Google search ads spotted in compromising placements

Adalytics’ report contains a long list of the advertisers whose Google search ads it reports being able to observe displayed on U.S. Treasury OFAC SDN sanctioned, Iranian, and/or pornographic websites — including the following public bodies, companies, organizations and politicians:

The United States Treasury; the European Commission; political fundraising search ad campaigns for Senator Ted Cruz, Senator Amy Klobuchar, Congressman David Trone, Congresswoman Lauren Boebert, House Minority Speaker Hakeem Jeffries, the National Republican Senatorial Committee (NRSC), Republican National Committee (RNC) and Democratic Legislative Campaign Committee (DLCC), and the Democratic Congressional Campaign Committee (DCCC); the U.S. Department of Homeland Security, Federal Bureau of Investigation (FBI), U.S. Secret Service, Department of Defense (Military OneSource), U.S. Intelligence Community, National Security Agency (NSA), General Services Administration (GSA), and US Centers for Medicare & Medicaid Services (healthcare.gov); U.S. Army, Air Force, Coast Guard, National Guard, Space Force, the British Royal Air Force, the Dutch Ministry of Defense, and the Belgian Ministry of Defense; hundreds of major and Fortune 500 brands, including Apple, Lego, Deloitte, Accenture, KPMG, Microsoft, Amazon, BMW, Home Depot, Uber, Google, Meta, Samsung, Paramount+, TikTok, Pinterest, Snap Chat, and Snowflake; Ad tech vendors such as Human Security & DoubleVerify; non-profits such as United Jewish Appeal, International Fellowship of Christians and Jews, One for Israel, American Cancer Society, St. Jude Children’s Research Hospital, Save The Children, and the British Heart Foundation; several major media publishers, such as the Wall Street Journal, New York Times, Washington Post, The Guardian, The Financial Times, The Globe & Mail, The Economist, Business Insider, USA Today, Axios, Hearst Magazines, and Morning Brew.

If you read that list closely you’ll have noticed that Google’s own search ads were even spotted by Adalytics in compromising placements — which begs the question whether Google’s ad buyers even know how Google’s adtech works?

On reviewing the report, Laura Edelson, an assistant professor of computer science at Northeastern University whose research interests include algorithmic auditing and transparency, agrees it appears as if Google itself may not even have a full view of what’s going on inside its ads black box. “I don’t think that anyone at Google thinks, you know, ‘aha, what a great place to run our ads — an Iranian-state owned enterprise!’ That is not true. So, clearly, they do not have visibility into how their own systems work,” she suggested.

“I don’t know if that lack of visibility is intentional or not. But, one way or another, they have lost the ability to verify their own compliance with U.S. law. And so I think that’s where if they cannot do this — and they’ve demonstrated they can’t — they certainly need to give advertisers, at a minimum, the ability to verify that advertisers are not violating U.S. law.”

Google’s third party ad network may be less well known (and visible) than search ads running on Google.com and other Google-owned domains but the GSP has been criticised as a black box risk before. “The biggest downside is the lack of transparency and control,” wrote Search Engine Journal in an article published last year which proposed to bust some “misconceptions” about the GSP (such as advertisers mistakenly assuming the network would only serve their ads on smaller search engines using Google’s index). “There is limited data about where your ads are displayed and you can’t prevent ads from displaying in placements with poor performance or controversial content,” the author, marketing consultant Amy Bishop, also warned at the time.

Adalytics’ research goes further than informed concerns over potential risks for advertisers — by highlighting multiple, concrete instances where it was able to trigger the display of ads in places where buyers of these campaigns are unlikely to have wanted them to appear. (And, certainly, where Google’s own publisher T&Cs clearly seem to prohibit display.)

TechCrunch was able to recreate some of Adalytics’ findings. For example we observed Google Search Partner ads for consumer goods (diaper brand Charlie Banana); luxury brands (Prada, Burberry); political campaign funding campaigns (Mike Johnson, see screengrab below; Amy Klobuchar); and entertainment and media companies (Disney, the FT, the WSJ) being served through a Google search widget embedded on a number of adult content websites — with obvious reputational risk for associated advertisers. (And, as noted above, per Adalytics the list of brands and advertisers exposed to this risk is a lot longer than the handful of examples we directly observed.)

