based company is built on charging their customers more than what it costs to actually do the service. In this case, the service is finding a locksmith and directing them to your location. If someone can find a way to get in front of customers for that, then more power to them - that's the business model for any directory.

Google itself is doing much the same thing and profiting from it. They have become the go-to source for many people looking for a locksmith, when there are other ways to find them.

Maybe there's more to this than has been described, but on the surface, it seems like a common business model.

So if Clickcease.com can help prevent this, why on earth can't Google itself help prevent this?

According to ClickCease:

> Doesn't Google prevent click fraud?

> Google does detect click fraud, but does not prevent it. Instead, Google will give back credit to your account days after the fraud took place and only after you claim it. The immediate result would be that your ad budget would be exhausted and your ad will not be online for hours or even days. In addition, Google's click fraud characteristics are identical for all advertisers. While 10 clicks from the same IP address in a period of a day is completely normal for one advertiser, another might see this as nothing but click fraud. ClickCease will keep your ad online and will configure the service to best suit your business needs.


While this might be true a percentage even maybe a majority of the time, in my experience they don't just send money back to you. I had google's adwords people tell me it's not certainly click fraud, there are all kinds of possibilities where actually different people are clicking on the ad like if an article goes viral lots of people could be clicking over from there.

These were clicks I knew well, as we ran groups of ads from several businesses in the areas that all did the same thing. I knew by the pattern, there was no way 200 people from 8a -9a clicked over to this business's ad, and could also tell by the lack of calls / appointments.

The real kicker was these ads are limited to only show basically along a 5 mile path of highway, very few rooftops in that area - as to get mobile searchers on that side of town - so they were convinced hundreds of people driving down the highway had all clicked over for info and no appointments while driving.

They said no proof, no refund, have a nice day.

Clickcease has an incentive to prevent this, as it's their entire business model. Google has an incentive to let it happen, because it makes them more money by forcing people to keep outbidding each other. As long as Google ads are so ubiquitous that it isn't very feasible to just stop using them, then Google has no reason to stop this abuse.

Google has a very strong incentive to stop fraud and has entire departments dedicated to fighting ad fraud.

Rampant fraud = lack of trust in your product/service, which can destroy your whole business. The internet fraud you hear about is only the tip of the iceberg, and there's much more of it that is prevented by various companies (either Google, Cloudflare, etc.)

I think you're overselling how much Google cares (or needs to care) about trust.

They dominate search traffic (in the markets/countries they exist for). Businesses don't use AdWords because they "trust" Google. They suffer through using AdWords because it's the only game in town.

This article is from 2015: https://adage.com/article/digital/inside-google-s-secret-war...

"If advertisers believed the company's operation were fraud-filled, they could take their money elsewhere and the business would falter."

That's it, in a nutshell.

(and if they had 100 people working on this in 2015; you better believe that number is much higher now)

> This article is from 2015 ...

Maybe Google had more competition in 2015.

Although I find even that difficult to take seriously.

Where else would they "take their money"? Facebook? I doubt that Facebook ads show up in web searches.

A lot of people probably see more Facebook ads than Google ones. And Facebook knows a lot about users, probably including some things that Google knows less reliably. The relevant problem is, do they seem any less scummy?

> elsewhere

And where would that be, exactly?

Google really doesn't care as long as they get paid. They only self-regulate the absolute minimum. I just got this ad in gmail (presented as an email except for the little 'ad' badge): https://imgur.com/xHr7E3e

It's in Dutch, but it's the typical misleading, copyright infringing ad you would find on shady porn sites.

Why does Google allow this ad? Don't they have the competence to filter it? It's the same company creating a great spam filter on gmail and leading in a lot of AI fields. Surely they could. But they just don't care when they get paid for it.

On the other hand, when they don't get paid or it negatively affects them, they're always happy to make changes "to protect the users" (e.g. changing chrome so adblock plus stops working etc.)

> Why does Google allow this ad?

The most simple explanation is because they make money with it, and get away with it. A good question is why they get away with it.

As for people in The Netherlands, my mother got scammed by a fake locksmith. He asked her to pay with PIN, and he did not fix the problem (which we found out eventually). Total scumbag, yet he was first hit on Google. Here's some good advice on how to find a good locksmith (slotenmaker) in Dutch [1].

[1] https://www.consumentenbond.nl/inboedelverzekering/slotenmak...

Stop looking for a neck to wring for a minute and think about the problem. Manual filtering is just plain not viable period. Spam is very different from arbitrary image formats and potential text analysis across language. Nobody really wants ads so spam filter feedback mechanisms of "everyone says to stop sending me this shit" are fundamentally incompatible.

Think about what it would take to detect it algorithmically. Even if an image is copyrighted there is no mechanism to tell if the source actually has permission from it especially with the "born copyrighted" doctrine. Even if there was some vast self defeating registered copyrighted images database (containing images of everything copyrighted) it would be possible to distort images to be human recognizable but not machine recognized.

The "alternatives" of demanded manual ad control would mean massively disadvantaging smaller business by marginal costs. Oops.

You really think google doesn't have the capability to create a system to detect these ads? This is Google's core business and they do far more impressive stuff in the AI field. I'm not talking about a 100% bulletproof all-copyright-in-the-world solution. If it would be able to detect logos from the top 1000 brands and some OCR would already go a very long way. Sure ads would try to outsmart it, just like spam it would be a cat-and-mouse game.

The problem is that they don't have time or will to help the small guys.

Google almost certainly can, but probably has no incentive to do it for whatever reason.

> Google almost certainly can, but probably has no incentive to do it for whatever reason.

This has been my conclusion several times after digging deep into some weird data and discovering one of these...'grey areas' where it seems like if they cared about their customers they'd be doing something about it, but presumably they prefer having revenue from unsophisticated ad buyers.

Some of the things they turn on by default are straight up rackets, "Search Partners" for example. Companies like ask.com are arbitraging keyword traffic by buying ads to their own search results pages. These are "Search Partners" that show the ads you're paying Google for, but they're full of dark patterns to make you click the ads, and cost the same as a click directly from the Google results!

> Some of the things they turn on by default are straight up rackets, "Search Partners" for example.

Could you elaborate?

I realized I should have elaborated and edited the post with more information.

FWIW it’s worth, have tested most of these companies and the only one who backs their promise is PPCProtect. But like any good soldier, talk to these companies and you’ll find out who is legit and who isn’t

FWIW the “it’s worth” in “FWIW it’s worth” is redundant.

This brings up an unsatisfying conversation I had with an ex google person. I've worked in the embedded/industrial side of tech for most of my career. And the ratio of customer support vs the amount of money google is charging is utterly shit from my perspective. My friend tried to explain why it needs to be shit for vague security reasons but I'm unconvinced. Company collects thousands of dollars from customers and can't be bothered to give them a phone call when something goes sideways? Give me a break.

You get better support if your $15 hamburger meal is missing cheese. It's weird that companies that operate at scale get a free pass to ignore smaller customers just because they have bigger ones.

> You get better support if your $15 hamburger meal is missing cheese.

That's a great way of putting it and 100% accurate. Fast food joints set a minimal customer service level magnitudes better than Google.

They don’t really get a free pass though, maybe in their monopoly market of advertisement, but their poor support is one of the primary reasons google cloud isn’t earning any of the European public cloud money while Azure and AWS are having a party.

Google has a lot of really good tools, that they could sell to enterprise. You could argue that they have the only viable Office365 alternative for non-tech enterprise. But they just don’t seem to know how to sell it because their advertising monopoly infects everything they do.

The single place they’ve been successful is in education, and even there they are struggling to keep supplying what schools actually want + privacy. So I fully expect to see them driven out of this space in the coming decade.

The reason lack of support works at scale is that they are successful with resources channeled places other than direct support so their strategy doesn't need it.

It is sort of a "cars don't handle rugged terrain as well as horses" thing, it isn't crippling when the use case is paved roads. It may suck for your use case but it makes sense.

I'm becoming more and more convinced that Google employees don't give out reasons for their decisions because they can't! They trust too much in their machine learning and there's no way for employees to know why this event triggered over that one.

If your ml model is a magic black box and there's zero visibility into the system, even internally, as to the signals that resulted in a decision, you've hired a monkey that can run a tensorflow tutorial, not actually someone that understands machine learning.

Or (more likely) because they are not allowed to by policy.

Or because the machine won't tell them why because privacy. (Although this applies less in the ad side of the business than consumer facing bits)

Google support is non-existent. One of the reasons, why I stay away from Google Cloud.

The other reason of course being that any given Google product may not even exist a couple of years from now

I don't know about Google Cloud as a whole but I've contacted Firebase support a number of times and they have always answered promptly.

This may be the difference between an acquisition vs a homegrown product at Google

I'm a paying customer of firebase & google maps and both helped me promptly on technical issues.

Not true... you just have to pay for it. I worked for A fortune 100 company that was moving some things to Google App Engine, and paid for the highest level of support. We had a list of guys we could get on the phone whenever we needed, including the main guy in charge of everything.

I helped them fix a lot of bugs and broken processes, but I'm better than most at making reports. If they had to deal with bad developers blaming Google for problems that had nothing to do with Google, that would waste a lot of time. But on the other hand, if we didn't pay for support, those problems probably never would have been fixed, and I don't think we were ever compensated or given discount support for helping.

We pay for the highest level of support on Google Cloud and it isn't worth shit. I'd say it actually provides negative usefulness, as usually their support folks just waste our time and not do anything.

The only place I've gotten actual support from Google was with Ads and my company at the time was spending 9 figures.

To the rude as hell tone of the reply beneath this: The GKE control plane failed. There's no quality improvement that I could have made on a bug report about their shit being broken.

> Google support is non-existent.

> Not true... you just have to pay for it. I worked for A fortune 100 company

It shouldn't come as a surprise to anyone that there are only about 100 companies who can afford Fortune 100-ish level support...

I don't see "Fortune 100-level support" listed on Google's website. How do I purchase it?

Presumably, by spending enough money to get an account manager, then asking them to sell you a support contract.

Account manager and support contract are sold together... $150,000/yr paid up front + 4% of yearly spend.

Seems insanely high, especially compared to the next step down which is only $250/mo per user... you could get by with a separate account with a single master user that controlled all the deployments and billing and only pay $3,000/yr. What you get for that extra $147,000+/year is that you talk directly with the lowest level engineer actually working on the problem rather than relaying messages that lose context... but you'll still need to know what you're talking about and be able to actually help the engineer rather than spin them in circles, or you'll be kept at bay.

https://cloud.google.com/support says the highest plan promises 15-min response and a dedicated account manager.

For consumers, https://one.google.com/about/support is the way to pay for the support, since they claim "Cross-Google" support. I haven't used Google One support (even though I am a member as I have a subscription to their storage plan), so I don't know how good it is though, and it's not super clear how "cross" it really is. https://one.google.com/support says 2-3 min response for phone/chat though.

Last time I filed one of those P1 tickets, it was assigned to someone immediately but we didn't get any useful help from the support people for 7 hours.

It took multiple escalations to people responsible for the specific service and the issue was entirely Google's service having an error. Meanwhile production was hard-down that whole time.

What happens to my Google One plan if my account is banned for a TOS violation?

I don't know - I'm just a Google user, and I haven't gotten my account banned. I presume it won't work?

So the reason I would want guaranteed human support from Google is in the event they mistakenly ban my account of 13 years. If it also bans me from the support product then it’s completely pointless.

I think many here are missing the real problem: Why should customers have to pay for support to fix problems on Google’s end?

yeah, in my exp in industrial you can get an applications engineer on the phone and even an office visit if you pay enough

Sounds kind of like monopolistic behavior or something

it feels like, if your entire business rests on online bookings, you should have created alternative mechanisms to access your customers, via subscriptions or other kinds of promotion

There were no other marketing channels you could use than Google Ads?

I think you've identified the root cause here. The single point of failure for the business was its reliance on a tech giant and its fickle algorithms. Even if google were perfect that's a precarious position to be in.

Especially for a "brick and mortar business" I can't see why you couldn't try other things - direct marketing, cold calling, events, cards in doctor's offices, whatever else.

Generally, you can, but they are a different beast. You have little way to measure them, they are very time consuming, high risk compared to Ads (because you can't change your cards when you notice a week in that customers don't like some word etc). That's a valid long-term strategy, not something to get you business next week when you're starting.

I have absolutely no faith that Google will be able to fix this. I run a small site that gets ~5K views per day, and a few weeks ago we had a heavy traffic day (~15K views in one day) due to a retweet on Twitter. Google marked it as fraud, and my account was "temporarily" banned. The ban never got lifted, so I did some research and finally got it resolved (if anyone's curious, I made a video detailing how: https://www.youtube.com/watch?v=_pCoBoK1hEM)

If Google marked organic traffic as fraudulent, their algorithm has a long way to go before they can start distinguishing between sabotage and actually fraudulent traffic.

Back when I was in college google stole the ad money my website had generated. They let me run ads for months, but when I went to check out they accused me of click fraud. No recourse, no customer service, and absolutely no respect from Google about this.

Even now, more than a decade later, I refuse to use many Google services (such as their cloud) because I know they built part of their business by stealing from people like me.

Did you consider seeking recourse in court at the time? I wonder if a wave of lawsuits or even small court claims would tip the incentives for Google to create a proper system for contesting.

I wonder if you could file a complaint today in small claims. Do you have any records from the time?

I've often wondered what would happen if someone were to try that. I suspect it would result in Google hell banning you from all of their services in perpetuity, just like they do to people who attempt to dispute a credit card charge.

Just last night I listened to something on NPR about CAPTCHA v3, which doesn't involve checkboxes nor pointing at parking meters anymore. It samples page activity and interactions by the user and supplies a human-likelihood score to the site (h/t Twitter bot scorers).

So we live in a future where our activity is bounded by a variety of quality scores. You're mostly a human, your site's increased traffic is less legitimate...every Taylorist-Goodhartian aspect of existence is priced into the marketplaces of society.

Perhaps a decent analogy could be Black Mirror's "Nosedive" episode, but with endless dimensions instead of just one (which admittedly could be a derived score from the dimensional ratings), and ratings that aren't derived from the moods of peers and other interactors, but passively gathered from everyday behavior.

I think this is the NPR show episode: https://www.npr.org/sections/money/2019/04/24/716854013/epis...

> Just last night I listened to something on NPR about CAPTCHA v3, which doesn't involve checkboxes nor pointing at parking meters anymore. It samples page activity and interactions by the user and supplies a human-likelihood score to the site (h/t Twitter bot scorers).

That turns the web into a walled garden you can't access without submitting to google's tracking. If they'd just drop the pretense of not being a walled garden this wouldn't even be a problem that needed solving.

So you train a bot to show 'human like patterns'.

The problem with relying on ML on one side is it can be gamed by ML on the other.

If it was easy to train a bot to show humanlike patterns, we'd have driverless cars by now.

Hmm... I think training a program to fool another program is a much, much, much, much easier problem than driving a car.

As an example, you only have to learn how to emulate a single 'human like' pattern to fool the ML, where your target function is a simple fool or not fool ML - once you achieved fooled you are done.

Whereas to drive a car you need to deal with all the infinite variation in inputs you might experience in driving a car, with complex target functions ie safety versus speed.

I wish there was a challenge that helped verify OpenStreetMap edits!

I like the way Qwant search engine deals with this. It gives a small challenge to solve which is a lot less cumbersome than finding traffic lights on photos or far less invasive than the fingerprinting technologies others use.

You haven't actually said anything about the challenge, so we have no idea if it is actually any different.

Google's classification algorithms are shit. They mark spam as ham, ham as spam, block good accounts and promote fraudulent ones. It's ridiculous the amount of trust we place in this company.

That's on point, I just got my Google Ads account banned for no reason and support is non-existent of course. Google just doesn't know how to deal with fraud at all.

There's a criminal fiction book to be written here. Disgruntled Google employee ends up playing both sides, as the man supplying the classification algorithms and also selling 'backdoors' to it. Only a rogue loose cannon dev ops can stop him.

It's not really trust. It's really that there is no alternative, and the laws are such that they have no accountability.

Most google products have alternatives. The ones with a network effect (where you need Google servers even if you have an open source client) are Youtube and the Play store (I can't get most content from either in any other way, most companies don't give apks for download), but the rest is replaceable or has open source variants (ungoogled chromium and AOSP for example).

I do agree on the accountability part. When I can't take part in normal life without a certain product, it governs people's lives and they should be held to similar standards as other governing bodies.

Agreed. I hear their Ad Words is tough to beat for those who make money that way.

I don't get why they would ban your account, and not the fraudulent clickers. They are the problem. Surely Google is able to detect where these clicks are coming from, and can tell that it's the same as other fraudulent attacks?

15K is not so much honestly... I would have expected this to happen on much higher numbers.

Thanks for the video btw.

It doesn't really happen to big companies because they have the power to sue.

Every individual I know who's run google ads has been banned right before a payout at some point. They're generally all in the range of $3000-6000. It's an amount that's a decent sum, but only to people who don't have deep enough pockets to afford a lawyer to go against a megacorp.

I'm not convinced it's not intentional. The banned people probably aren't generating that much in profit for google, and seizing a few thousand dollars from a customer who's likely to just cancel services at some point probably has a better payoff after a certain threshold. No google employee will ever explain how it works and there's zero support, so I doubt my mind will ever be changed on this subject. One thing I do know is Google isn't a stupid company--just evil. The problem has been too consistently occurring and too consistently ignored that it can't just be incompetence. Say it's spam and show a couple suspicious figures if anyone really tries to investigate and you get off clean.

Knowing Google they probably are using ML to maximize revenue, and the black box is causing the system to fuck little customers over. Oh well, it isn't fraud, they're just doing what the algorithm tells them to.

I 100% don't trust that Google can handle this situation. I actually hope that this practice increases drastically so that Google will be forced to do something about this. Because right now, Google will just ignore the problem and let small publishers and ad purchasers suffer. There is no real customer support so it will happen little by little and nothing will change. Google needs a swift, firm kick in the ass to fix this otherwise they will ignore it completely.

I think the part of "Google will just ignore the problem" is exactly what the scammers are counting on - knowing that their victims as well expect to be ignored.

I can't agree more. Google has some of the crappiest support around. A few lawsuits and some really bad publicity might make them change their tune.

"A few lawsuits" is so much an understatement that it might as well be a lie. You'd need one out of every few (13.75) people in the USA to successfully bring a $5k lawsuit against Google to reduce them from highly profitable to break-even. Lawsuits and bad publicity only matter if they're more costly than ignoring the problem.

If the company in the article successfully sued for the $5,000 they were being extorted over that wouldn't even matter. A few of those lawsuits wouldn't matter. A few thousand of those lawsuits wouldn't even matter.

The European Commission last year issued a massive lawsuit against Google Adsense of $1.6 billion [1]. Google marked that EC fine down in its SEC filings on page 86 of their 10-K [2]. European Commission fees constitute an effective tax of 1.0% in 2019, which they add to various other factors for a total tax rate of 13.3%. Page 89 shows that Google revenue was $160B, while expenses were $40B.

Google isn't moral, they don't see this fine as a mistake to be learned from. It's an operating expense. They won't change their tune unless it's more profitable to do so.

[1]: https://ec.europa.eu/commission/presscorner/detail/en/IP_19_...

[2]: https://abc.xyz/investor/static/pdf/20200204_alphabet_10K.pd...

You don't need to sue Google enough to completely eat up their profits, you just need to sue them enough that it becomes cheaper for them to staff a better customer service department.

> Google isn't moral, they don't see this fine as a mistake to be learned from. It's an operating expense. They won't change their tune unless it's more profitable to do so.

This is exactly how Microsoft grew evil.

yeah. bullets are more apt than fines to change people's behavior. bank notes do not protect from bullets.

What I'm seeing is industry is doing the same thing to them that they did to Intel. Encapsulate them in a cyst like the body does to a parasitic worm. Basically all of their non ad ventures will fail due to customers reflexively choosing their competitors' products. Just like no one will pick Intel as a vendor outside of their core products.

> A few lawsuits and some really bad publicity might make them change their tune.

I'm not sure about that. Google's crappy support is deeply, deeply embedded in their culture -- for all the benefits, it's one of the downsides of their PhD-heavy, engineering-first mentality, because engineers and academics loathe dealing with people, and to the extent that it's necessary for some system, regard that as a sign that system was improperly designed.

Google would need a major culture shift to start having good support, and unfortunately it's the exact kind of culture shift that would anger and alienate a lot of Googlers. Don't count on this changing anytime soon.

That's one lousy excuse for a corporation like Google. This has nothing to do with them being PhD-heavy or engineering-first? (what engineering-first are you referring to btw?) The reason for this is the nature of their business. It's a calculated decision by them in terms of how much is worth spending on support without taking an actual hit to their margins.

I agree. Google needs a formal, transparent process to dispute bans and investigate incidents. It hurts small publishers when their idiot machine learning algorithms issue bans with no recourse of action.

I once had a location-based file sharing website banned by Google -- all Chrome browsers would pop up a warning. It actually potentially could have been monetized but I lost all the users due to Google's unexplained ban.

I'm a pretty libertarian minded guy and I generally think the federal government is too big and bloated, but this is exactly where they are needed. They need to start throwing their weight at Google and telling them if they don't start reining in this kind of shit, they're going to get regulated to high hell then broken up.

Google has shown time and again they do not care. I don't even know if they employ human support reps, I've never actually spoken to anyone who represents google other than recruiters.

I'm wondering from a theoretical perspective how large does a company need to be to effectively challenge the government? I know the USA government is a huge employer and holds vast quantities of stuff, but how large does a company have to get to compete with that? Is it the same size, is it only 50% of the size, is it something even smaller?

At what point in relative size is a company too large for the government to handle and the government has to go to war with it in order to keep power?

What do you mean by effectively challenge the government? Corporations challenge the government all the time. The power of the government is constrained by the constitution, and corporations have been recognized as having certain rights. The government does have the nuclear option though. Alphabet only exists because it was granted a corporate charter by the government in whatever state they incorporated in. The state can revoke its charter and the government can force them to liquidate their assets. It used to be a fairly common practice and still happens quite a bit to smaller corporations.

What I mean is how big does an organisation have to get to effectively challenge the sovereignty of the government. How big does it have to get (relative to the government size) that (threatening to or actually) revoking its charter won't mean anything because so many people are tied up in the corporation that it can just exert its own authority.

I.e. Is there a theoretical size in which the corporation (or effectively any other organisation) can just say "no" to the government?

I don't think any company of any size could just say no. No corporation has enough power to stand up to the government if the government is determined. They do have a lot of soft power to keep things from getting to that point. They can spend a lot of money to influence politicians and the public and apply pressure to the government to back down. Walmart, for example, has ~2.2 million employees. Even if Walmart did something egregious enough to have their charter revoked would you want to be the governor of the state that has to tell those 2.2 million people they don't have jobs tomorrow? Not to mention the enormous ripple effects that would have through the economy. I've seen a lot of people argue that what the banks did during the lead up to the financial crisis was egregious enough to warrant the corporate death penalty, but those institutions were so critical to the economy that they couldn't be shut down. So, in a sense, there are already quite a few companies that are too large for the government to effectively exercise its power over.

I don't think there is a set number though. It probably depends a lot more on what the business does and how central it is to the health of the economy. It's the "too big to fail" debate, and at various times in the recent past, we have determined several automakers and financial institutions to fall into that category. I think if you are too big for the government to let you fail, you are too big for the government to try to shut you down.

This is what I don't get. If I was running a company and the gov't started sniffing around looking to rein me in, I'd be doing it myself.

If you wait until the gov't gets involved, it's going to be a much more painful, slow, bureaucratic process and you'll probably end up in a far worse position than if you just self-corrected in the first place.

A good example is drug prices. If drug companies were smart, they'd find a compromise. If they wait for Washington to do it, they're really not going to like the solution.

Isn't it mainly about short-term vs long-term gain? Self-correcting would most likely mean long-term gains, but I'm guessing it is more cost-efficient to wait for government to do something about it, while paying lobbyists to manage things on that side.

It's probably even more profitable to invest in lobbying and prevent the government from ever doing anything meaningful to them in the first place.

The problem with the assumption that governments can do something is that it relies on the notion that they are independent from the businesses. That's most certainly not the case today. Representatives have a lot more interest in keeping Google happy than their constituents.

So, you're a libertarian right up to the point where your libertarian principles matter, and then you're just like everybody else.

The reason why the government is so 'big and bloated' is that your cut-off point for state intervention is >> than someone else who is less fortunate in the lottery of life. Think about that for a minute or two: would you be just as libertarian if you were say a single mom with three kids?

I try to stay apolitical on boards that I want to see nerd stuff on but if you're going to essentially invoke Rawls veil then please explain why policy based on that way of thinking tends to produce worse outcomes than intended or in the case of things like abortion simply cannot be resolved philosophically without resorting to stupidly broken arguments anyone can see through.

I'm a big empathy fan but defending the growth of state power on grounds of being shorted in the lottery of life pretty much always leads to more abuse and only temporary mitigation of suffering. Not to mention the fans of big government tend to be like alleged anti-violence people. They always seem to be fine with big government and using violence as long as it serves what they think is right. Then those same people either freak out on dirty cops and prosecutors or look the other way if those dirty cops and prosecutors are targeting people they hate.

We are so far from a free market state that any invocation of libertarian bent rings kind of hollow. The game is rigged and the safety net exists in one form or another in most places that would allow one the opportunity to post on a website instead of looking after their basic survival. The issue now is not the lottery the issue now is trying to fix all the broken things that were allegedly created to help alleviate the effects of the lottery.

So, feel free to invoke 'principles' while banging on those more inclined to want liberty than safety but as someone who worked their way up from a worse start than just having a single mom the last thing I trust are people inclined to social engineering "looking out for me".

So because you made it despite the odds everyone else has to live or die in a Mad Max free-for-all?

That’s not how anything actually works in the real world though.

The arguments against libertarians are almost always some absolutist interpretation of some anarchist movie is world or worse Somalia which has tons of tribal systems, failed states (which includes a fair judicial system and enforcement of the law which markets absolutely depend on) and very little developed capitalist industries.

In reality most libertarians want a smaller government than is currently in place, they don’t want zero government. They most certainly don’t want an unstable state without centralized state-run courts or law enforcement (outside of a very tiny extremist minority, a far smaller minority in the world than those who want actual vanguard communism again).

I’m a pragmatic libertarian leaning person which means that being realistic means compromise that some industry just simply makes more sense (as the amount of trouble it would cause to be market based via uncontrollable externalities). You could even factor in the amount of natural political meddling like we see in the US healthcare markets, which creates fake pseudo markets that provide few of the benefits of a real market where a single centralized public insurance option may actually be the least evil option, since the alternative has long ago become unrealistic. But that said I’d go as far as up to 50%+ up industry intervention and pro-social projects (ie helping the poor) are actually making things worse off overall had they not existed at all.

Thomas Sowell has written some great books documenting hundreds of cases of gov intervention coming with good intentions that have backfired (ie. rent control in Toronto and NYC in the 70s and 80s which dramatically reduced the supply of new low income development because no one wanted to build with rent control when they could build somewhere else).

I recommend “Wealth, Poverty, and Politics” by Sowell as a starter.

For other examples of failures of gov run central industry making them worse off than before I highly recommend reading the Venezuela economy Wikipedia about all the stuff they did after declaring capitalism is old and dead, creating mass starvation and unnecessary poverty in what could have been the most successful country in South America. Meanwhile countries like South Korea, Taiwan, Singapore, and Hong Kong adopted markets after having large state run industry and dramatically increased the wealth of their entire country in a short few decades.

I 100% agree that there are horribly misguided policies pushed by many progressives that do more harm than good. An overly aggressive minimum wage would be devastating to underskilled or undervalued workers. Rent control is a disaster. Markets are an amazing tool, and few things are more dangerous than a bleeding heart progressive that doesn't understand markets.

But I believe markets are just one tool that a wise society employs to create a prosperous world where everyone has the basic necessities and access to resources to allow them to flourish.

Honestly, it sounds like you and I aren't too far apart.

"Libertarian" is a very broad label. Even more so when you consider left libertarianism, which people usually forget.

But, in any case, many libertarians are in favor of UBI, for example - the whole point of which is to solve the "lottery" problem without creating a bureaucratic monstrosity that is means-tested welfare.

Also libertarian minded....have you considered that in a natural state, businesses this large would be very hard to maintain? The fundamental business structure we have today is based around a government-sanctioned "personhood".

If you could strip this away, there would be no corporate veil, and you could sue the person who failed to act (or who acted wrongly) and did you wrong. Think of bankers at Wells Fargo creating false accounts in customer names...hire investigator or do your own, sue, discover, repeat...there would be MUCH MORE downside to bad behavior, even if the upside is there.

I think personally that organizations like GORE would exist, and who knows what else might emerge...more co-ops?

Of course this does require 3rd-party alternate court systems (maybe like cert issuers, but held to the same liability standard above?)...our current system cannot handle this, so it may be largely academic thoughts.

If you can be sued into oblivion for even starting a business, who would try? The corporate veil is intended to help the little guy.

Until recently doctors and auditors weren't allowed to be limited-liability companies. There was still a ready supply of people willing to run those businesses as partnerships, with personal liability. There were good and bad firms, just not megascale conglomerates. The "liberalisation" of those rules didn't help the little guy, just the opposite: auditing became concentrated in a handful of giant companies, and quality predictably declined.

If you're doing oblivion-dollars damage to someone, why shouldn't you be accountable. Otherwise you're just making society pay the cost.

Between 36% and 53% of small businesses get sued every year according to this article: https://www.google.com/amp/s/www.forbes.com/sites/basharubin...

If suits only happened when businesses actually did something that truly did damage to society, then I'd agree. But reality is far from this.

Lawsuits are part of doing business, just like taxes and accounting.

> have you considered that in a natural state

a natural state would not have technology.

I would also tend to be libertarian if technology didn't exist. Technology changes the game:

- you can process millions of transactions a minute without a bottleneck from humans

- you can produce plastic, and lots of it

- you can migrate hundreds of thousands of humans around the world, which would normally be an invasion

- you can destroy the environment (not so easy without technology)

- you can addict an entire generation of humans to a device (video games, porn, social media)

Without technology there is only so much a person or organization can do.

They could just stop serving to small publishers and purchasers? Would that make you happy?

No, they should be regulated.

In the real world protection rackets are a stable business. You either pay up and are protected or your business gets messed up. No sane criminal would xerox the client list, split from the boss and also try to extort money - it is unhealthy as the turf will be defended.

In the online world there is no concept of local. You can't protect your clients. But then, why should clients pay up - there is an infinite supply of copycats.

So would a valid defence strategy be for a white or gray hat to send out millions of these threats (maybe linked to an invalid payment method so it became impossible to pay up).

Everyone would get so many of them that the "genuine" threats would get lost among the fake ones.

Alternatively somebody uses the same technique to send massive amounts of fake Adsense traffic to multiple businesses without any warning thus forcing Google to improve their customer service or validation algorithms...

> Everyone would get so many of them that the "genuine" threats would get lost among the fake ones.

So the internet will turn into the United States Postal Service then w.r.t. advertisements vs legitimate correspondence?

Surely in many people’s spam folders this is already the case?

I can already see my spam folder being made up of 100% extortions and threats of varying severity. A grisly thought.

Security companies have a pretty good grasp of how trustworthy an adversary you're dealing with. So if you have doubt about whether to pay up for the cryptolocker ransomware that just infected your corporate network you can always give them a call. As happened recently with a Dutch University.


> why should clients pay up

Because otherwise their ad income stops.

How does "I might get extorted again by someone else" factor into this?

> How does "I might get extorted again by someone else" factor into this?

The value of the ad income may be more than paying the extortion when it happens once. That doesn't mean it's more when it happens more than once.

And what prevents them from asking again next week. Or forging account ban regardless of ransom.

The whole scheme would collapse. It only works as long as people reasonably believe paying will solve the problem for a long while. This is why many ransomware campaigns pretty much run a callcentre with support for how to easily buy BTC and make the transfer.

If there’s only one group running the scheme it works, but if there are many, it becomes very difficult to coordinate and limit repeated demands. Sort of like how oil producers can only keep the price up if everyone joins the cartel. Each member will make more money if they defect.

This is why organized crime is very aggressive toward upstarts.

So these scammers have a better customer support system than Google?

You still probably get the best outcomes if you're willing to pay sufficiently credible threats a couple times.

We don't typically see that with ransomware so I don't know why we'd see that with other types of extortion.

With ransomware if you get hacked you usually fix your defenses.

Or a different extortionist comes along next week?

"there is an infinite supply of copycats. "

No there is not, as the number of botnets is big, but limited. And I can imagine something like online turfs to actually happen, with criminal hacker groups setting up areas. And taking other groups down, if they mess with their turf. (afaik some crackers take already good care of their botnets so they do not get under the control of other groups and effectively remote admin their bot computers and patching)

Now while there is never such a thing as 100% security, right now the average number is frighteningly low. So the root problem is that the average tech stack is just too vulnerable. There is way too much truth in that:


And our government agencies don't seem too eager to change that.

The same botnet can back an infinite number of these ransom notices, because when you get one of these ransom notices you have no way of knowing if the ransom notice you got today is the same botnet you paid off last week but with a different name.

Add in the fact that there are botnets available to rent, and you create a near-infinite supply.

Sure thing. But that is always the thing with ransom. You don't know if paying once is enough. But also the criminals know, there is only a certain amount of money to be extracted from their victims.

IRL, if another gang threatens me, I can go to the first I paid protection for, and usually they try to convince the other gang that, no, they should not do that.

There is no such thing online.

Why not? Wouldn't you be able to forward contact info from one group to another?

A bitcoin address does not give that much information about who wants to get paid.

Ransomware hackers have call centers to teach people how to buy bitcoin. I'd suspect groups involved in this kind of scam would have something similar, isn't it?

I cannot upvote this enough - a deep insight into the problem.

Funny story, Twitch.tv actually has a similar problem and they seemingly have solved it.

On Twitch, "Followers" is a tracked and important metric for streamers (publishers). Therefore there's obviously a lot of benefit to buying fake bot followers and inflating your count.

However, sometimes misguided fans of streamers will buy bot followers for them intending to be helpful (or even to spam them with inappropriately named followers).

From Twitch.tv's perspective, tracking down who issued the bot followers is of paramount importance since they have an interest in preventing gaming of the system without catching innocent streamers in the crossfire.

Twitch actually maintains a help page on what to do when you're being spammed by followers, and it includes a statement that they won't punish people who haven't paid for spam. In my experience, whatever mechanisms they're using under the hood seem to be reasonably effective - I have yet to see someone incorrectly banned for this.

> I have yet to see someone incorrectly banned for this.

Because they barely ever ban bots, even the most obvious ones.

I've seen streamers get follow and spam botted by thousands or tens of thousands of accounts within hours or minutes. All accounts had random character names and were created within a couple hours of each other.

All reported multiple times by multiple people over months yet no action at all. I have lists with a total of 60k clear and obvious bots reported to Twitch over and over again even by the partnered streamers affected and all were completely ignored and the accounts still alive.

I've been a mod for a couple big streamers for a while and it's absolutely crazy how many reports of follow and spam bots, blatant abuse and ToS infractions Twitch completely ignores. Especially in the last year or so it just keeps getting worse.

I would really not list them as a good example of dealing with bots in any way.

It's quite possible that twitch is able to identify a bot follower vs non-bot. But by keeping this breakdown secret, they've taken away any feedback mechanism the botters can use to monetize their bot followers. For example, you'd likely not get into the twitch partner program by simply just adding bot followers (which means you can't generate revenue from ads on twitch).

Not really.

To avoid bots from inflating viewers, they have banned non-partnered/affiliate channels from appearing in the directory if they have above a certain amount of viewers.

While this solves the bot problem, it ensures that new channels will never become popular. Because if you begin to become popular, your channel will literally disappear and you cannot grow.

(And on a side note, there are a lot of large streamers today that admit they used bots to promote their channel when they were first starting out, years ago. Sometimes, gaming the system is the best way to win.)

Partnership/affiliation status is an almost automatic process that's tied to your metrics (hours streamed, etc), so it's not some hard cap on popularity.

> Partnership/affiliation status is an almost automatic process

Emphasis on almost. It requires an application and approval. Most importantly, being an affiliate/partner is not appealing to some people, since you have to sign an exclusivity contract.

They'll also force you to play a certain amount of ads. I've watched some streamers who wouldn't show any ads because they were making enough money on subscriptions and donations that they didn't want to make anyone watch them. Within the past year though, they've said that twitch told them they need to start showing ads, so they'll tell everyone to take a bathroom break or turn on an adblocker for the next couple of minutes.

The process is also rather arbitrary. If a streamer has barely any viewers but is a friend of a popular streamer, they'll get partnered almost immediately, but a "nobody" streamer that regularly has hundreds of viewers will get denied until they've been streaming for a long time. They'll also ban you if you tell anyone why you were denied.

Where have you heard/read about this? I've seen cases where twitch streamers have super obvious bots watching, literally thousands of them, and Twitch did nothing.

It used to be a very large problem for the 2007scape streamers, I imagine it was solved with a mix of legally prosecuting serious offenders via de-anonymizing the bot networks, as well as a tighter feedback loop of reporting and banning them - effectively making it more of a hassle to set up than it's worth, which is saying a lot because the types of people doing those activities have A LOT of free time.

How could they legally prosecute them? What laws were broken?

EULAs are legally-binding in the United States, and the Federal government is very happy to murder people under CFAA violations.

Seeing as this is something personal to me, while Twitch originally used the CFAA, when seeking judgement they dismissed that claim (page 2 footnote 2): https://www.courtlistener.com/recap/gov.uscourts.cand.299961...

Thanks for linking that.

> EULAs are legally-binding in the United States

Not generally. Specific ones may be, but so far it's always been on a case-by-case basis.

IANAL, but at least on the /2007scape streams the viewbots were used to pump up numbers on fake streams linking to phishing sites (which presumably is an illegal activity in most countries).

For other content, it can be seen as a loss of income for the streamer if they are demonetized due to viewbots, and for those where it isn't - it is effectively ad fraud since Twitch revenue is based on those engagement numbers

It doesn't seem too surprising that avoiding false positives means you are more vulnerable to false negatives.

A few false negatives is generally manageable and in the noise. If I have one bot follower who cares - if it is significant to me that means I'm small (5 follows 4 real - nobody cares about me), or I'm so big that the one doesn't matter (100,000 vs 99,999 real - I'd probably cross 100,000 in a few days anyway)

If you're nearing the top of becoming "the most famous" on these platforms, buying fake followers for your competitors -- to get them removed so you ranked higher -- well, that's quite a novel concept. Certainly not ethical, but I'd imagine it'd be quite difficult to track down who actually purchased the fake followers. How do you prove you didn't buy something?

The same rules don't apply to top streamers. Smaller streamers will get banned for playing copyrighted music, but the most popular streamers can break the law, "accidentally" wear see-through pants on stream, etc., and they'll get a couple day ban at most.

Twitch is a dumpster fire and an affirmation system doesn't solve any of this problem.

The fascinating thing here is that Google's systems are required to make a judgement of intent. Is this ad fraud ordinary fraud that's intended to increase payouts, or is it intended to be caught so the account is suspended? From the scammer's perspective, there's no reason not to play both sides: test fraud patterns to see if they're detected, and when they get caught just redirect the bots towards extortion victims. No matter how well Google's detection system works, the scammer gets paid.

Google either doesn't care about intent, or their systems have consistently bad judgment. I've lost count of the horror stories about indie bloggers getting a ban from AdSense when it was time to receive their first check, and being offered no meaningful way to appeal the ban.

Yeah, that happened to me 15 years ago. Just crossed the $100 payout limit and suddenly, FRAUD! What ticks me off the most is if they have the ability to detect and block fraud, then why block accounts? Why the death penalty? Just don't pay out fraudulent clicks and terminate repeat offenders, rather than kill the account on the first blush with no appeal.

I wonder if there's a simple explanation for this pattern.

Fraud detection costs money. If there is no money changing hands, why spend the money on detection?

Terminating after 1 offence, 2 offences, or n offences only changes how long a competitor / blackmailer / disgruntled former employee or ex-spouse / random bored idiot with a stolen credit card needs to continue paying for clicks.

They don't charge the ad buyer. My account was terminated 15+ years ago, still can't run ads under that account for some reason I do not know, but they were able to detect it and block it, whatever "it" was. So I'm punished forever for something forever unknown to me, despite not doing anything. I think the rule is unfair.

It seems unfair to the point that the entire model is unworkable. Well, perhaps they could ignore the "fraudulent" clicks when billing and never terminate anybody.

By "paying for clicks", I was thinking that they'd be paying some service to click on the ads, rather than writing their own scripts or doing it manually.

> if they have the ability to detect and block fraud, then why block accounts?

To protect their business by protecting their reputation.

The scale of Google's advertising business(es) means that a loss in revenue from poor public perception of their ads is likely to be far more than a few thousand small ad buyers (those spending <US$5000/mo) getting cut off, which would barely register as a rounding error (<0.1% of just AdWords revenue alone.)

How is perception affected by not-paying suspect accounts but not banning them either? The public doesn't see the clickfraud

They could be shadow banning them or they could be continuing to allow them to operate in service of their algorithms. The public doesn’t see clickfraud but they also don’t see headlines about Google ads having a fraud problem.

A rare anecdote of Joe Schmo not getting his 97.54 payout is effectively meaningless.

I understand this, but it's suspicious when they manage to detect the fraud only when it's time to pay out the revenue to the site owner. It's also a little unfair to assume every detection of fraud is 100% purposeful action by the site owner and permanently terminating their account without even so much as a warning. In my case, I had ads running on my blog. It took 4 months to rack up $100. I think the chances I was purposefully defrauding them was low, given how long it took to get to the payout point.

> Google either doesn't care about intent, or their systems have consistently bad judgment.

Not to defend Google here but... how did you determine this? By seeing those < 0.01% of issues where it goes wrong? How did you determine the magnitude here and how do you know the systems aren't right in > 99.999999% cases?

Yeah if one scam doesn't work... now you've got a known good weapon.

Google's willingness to shut down a lot of things on what seem like a very surface level fingerprinting means it's pretty rock solid to predict what will happen.

They don't have to judge intent, just remove the traffic without enforcing a punishment.

The policy that the system is intended to implement requires suspending customer accounts for detected fraud but not for cases of sabotage, so it needs to judge intent until the policy is changed. I would imagine that the current policy was designed under the assumption that traditional click fraud would be the dominant form of fraud and so making it more difficult would be the highest priority. Simply removing detected fraudulent traffic without enforcing a ban would make it easier to test and iterate on fraud bots without burning as many accounts. I don't think there's an easy answer.

It's an act of duplicity.

Google wants you to believe both that it can detect a website owner doing bad things (blackhat SEO, click fraud on ads on their site to earn more money, etc), yet simultaneously that they can catch any bad actors faking those things to damage you (negative SEO, click fraud to terminate your own accounts, etc)

That obviously isn't possible. Google cannot determine the intent behind anonymized actions. They just want you to believe that they can in order to discourage people from trying to game the system.

I've heard of Twitter and YouTube accounts being suspended for buying followers, but anyone with $5 can send tens of thousands of fake followers at anyone's account.

The only real solution these services have is to silently ignore the faked traffic whenever they observe it. Anything else can be gamed from either side.

Well, the difference is that extorting someone is a lot more illegal in a lot more countries than running bot farms. Extradition usually requires that whatever a person is accused of is a crime in both countries, which makes extortion a bigger risk for the scammers.

Doesn't your hosting platform (Wordpress/Blogger/AWS/etc.) help identify the spam bots and stop them in the first place?

AFAIK you don't need to spam the actual hosting platform since you can extract the embed code of the ad.

Yes, and if somebody is offering ad-clicking as a service, how is Google supposed to know who paid for the clicking?

> We hear a lot about the potential for sabotage, it’s extremely rare in practice, and we have built some safeguards in place to prevent sabotage from succeeding

This wouldn't ring so hollow if Google didn't have such a reputation for blindly automating fraud detection. I seriously doubt it is actually possible to differentiate the two. The fraudulent activity that is visible to Google is the same regardless of the intention of the client that paid for it, be it a beneficiary or an adversary. Any signal that is deemed fraud by Google can eventually be simulated by an adversary.

There seems to be an easy fix for this on Google's end. When their automated systems see fraudulent activity on a site, instead of banning it entirely, they can peg their future revenue to their historical revenue.

This way, malicious publishers will have significantly limited incentive to engage in such behavior. In the short-term, their upside is heavily limited. And in the long-term, they risk being caught and banned.

And at the same time, malicious blackmailers will also lose most of their leverage, like in the example given above. Even if the victim doesn't pay up, their income stream still remains mostly stable. And meanwhile, the attacker is spending a ton of resources on generating fake traffic that isn't earning them any money. This will eventually lead to the "business model" going extinct, which in itself solves the problem as well.

I don’t understand: Why can’t Google just count those clicks as invalid and keep the AdSense running with no ban? If Google has the ability to detect fraudulent clicks, then there is no reason to ever ban any website for AdSense fraud.

I'm going to make a guess here from my own unrelated experience trying to debug problems in live systems. It is often much easier to detect that there is _some_ unusual activity present than it is to categorically define exactly which activity is legitimate versus which isn't.

Usually, this is because you can easily detect some of the anomalous behavior but not all of it. So you'll have some activity which is obviously anomalous, some which is obviously legitimate, and some which could be either. And sometimes when you've detected some that are obviously anomalous, most of the rest of the activity ends up being in the category of "could be either" with almost none left in the obviously legitimate.

So from Google's point of view, I'm sure they ban the account so that they 1) don't end up paying a lot of money to users for the "could be either" activity, and 2) don't need to keep expending server resources continuously categorizing and serving the obviously anomalous traffic.

I'm sure this is right. You don't have enough statistical mass with any click by itself, but in the aggregate you can detect fraudulent activity with a high degree of certainty.

Google's plan is to make it sufficiently expensive to avoid detection in the aggregate that selling fake clicks isn't a viable business proposition. The fraudsters have inverted the game: they can't beat Google's detection algorithms, so they can't sell you fake clicks, but they can sell you protection from their fake clicks.

Google's move at this point seems to be lessening the punishment for fake clicks so it's still not economically viable to sell them but also not economically viable to use them as a threat.

I worked on fraud detection products for several years, and in the end the only explanation I had was misaligned incentives between the publisher, advertiser, agency, ad server, and other adtech middlemen.

The publisher wants to show little clickfraud to keep their rates high, but doesn't get the data to handle it, and often doesn't have the technical resources to prevent it if they knew. The advertiser doesn't really understand the modern ad market so sees "fraud" and will go to the agency that promises zero fraud, even if they're more expensive than just eating the fraud. The ad server doesn't really care per se, and can't do much because (outside RTB optimization) the publishers are the only ones who can really do the work to prevent the fraud. But they need to keep the publisher and agency happy, so they measure it. Both the publisher and agency get unhappy if the numbers are high, no matter how true they are or how inefficient it would be to bring them down - so the ad servers are either incentivized to lie (in practice meaning, not investing much in fraud detection) or to kick publishers with high fraud rates off.

(The closely-related question is why fraudulent clicks matter at all, when CPM/CPC rates should pretty quickly decline in proportion to target the same number of real people for the same price. But no matter how much we tried to sell actually useful features - e.g. no ads for your vacation planning service on a news article about a plane crash - all any customer ever cared about was click fraud!)

My guess: because the limit to Google getting paid isn't inventory. There's effectively unlimited places on the internet to put ads. What is limited is the dollars flowing in from advertisers. If they perceive Google Ads to be fraudulent, they bounce.

Put another way: someone testing Google Ads with a $100 ad buy is (my guess) 1000x more valuable than a (new to Google) publisher showing $100 worth of ads. If the former experiences fraud, they leave. If the latter has their $ yanked by Google, eh, there's still trillions of ad slots per day available.

That is, customers are more important than excess inventory.

Detection is far from precise and the tactics are always changing, a cat-and-mouse game. With enough suspicious activity, it's safer to suspend or ban the whole account.

If only there were some sort of device you could use to determine if the website was a small business. Such as a telephone.

Put another way, actual relationships with customers solve this problem trivially.

In that case you've removed the risk of iterating to try to find a way to get past their checks.

That would give publishers a nice incentive to produce automated clicks themselves. There are no great answers to this issue, Google definitely falls short but full transparency is also not the answer.

The amazing thing to me is Google treats almost everyone the same. From a site getting $5 a month to $5,000 to $50,000. About the only difference I've noticed is I sometimes get to have conference calls with people who have the same suggestions. I've provided Google with billions of (legit!) ad impressions over the years and wouldn't even get a phone call before being kicked off.

Won't those publisher-produced automated clicks count as invalid as well?

That assumes Google can actually detect all fraudulent clicks, no?

Presumably much of the detection is probabilistic. Some algorithm notices a bunch of odd traffic from Chile hitting a French website, clicking ads at a high rate, so it all gets tagged as fraudulent. But some of that traffic was probably real.

If the fraud rate is high enough, they likely can't pick out any real users anymore, as they get lost in the noise.

If Google's fraud-detection isn't 100% accurate (and I'm sure it's not), then simply removing detected fraud disadvantages those who don't have any fraudulent clicks.

> If Google has the ability to detect fraudulent clicks

They don't.

Google wants to protect the people paying them, i.e. the advertisers. They don't care as much about content creators etc.

Google's invalid click contact form that Krebs links to says:

> Please keep in mind that it's your responsibility to prevent invalid activity from occurring in your account, and this form does not absolve you of that responsibility.

How is some random lay person running a WordPress site going to know how to prevent invalid activity when anyone could do this to them? I hate that corporate speak too, about how they can't comment and how they have tools, without addressing the concern people have. I resent how much power Google and Facebook have over small businesses that have an online presence. I hope the Justice Department takes a real good look at all this bullshit and breaks these giant, powerful companies up so that we end up with small companies that care about their customers.

> We have a help center ... There’s also a form ...

But good luck getting hold of a real human to explain the situation to.

That's just Google in general. Apparently not a single human being still works in their support department. All androids I hear...

There are other industries where a similar attack could work. Just look at the new fintech banks: send suspicious transfers to an account and get their money blocked by their AI which monitors fraudulent transfers. Because these kinds of banks often have too few humans checking and releasing blocks, somebody could put a business and its bank account out of business.

One famous example: Send a PayPal transaction with the word "bitcoin" to somebody. Your account (burned in the process) and the receiver's account will get blocked. Welcome to the new AI world.

Money quote from Google rep:

> If there are concerns about invalid traffic, they should communicate that to us, and our Ad Traffic Quality team will monitor and evaluate their accounts as needed.

Given all the comments here, and everything else I've read about Google having ~no human support, this is plainly bullshit.

I wonder if they sold clicks before. Interesting way to pivot their "business".

Another bad use case for bitcoin.

I'm not sure if I'm still thrilled by cryptocurrencies. It seems to me that they are mostly wasting energy and helping criminals set up their businesses.

Advertising online is beginning to sound like the 'Law of Rent' https://en.wikipedia.org/wiki/Law_of_rent

i.e. when a resource is both essential and limited (user attention in this case, land in the original case), the person controlling that resource takes a share of the value generated by people using the resource that approaches break-even, i.e. all the profit.

i.e. to put it another way - if you need customers and the only route is through Google, then you will have to pay almost all your profits to Google for that attention.

I think I, as well as several app developers using the AdMob SDK, have been victims of a similar practice by malicious parties. 3 years ago, Google suspended my AdMob account for fake activity even though I have never ever clicked on the ads nor did I use anything other than the test ad on my devices. This has happened to several developers and Google doesn’t want to help. Back then, I got a 30 day suspension but since then, I have completely stopped using ads and solely rely on in-app purchases. It’s less money but it’s at least reliable.

I've been saying for a while that the problem with micropayments is microfraud, and this just adds to that.

How do other ad networks deal with this?

Eg: Carbon, AdThrive, MediaVine, etc.

The kicker is that scammers could claim their own site is being attacked in this manner and then drive up their clicks with bots. Google's response necessarily has to include denying sites revenue for clicks they deem fraudulent. This scam basically gives Google justification to pay sites whatever they feel like paying as long as at least some of their clicks look fishy.

I've often suspected that some of the egregiously fake 5 star reviews I see on Amazon are really an attempt to get some seller banned.

A client I worked with long back received a similar threat, and she replied "I don't have $10000 like you requested, I do have $20; would that buy you a nice coffee wherever you live?"

The blackmailer(s) responded with a single alphabet "k" and it was sorted within hours of the first email.

As is par for pretty much all of these types of scams, the best solution is generally to ignore them entirely. They're all after the quick buck, and even if they could pull off an attack, it's easier to just move onto the next potential victim than bother with someone who may or may not even be paying attention.

I assume it will be a cost benefit analysis for unfortunate victims.

It's OK, Google set up a form to communicate with AdSense partners.

> “We have a help center on our website with tips for AdSense publishers on sabotage,” the statement continues. “There’s also a form we provide for publishers to contact us if they believe they are the victims of sabotage. We encourage publishers to disengage from any communication or further action with parties that signal that they will drive invalid traffic to their web properties. If there are concerns about invalid traffic, they should communicate that to us, and our Ad Traffic Quality team will monitor and evaluate their accounts as needed.”

Yeah, Google is well known for being responsive and helpful through their web forms. I've read many a story here on HN about users of Google services having judgements overturned by the friendly support agents who are definitely not robots.

I wonder, has anyone contacted Google and somehow avoided getting banned?

Google seems to show no outward interest in actually unbanning anyone once they're banned. Do they care if you tell them beforehand that you're concerned someone is messing with your ads?

And if they do care, does that even help / wouldn't the "ban this guy" script just run anyway?

I highly doubt it.

I've had ~$150 sitting in my adsense account for about 4 years now because I'm unable to cash out. Their 'input bank information' page is broken, seems like my old banking information is stuck filled out and I can't remove it. Won't let me put new information in either. And the link to the help site leads to a 404.

I've tried various forms to reach a person and they've all been fruitless. Google is just holding my money hostage with no recourse.

They even send me a 'your payments are on hold' email every few months to basically say 'remember, we stole your money and there's nothing you can do about it!'. Thanks Google, I almost forgot that you're the definition of faceless corporation again.

I had a similar situation where I bought a domain for an old blogger blog years ago.

So anyway the credit card tied to that has expired (years ago I thought).

Then Google emails me their "update your payment information" email ... and points me to a Gsuite login.

Bro (Google) I don't have a Gsuite account ... and my regular Google account has valid payment options. Every form of help just points back to Gsuite...

Blogger doesn't appear to have any of the old information as far as the domain being purchased.

I managed to get the domain registrar to help. There was no way to contact Google, it was just an infinite loop telling me to login to Gsuite.

Can you bring them to small claims court?

Sounds like a good way to get banned from all Google services.

Smells like a monopoly that needs a very harsh breakup.

This would place them in contempt, I suspect, potentially open to equitable remedies.

Of course, IANAL, TINLA.

Why would they be obligated to do business with someone who sues them?

I suppose logically, yeah. I have no idea how to do that though. I don't imagine writing 'Google' on the defendant line is going to work. And if it does they'll likely ban me from all Google services for life. Not really a path I want to go down.

I’ve gone Google free without really noticing. IMO a 150 check makes that an easy choice, but it’s up to you.

Unfortunately their unlimited storage for ~$14/month via gsuite is the best storage deal on the internet. I've got 13TB and counting in there and would prefer to not lose that account.

I've also got another grandfathered in free gsuite account I've been using for personal things for about 7 years, changing from that would be a nightmare.

I suppose I'm part of the problem, being unwilling to do something about it because I have more to lose than gain.

Ok, I had to look that up.

Business / $12 month

"Unlimited cloud storage (or 1TB per user if fewer than 5 users)"

Yeah that is what they write for the terms. In practice though they have never enforced the 1TB/user clause, can't find any references to them doing that ever. Many people claim to have many terabytes with no enforcement on the user clause, myself included at 13TB currently with 1 user for just under a year so far. Apparently it has been this way for years.

Effectively you get unlimited storage for $12 + taxes/month.

It's a pretty smoking deal if you don't mind the (seemingly minuscule) chance that one day they'll ask for more money or pull the plug. In my use case all the data is easily retrieved again so it would only be a minor inconvenience.

Well, if you tell them beforehand, it gives them a chance to ban your account before the illegitimate traffic even occurs. Sounds efficient!

Putting up a captcha would be another option.

"Nearly there - just complete this captcha to see our advert!"

I think parent comment meant putting up a captcha on the website for suspicious traffic, the way Cloudflare does.

I don't think anyone is silly enough to suggest putting captchas on ads.

I mean on the page content. Using something like Google's Recaptcha would reduce friction for legit users.

I think there was a time that was true. Now reCAPTCHA is so prone to tagging someone as a bot if they employ any ad blocking or tracking prevention that it significantly interferes with web use. It's an overall harm to the web in my opinion.

AFAIK attackers only need to actually access your content once and extract the ad embed. Please correct me if I'm wrong.

How would it "reduce friction for legit users"?

Captcha on what, the site? Since there's basically nothing authenticating the site to the adsense iframe/script, can't the attacker serve a cached version locally?

Are you sure there is no authentication?


That has nothing to do with the discussion at hand, and would do nothing to prevent a malicious ad clickbot

To actually enforce the policy described in that link, would require authenticating websites when rendering ads. Otherwise, one could just embed an ad from a different domain, and easily defeat this process.

I'm not sure why the parent (throwaway2048) is getting downvoted over this. He's correct. The attack is as follows:

You want to attack (send fake traffic to) example.com, but example.com has implemented a captcha system (think Cloudflare interstitial). If you directed your bots to visit example.com, they'd have to solve the captcha to view the ads. However, there's nothing stopping you from solving the captcha once, getting the page source, and serving that to your bots. This works because example.com doesn't serve any ads directly, it only embeds a <script> or <iframe> element to adsense. Since the bots are under your control, it's trivial to set up the redirection (e.g. hosts file or HTTP proxy). HTTPS isn't a problem either because you can MITM yourself with a self-signed certificate, which is not a problem either as you can get your bots to trust that certificate.

From the perspective of the adsense script, it's impossible to tell whether the bot is visiting the real example.com or a fake version, since the browser is under the attacker's control. The only way to mitigate this attack would be some sort of one time use token that's generated server-side by example.com, and authenticated by adsense each time it tries to display an ad, which I doubt adsense supports.
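The one-time token described in the comment above, sketched as an added example; it is not code from the thread and not an AdSense feature. The names `issue_token` and `AdTokenVerifier`, the token layout, the TTL and the shared per-site HMAC key are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 120  # assumed lifetime of one page render


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(site_id, key, now=None):
    """Publisher side: mint a fresh token for every page it renders."""
    now = time.time() if now is None else now
    expiry = int(now) + TOKEN_TTL_SECONDS
    payload = f"{site_id}|{secrets.token_hex(16)}|{expiry}".encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


class AdTokenVerifier:
    """Ad-network side (hypothetical): accept each token at most once."""

    def __init__(self, site_keys):
        self._site_keys = site_keys   # site_id -> shared HMAC key
        self._seen = {}               # nonce -> expiry, for replay detection

    def verify(self, token, claimed_site, now=None):
        now = time.time() if now is None else now
        try:
            payload_b64, sig_b64 = token.split(".")
            payload, sig = _unb64(payload_b64), _unb64(sig_b64)
            site_id, nonce, expiry_text = payload.decode().rsplit("|", 2)
            expiry = int(expiry_text)
        except ValueError:  # covers bad base64, bad UTF-8, wrong field count
            return "malformed"
        key = self._site_keys.get(site_id)
        if key is None or site_id != claimed_site:
            return "unknown_site"
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return "bad_signature"
        if now > expiry:
            return "expired"
        # Forget nonces whose tokens have expired anyway, then check for reuse.
        self._seen = {n: e for n, e in self._seen.items() if e >= now}
        if nonce in self._seen:
            return "replayed"
        self._seen[nonce] = expiry
        return "ok"


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed key for the demo
    verifier = AdTokenVerifier({"example.com": key})
    token = issue_token("example.com", key)
    print(verifier.verify(token, "example.com"))  # first ad request
    print(verifier.verify(token, "example.com"))  # same page served from a cache
```

A cached copy of the page carries a token that is already spent or expired, so every ad render needs a fresh page render from the publisher's server, which is where a captcha or rate limit can apply.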

One solution could be some sort of DRM based device attached ad...but that will cause other problems.
