Message from Brian | EFF | Misinfo | How eBay can fix their program A Message from Brian The short version: In the early 2000s, we had a contract with eBay to place affiliate ads on the Internet for their service. Since about 2005, eBay's major affiliates have all included eBay's tracking pixel in the ads — as all online advertising is done now, and as eBay now requires all its affiliates do. But antiquated language in their original 2002 contract paradoxically prohibited this, so in 2006 eBay sued a number of its top affiliates. We countersued them. After 4 years of civil litigation, it became clear that we were in the right, but I was drained of money and had lost my house to legal bills. eBay went thermonuclear and pressed federal wire fraud charges that they knew I could no longer afford to fight. I did what others in the same situation were forced to do: pleaded guilty to a made-up crime to (1) avoid a threatened 7-year prison sentence; (2) avoid a lifelong crippling multimillion dollar restitution order; and (3) protect innocent family members threatened with money laundering charges. Sound hard to believe? Believe it. In addition to being my own story, this is a report that has broad consequences for many Internet businesses. My purpose in writing this obviously includes self-serving correction of a lot of misinformation and slander about me out there, but is also to advise and warn companies engaging in Internet affiliate marketing, and all other advertising, content recommendation, and collaborative filtering web technologies of a potentially devastating legal risk they face based on, in my opinion, terrible laws and gross corporate abuse of the criminal justice system. Far from hiding this little factoid about myself (my conviction has been on my Wikipedia page for over a decade), I take every opportunity to speak on felon issues. Contact me if you're interested in having me speak or joining some panel. My latest news is that I can now add to my resume the title "convicted felon." We make up about 8% of the population. Nice to meet you. Through 2016 I was not able to freely tell my story, or make any public response to the many false charges that have been thrown about. Now I can. This is what happened. The Backstory Before I became a science writer and podcaster in 2006, I had a small consulting business doing FileMaker Pro development. It provided a decent family income. In about 2003 my company partnered with another to form "Kessler's Flying Circus" (a reference to The Great Waldo Pepper, a favorite movie), to give affiliate marketing a try. Mind you, I was initially disinterested in this. It seemed like a cheesy, fly-by-night kind of thing. But my partner pressed hard, and an acquaintance kept telling me how much money he was making. So I said what the heck, I have the skill set, let's give it a try in my off hours. Affiliate marketing is where you place ads on the web, and if anyone clicks those ads and subsequently makes a purchase, you would get a sales commission of some kind. There are a whole variety of models for this: pay per ad impression, pay per click, pay per sale, etc. eBay's model was they would pay a commission from any sales made to someone who had seen an affiliate's ad, and on whose computer eBay had planted a cookie identifying that affiliate. These were trailblazing years for fast-growing companies like Amazon, Google, and eBay; and there was a lot of experimentation. This experimentation included things like having eBay's site appear in a small frame as part of the advertisement; making the page go to eBay when a user hovered the mouse over the ad, or scrolled the page; anything that would allow eBay to write cookies to as many users' computers as they could. To write a cookie to a user's computer, all eBay needed was some connection to that user through the ad, meaning the ad needed something in it that came from eBay's web server, not just our (the affiliate's) web server. Our rep at eBay, whom I will call "K", sometimes gave suggestions on things to try. Most people scroll past ads and may look at them but don't click on them, and in those cases, there is no way for eBay to send them a cookie unless we did something to make a connection to eBay's server through the ad. Typically this is done with a 1x1 invisible pixel called from eBay's site. It is now the standard of almost all Internet advertising, and was even then. But the wrinkle here was Commission Junction, a man-in-the-middle for these transactions. eBay employed Commission Junction to actually write the cookies and make the payments. Commission Junction had a set of rules that were extremely strict, skewed heavily toward security and privacy, and third-party cookies were an absolute no-no. This is good from the perspective of privacy, obviously; but it was terrible for affiliate marketers like eBay, because it minimized the number of cookies they could get onto consumers' computers. eBay clashed with Commission Junction constantly. When we put the pixels in our ads allowing eBay to write cookies, per eBay's instructions, it triggered Commission Junction's security warnings, because they would scan all the affiliates' ads looking for this. K gave me standing orders to immediately report to her any warnings we got from Commission Junction. I did this on a number of occasions, and each time the warnings were