Google Search Partners ads for Mike Johnson displayed on a porn site

An ad for Congressman Mike Johnson showing on a Russian porn website alongside a NSFW pop-over that the site displayed next to Johnson’s ads which we’ve pixelated for viewer safety. Screengrab: TechCrunch

During testing, we were also repeatedly served pre-scripted search queries on (random) topics on pop-unders triggered when we clicked on the Google-powered search widget embedded on a number of adult content websites. (Note we did not have to type anything in the search box for this to happen — a simple click on the embedded widget triggered a pre-filled search query that was opened in a separate, concealed (pop-under) browser tab.)

Examples of pre-filled search queries we were served in this way included “seo audit services”, “companion pet insurance” (see below screengrab) and “dmp program” — topics which are entirely unrelated to the contents of the porn site serving them but appear to be popular keyword terms for buyers of Google’s search ads.

The latter two pre-filled search queries returned links to Google search ads for insurance firms Fannie Mae and Felix Cat Insurance (see below), among others.

Example of a pre-scripted pop-under triggered when using a Google search widget on a porn site

Example of a pop-under, pre-filled with the search term “companion pet insurance”, which was served by an Iranian porn website (visible in the browser tab to the left) after we clicked on an embedded Google search widget. Screengrab: TechCrunch

These pre-filled pop-unders look like naked instances of attempted ad fraud by a GSP — where users of the porn site in question would not even have typed a relevant query to trigger the display of search ads. (Presumably the intent is that the user will subsequently, either accidentally and/or out of curiosity, click on one of the ad links and, in so doing, generate ad revenue for the publisher.)

The automatic re-direct being deployed in the above instance was to the following URL: “search.howtolosebellyfat.shop/search/” — the choice of term used in the link presumably also selected for its potential to lure attention — a web property that Adalytics’ report confirms uses the Google Custom Search Engine.

It’s worth noting that we were unable to reproduce (nor did we attempt) all of Adalytics’ findings — for example, searches we tried on some of the flagged GSP websites for a number of major consumer goods brands (including Apple) did not yield display of their Google search ads. Whereas Adalytics says it was able to trigger Apple ads in problematic spots.

Adalytics report showing an Apple ad appearing under a Google search widget on a pornographic website

Image Credits: Adalytics

Its report, which runs to 219 pages, contains scores of screenshot examples featuring major brands — including an instance of Apple search ads being served on gpsm.ru, a Russian website Adalytics notes is explicitly mentioned on the OFAC SDN sanctions list; and another of Apple search ads being served on iasco.ir, the aforementioned Iranian steel company’s website it says is also explicitly on the OFAC SDN sanctions list. It also recorded several instances of Apple iPhone search ads being served on adult content websites.

Adalytics suggests discrepancies between the search ads it was able to observe and document in the report vs what we could verify subsequently, via our own testing, could be related to the fact of its research bringing the brand safety issues to light. It posits that the report, which was shared under embargo ahead of publication with a number of its industry contacts, as well as with journalists, may have been passed to affected advertisers and/or to Google — which could have led to implicated actors doing damage limitation by curbing display of their search ads to problematic sites (such as by opting out of the GSP) ahead of the report going live.

“We already see sites being taken down/de-monetized,” Adalytics founder Krzysztof Franaszek told us last week.

Once Google was informed of Adalytics’ upcoming research Franaszek also reported further instances of sites identified in the report having their search ads (and, indeed, their embedded search functionality via Google’s widget) blocked server side — including adult content sites pornobaza24.top, Forum Porn and comixxx.pro. (Google subsequently confirmed to us it had taken action to remove sites violating its publisher T&Cs against adult content once it was made aware of them.)

Ad campaigns can (and do) also change. So it’s possible some of the ad campaigns that were running on GSP when Adalytics carried out its tests were no longer live when we checked — such as, for example, if an advertiser’s campaign budget had already been maxed out.

For the record, in our tests last week, we were unable to reproduce Adalytics’ findings related to ads being shown on the website of the sanctioned Iranian alloy steel company mentioned in the report — such as FBI and U.S. Army jobs ads. We also couldn’t reproduce its finding of U.S. Treasury (aka U.S. Mint) ads being shown on the website of a Russian company that’s under U.S. Treasury OFAC sanctions under U.S. Presidential Executive Order 13685.

But we were able to observe FBI jobs ads being served on an Iranian website called Arshad Sara (see screengrab below). We also observed FBI careers ads being served on the far right news website, Breitbart.com.

Google Search Partners FBI Jobs ad displayed on an Iranian website

An ad for FBI career opportunities being served on an Iranian website. Screengrab: TechCrunch

Reached for a response to problematic placements of its ads documented in the report, a spokesperson for the FBI declined comment — saying we should direct questions to Google “regarding its platform and systems”.

“High-level vetting failure”

“When I look at this report, the first question I ask is why is this happening? And what it really looks like is that whatever due diligence process that Google has for the program to run these ads, clearly, the vetting is not working,” Edelson continued in a phone call with TechCrunch to discuss Adalytics’ findings. “There are websites on here that are the websites of directly sanctioned entities — and, here, I’m thinking particularly of the Iranian state-owned enterprises — so that is just incredibly clear cut. There’s no way maybe someone misunderstood what that website was. It’s not really borderline. That’s just a matter of U.S. law. There’s actually no getting around it.

“There are other websites where Google has made representations to advertisers about where their ads will and will not appeal. And, clearly, the process to verify that is not working either. And this is why it really appears to me to be a very high-level failure of vetting on Google’s part.”

“Google makes a lot of representations that advertisers and users should trust us,” she added. “But I think this is where you really see the problem of the lack of transparency of their systems. Because they’re asking people to trust them and clearly, clearly, that trust is not warranted.

“Not again, when entities which are on a U.S. sanctions list are able to run Google search ads. So I think that’s where something in their processes has clearly gone very wrong. And if Google wants to start rebuilding trust with the U.S. government, with the public, with advertisers, they need to be a heck of a lot more transparent around where their ads are running, who their partners are, and who they’re doing business with. Because whatever vetting they’re doing has clearly broken down on a very deep level.”

The findings could force regulators to rethink their hands-off approach to the adtech sector, suggests Edelson — who previously served as chief technologist in the U.S. Department of Justice Antitrust Division. “The credulity that regulators have given tech companies — it’s no longer sustainable,” she argued. “We’re not talking about a niche player making a very obvious mistake, as this is; we’re talking about the largest distributor of ads in the world.

“If Google can’t get this right, if Google is not getting this right — and let me say that: Google could get this right, they’re just not — that’s where Google has decided, somewhere along the line, they didn’t invest the money they should have invested in compliance. And these very obvious kinds of mistakes are happening.”

“The black box of adtech has meant that companies just haven’t had to invest a lot of time and money in regulatory compliance. I know they talk about how much they do… but whatever they’re doing it’s not working. And they’ve been able to hide that because of a lack of transparency of all kinds of adtech systems and that’s where we need to start demanding transparency.

“Regulators need to demand transparency, advertisers need to demand transparency. Of course advertisers have very little power in this equation. So that’s where, I think very clearly, regulators need to step in.”

“This is where you really start to see the power that Google as a dominant firm, can exact on the ad market,” Edelson also told us. “Because if you talk to advertisers, and say, hey, are you happy with the lack of transparency that Google provides? Are you happy not knowing where your ads run? I challenge you to find someone who says yes… This is not something that customers want. This is something that Google has the power to decree — because advertisers don’t really have a choice.”

Asked whether the findings suggest there’s been a failure by antitrust regulators to tackle the scale of the power imbalance in the adtech market Google has dominated for decades, she responded by describing it as “certainly a consequence of when antitrust enforcement is not brought to bear on a market that has clearly gone wrong”. “I think it gives weight, at least, to antitrust enforcement, that is currently in progress,” she also said.

