Who's clicking who?

I read this article on The Register with interest this weekend. It seems that the latest version of AVG anti-virus has implemented a "feature" that clicks links on Web pages for you, scanning the resulting pages for malware. In theory this might be considered a good idea. In practice it's a terrible idea. The concept is that by clicking all those links for you (and apparently they're limited to search results, b

I read this article on The Register with interest this weekend. It seems that the latest version of AVG anti-virus has implemented a "feature" that clicks links on Web pages for you, scanning the resulting pages for malware. In theory this might be considered a good idea. In practice it's a terrible idea. The concept is that by clicking all those links for you (and apparently they're limited to search results, but who really knows?), AVG can better protect the user from malware-laden links. The obvious problem is that AVG uses standard browser identification strings to do this, so each click is indistinguishable from an actual user click. Thus, when using AVG 8, you litter logfiles with fake clicks, and cause bandwidth utilization to rise on sites that you aren't even visiting. Website statistics become relatively useless since they're not accurately showing user actions, and perhaps more importantly, it may be that using this tool and visiting your own site can cause clicks on your own Google ads, unbeknownst to you. Further, other users that visit your sites may be clicking on all the ads as well, even though they're not actually clicking them.

I can't yet verify that this is true, however, and AVG has apparently announced that they will stop this practice, but there are millions of installations of AVG out there that will continue performing this operation until they're updated. There may be other applications out there doing the same thing, but with a smaller install base and thus haven't received attention.

If you've been following my Google AdSense account suspension saga, you know that I have no idea why my account was disabled, since I never violated any of their rules. They won't tell me what their reasoning was behind the account suspension, nor will they disclose any information about it whatsoever.

My guess is that my account was suspended for fraudulent clicks. Presumably, that would be a person clicking their own ads to drive up their AdSense revenue. But with "features" like this example in AVG, it seems that no user intervention is required to click those ads. In fact, the user never knows it's happening. If tools like this are clicking every link and supplying a valid browser ID string, Google's AdWords model goes out the window, as there's no way to accurately determine a user-generated click versus an automated click. Thus, advertisers are paying for clicks that never reach the user, and it's entirely possible that AdSense accounts will be disabled even though the owner of that account has nothing to do with it.

I'm trying to figure out if there's a moral to this story, but I'm coming up short. Maybe "Damned if you do, damned if you don't".

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies