That sounds like "competence" to me. A more relevant question regarding "evil" would be about its attitudes toward fraudulent practices that exploit its applications. Recently I asked Google and Yahoo about the use of ads from their syndication networks on typo-squatted domain placeholder pages; neither company responded.
This makes it difficult to rule out evil as a motivating factor, but not having conducted trials by fire or other tests I have no proof.
Unfortunately, its common and often reasonable in the security business to assume that everyone out there is without scruples. Google has stepped into one of these hornets nests with respect to click fraud, that is, the use by advertisers of fraudulent clicks on their ads on Googles AdSense network.
I havent been all over this issue, but various malware vendors and analysts have asserted to me that there are botnets out there doing fraudulent clicks on ads. Its an interesting idea. I can see how it could be done, even done well and in such a way that it would be difficult to detect. Therefore, it must be the case, right?
Clearly theres some click fraud going on out there. The only questions are what the percentage is of invalid clicks, what percentage is significant and what Google is doing about it.
The percentage of invalid clicks is a point of hot contention: Third-party monitoring services have attempted to track the problem and have come up with numbers that Google considers high. According to the Google report (PDF), bad technique and bad analysis has led many of the third parties monitoring click fraud to overstate its true impact. The report mostly focuses on false assumptions of extra clicks for events like page reloads that Google says do not, in fact, generate a click.
The report also discusses sampling techniques used by monitors that do not permit scrutiny, by leaving out details such as the total number of clicks. In one case, Google cites a study of click fraud that was actually a study of perceptions of click fraud; it didnt really measure clicks, just peoples impressions of the extent of the problem.
Of course, the whole process is a black box. Google doesnt share enough data for third parties to do accurate analysis and there are no real standards for defining invalid clicks. Google says it is working on these problems. Well see.
Theres only one answer to this problem: transparency. All the major ad networks need to find a way to provide enough data in an auditable fashion so that advertisers can have confidence that theyre not getting ripped off. All of the major networks have said that they would work on standards over the next year through the Interactive Advertising Board, an industry group. Google has also created a tool that allows advertisers to see their own invalid click numbers, but the company isnt providing aggregate data from it, implying that to do so would give assistance to the fraudulent clickers.
Incidentally, Ive been mixing the terms "invalid" and "fraudulent," but Google makes a distinction. Invalid, to them, includes fraudulent clicks as well as those that are not done with malice but that should not be charged to an advertiser, such as an accidental double-click on an ad.
With all the data it has, Google is in a position to perform retrospective analysis to identify these, and the company says it takes these issues very seriously.
It seems unfair and unreasonable to assume that Google wants to profit from invalid clicks, or, in other words, to be evil. Theres so much profit to make in this business of being not evil, and reputation counts for a lot. If I were Google Id want to shake out the fraud problem. And nobody knows as much as Google about whats really going on. But what does it really know? There could be fake clicks going on that Google didnt detect as fake.
But the "competitive information" argument isnt going to cut it much longer. Advertisers have every right to expect more information about how their charges were calculated. Maybe Google needs to make its philosophy "be forthcoming."
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at [email protected]