“If you want to say what is the cost to advertisers, what is the cost to consumers of Google’s very dominant position in this market, it is not only measurable in prices,” she added, referencing the standard of harm competition authorities have traditionally focused on. “It’s measurable in things like this — that [could] lead to us sending dollars to the Iranian government. I think that that’s a cost beyond, you know, fractions of a penny to advertisers — a cost that all of society bears and we should think very carefully about.”

For its part, as well as claiming it can find no evidence of ad revenue being shared with sanctioned entities identified in the report, Google says it’s committed to complying with all applicable sanctions. Although it also suggests it’s been challenging to keep up with the rate at which Russian parties specifically have been added to sanctions lists since the invasion of Ukraine in February 2022. (On ads, Google also says it has paused ads serving in Russia since the Ukraine invasion — including for Programmable Search Engine (ProSE) with Adsense for Search, which implies it’s not currently possible for Russian entities to generate ad revenue via Google’s partner programs.)

The adtech giant also told us it maintains a variety of measures to prevent, detect, and remediate unauthorized abuses of its services that violate its policies, including sanctions policies — without providing any detail on the types of measures it applies. 

Google’s publisher terms, meanwhile, are written in such a way as to imply an outsourcing of compliance responsibilities by requiring advertisers and publishers to affirm compliance with applicable sanctions and export regulations — and to agree to not cause Google to violate these regulations. If it finds an account that violates its policies Google adds that it takes action to revoke access to its tools.

Brand safety and bot fraud in the frame

Also discussing Adalytics’ findings in a call with TechCrunch, Jamie Barnard, CEO of Compliant, a SaaS pitching brands and digital media buyers on tools to support compliance across the media supply chain, predicts the report will trigger a wave of advertisers (at least temporarily) turning off Google search ads as a contingency measure — to shrink their immediate risk of exposure to reputational concerns while they assess next steps.

“Ordinarily, I think, brands would have assumed a degree of brand safety — because, essentially, Google is running that. But, if Adalytics’ research is right, then there are clearly sites — and not just one or two but scores of sites — within the Google Search Partner Network which advertisers would not want to buy media on,” he told us. “When the report is published brands’ first question is going to be have we switched off the Google Search Partner Network? If we haven’t, then we need to switch it off immediately while we investigate the potential safety risks.”

“This is a brand safety issue fundamentally,” Barnard added. “An issue of transparency and brand safety — and quite a serious issue. There are unintended consequences of buying on Google search.”

There’s a further risk for Google’s media buyers to consider which he also highlights — related to an automated ad campaign type Google offers that utilizes its AI technologies to design, target and serve out customers’ marketing across its suite of online properties. This product, which is called Performance Max (or PMax), lets customers run a single ad campaign across all Google’s ad inventory — including search ads. And including the GSP.

Currently, there appears to be no way for media buyers of PMax campaigns to opt out of the GSP. So the report raises an apparently unavoidable reputational risk for customers of Google’s fully automated ad offering.

“There are implications for brands using Performance Max ads. Or at least considerations,” suggested Barnard. “It’s an alarming situation for an advertiser. So I would imagine they will seriously have to rethink their next move… The fundamental issue here is it’s black box media… Because you don’t know who’s in the [GSP] network, and you can’t verify who’s in the network after your ads run, then you’re compromised. You have no idea where your ads are going to go.”

The research could force Google to — at least — provide more transparency for advertisers over where their ads are running in order to assuage brand safety concerns, Barnard went on to suggest. “Otherwise, advertisers will simply opt out,” he predicted.

He raises additional concerns about how Google designs the choices it offers advertisers — saying he already knows of a number of advertisers who have opted out of Google search ads over brand safety concerns only to be opted back, inadvertently, via PMax. While, even for more vanilla Google search ad campaigns (i.e. that aren’t submitting to Google’s fully automated solution), he describes the process of opting out of the GSP as “still quite hard”.

