Is click fraud illegal? Though it has taken many false starts to get an answer, the answer now is yes. Though this has only become absolutely clear in 2020. In Juju, Inc. v. Native Media, LLC, (D. Del., June 15, 2020) United States Magistrate Judge Christopher J. Burke of the District of Delaware held that “click fraud” violates the federal Computer Fraud and Abuse Act (CFAA). Under this law, you can go to prison for up to 10 years.
Despite more than a decade of click fraud actions, this landmark judgement is the first time the treacherous waters of the CFAA have been passed despite many attempts. The case involved an ongoing click fraud scheme led by a Florida-based husband and wife team. The opinion states: “click fraud” can occur when “either a (natural) person, automated script, or computer program, sometimes referred to as a `bot,’ simulates the click activity of a legitimate user by clicking on the Program Data displayed, but without having an actual interest in its subject matter or content.”
The court ruling cements CFAA as a central anti-click fraud weapon. It puts would-be fraudsters on notice with the increasing use of using botnets, sophisticated bot traffic and click farms to invalidate clicks, and hurt advertising campaigns.
Penalties under the CFAA
The penalties under the CFAA are prison terms with maximum limits of 1 to 10 years depending on the extent of the violation The penalties for conspiracy to violate, or for violations or attempted violations are up to $250,000 for individuals and $500,000 for organizations.
The testing of click fraud laws over the past decade
When you think of click fraud, legality naturally jumps to mind. After all, click fraud does have the word fraud in it, and most cases of fraud such as corporate fraud see big cases mounted, however computer cases are different, and click fraud in particular has not always been straightforward.
Before this game changing ruling, previous click fraud cases effectively settled that click fraud was illegal, but it was definitely not clear-cut. In the first place, many cases were settled before coming to court, and therefore avoiding the legal back and forth required to clarify the matter. What is known is courts have denied class certification when alleged click fraud victims took actions against platforms allegedly not doing enough to stop invalid clicks. In one case in 2017, a judge, denying class certification to a case against Google “victims of click fraud”, said: “There is no factual support for the plaintiff’s assertion that Google misrepresented the likelihood that customers would actually incur charges for a significant volume of invalid clicks,” and dismissing the case.
Failure to propel class actions effectively prevents large group of parties from receiving compensation, even if their individual claims are relatively small. It also provided very little incentives, not least among lawyers. However, with the CFAA in play, things are more clear-cut though it has taken more than a decade for the CFAA to take a starring role in click fraud. The CFAA, on the US statute books for decades, makes it illegal to intentionally access a “protected computer”—which includes any computer connected to the Internet— “without authorization” or in excess of authorization. But it doesn’t tell us what “without authorization” means. Saad Gul Poyner and Michael Slipsky of law firm Poyner Spruill, say that with the 2020 ruling, click fraud is now in the same realm as hacking. Poyner and Slipsky, who are experts in computer law, explain that “unauthorized access” relating to click fraud is deemed a key stipulation of the Computer fraud and Abuse Act. The lawyers add that by “directing a stream of unauthorized clicks at the plaintiff’s computers it represents “unauthorized access.”
It has been pointed out that Microsoft (an example of a platform suing against click fraud efforts against its advertisers, see below) was the first to bring a civil action for click fraud using CFAA as long ago as 2009. Daniel Joshua Salinas of Seyfarth Shaw law firm writes: “Microsoft contended that fraudulent clicks at issue violated its terms and conditions, and, thus exceeded authorized access by violating these use restrictions. Unfortunately, no substantive rulings came out of the case as the parties reached a settlement prior to any motion practice.”
The ruling comes as over the years click fraud has consistently been on the rise and is set to cost businesses $23.7 billion in 2020, according to economists at the University of Baltimore.
The bigger brother of the CFAA is wire fraud. This type of fraud is defined as: financial fraud involving the use of telecommunications or information technology and carries a maximum 20-year jail sentence. The only case in the realm of click fraud involving this law involved so-called click fraud kingpin Vladimir Tsastin, sentenced to 7 years in 2016 for running a click fraud scheme for nearly 10 years. Arrested in Estonia and extradited to the US, Tsastin, used malware-infected PC’s to fraudulently click ads on which he would receive revenue. After posing as several publishing companies, the bots were then used to generate fake views, leading advertisers into believing they were receiving genuine views. In total it’s believed that Tsastin managed to make over $14 million dollars from the click fraud scheme. In addition to this, he also had to forfeit $2.5 million dollars in illegal profits.
Other laws covering click fraud
Alongside the CFAA, lawyers arguing invalid click against campaigns are invoking a number of other laws. The complaint by online golfing seller, Motogolf, files in its court complaint unfair business practices legislation; unlawful acts regarding computers; antiracketeering; deceptive business practice laws; intentional interference with contractual relations, intentional interference with prospective economic advantage, and civil conspiracy.
Antitrust law and click fraud
The breaking of competition or anti-trust law, designed to allow markets to function effectively with free and fair competition, could be a crucial next battleground for click fraud. In a case that was ultimately dismissed, a California Federal Judge found that satellite phone company, Whenever Communications did not engage in click fraud. The satellite phone company’s competitor, Satmodo had alleged that Whenever Communications regularly exhausted their ad spend (allegedly clicking on the plaintiff’s home page approximately 96 times within a few minutes, forcing a cease and desist letter to be sent. The plaintiff alleged economic loss of $75,000). US District Judge Anthony J. Battaglia did however, keep intact Satmodo’s claim under US competition law. The decision states: “The crux of plaintiff’s complaint focuses on defendants’ alleged click fraud scheme, which takes plaintiff, one of its main competitors, out of the marketplace for a period of time, all to the defendant’s benefit.” It adds: “These allegations, taken as true, allege unfair conduct that violates the spirit of antitrust laws and significantly threatens competition.”
