The internet is a highly unregulated place – which is both great, because it enables innovation and creativity, and also not that great because it leaves plenty of room for legally gray areas. It is precisely in the murky waters of legal grayness that click fraud was born – and resides still, years after the first lawsuits started rolling. Is click fraud illegal, though? Can you go to prison if you commit click fraud? Is there any legal basis you can use to sue someone for defrauding you by the means of generating fake clicks on your Google Ads?
Well, as it usually happens in highly unregulated places (in this case, the internet, and more specifically, Google Ads), both legislation and “pop culture expertise” on the matter are… dubious.
Here’s why click fraud laws are ambiguous (and what you can do to prevent an issue that has cost advertisers no less than $65 billion in 2021 alone).
What Is Click Fraud, More Exactly?
Click fraud is a type of digital ad fraud that involves clicking on pay-per-click (PPC) ads with the purpose of wasting a digital campaign’s budget, to generate financial gains off the backs of unprotected advertisers.
This type of digital fraud happens with pay-per-click advertising and can be done manually, by a real person, or automatically, through computer programs (also known as… bots). The latter variant is, of course, more efficient, as it is automated and requires little human input.
Are All Bots Bad?
If your imagination is now fueled by Hollywood-worthy scenarios, hold your horses for a second. We are, most likely, not on the verge of being taken over by Terminators.
That doesn’t make the issue of click fraud bots any less troublesome, though. As mentioned in the introduction, this is a very painful, very real issue generating billions of dollars of losses in the ad industry. Therefore, getting down to the bottom of the problem is essential for the very survival of pretty much every business running ads on the internet.
To circle back to the question of whether bots are good or bad, the answer is “no”. Not all bots are bad. In fact, saying “bad bot” is a bit odd in itself, as bots are nothing but computer programs. They cannot be “good” or “bad” in the same way villains and superheroes are in the movies. Also, as a side note, the very word “bot” has grown to be an umbrella term for pretty much any software designed to automate a specific task.
Bots can be programmed to do very useful things.They can also be programmed to mimic user behavior. For instance, bots can be programmed to interact with Google Ads in the same way a human would, such as through a script that is querying Google for a specific keyword/ search term, clicking on an ad, and then repeating the same process over and over and over again…ad-nauseam.
Now, when it comes to these bots, we can all agree that they’re bad.
What About More Sophisticated Bots? What’s Up with Those?
The most crucial issue with these bots doesn’t lie in patterns that can be easily detected (and thus, prevented) – like the one mentioned above. Sophisticated bot attacks are far more difficult (and sometimes even impossible) to detect. They usually come in the form of a botnet (a coordinated network of bots or bot software running on an end-user device without their knowledge.) This can take the form of viruses and malware infecting PCs and mobile devices.
You’d think these viruses or malware come into your PC looking dangerous, but that’s also a Hollywood scenario. In fact, sometimes, viruses and malware that generate click fraud can be wrapped up in something as innocent as a mobile game designed for children. While kids are playing on their phones, the app in the background could be generating impressions, clicking on ads, and draining Google Ads budgets.
Just like that. These sophisticated click bots emulate real users’ behaviors because they get exposed to a lot of examples of pre-recorded (or sometimes even real-time) user behavior. Thousands upon thousands of instances of average human behavior, are recorded, repeated, and then used to generate false clicks (and you get charged real money on them).
“Yeah, but, like, there’s machine learning to stop that from happening, no?” – might be your next thought.
Yes, there is machine learning, which is an amazing technology for a lot of things, but not always as a tool you can use to fight click fraud.
Let’s run a quick exercise.
In a nutshell, programmatic (“machine”) learning click fraud solutions work like this:
- Analysis is done by supercomputers over a massive number of variations in the same situation (data sets), where specific criteria is configured as relevant;
- The algorithms find dependencies based on repetition, cadence, and so on;
- They block clicks the algorithm “considers” as malicious.
That’s an oversimplified way of looking at it, of course. But for the purpose of this little exercise, let’s take it up a notch. Think of Android malware (which is scarily widespread and extremely easy to “catch” on your phone), and of how, as mentioned earlier in our article, it can record how people behave when browsing websites. How these people click, scroll, zoom, and swipe – it can all be recorded and emulated on a search page or website.
When the powerful hardware behind “machine learning” analyzes this behavior it does it through the lens of what it “knows” to be real (based on what it had learned) . This means that the “machine” cannot, in fact, determine the clicks generated by a sophisticated bot from the clicks generated by a human – because everything about that behavior is extremely human.