“I imagine there will be scores of advertisers out there who didn’t know that they were opted in [to the GSP]; don’t understand the Search Partner network; have no idea who’s in it; think that they’re buying media on Google websites,” he suggested. “In fact, a lot of their media will be appearing on non-Google sites. And not just non-Google websites — evidently non-Google websites that you wouldn’t want to be buying media on. And this is not just global multinationals; any local sole trader who’s buying Google Search [ads] to promote their local businesses was probably expecting to appear [only] on Google’s websites.”

How Google designs these choices for ad buyers could attract attention from regulators in the European Union, he posits — noting: “The European Commission is getting deeply concerned about dark patterns in general.”

“I think the most likely place that action will happen next is Europe,” Edelson also predicted on the likelihood of regulators stepping in.

The Commission oversees Google’s compliance with two recently implemented updates to the bloc’s rulebook for web firms: Namely the Digital Services Act (DSA), where Google Search has been designated a very large online search engine (VLOSE), meaning it’s subject to rules including algorithmic transparency and accountability provisions; and measures combating the use of unfair dark patterns; and the Digital Markets Act (DMA), where Google is designated as a gatekeeper and regulated core platform services include its ads delivery system and search engine.

The EU has extensive powers to sanction violators of these regimes, including the ability to levy fines of up to 6% or 10% (or even more) of global annual turnover, respectively. Although the deadline for gatekeepers to comply with the DMA doesn’t kick in until early March. But the DSA has been in force on VLOSE since late August.

The bloc’s lawmakers are also in the process of hammering out agreement on a risk-based framework for applications of AI which the Commission proposed back in April 2021. Where adtech uses of AI should fall on the planned high risk (i.e. triggering some legal obligations) or low risk (just self regulation) axis is one question Adalytics’ findings might help to reframe. As it stands, the draft EU AI Act doesn’t look like it would do much to put guardrails on ad placement algorithms.

Responding to concerns highlighted by Adalytics’ research, EU lawmaker Paul Tang, a Member of the European Parliament, urged the bloc’s regulators to bust out powers they already have as a result of their new oversight role on Big Tech — calling for them to audit Google’s ad algorithms. “Google’s advertising algorithms demand scrutiny,” he told TechCrunch. “The EU Commission must wield its audit powers to demand transparency and accountability about the secret $10.5BN* in ad spend every year through PMax and other ad bidding algorithms.”

Offering an industry perspective, Giovanni Sollazzo, CEO of demand side platform Aidem — which bills itself as a “privacy-first”, safety-focused DSP (and also claims to differentiate its offering by delivering “radical transparency” for its ad-buying customers) — describes Google’s push into “fully automated AI” (aka PMax) “without any oversight capabilities” as “a nightmare”.

“It should be impossible to place ads on websites affiliated with nations and entities under US sanctions, such as Russia and Iran,” said Sollazzo, responding to questions via email. “The fact that this is happening without advertisers’ knowledge point to a deficit in monitoring and reporting capabilities provided by Google.”

“If I were the FTC/DOJ, I would investigate how Google’s defaults are enabling this whole mess; and Google’s market dominance allow Google to push it to unwilling advertisers,” he added.

Aidem was already not running GSP ads due to the lack of reporting transparency clashing with company policy, per Sollazzo. “We never run ads without placement level reporting, and GSP provided no domains report,” he noted, adding: “As additional step, we have advised all our clients to stop all PMax campaigns due to the concern of having GSP hidden in the PMax mix.”

Steps he suggests Google could take to shrink brand safety risks with the GSP include reverting it to opt-in, instead of opt-out across all Google Ads — including PMax. It could also require publisher KYC (Know Your Customer) before placing ads on GSP when there’s no linked AdSense account to the publisher GSP account. Additionally Sollazzo calls for “full transparency with advertisers about domains where their ads are placed; and providing domain blocklists capabilities”; as well as: “A comprehensive audit of the GSP network to identify and remove any publishers that violate the brand safety guidelines or are on sanction lists.”

Media buyer Robert M. Kadar, director of marketing for the City University of New York, also didn’t sound surprised after reviewing Adalytics’ findings. But he points out that Google is not alone in offering a third party ad network in a bid to extend the reach and revenue generating potential of its ad business.

