Editor's Note: The following is a guest post from Timur Yarnall, entrepreneur and former CEO and co-founder, MdotLabs.
The ad trades will periodically run stories about botnets* and conclude that they are a very serious problem in digital advertising, usually attaching an estimate of what they are costing unsuspecting marketers.
While I started a company that identified botnets and have no love for them, I think that their impact and cost to the industry are often overstated. Below is a simple checklist I use to fact-check the press reports I do see.
The report must include a credible estimate of revenue impact
It is inaccurate to state that a botnet attempted to generate a fake impression and was successful 100% of the time. It is also inaccurate to say that it was paid on that impression 100% of the time. Some bot-driven impressions are blocked pre-delivery, and some payments are withheld due to post-campaign screening. Many botnet stories ignore this issue and simplistically calculate the revenue impact as attempted impressions multiplied by industry average CPMs.
But to estimate the true success of a botnet, you would multiply by two additional key variables: the fraction of ads actually served and the fraction of payments actually made. This reflects the fact that only some percentage of bot impressions are served ads or receive payment, and it results in a realistic, albeit lower and less headline-grabbing, number.
An incorrect estimate of the impact also undermines the credibility of the company disclosing the botnet. Honestly, any verification firm should be able to confidentially alert their customers, track the chain of payments and ensure that the true scope of the revenue impact is understood.
Industry peers should be alerted in advance of any press disclosures
A number of recent botnet disclosures gave IAB and TAG members only a day or two of notice before stories were published, which resulted in strongly conflicting views of each botnet's effectiveness and contributed to industry confusion about its true bottom-line impact.
Ideally, peers and key partners should be notified in advance, as Microsoft did when taking down parts of the Zeus botnet.
Let's not overreact to early estimates of the size and scope of botnet reports
The initial Methbot report described it as "one of the largest" operations in history. However, many other companies, including Google, later commented after review that the impact of Methbot was relatively small in comparison to many other ad fraud schemes.
In fact, a botnet scheme with a thousand nodes (infected computers or data center computers in use) is quite small relative to many botnets tracked today that may have tens of thousands of nodes.
If the report recommends blacklisting IP addresses, is it 'amputating an arm to remove a finger'?
Blacklisting sites is a common reaction to botnet attacks. However, IP addresses are often shared resources, used by many customers of the same data center or even by several data center companies. Blacklisting may block traffic from a botnet, but it may also block legitimate traffic from players that happen to share the facility or data center network.
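To make the trade-off concrete, here is an added example (not from the author or any verification vendor) that measures how much legitimate traffic a blocklist would drop at different prefix widths. The addresses come from documentation ranges, the bot/human verdicts are constructed, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed sample: (source IP, classifier verdict). 203.0.113.11 is a shared
# address that carries both bot and legitimate requests.
TRAFFIC = [
    ("203.0.113.10", "bot"), ("203.0.113.10", "bot"), ("203.0.113.10", "bot"),
    ("203.0.113.11", "bot"), ("203.0.113.11", "bot"), ("203.0.113.11", "human"),
    ("203.0.113.40", "human"), ("203.0.113.41", "human"),
    ("203.0.113.200", "human"), ("203.0.113.201", "human"),
    ("198.51.100.7", "human"), ("198.51.100.8", "human"),
]

def entries_for(traffic, prefixlen):
    """Blocklist covering every bot-flagged IP, widened to the given prefix length."""
    return {
        ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        for ip, verdict in traffic
        if verdict == "bot"
    }

def impact(entries, traffic):
    """Count the requests, per verdict, that the blocklist would drop."""
    blocked = Counter()
    for ip, verdict in traffic:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in entries):
            blocked[verdict] += 1
    return blocked

def compare(traffic, prefixlens=(24, 26, 32)):
    """Map prefix length -> (bots blocked, bots total, humans blocked, humans total)."""
    totals = Counter(verdict for _, verdict in traffic)
    rows = {}
    for plen in prefixlens:
        blocked = impact(entries_for(traffic, plen), traffic)
        rows[plen] = (blocked["bot"], totals["bot"],
                      blocked["human"], totals["human"])
    return rows

if __name__ == "__main__":
    for plen, (bb, bt, hb, ht) in compare(TRAFFIC).items():
        print(f"/{plen}: bot requests blocked {bb}/{bt}, legitimate blocked {hb}/{ht}")
```

On this sample every width stops all bot requests, but the legitimate requests lost fall from 5 of 7 at /24 to 1 of 7 at /32, and the shared address means even single-address entries are not free of collateral damage.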
Hope you are sitting down: Digital ad fraud may not be a crime
Recent botnet stories have also referred to criminal authorities being called in to investigate, but have ignored a clear issue: bot fraud may not be a prosecutable crime.
Installing malware on a user's computer without their permission is clearly a crime, as is bank wire fraud. But misusing data center resources to impersonate human web surfing behavior is not a crime, according to several attorneys I've interviewed. It may be a case of contract fraud, which is a civil offense and notoriously difficult to litigate. Characterizing botnets in the press as "cybercrime" without any substance or detail simply adds to the hysteria around the issue.
It is my hope instead that this post provides a valuable checklist that will lead to rational analysis, transparency and constructive dialog.
*Botnets are most often created via malware that infects a user's PC, taking over the system's web browsers to direct fraudulent background traffic to certain online advertisements. Recent stories have also alluded to botnets using data centers to generate traffic instead of personal PCs. In either case, a botnet that impersonates millions of browsers will be able to generate a massive amount of fake traffic for ad fraud.