No glitch in this matrix. Just perfected bot-to-human mimetics that can trick the “machine” itself.
But CAN You Detect a Bot?
Yes, you can. Just know that machine learning may not be a cure to being targeted by sophisticated botnets.
Detecting bots on your Google Ads should be based on monitoring the following:
This means you will have to record any data you can get your hands on which is not actual behavior (it can be, for example, IP addresses). Then, you will have to compare this with previously detected bots to find a pattern (and a potential match).
For instance, if an IP address from a specific country clicks on ads for a specific campaign, browser, and resolution, it is very likely that this is not human behavior, but a bot (as previous knowledge would indicate).
This means recording any type of behavior you can get your hands on:
mouse movements and gestures, scrolling, interaction they have with forms – in short, everything a person does when they are visiting on a website. To figure out what the expected behavior is, you will have to look at behaviors for specific entities (e.g. a single page, a single ads campaign, etc.). Based on this, you will be in the position to detect discrepancies.
Essentially, what all this means is that you will have to create a model (either by manual tweaking or through machine learning) of what expected behavior (human behavior) is across all the criteria – and once that’s done, you will have to look for discrepancies to find the bots.
Time period criteria
This process involves doing everything mentioned above, but in a carefully determined time period. This can be done by manual tweaking or machine learning too.
Overcoming the Challenge of Detecting Bots
Simpler bots are obvious: they originate from a data center, with a static IP address. They’re easy to detect and prevent, particularly because it’s difficult for them to adapt once they have been detected.
Distributed networks, however, are an entirely different affair. In their case, the source of the clicks (IP address, location, ISP, etc) is more difficult to determine. So the next best thing you can do is focus on visitor behavior after the click has ocurred. This enables you to monitor how they’re interacting with the website if they are engaging with the content, if they’re interacting with forms, and so on.
In theory, this sounds simple – but as you have probably guessed thus far, nothing about click fraud is simple. For instance, determining the source of the clicks is not easy and you have to look into post-click visitor behavior, it’s not like there are red flags framed by LED lights pointing to the issue. There are no clear indicators click fraud has occurred, and, to make things even more complicated, there is a very, very thin line between a bot and…a bad lead. Even more, if the visitor hasn’t spent any time on a landing page after clicking an ad, determining whether they were human or bot becomes increasingly harder.
To top it all off, a lot of people use tracking blockers and privacy-oriented browsers. That means their behavior online is virtually untraceable.
Last, but not least, bots are getting increasingly more sophisticated, gets better at emulating normal human behavior. They will land on the site, browse around, click on a few links – all just to fool analytics and detection tools.
In this situation, what you can do is look for irregular patterns that no human would ever be able to achieve (e.g. filling out a form in two seconds, accessing the bottom of the page without any scrolling, etc.). These are all non-deterministic measures, which translates into a relatively easy-to-understand concept: when it comes to click fraud, you can only deal with probability, not certainty.
… And this brings us to the main point of this article: the legality of click fraud.
Is Click Fraud Illegal?
As mentioned in the introduction, click fraud swims in murky legal waters. To understand why, and why relying on a click fraud lawsuit is the worst way to go about this, you will have to understand three main points:
- Click fraud legislation is wildly different around the world
- There are successful click fraud lawsuit stories, but that doesn’t mean you’ll be in the same situation
- Proving click fraud has happened is extremely difficult
Let’s tackle all of these, one by one:
Click Fraud Legislation Around the World
Generally, click fraud can be filed under “wire fraud” or crimes regarding cybersecurity or ‘information technology’. Here are a few examples of how the question of is click fraud illegal is tackled around the world:
Fraud legislation in China
In China the Anti-Unfair Competition Law is commonly used in situations of click fraud. This law is normally applied for issues such as stealing trade secrets and bribery. However, click fraud falls under the category of using unfair advantages for personal gain and hence may include fraudulent clicks.
The European Union
The EU is making a lot of efforts to keep the internet a safe place. The GDPR was one of the first pieces of legislation that tackled the problem of user data and the right of users to control their data.
The European Union also has some strict anti-fraud laws. Fraud protection falls under the responsibility of OLAF, the anti-fraud office. Moreover, within the EU, individual states may have additional legislation that makes some aspects of click fraud illegal.
Click fraud in India
While there is no specific law against ad fraud, click fraud in India normally comes under the 2000 Information Technology Act. This law covers a lot of aspects related to click fraud in India.