“I turn off all ‘network’ and ‘partner’ placements across all ad platforms. Google, Meta, and LinkedIn all provide the option of placing your ads outside their ecosystems so the advertiser can reach larger audiences. The problem, as these platforms must be aware of, is that bad actors game the system using websites combined with bots and click farms to gain ad revenue,” he told TechCrunch via email.

“Bots not only click ads, they also fill lead forms. The deeper problem is that the advertiser gets fake phenomenal results — meaning huge amount of cheap clicks, leads and great click through rates that never convert to customers — creating a negative feedback loop between bad actors where everyone is incentivized to continue the chain of fraud.”

“The people hurt by this are the business owners who want to build an authentic brand and grow sales from ads,” Kadar suggested, adding: “Google entices the advertiser to use networks because according to them it will deliver better results. Not giving the advertiser transparency on where your ads appear is wrong. Google should provide brand and bot safety, and eliminate the opportunities for ads to be gamed. I doubt that there is an incentive for Google and other platforms to eliminate ‘network’ placements because it is extremely lucrative for them.

“The more people that realize the problem, the ad platforms will be less incentivized to do the wrong thing.”

Google responds

Google was contacted for a response to Adalytics’ findings. We also sent it a long list of questions regarding the GSP — such as whether it manually vets partners and its approach to enforcing its publisher policies on these third parties. We also asked how much revenue the GSP generates and requested data on how many partners it has removed from the network for violating its policies in recent years.

The adtech giant did not directly engage with any of our questions. Instead it responded with the following statement, attributed to Dan Taylor, its VP of global ads:

Adalytics has established a track record of publishing inaccurate reports that misrepresents our products and make wildly exaggerated claims. We’ll of course review the report but our analysis of the sites and limited information already shared with us did not identify ad revenue being shared with a single sanctioned entity.

The examples shared are from our Programmable Search Engine (ProSE) product (a small part of our Search Partner Network), which is a free search tool we offer to small websites so that they can present a search experience directly on their sites. Ads may appear based on the user’s specific search query; they are not targeted to, or based on, the website they appear on. Websites who merely implement ProSE do not get any ad revenue from those ads.

Moreover, ProSE represents a miniscule [sic] amount of our Search Partner Network. Adalytics’ revenue implications related to small sites like the examples we’ve reviewed are frankly absurd.

In further attributable background remarks briefed to TechCrunch, Google confirmed that AdSense publishers which use ProSE may apply to it to claim a revenue share — meaning there could be instances of ProSE users earning ad revenue. But, of the examples shared with it ahead of the report’s publication, it claimed virtually none of the sites identified by Adalytics had the ability to earn a revenue share for clicks on ads displayed on their sites. (So some of the sites in the report presumably could earn ad revenue.)

As well as attacking the credibility of Adalytics, Google sought to play down the significance of its research by contending that ProSE represents a tiny piece of the SPN. The majority of impressions on the SPN come from popular sites like YouTube, according to Google. It further claimed that for an average ad campaign which includes SPN in its reach the spend lands overwhelmingly on Google Search, not on the third party network.

Google did not respond to questions about how much revenue it generates from the SPN.

Its spokespeople were unable to confirm whether or not the use of its ad-supported search widget by sanctioned Iranian entities would, in itself, constitute a breach of its publisher T&Cs — i.e. regardless of Google’s contention that no ad revenue generation was shared with the sanctioned entities as these Iranian sites were using ProSE without AdSense.

*Adalytics briefed contacts with a guesstimate figure of $10.5 billion for the amount of revenue Google might generate through the GSP, which is what Tang is referring to here. It said it extrapolated this figure based on a large set of search ad campaign data it received from brands it audited — which allowed it to determine what percentage of their ad spend went to the GSP network when they ran a search campaign. It then says it applied that as a multiple to Google’s annual search ads revenue for 2022 ($162.45 billion) — which was disclosed in a public SEC filing — doing a multiplication of the percentage spent on the GSP x Google’s total annual search revenue to arrive at an estimate of how much revenue might be going to the GSP