Types of click fraud prosecutions
There are of course different scenarios of click fraud case where action can be taken, using such laws. These are Advertisers vs Platforms; Advertisers vs Networks; Advertisers vs Advertisers; Clients vs Agencies; and Platforms vs Click Fraudsters.
Advertisers vs Platforms
When an advertiser experiences click fraud on an ad network, their first step will be to contact the platform to investigate and platforms in many cases refund invalid click payments. One of the biggest lawsuits involving advertisers and networks is a case from 2006. This was a class action lawsuit involving advertisers which involved Google and several advertisers, with 70 objections in total (the case was settled, and certification of the lawsuit never occurred). Nevertheless, the suit was filed by Lane’s Gifts and Collectibles on behalf of all Google advertisers who had used the service since 2002. In a $96 million settlement, Google gave advertising credits that were the equivalent of a $4.50 refund on every $1,000 spent in its advertising network during the previous four and a quarter years. In a blog at the time, Google said: “We have said for some time that we believe we manage the problem of invalid clicks very well. We have a large team of expert engineers and analysts devoted to it. By far, most invalid clicks are caught by our automatic filters and discarded *before* they reach an advertiser’s bill. And for the clicks that are not caught in advance, advertisers can notify Google and ask for reimbursement. We investigate those clicks, and if we determine they were invalid, we reimburse advertisers for them”. Other platform settlements include Facebook which agreed a $40 million settlement with their advertisers for inflated video metrics in 2019.
Advertisers vs Advertisers
Sometimes click fraud disputes often arise when an advertiser clicks on other advertisers’ ads depleting their ad budget. This is being thrashed out in the ongoing case of Las-Vegas based Online golf equipment retailer Motogolf.com (2020), in the US District court of Nevada. The sports retailer sued a competitor, alleging they violated federal and state law (the CFAA and Lanham Act) by repeatedly clicking on Motogolf’s pay-per-click online Google ads. They allege that once viewers have clicked the set number of ads in a given day, the ads become “exhausted” and no longer visible for potential customers. Beyond the immediate cost of the problem, Motogolf also claims it is losing “valuable demographic data about prospective customers”. The problem cost the company at least $5000, according to Motogolf. The golf retailer alleges in its complaint that its competitor employees used various electronic devices to intentionally click on Motogolf’s online pay-per-click ads “in an illegitimate manner calculated to cause damage to Motogolf.”
Clients vs Agencies
When it comes to digital marketing and pay per click, often agencies manage their ads. Sometimes clients can feel like they have been let down by the agency and have not got the best return from their investment. Although this can be down to a number of reasons, some clients accuse agencies of purposely deceiving them. In a recent case, the global taxi firm Uber has sued its ad agency Fetch Media Ltd for alleged click fraud and deception, and affiliate fraud. Uber claims that Fetch improperly billed Uber for fake online ads and downloads it had nothing to do with. Uber is looking for a reported $40 million in damages. The case is ongoing.
Platforms vs Click Fraudsters
Platforms also act against those found to be engaging in click fraud. In January 2006, Microsoft filed a $750,000 lawsuit against Eric Lam, a Vancouver resident, and two others, accusing them of trying to exhaust competitors’ ad budgets with bogus clicks and boost traffic to their own ads. Microsoft eventually settled the case and its terms are sealed, according to the Wall Street Journal. In 2005, Google won $75,000 in a click fraud case against former AdSense participants Auction Expert International. Google claimed that they hired several employees to click the ads and generated over $50,000 in ad revenue. In this case, Google managed to recover their losses and pass them back onto advertisers, which resulted in a significant victory for Google. In 2019, Facebook filed lawsuits against two app developers accused of generating fraudulent revenue, LionMobi — based in Hong Kong, and JediMobi — based in Singapore — generated “unearned payouts” from Facebook advertising. Facebook also took action against iLike Ad Media deceived people into installing malware compromising people’s Facebook accounts and running deceptive ads through “cloaking”, disguising the destination of the link in ads by displaying one version of an ad’s landing page to Facebook’s systems and a different version to Facebook users. In April 2020 Facebook took court action against Basant Gajjar, for software and services running deceptive ads, including scams related to COVID 19 and cryptocurrency.
Proving click fraud is hard
However even for enterprises, which face a large problem from click fraud, proving how it happened is harder as botnets increase and cybersecurity knowledge is increasingly required to unpick the complex details. knowing that click fraud is illegal is one thing. Proving that click occurred and showing the mechanics of how it happened can be difficult. Milwaukee criminal defense attorneys of Hart Powell, S.C. explains: “It is always important to remember that in the criminal justice system, the defense must merely establish doubt as to the defendant’s guilt. There are many ways that this can be done in a click fraud case. Most notably, it is difficult to prove precisely who committed the crime, when it was carried out, and from where. Being able to challenge these issues may be sufficient to lead to an acquittal or a reduction of charges.”
Protect Your Ads From Fraudulent Clicks
Suing ad networks and competitors for alleged click fraud can be a costly and time-consuming process. Not to mention there is no guarantee you will win the case or even get any money back. CHEQ for PPC is the first solution to block invalid clicks across multiple platforms. Up until now, invalid click solutions have focused exclusively on Google Ads and have only detected basic invalid traffic through the use of outdated IP blacklists. In contrast, CHEQ for PPC is the first to eliminate invalid clicks across all major PPC platforms including Google, Facebook, Instagram, Baidu, Bing, LinkedIn, Snap, Twitter, Pinterest, Yahoo, Yandex and more. Get your free demo from the leader in PPC protection today.
Want to protect your sites and ads? Click here to Request a Demo.