Notice: This blog is no longer updated. You may find a broken link or two

You can follow my new adventures @mikeonwine

Enough about Facebook Beacons

December 3rd, 2007

Tired of hearing about Beacons? I know I am, so if you are, stop reading. (yes, that probably makes me a hypocrite for writing this post in the first place).

First off — It’s fascinating how the Silicon Valley love-fest can backfire like all hell. Just a few months ago Facebook was the best platform. Everyone proclaimed they were going to win, they had the winning API, they were so much cooler and better than Myspace. Kind of amazing how fast people will turn on you.

Second, I’d like to point you to a Freakonomics post, “Why Is Family Guy Okay When Imus Wasn’t?”, which has probably the best explanation as to why this seems to have such a dramatic impact. Stephen asks why Imus got fired from his job for a bad racist comment when a show like Family Guy airs similar or worse comments on a daily basis:

5. There is no real difference between the two, but the kind of big public storm that resulted in Imus being fired is essentially a random event, unpredictable and nearly inexplicable, and it typically arises when political, social, and media pressures all align just right. It can’t be concocted, or controlled. It happened to Imus because it happened; and it hasn’t happened to Family Guy just because it hasn’t.

Now to some extent this wasn’t a purely random event. Facebook has been the poster-child of the valley, so it was only a matter of time until they made a bad move. The fact that everyone happened to pick Beacons, more random.

What bugs me is that the media picked this particular invasion to draw attention to. You think Beacons are invasive? How about the fact that your ISP might be installing a sniffer box that not only tracks what you buy — it tracks everything. It tracks what movies you watch, what sites you go to, where you purchase things, how often you purchase things. I mean, that freaks me out a hell of a lot more than a little Facebook Beacon — because one you can control, the other you cannot. Don’t believe me? Check out: NebuAd or AdZilla. Or how about Errorsafe? The little program that installs on your machine and probably sniffs out and steals your credit card numbers when you buy something. It’s being distributed via advertising networks left & right, yet I don’t see much media attention there either.

Maybe it was part random, part fate — but Facebook has definitely gotten the full fury of the blogosphere thrown at it these past few weeks. So bloggers & journalists. We get the point — Facebook invades your privacy. It has from day one, showing your friends pictures, status updates, all sorts of things. Don’t like it? Stop using Facebook. In the meantime, please pay some attention to some more invasive and much scarier things, like Errorsafe or ISPs that sniff and sell your data without the opportunity to opt-out.

Someone pointed me to an interesting blog post from StatCounter that discusses how they were approached by an advertiser to place a ‘spyware’ cookie. What is a spyware cookie? It’s funny, I’ve always thought of “Spyware” as “Shitty desktop software that installs without user consent.” Which is, in fact, exactly what this Wikipedia article says about it:

Spyware is computer software that collects personal information about users without their informed consent. The term, coined in 1995 but not widely used for another five years, is often used interchangeably with adware and malware (software designed to infiltrate and damage a computer respectively).

Interestingly enough, this entry has a strikingly different definition:

any software that covertly gathers information about a user while he/she navigates the Internet and transmits the information to an individual or company that uses it for marketing or other purposes

Ok, so I’m getting confused as hell. So next I did a Google search for “spyware cookie”, clicked on the first entry and found this page.

Spyware Cookies are Intrusive
A spyware cookie is any cookie that crosses the line from helpful to intrusive. Spyware cookies are not interested in making your surfing experience better; the sole interest is to gather free marketing data to promote a sale of a product or service. Spyware cookies are placed on your machine by a consortium of websites that track your movement from one website to another.

Spyware cookies can track your every click and record all information you enter into non-encrypted online forms [...]

So I don’t know where the jackass from “” got his education in online technology, but a cookie is a text file. I will personally pay someone $100 if they explain to me how a TEXT file can track your every click and record all information you enter into non-encrypted online forms. But really, what IS the proper definition? Well, I don’t like any of the three above, so why not throw in an academic’s perspective while we’re at it — namely here’s a quote from Ben Edelman’s site:

[...]“spyware” software — programs that monitor user activities, and transmit user information to remote servers and/or show targeted advertisements. As distinguished from the design model anticipated by’s definition of adware (“any software application in which advertising banners are displayed while the program is running”), these spyware programs run continuously and show advertisements specifically responding to the web sites that users visit. Companies making programs in this latter category include Gator (recently renamed Claria), WhenU, and 180Solutions. Other spyware programs include keystroke recorders, screen capture programs, and numerous additional software systems that surreptitiously monitor and/or transmit users’ activities.

Wow, similar, but yet again, different! Ok, so since everyone and their mother seems to define spyware, I will too! I see a couple key themes: shitty, intrusive, advertising, personal information, communication, uberpowerful. So here goes!

Spyware, an uberpowerful software application that provides rather shitty and intrusive advertising on a desktop computer which communicates your personal information to some shady 14 year old in a basement in Oklahoma.

Spread the word! I won’t be the one to put this on Wikipedia, but I dare someone to try! In all seriousness though — if we as an industry can’t get together and actually define what ‘spyware’ is, how can we stop it?

Punch the monkey!

March 1st, 2007

We’ve all seen this ad… it loudly proclaims “Punch the monkey to win a free _____”, fill in the blank with whatever is new and out today. A ps3, an xbox, maybe even an iphone (which hasn’t even been released yet). It’s perhaps one of the strangest phenomena of online advertising, and I have yet to meet a person not in the industry who understands how these make money.

So let’s look at an example I just saw on

So, if I hit this monkey ten times, I’m going to get a FREE PS3!!! OMG that’s awesome, I’ve always wanted a ps3 (or not.. had it been a ‘free wii’ ad I would have been much more likely to click)! But wait… someone told me once, “There’s no such thing as a free lunch.” Ok, so what’s the catch? Somebody is paying somebody here right? And how can I possibly get a ps3?

So, let’s walk through the ad and follow the money. First, we gotta hit the monkey (kind of fun actually). GOT HIM!

Monkey hit!

Ok, so this takes me to, where I see that I actually have a CHOICE of the free gift I can get… life is getting better! Now, at this stage, no money has exchanged hands yet. Publisher hasn’t gotten paid, and advertiser hasn’t made a penny.

landing page

Now entering in my zip on this page takes me to the next page which is some sort of registration form:

reg form

Ok, seems harmless enough. Why don’t we try filling this out? Before we do, let’s take a look at the ‘terms and conditions’ (conveniently hidden at the bottom of the page). Hrm…

By participating in the programs offered on the Site (each, a “Program”), you signify your express consent to receive information from Company in electronic format. You will need a computer with browser and Internet access to receive such electronic records. Electronic records may include terms and conditions, agreements, privacy policies, Gift redemption voucher(s) (each, a “Gift Redemption Voucher”) and other items.

Translation — We can send you any email we like if you fill out this form.

In attempting to become a Member, you agree to provide your personal contact information (you must provide your full legal name, postal address, land line or mobile telephone number and valid email address) in order to receive solicitations, marketing materials and other communications from us and third party advertisers and marketers (collectively, “Third Party Partners”), via e-mail, telemarketing, direct marketing, mobile marketing and any other method, as set forth in the Privacy Policy. In addition, you agree to participate in the Programs in exchange for the chance to receive a gift or other promotional offer from Company (“Gift”).

Translation — We will be sending you a lot of email/regular mail since you just agreed to it

Well, that doesn’t seem too bad. This is the first interesting piece. By filling out this form, you are now ‘converting’ on the very first step of this offer, namely, providing personal information. As you can see from the terms and conditions, this company is going to (with your consent) sell your personal information to various marketers. If you do continue, expect to see a large increase in the amount of email you get — ok… let’s be honest, spam email, as even though you consented and opted-in to this, it’s not the type of email you’ll be reading. So how much is this information worth? It really depends on who you are and how much info you provide. Last I heard, a name and email address was worth about $1.00, whereas full registration information (address, phone, etc.) was worth more like $2.50 – $5.00. So if I fill out this form, somebody is going to make a couple bucks!

Ok, well, I REALLY want that FREE ps3, so let’s do it! I can handle a bit of ‘bulk email’. So, what do we see now:


Surveys? I don’t want surveys, I want my free PS3!!! Ok, skip this.. it says I must answer truthfully to get my free PS3.. Ahhh… it just keeps asking me these questions!!! Where is my free PS3?


Ok, let’s take a look at the Program Requirements. How many questions do I have to answer??

2. For this promotion, Playstation 3, you must complete a total of 10 offers as follows: Page 1 – complete any 2 offers; Page 2 – complete any 2 offers; Page 3 – complete any 6 offers to get your gift. [...] If you do not correctly, and fully, complete the number of Offers required on each page, you will not be entitled to a Gift. If you have any questions, please contact us.

I have to complete 10 offers? Holy shit. What’s an offer? Well, after finally getting through the survey, I get to ‘page 1’ of the official offers, and they aren’t the kind of thing to sign up for on a whim. I see Netflix, Blockbuster, a Discover card? (who has a discover card anyways?).

First offer page

Ok, so let’s get to the point, can I get a free ps3? If so, what’s the catch, and who gets what?

The offers that this marketer has are all pay-per-lead based. For example, one of the offers I can sign up for to fulfill my requirement of ‘10 offers’ is a Netflix subscription. Netflix probably pays somewhere between $50-$100 for a new user, bam, marketer makes money. Other offers are credit cards, book clubs, and a whole assortment of random stuff. For every ‘offer’ that I sign up for the marketer makes money. If I actually do go out and fill out 10 offers I’m guessing the marketer is making between $300-$1000, depending on what I sign up for. How much is a ps3? Exactly, the fact is, even after sending you a ps3, they still make money! Not to mention the money they make from selling your personal information and from all the users that only completed one to nine offers and didn’t fully complete the process.

Interestingly enough, the advertisers behind the offers don’t mind this at all. There are ample choices of offers to choose from, which means that if you sign up for Netflix in an attempt to get a ps3, you’re probably somewhat interested in Netflix already.

Is it worth it? Hell no. Most offers are subscription based, which means that once you’re done with this whole process and get your PS3 you have to go back and cancel all 10 before you get charged up the a$$ in fees. I would personally just spend an extra month or two saving and go buy the damn thing in the store. Although — If you do go through the process, at least go for the free wii =).

So why do you see so many of these offers when you browse the web? As you read above, the payout happens early in the process, when you give up your personal information. This is a very easy thing for users to do and many do it without realizing what they’re signing up for, and hence, these offers can pay high CPMs. Also, since there is no ‘marketing budget’ here, the money will simply keep flowing as users continue to sign up.

There is also a good lesson here for more ‘traditional’ marketers. There can be huge value in a user’s personal information. I’m not saying to go out and start selling it, but instead of aiming to get users to sign up for your deal directly after clicking on your ad, why not start by just asking him about who he is and what he likes? You can then easily send more information or retarget the user (more on that later) in future campaigns. The less impulsive the purchase, the harder it is to get someone to sign up.

Interested in reading more? Wired has a great article here.

So, time and time again you see people rant and rave about how your privacy is being seriously compromised by the use of cookies. I must say, if you just read around on Google, advertiser cookies are one of the most misunderstood beasts out there. Nowadays, practically every spyware removal program flags advertiser cookies as ‘SPYWARE/ADWARE’. Try it, google up tribalfusion cookie, or yieldmanager cookie, etc. etc.

Take this SpywareNuker page:

Some of the components are listed below. The list is compiled as a reference. The list might not be complete and it doesn’t represent instructions for manual removal. We DO NOT recommend manual removal. Incorrect removal of certain software might make your computer unstable or even unusable.
Removal of adware component might affect the related ad-supported software.

Sorry to say, but this is total bullshit.’s cookie doesn’t infect a thing and can be removed easily and safely by yourself. So what are adserver cookies and what’s stored in them? The most basic information that most adservers will want to know is:

  • which ads you’ve seen, and how many times you’ve seen them
  • which ads you’ve clicked on
  • which ads you’ve converted on

Yes — that’s right, adservers know when you buy things after clicking on an ad — but that’s another post. Now more advanced behavioral companies will also want to track which sites you’ve been to and what behaviors (or segments) you belong to. Allowing adservers to track you using cookies means you won’t repeatedly see the same ad, and you should see more relevant ads to your interests as you continue your path along the internet.

So how do companies store this information? There are two ways — client-side or server-side. Client-side involves storing all the information about you in your cookie, whereas with server-side the cookie simply stores an ID and all information about you is stored on some database somewhere. Doubleclick, as seen in the below screenshot, seems to have gone the server-side route and simply stores my “id”, which maps to some data they have on me in their databases. The server-side route is great if the advertiser wants to store a lot of data, since there are size limitations on cookies and you don’t necessarily want to transfer 10kb back and forth on every ad call. It’s not so great in that it requires some serious database infrastructure to handle 10-100k reads/writes per second to a single database.

Doubleclick Cookie

Burst seems to have gone the client-side route and stores all ads I’ve seen from them directly in my cookie files. It’s actually interesting to note that the cookie data from Burst is not encrypted (big no-no!).

Burst Cookie Files
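The two storage designs described above, side by side, as an added example (not code from the original post, Doubleclick or Burst). The key, the in-memory dict standing in for the database, the cookie names `id` and `p`, and the sample profile are all assumptions; the example goes one step past the text by appending an HMAC tag to the client-side cookie so the server can detect edits, which gives integrity but not the encryption the post asks for.

```python
import base64
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: real servers load this from a secret store
PROFILE_DB = {}                       # assumption: stands in for the adserver's database

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def server_side_cookie(profile: dict) -> str:
    """Server-side: the cookie holds only a random ID; the data stays in the database."""
    uid = secrets.token_hex(16)
    PROFILE_DB[uid] = profile
    return "id=" + uid

def read_server_side_cookie(cookie: str):
    return PROFILE_DB.get(cookie[3:])

def client_side_cookie(profile: dict) -> str:
    """Client-side: the whole profile travels in the cookie, followed by an HMAC tag."""
    payload = json.dumps(profile, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return "p=" + b64e(payload) + "." + b64e(tag)

def read_client_side_cookie(cookie: str):
    """Return the profile, or None when the cookie is malformed or was edited."""
    try:
        body, tag = cookie[2:].split(".")
        payload, tag = b64d(body), b64d(tag)
    except ValueError:  # wrong number of parts or bad base64
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return json.loads(payload) if hmac.compare_digest(tag, expected) else None

def peek_without_key(cookie: str) -> dict:
    """What anyone holding the cookie file can read: signing is not encryption."""
    return json.loads(b64d(cookie[2:].split(".")[0]))

if __name__ == "__main__":
    # Constructed sample profile: the three basics an adserver wants to know.
    profile = {"seen": {"ad_1001": 3, "ad_1002": 1}, "clicked": ["ad_1001"], "converted": []}
    small, big = server_side_cookie(profile), client_side_cookie(profile)
    print(len(small), "bytes:", small)
    print(len(big), "bytes:", big)
    forged = "p=" + b64e(b'{"seen":{}}') + "." + big.split(".")[1]
    print("forged cookie accepted:", read_client_side_cookie(forged) is not None)
    print("readable without key:", peek_without_key(big))
```

The client-side cookie grows with every ad recorded in it, while the server-side one stays at a fixed 35 bytes. Keeping the profile private from anyone who can read the cookie file would additionally need authenticated encryption, which the Python standard library does not provide.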

Ok, so what does this all mean for the end-user? Well, indeed, there are companies out there that are tracking most of everything that you do online. Ad companies like Tribal Fusion know what you’re interested in and what you like to browse for. Hell, if Google succeeds in pushing Checkout to the world they’ll know everything you’ve bought, how much you paid for it and much more! All in all this sounds scary but it really shouldn’t be. Why?

First off, none of the information _should_ be personally identifiable. Cookies are tied to your computer, not your name. So if you switch machines often, or clear your cookies, all history is immediately erased. Now, some argue that if your browsing history is stored it should be possible to figure out exactly who you are. Let’s be honest, why go through all the trouble if there are much easier ways of figuring out what you’re doing online? If you’re worried, go download an anonymous browsing tool (there are plenty), or visit the little-known ‘opt-out’ pages that almost all online advertising companies have. Some examples: Opt-out, Yieldmanager Opt-out, Doubleclick Opt-out. If you do go the opt-out route, don’t clear your cookies because that’s the only way they’ll know you don’t want them to track you!

So whichever route you take, don’t forget that the websites you visit can provide you with free content because of the money they receive from advertisers. Cookies are one tool that advertisers use to help track revenue and regularly clearing them can cost your favorite sites money. My personal choice? I clear my cookies every month or so but am perfectly happy to let companies track my behavior to show me more relevant ads. Hell, I’d much rather look at an ad for some new tech gadget than ‘punch the monkey’!