Chapell & Associate's president gives background on the current state of click fraud and advice on how to minimize it.

After representatives from Google and Yahoo! sat down to discuss click fraud at the Search Engine Strategies New York conference this March, the issue seemed squarely back on the front stage. Maybe it never left, but it's clear that an increasing number of online marketers are expressing concern about the money they've spent on search ads.

But no matter how concerned these marketers are, it's principally a business problem, right? What in the world, you might be asking yourself, is a privacy guy doing talking about click fraud? Bear with me-- I'll get to that in a moment…

I think most people probably have a general understanding of what click fraud is, and Michael Caruso of ClickFacts does a good job of explaining what it is and how it manifests itself. I'll try not to repeat what others have already said on the issue.

We might need a little bit of background, though. As many of you may know, Google recently settled a class action suit with online retailers over click fraud for $90 million. That $90 million is meant to cover all U.S. claims, which makes it -- at least according to Danny Sullivan -- an "especially cheap" deal for Google. Given Google's revenues, click fraud would have to constitute somewhere below 1 percent of all search ad clicks for the settlement to be strictly equivalent. Most credible sources, however, estimate that click fraud is over 15 percent for tier 1 search engines (i.e., Yahoo, Google) and even higher for tier 2 and tier 3 search engines.

So at some point -- and some might argue that we're already there -- click fraud is going to so significantly eat away at the market cap for search engines, that they are going to be forced to address it in a meaningful way. Of course it's easy to say that something should be done. The real question is figuring out what that something should be. We can start, though, by outlining some of the current strategies for dealing with click fraud. 

Who -- or what -- is clicking on your ad?
One suggested approach involves filtering out any and all clicks made by non-humans or "bots." It's anyone's guess how many automated bots are out there -- some researchers estimate 75 to 100 million -- but it's clear that many are used to fraudulently click on ads. So if the search engines could figure out how to count only the clicks that come from actual people -- thereby weeding out the fraudulent bot clicks -- they'd be on their way to a solution.

Unfortunately, this won't affect the growing-- and harder to detect alternative: click farms. By hiring individuals in India, China or former Soviet satellites to click on ads for $2 an hour, these farms can provide a lucrative source of income for those running them. In fact -- and if I can put on my Oliver Stone hat for a moment -- click farms could have an even larger impact. If one were to set up a big enough network of farms, they could start to manipulate the stock prices of the large search engines. It's well known that certain online companies like to click on the links of their competitors in order to drive up their marketing costs, so I'd be surprised if this hasn't crossed the minds of those running the click farms.

Customers don't grow on farms
Bot clicks follow patterns-- but human clicks often don't. So the relatively simpler fraud detection processes often used by search engines can have harder time figuring out which people are clicking fraudulently are which are not. 

A number of analytics firms (such as ClickTracks or Zedo) have started offering more in depth analyses of click-stream data. By using information such as the IP address and geographic location of the clicker, these firms can begin to provide marketers with some amount of transparency. And this additional transparency might help weed out some of the fraudulent clicks. The assumption seems to be that if you're buying search terms for a U.S. search portal, most of your customers will be based in the U.S. When there's a surge in clicks from, say, Belarus (all bounced through a set of proxy servers) something is probably amiss.

It must be said, though, that this sort of traffic analysis is relatively new and would seem to be a partial solution at best, since click-stream analysis occurs after the fact. So a marketer would presumably have to weed through all this data and make their case to the search engine after the clicks have been paid for.

The elephant in the room
Which leaves me with one thought-- it would seem that the best answer (perhaps, ultimately, the only answer) lies in authenticating clicks. As I've just mentioned, some analytics firms are providing a basic level of authentication by looking at IP addresses and geographic data. If we're really going to get at the root of the click fraud problem, however, we're going to need to understand more about who's clicking.

In theory, this would be similar to some of the strategies being implemented to address spam. Simply put, many of the anti-spam initiatives out there are designed to provide a level of transparency-- both to email recipients and those, such as ISPs, whose responsibility it is to prevent spam from entering recipients' inboxes. In other words, once email senders can be identified as real and legitimate entities, this helps to weed out senders who use fraudulent means of identifying themselves. It allows for the enforcement of standards for email senders as a whole.

Authentication applied to click fraud might work in much of the same way. For example, let's say that before a search engine could count a click as "real" it would have to authenticate that it came from a "legitimate" web surfer. Instead of marketers having to go in after the fact and ask, "Hey, is this really a potential customer?" the search engine would only receive payment for authenticated clicks. Seems reasonable enough, right?

Yet here's where privacy issues can start to arise. To "authenticate" a click implies having to look closely at consumer data. To make this work, the search engine would need to collect a good deal of information about the click -- and clicker -- that is being authenticated. It might even require that the engines reference a profile of past searches and clicks as a sort of reputation score. After all, this is part of how email senders are authenticated, too.

And that, my friends, is the elephant in the room.

One way or another, dealing with click fraud is going to mean weeding out the legitimate from the illegitimate clicks. And at its heart, this probably means knowing something about what or who is doing the clicking. So it shouldn't come as a surprise that there will be some privacy implications in the process. If we're going to be in the business of collecting consumer data to authenticate clicks, we're going to need to take the necessary precautions to ensure that this data is used properly and responsibly. 

If you have any thoughts on the matter, please shoot them my way…