But there is another piece of relevant legislation - the Indian Penal Code (Section 420), which covers most practices related to fraud. This mix of law is currently helpful for tackling click fraud in India.
USA anti-fraud laws: Ad fraud and other cyber crimes fall under "The Computer Fraud and Abuse" (CFAA). This was set up to cover national security and personal data, but it is being constantly amended as new click fraud lawsuits are happening.
Successful Click Fraud Lawsuits
Although legislation is ambiguous (to use a mild term), successful click fraud lawsuits have happened before.
For example, in 2006, in the Lane’s Gifts and Collectibles vs. Google class-action lawsuit, 70 plaintiffs asserted that Google misled advertisers on the specific steps they take against click fraud. Eventually, Google settled for $90 million but publicly stated they are doing everything to prevent fraudulent clicks, as well as reimbursing advertisers if illegitimate clicks occurred on their campaigns.
Methbot is another ad fraud story with a “happy” end. Throughout its activity (which started being tracked in 2015), Methbot generated more than $7 million worth of losses to advertisers. However, in 2019, Aleksandr Zhukov was caught and extradited to the U.S. and in 2021, he was found guilty on several counts, including money laundering, wire fraud, and fraud conspiracy.
Even more recently, in the click fraud lawsuit known as Juju, Inc. vs. Native Media, LLC, (D. Del., June 15, 2020) United States Magistrate Judge Christopher J. Burke of the District of Delaware decided that click fraud violates the federal Computer Fraud and Abuse Act (CFAA).
This is the first judgment that gives such a clear sentence and could change how we answer the “is click fraud illegal” debate from now on.
This case involved an ongoing click fraud scheme led by two US-based spouses. During the trial, click fraud has been defined as a situation when “either a (natural) person, automated script, or computer program, sometimes referred to as a `bot,’ simulates the click activity of a legitimate user by clicking on the Program Data displayed, but without having an actual interest in its subject matter or content.”
These stories are, however, the outliers of a massive problem that keeps on oozing billions of dollars out of advertisers’ bank accounts. Most click fraud victims do not get the justice they deserve – and that’s partly due to faulty legislation as well as the fact that…
…Proving Click Fraud Has Happened Is Difficult
In fact, proving click fraud has happened (in a way that is admissible to any court in the world) is near impossible. The high level of sophistication some of the botnets show these days makes it incredibly hard to bring any kind of evidence in front of a court.
You can record the data and interpret it, but unless you have witnesses and documents that prove malicious intent, you can’t prove click fraud has actually occurred.
It is impossible to prove intent on anything – mostly because nobody has a crystal ball and mind-reading is for Hollywood movies, not real life. For instance, you can use on-site behavior data to conclude your ad was likely clicked on by a bot. However, unless the bots you’re facing are incredibly unsophisticated (e.g. they will “behave” in ways no human ever would), you can’t actually prove the clicks on your ads were illegitimate (i.e. generated by a bot, not a human). Chances are that no digital forensic expert (assigned by a court, for example) would ever be able to agree that your evidence is 100% relevant.
…And even if they would agree that your data shows unusual behavior, you still can’t prove the intent behind it. Your targeting may be flawed. Your audience may be erratic. Your leads may be of low quality. A lot of other things could’ve happened – things that would have nothing to do with botnets, but the disparity and oddity of human behavior in general.
So, in Conclusion: Are Botnets and Click Fraud Illegal?
Well, yes. They are, as they can be classified as wire fraud, digital fraud, or abuse, for example.
Also, no. Because there is not yet any kind of clear legislation to stipulate click fraud is 100% illegal.
And even if there were, bringing court-admissible evidence to support a lawsuit would be extremely difficult (provided that you are not the victim of a very simple click fraud attack, which is very often not the case.)
So you might want to change the question from "is click fraud illegal" to "what can I do about it"?
What is there left to do, more specifically?
Prevention. It’s the only sane, measurable, and legit way to stay away from click fraud (and all the monetary loss that comes with it).
At ClickGUARD, we use advanced post-click forensics to help our customers spot unusual behavior on their Google Ads campaigns, so they can create automated rules that block bad clicks – and protect you from wasting precious PPC budget on traffic sources that will never bring in the ROI you need.
Curious to learn more about us? Check out our extensive explanation on click forensics, or jump right into booking a demo meeting with us. We’re here to help you. Really. 🙂