erased from our record within the hour. eBay also sent us reports created by Commission Junction's independent security consultants, and advised us on ways to change the ads, or to change the URL attached to their pixel, to avoid triggering these alerts. Let me just say now, and for the record: this should have been a huge red flag to me. I should have gotten out of the business immediately. I was in very deep water, right in between two giant public companies who obviously disagreed with each other. My biggest mistake was ignoring the red flags. I was making a good salary now, and I looked the other way. I figured "Hey, K is supporting us, we'll be all right." I should have dumped my business partner and split. Here is the central problem. The contract we originally signed in the early 2000s — a boilerplate Commission Junction contract — was clear that third party cookies would not be allowed. It was obsolete language because it was already becoming the standard for advertisers to write third-party cookies to track user behavior. eBay clearly wanted this advantage — in fact, it was eBay themselves that actually wrote the cookies. Keep in mind, the affiliate can put a pixel pointing to their server in an ad, but what eBay does with that connection is entirely up to them. They can ignore it, write a cookie, check for an existing cookie, whatever they elect to do. That was completely out of our hands. eBay's choice was to aggressively write a cookie to every connection to their server, without performing any checks of any kind, so far as I know. eBay wanted this pixel in every ad because that's the way user behavior was tracked. Today this is a major privacy issue, but in the early 2000s it was still the wild west, and this pixel allowed eBay to characterize their users' behavior. This should come as no surprise. eBay wanted the pixel in the ads, openly discussed it with us on multiple occasions, and anything said in any article claiming that this was without their knowledge is untrue. Claims that we were "ingeniously fooling them" are without any imaginable merit. eBay knew every detail of what we did for them, including the placement of their pixel, and all the mechanism of cookie writing was on their end, not ours. But I knew we were operating outside of the Commission Junction contract, by putting eBay's pixel in our ads — which gave me some concern; even though eBay approved it, and eBay was the party using it to write cookies. I did speak to outside people about this, because I was afraid of losing our contract. What I learned from lawyers was that whenever your normal course of business differs substantially from an original contract, the Uniform Commercial Code guarantees you a measure of protection. The doctrine of equitable estoppel prevents eBay or Commission Junction from claiming that a deviation from the contract terms constitutes a breach of that contract. How? Here's a simpler example: If I contract to pay you $5 to mow my lawn at 2:00pm every Saturday, but for whatever reason 4:00pm ends up working out better for both of us and that's what you do for several years, I can't come back to you later and demand all my money back saying you violated the terms of the contract. I would have to give you fair and reasonable notice first, and you would have to ignore that notice, because our normal course of business legally supercedes whatever we originally contracted. eBay was an 800-pound gorilla, Commission Junction's biggest customer by far, and theirs was an uneasy relationship. eBay eventually canned Commission Junction and ran their own affiliate program in-house, which freed them from having anyone else try to tell them how their affiliates' ads had to work and how they could run their program. At that point, eBay became a third-party-cookie free-for-all. They were paying out millions of dollars every month, spread over thousands of affiliates; a bargain for all the user data they were collecting. How did this work out for me? Well, the total amount of our contract with eBay US was $5.3 million over several years (less the portion they never paid). Our biggest expense was ad placement. Payroll was our next expense; we had five employees and a major contractor with 10-12 employees that did the bulk of our software programming. And then we had the same overhead that every small business has. I was the second highest paid employee, and over those several years I was personally paid a total about $1.1 million, gross before taxes. A strong 6-figure income, about what a good corporate job would pay, only I got to work at home in a T-shirt. And then, someone, somewhere inside of eBay, apparently decided they didn't like the way the affiliate program was being run. One option would have been to change it, to tell the affiliates they were going to do things differently. To pick up the phone and call us and tell us what they wanted to change. We would have complied, as we did with every other such request they made. But as a public company with an obligation to shareholders, they chose a self-serving ruse: to pretend they'd been "defrauded" and to create outside scapegoats. The End On June 18, 2007, my house was raided by armed FBI agents — a shocking, terrifying, traumatic event that's a whole story in itself for another time. Shouting, running, crying. They had a search warrant from the Treasury Department alleging racketeering, wire fraud, tax evasion, and a raft of other ridiculous charges. I was flabbergasted. For three and a half hours I was blockaded into a corner by armed SWAT team guys and interrogated, as other agents tore the house apart and carried boxes out into vans. They shouted about seizing the house, seizing our assets, bringing in a flatbed to haul our cars away. I knew this had to be some huge misunderstanding, so I talked. I talked and I talked. I told them absolutely everything, thinking I was helping to clear up a misunderstanding. As soon as they left I hired a criminal lawyer who tried to call the US Attorney in charge of the case, and offered to cooperate however I could, but the guy seemed disinterested. For years the AUSA didn't want to talk to us, and we felt secure that I was not going to be prosecuted for anything. Everyone I spoke with agreed there was no cause. Commission Junction closed our account and demanded their most recent payment returned. I wanted to do so and call it a day, but my business partner refused, and they sued us for it. Lawsuits take a long time, and it took about a year, but we finally settled it. Combined with the legal bills, it was a huge loss compared to what it would have been if we'd simply let them have it to begin with. And then, eBay sued us. What? eBay was our ally, I thought. eBay always stood by us, fought Commission Junction by our side, always told me they valued our business even if Commission Junction didn't. According to their lawsuit, they never heard of third party cookies (the cookies they'd been writing for years). We'd been "defrauding" them by allowing them to write cookies through our ads. It made no sense at all! But things soon took an even darker turn. Obviously we wanted to depose K to prove we were doing no more nor less than their affiliate department wanted us to. Turns out K had disappeared with a mysterious, unknown illness, and our investigator could not locate her. When she resurfaced six months later, eBay had transferred her overseas to their London office... out of reach of our ability to depose her. I started to worry I was in very serious trouble. At least two of eBay's other employees made provably false statements to the FBI (and I may file a FOIA to make it legal to reproduce those, or I may get on with my life). eBay is a big company. If they wanted to get ugly with me, they have the might to get very ugly. Fortunately, there were a number of things in our favor. First, eBay had waited more than a year to file the lawsuit, and our contract stated that neither party could sue the other after one year following the termination of our relationship. So we should have been good there. Second, our settlement with Commission Junction discharged all agents, assignees, etc., including eBay, so legally we were already settled with them. We should have been good there too. Their lawsuit failed to actually state a claim against us (because there wasn't one), no dollar amount or any other type of loss, so we had cause to dismiss it for a third reason. And finally, the equitable estoppel issue virtually guaranteed us a win even if it went to trial. We also filed a strong countersuit. eBay never paid us for the final two months of transactions, and that was a substantial sum. It eventually became clear that they would lose the countersuit, because we were in the right. But here is the sad fact. eBay is a wealthy public company, and they had O'Melveny & Myers on retainer, one of the world's largest and most expensive law firms. Clearly the lawsuit was not filed on merits, but simply to drain me of money. It did that very quickly. They buried us in motions for years. All of my savings was gone, I had no retirement investments left; all we had was some equity in our house. And that's when they went thermonuclear. I 2010 I received a criminal indictment for the federal felony of wire fraud. eBay knew I had no means to fight it. It was filed by the very office from which their lead O'Melveny attorney had just transferred; as cynical as it sounds, civil and criminal systems can be very incestuous. Again I thought we were in pretty good shape. The indictment was for a long list of actions that we hadn't done, so we believed we could beat it in court. They said we were doing things like "fooling" eBay by not including the pixel in ads viewed in geographic locations where eBay had offices, running invisible ads, checking for some http header that I don't even understand what's meant; things that were patently false. K and her department had known every detail of everything we did; there was no way they could make an honest argument that we had fooled them or defrauded them in any way. Besides, look at this 40-second video for some pretty stark proof that eBay continued to embrace the writing of cookies through their affiliates' ads without anyone clicking: They sent me to jail; they featured this guy on their Page of Love. So we decided to fight. This meant years of waiting for a court date, years of discovery. For all that time I was on "supervised release", not allowed to travel without permission, like some kind of criminal. What I didn't know then was that 97% of all federal wire fraud indictments end in convictions. 97%! Is it possible 97% are guilty as charged? I certainly wasn't. In fact, when we received the first draft plea agreement, the US Attorney wrote in it, following the long list of actions I had not done, "I am checking to see how much of the foregoing applies to Mr. Dunning." They had indicted me without even checking to see whether I'd done anything wrong, and were ballsy enough to even say so outright. That was one of my lowest moments. My family and I could not believe this entire nightmare was real. It was really going to happen. Well, everyone pleads guilty, of course. That's why it's 97%. In the movies you can bargain with them. Not in reality. The first offer is the best. Argue, say you're going to trial, negotiate the terms, point out errors, and the offer gets worse. They threatened me with 7 years if I didn't sign the plea agreement. They accused my wife of money laundering, because she'd grocery shopped or paid bills with our evil "ill-gotten gains" — fortunately for us this was an informal accusation; in many other cases, they actually formally threaten to indict spouses, and often do. I told them to give me a plea agreement I could truthfully sign. And so they finally did, more or less. I wouldn't have written a lot of the language in the same tone, but they finally stripped away the untrue claims and left it at "received payments for revenue actions for which I was not entitled to be compensated under the terms of the APTC and/or PSA [the contract]." Even my criminal plea agreement acknowledges that this was a civil contract dispute, at best. One that I could have won, if I'd had resources, because I was in the right. Nevertheless, I felt I could honestly sign this agreement, and I'm able to make peace with having pleaded guilty, because it was to a very specific action that I've never disputed. Yes, we absolutely had that pixel in our ads, like almost all ads; and never made any representation otherwise. On August 4, 2014, the judge sentenced me to 15 months incarceration, beginning September 2, 2014. Even in his sentencing, he said things that indicated he didn't understand the case. He thought it was pay per click, or pay per impression; models where it's possible to "game the system" with robots making fake clicks or otherwise obtain payments without delivering any value in return. Not in this model. Every penny eBay ever paid was a commission off their profit from a sale made after someone viewed one of our ads. We legitimately advertised to every one of those customers before they bought. No reasonable argument can be made that eBay lost a penny, or that they paid us a penny for which agreed value was not delivered. At the same time I pleaded guilty, I also settled eBay's bogus civil suit. If I didn't, I would have owed criminal restitution, which would have made my life much harder going forward. The terms of the settlement are confidential, but I will say that my business partner (who was never charged, for reasons only he and the government know — but was still a party to the civil suit) left me high and dry, and I had to personally pay the entire amount, including his half. He knew I was screwed and had no choice. The prospect of a settlement forced eBay to name a number they "calculated" they had "lost" due to my "fraud" so they said $200,000-400,000, or 4-8% of the total amount we ever earned. I can imagine no worse Earthly torment than to drive your spouse and best friend to a federal prison, leave them there, and then drive away. That's exactly what my wife had to do on September 2, 2014. If you know her, give her a hug. Despite all that transpired over the past 8 years, my marriage reminds me every day that I am the luckiest guy on Earth. Today In the federal system you must serve a minimum 85% of your time, and at some point you transfer to a halfway house and can begin working and spending time at home. That's all behind me now, and I've been back at work since about June 2015, happily running my nonprofit, producing awesome free science education media for educators. Please, when you see newspaper headlines like this one from Business Insider, exercise some skepticism. (Also, I hate that picture of me.) No, nobody ever suggested that any significant portion of the $5 million was ill-gotten; not the government, not eBay. And no, I never "faced 20 years" or anything in the neighborhood of it; by the dollar figure eBay gave, the federal guidelines say 29 months. To say nothing of the fact that one employee does not personally receive an entire company's gross sales. There was no "ingenious scam". But it's my permanent Internet tattoo. I have to live with that, along with all the other permanent disabilities of a felony conviction. A company like eBay is not a single-minded monolithic entity. Certainly there are (or were) people at eBay who were consciously dishonest and who know that I was (in my opinion) profoundly wronged, and my wife and children were tormented horribly for 8 years as thoughtless collateral damage. I believe the majority of eBay employees are good people. I believe then-CEO Meg Whitman was probably deceived when she approved the lawsuit. I still use eBay's auction service. I know it's unrealistic to expect anyone at eBay to backpedal their actions in any way, but I do hope that some of them learn a lesson from this.

Brian Dunning @BrianDunning

facebook.com/briandunning ©2014 Brian Dunning Message from Brian | EFF | Misinfo | How eBay can fix their program