No Opt In, No Ads
Fueling the resistance
Hijacking affiliate links 
4th-Mar-2010 02:32 pm - Hijacking affiliate links
Skittish Eclipse
I've been given a heads up that has done some excellent sleuthing and investigation into hijacked LJ affiliate links:

What is LJ doing to my links?
What is LJ doing to my links? Part 2
What is LJ doing to my links? Part 3

Expect this post to be updated through the day as I find out more and come up with a good summary.

ETA: No good summary, but I feel like I should say code got taken down, etc etc, business as usual.
Comments 
4th-Mar-2010 11:36 pm (UTC)
Yes - not having been in those discussions, that's the best I can explain it. We were told initially that if we got in reports that it had overridden someone's link we'd be provided a way to remove ours. I'm not 100% clear on whether it was known that that would happen for sure or if it was a contingency or how it worked.

However, we'd not been given that ability, nor help troubleshooting the loading issues, as far as I know, so we got permission yesterday to just pull it down. After that was when we discovered it redirected links, as some people have mentioned, so we're not going to continue to use this service.
4th-Mar-2010 11:46 pm (UTC)
What's going to be done about lost revenues for everyone who had affiliate links replaced?

And the loss of trust for yet another sneaky code push that treats all users, paid and ad-supported alike, as something to be farmed out rather than as customers?
5th-Mar-2010 12:06 am (UTC)
Er, well, what *can* be done for the people who have lost revenue from having their affiliate links replaced?
5th-Mar-2010 12:13 am (UTC)
I dunno! That's a good question, isn't it? I'm sure glad I'm not the one who's gonna have to grovel through LJ and DrivingRevenue's databases to figure out who's owed what.
5th-Mar-2010 02:13 pm (UTC)
Well, the terms of service say they don't have to support such practices without prior permission from Livejournal: "You agree to NOT use the Service to:
16. Engage in commercial activities within LiveJournal or on behalf of LiveJournal without prior approval. This includes, but is not limited to, the following activities:
a. Displaying a banner that is designed to profit you or any other business or organization; and
b. Displaying banners for services that provide cash or cash-equivalent prizes to users in exchange for hyperlinks to their web sites."
That sneaky bit of "includes, but is not limited to" means they can interpret it to mean affiliate linking as well. Not saying their behavior was wise or fair, but the TOS is written to cover their butts when errors happen.
5th-Mar-2010 04:20 am (UTC)
Reporting that the affiliate was replaced to Amazon, EBay, and the rest might not get the money back, but it might make it harder for LJ to collect it.
5th-Mar-2010 05:28 pm (UTC) - gashing found
from tos:

journal content:

LiveJournal reserves the right, without limitation except by law, to serve any user Content on the web, through the downloadable clients and otherwise. LiveJournal also reserves the right, without limitation, to resell any portion of a user's LiveJournal back to that individual;
You acknowledge that LiveJournal does not pre-screen Content, but that LiveJournal and its designees shall have the right (but not the obligation) in their sole discretion to remove or refuse to remove any Content that is available through the Service. Without limiting the foregoing, LiveJournal and its designates shall have the right, but not the obligation, to remove any content that violates the TOS or is otherwise objectionable, or that infringes or is alleged to infringe intellectual property rights. You agree that you must evaluate, and bear all risks associated with, the use of any content, including any reliance on the accuracy, completeness, or usefulness of such content. Furthermore, LiveJournal reserves the right to limit access to your journal, if found in violation of the TOS, including without limitation the Member Conduct described below, by removing the journal and related user information from the member directory, search engine, and all other methods used in conjunction with finding LiveJournal's users.

member conduct:

Engage in commercial activities within LiveJournal or on behalf of LiveJournal without prior approval. This includes, but is not limited to, the following activities:
Displaying a banner that is designed to profit you or any other business or organization; and
Displaying banners for services that provide cash or cash-equivalent prizes to users in exchange for hyperlinks to their web sites.
4th-Mar-2010 11:47 pm (UTC)
Um... Let me get this straight.

LJ accepted third party code onto the site. That monitored outbound links from people's journals, that information handed over to a third party. Then those links were altered to direct referral income to that third party. Said third party promising LJ they would correct any issues where someone's link might be overridden. LJ I assume were getting a cut of referral money. LJ also declined to tell its customers that this was going to happen.

But it's okay, because they're removing the code now?
5th-Mar-2010 02:22 am (UTC)
Oh dear, was it a third party script? Isn't the address of the script coming from l-stat, so LJ itself? But they had control over it, surely? I just don't get it. GREAT MOVE LJ ... NOT. Oh, and by the way, are they pulling the whole script down then, I can't find any information about it, I r confused.

Also, is there any official explanation about what the script was meant to be doing? Other than "The script in question tracks the use of outbound links on entries to certain major commercial web sites." (reply from one of the staff) and what marta said up there, with making them affiliates and whatnot. WHY then, pray tell, was it redirecting people through this dodgy outboundlink.net website? What the shit.
5th-Mar-2010 03:10 am (UTC)
The code was obfuscated (i.e., made intentionally difficult to read) and the same script is being served up by other sites, too. It's definitely from a third party and I doubt if they even looked at what it was doing before dropping it into their production environment.
4th-Mar-2010 11:55 pm (UTC)
Also, I want to go into why this was... so so so so so so so so so so stupid.

This was an obfuscated blob of JavaScript code apparently included on *all* LJ served pages. One that was evidently not reviewed by anyone competent enough to examine it before it went live. On a major website. To millions of people.

The guy who made that decision has been given an incorrect level of authority.

This thing could have been so much more malicious. It could have been skimming passwords for all LJ knew. It could have been skimming *credit card numbers*.
5th-Mar-2010 12:03 am (UTC)
Chances are it wasn't serving on SSL pages--anywhere that LJ would have somebody enter a credit card number would be on an SSL page. So, skimming credit card numbers is not likely--well, nobody should be entering credit card numbers anywhere else, anyway. (It takes extra work to have something serve over SSL, and there wouldn't be any reason to make this run on those pages.)
5th-Mar-2010 01:26 am (UTC)
so we're not going to continue to use this service.

Would it be too much to hope that LJ won't be using any script that isn't theirs from now on?
5th-Mar-2010 01:29 am (UTC)
Yes; many ads contain scripts they come with and some services, such as LJ Messenger, require third party scripts.
22nd-May-2010 10:29 pm (UTC)
so we're not going to continue to use this service.

I'm a little late to the party. I didn't notice this happening in early March, but I recently noticed a lot of weird browser behavior on my friends list[1], with "Contacting outboundlink.net" regularly showing up in my status bar. So it appears LJ has decided to use this service again.

I found several posts suggesting running set opt_exclude_stats 1 through the admin console and that seems to do the trick. But there's no user-friendly way to opt out.

I don't see any note on news or lj_releases announcing that LiveJournal would start rewriting links. I've been a paid user of LiveJournal for 8-ish years because I think it's a great service and I'm happy to support its operation through money rather than having advertising foisted upon me and my journal's readers. Rewriting links to provide revenue feels a lot like advertising and it leads to a degraded user experience with no upside to the user. I feel such a change should at least be accompanied with an announcement and a way for paid users to opt out. Can we get an explanation?
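
The link rewriting discussed in this thread can be checked from the reader's side by comparing each link as stored in an entry with the link the rendered page actually follows. The following is an added example, not part of the original thread and not LiveJournal's or any vendor's code; the hosts, URLs and the affiliate parameter list are constructed assumptions.

```javascript
// Added example (not from the thread): report links that differ between the
// stored entry and the rendered page. Hosts, URLs and parameter names below
// are constructed assumptions.
const AFFILIATE_PARAMS = ["tag", "campid"]; // assumed affiliate parameter names

function diffLink(authored, observed) {
  const a = new URL(authored);
  const o = new URL(observed);
  const findings = [];
  if (a.hostname !== o.hostname) {
    // The click is routed through another host first.
    findings.push({ kind: "host-changed", from: a.hostname, to: o.hostname });
    // If a parameter carries the original destination, unwrap and compare it.
    for (const [, value] of o.searchParams) {
      let inner;
      try { inner = new URL(value); } catch { continue; }
      if (inner.hostname === a.hostname) findings.push(...diffLink(authored, inner.href));
    }
    return findings;
  }
  for (const name of AFFILIATE_PARAMS) {
    const before = a.searchParams.get(name);
    const after = o.searchParams.get(name);
    if (before === after) continue;
    const kind = before === null ? "affiliate-added"
      : after === null ? "affiliate-removed" : "affiliate-replaced";
    findings.push({ kind, param: name, from: before, to: after });
  }
  return findings;
}

function auditLinks(pairs) {
  return pairs
    .map(([authored, observed]) => ({ authored, findings: diffLink(authored, observed) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample: [href stored in the entry, href seen in the rendered page]
const SAMPLE = [
  ["http://shop.example/item/1?tag=author-20", "http://shop.example/item/1?tag=author-20"],
  ["http://shop.example/item/2?tag=author-20", "http://shop.example/item/2?tag=other-21"],
  ["http://shop.example/item/3",
   "http://redirect.example/go?u=http%3A%2F%2Fshop.example%2Fitem%2F3%3Ftag%3Dother-21"],
];

console.log(JSON.stringify(auditLinks(SAMPLE), null, 2));
```

In a browser, the observed side would come from reading each anchor's `href` after the page's scripts have run, and the authored side from the entry's stored HTML.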