Call me naive. I was surprised to read that sponsored links on search engines are far more likely than conventional “organic” links to lead to hostile sites.
The study, by researcher and activist Ben Edelman and the McAfee SiteAdvisor team, found that 8.5 percent overall of sponsored links on Google, Yahoo, Microsofts MSN, AOL and Ask.com point to sites rated as “risky” by SiteAdvisor.
Specifically, these risky sites merit either red or yellow status by SiteAdvisor, and its worth repeating the exact definitions:
- “Red” rated sites failed SiteAdvisors safety tests. Examples are sites that distribute adware, send a high volume of spam or make unauthorized changes to a users computer.
- “Yellow” rated sites engage in practices that warrant important advisory information based on SiteAdvisors safety tests. Examples are sites that send a high volume of “non-spammy” e-mail, display many pop-up ads or prompt a user to change browser settings.
My first inclination was to ask whether the SiteAdvisor ratings of the 8.5 percent as risky was trustworthy, but Ive dealt with Ben Edelman enough to trust his judgment on it. The guys not perfect, but hes scrupulous. Plus their methodology is all there in the article and seems, at first glance, to be reasonable. Add to that the fact that, as far as I can tell, the search companies havent disputed his results, and its pretty easy to draw conclusions.
I dont usually pay much attention to the sponsored links. I tune them out. But theyre there for a reason. Somebodys clicking them, and those users are not generally expecting a scam or to be infected with malware. Note that the study showed that 6.5 percent of the risky 8.5 percent were rated red, making them genuine bad guys, not just arguably aggressive marketers.
Tricky Click
The whole click-based economy seems strange and illogical to me, and this sort of bizarre situation is one of the results: scammers and purveyors of malicious code advertising in supposedly legitimate venues. Nobody taking responsibility. This isnt right.
According to the study, “Users cant count on search engines to protect them; to the contrary, we find that search result rankings often do not reflect site safety.” I dont think this is an acceptable situation.
The way I see it, theres a difference here between sponsored and organic links. Engines should do what they can for organic links. It would be good and probably to their competitive advantage to provide some warning about trustworthiness of a target. But engines dont get paid for that, and theres a tradition that they should be neutral in a sense when generating these results.
With sponsored links, as far as Im concerned, the search engine is implicitly endorsing the target of the link. They took money to put it up there, and that makes an important difference. Its disingenuous for them to disclaim any responsibility if a user follows one of these links and incurs damage as a result.
Perhaps our standards for what we see on the Internet have dropped to the point where nothings really wrong anymore. Its not hard to find spam-quality sponsored links. Do searches for “arthritis medicine” and “erectile dysfunction” and look at the sponsored ads.
The “erectile dysfunction” search on Google is especially illuminating: The first page of organic links is entirely made up of legitimate medical sites: the NIH, the Mayo Clinic and legitimate pharmaceuticals. I wont repeat the sponsored links, but they look like stuff youd read on the walls of a high school boys room.
MSNs and Yahoos results are no better. Ask.com, which had the worst overall performance in the study, had more respectable results in my queries. But why should a query for “American Idol” generate this sponsored result: “Disguise Your Caller ID—Change Your Caller ID At Will! Works From Any Phone”? Mind you, I havent even tested for malware at the target sites, just looked for obviously phony and offensive material.
Forget for the moment my argument that sponsored links amount to an endorsement and think of them as what they obviously are: advertising. If you went to a store after reading its ad in the local newspaper and the store robbed you once you got there, wouldnt you expect the newspaper to do something about it? Dont most newspapers have policies about running ads with actual offensive material in them? Its not like theyre responsible for a robbery, but if they ignore warning and continue to run the ads, then they are complicit.
The SiteAdvisor/Edelman report is such a warning. Who knows how many users are willing to click on a link that brings adware to their system because Yahoo or Google or MSN listed it? Its going to mean forgoing advertising revenue, so I dont expect them to, but the search engine companies need to start paying attention to whose money they take.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer