38 people are looking at this FPP
October 19, 2019 6:02 AM   Subscribe

Security researcher Ophir Harpaz discovers how exactly the "x people are looking at this flight right now" notifications on OneTravel work: by using a random number generator [threadreader].
posted by Vesihiisi (52 comments total) 28 users marked this as a favorite
 
The "x people are looking at this product" has always been fake on any checkout/cart page you've ever seen it. Also if you see a countdown clock? Fake.

These tricks really do improve conversion rates though. In my previous job working on a kind of sleazy e-commerce app, we had real data to back this up. Drop the fake x people are looking at this onto your product page and watch the conversion rate jump almost immediately.
posted by dis_integration at 6:16 AM on October 19, 2019 [21 favorites]


This was one of those "now that you tell me that's how it is, of course that's how it is" moments for me.
posted by escabeche at 6:21 AM on October 19, 2019 [26 favorites]


Customer engagement counts are valuable commercial information. Who in their right mind would give away commercially valuable data for free?
posted by flabdablet at 6:25 AM on October 19, 2019 [12 favorites]


Now I'm picturing a bricks-and-mortar equivalent involving holograms or fake personal shopping robots who are giving you the side-eye as they rush to grab products off the shelf before you can get to them.
posted by clawsoon at 6:32 AM on October 19, 2019 [17 favorites]


flabdablet: Customer engagement counts are valuable commercial information. Who in their right mind would give away commercially valuable data for free?

That's a funny thing about the free market, isn't it? It works better if supply and demand (and the resulting prices) are transparent to everyone in the market, but any time there's profit to be made from hiding that information the profiteers work very hard to hide it. There should be a law against that, but the business classes who profit from hiding how much money they're making will never allow it.
posted by clawsoon at 6:39 AM on October 19, 2019 [13 favorites]


Now I'm picturing a bricks-and-mortar equivalent involving holograms or fake personal shopping robots. . .
I suspect hiring humans would be cheaper. There are a lot of actors in the world looking for work. (Though, the robot or hologram version is more fun.)
posted by eotvos at 7:07 AM on October 19, 2019


"Now I'm picturing a bricks-and-mortar equivalent involving holograms or fake personal shopping robots"

"STORE CLOSING - EVERYTHING MUST GO" (for the seventh year running)

Must be a bunch of holograms shopping with American Airlines-- their blatantly false 'pick an available seat' when booking a flight? Strangely the majority of the non-premium seats are already booked but when you happen to get on the half empty flight, those same seats are oddly vacant. All utter bullshit.
posted by Static Vagabond at 7:25 AM on October 19, 2019 [12 favorites]


This started with one website executive ordering their product manager to add a "X people are looking at this item" display. The product manager orders the dev team to scope the feature, who come up with an unacceptably high number, and eventually the compromise of displaying a random number is settled on for approximately 1/3 the dev time. Implementation takes one day, but the feature add is held back while the remainder of the time is clandestinely re-allocated to more actual functional features and bug fixes.

After rollout, the executives at competing sites hear about how that website executive got an eight-digit annual bonus for exceeding his yearly engagement quota by a few points. They plan their own "X people are looking at this item" feature additions, and unlike the first executive who's happy in their ignorance, these are thrilled to know that random numbers are sufficient because they know the only thing that matters is that a number is displayed and the customer should have no way of checking whether that number's come by honestly.

OneTravel fucked up because the dev team exposed the number generator. It would have been trivial to have the server generate the random number instead and provide it with the page payload, and there would have been no visible tell.

Consider a site that sells 500,000 products and has between 28 and 40 people viewing every item. Whether those items are bestselling novels or OEM parts for a line of room dehumidifiers that were manufactured for three years in the late 1990s, it means that around 17,000,000 people are hitting every single product page on the website every second around-the-clock. There's no way for anybody without access to the workings of the site to sanity-check such an absurd figure.

Meanwhile there are companies that have these client engagement widgets as featured components in their customer monitoring and engagement data suites, but the price seems unnecessary when a random number will do. Unless of course somebody has a problem with being dishonest.
posted by at by at 7:37 AM on October 19, 2019 [11 favorites]


Ah, so that's why people are getting back into server-side rendering.
posted by RobotVoodooPower at 7:43 AM on October 19, 2019 [5 favorites]


Hi! We're an ecommerce site that expects you to do thousands of dollars of business with us every year. Also, we're routinely lying to you, for the dumbest of reasons, every time you visit our site. You're used to this.
posted by phooky at 7:44 AM on October 19, 2019 [40 favorites]


Only rand(1,10) left in stock!!!
posted by tobascodagama at 7:53 AM on October 19, 2019 [25 favorites]


This is the best offer I can make. If you're not interested, I've got NaN other people who want to buy it. A guy from *|CITYNAME|* called me right before you walked in.
posted by sysinfo at 7:57 AM on October 19, 2019 [40 favorites]


Sometimes I think we should have criminal penalties for this kind of fraud, direct to the programmer who actually typed this code. Or licensing software engineers and stripping them of their license when they commit a violation of ethics this flagrant.
Making deliberately false or misleading claims, fabricating or falsifying data, offering or accepting bribes, and other dishonest conduct are violations of the Code.
But we don't license or punish software engineers for malfeasance. And sadly we all just kind of expect this sort of marketing sleaze, shrug our shoulders at it. It's gross.
posted by Nelson at 7:59 AM on October 19, 2019 [8 favorites]


"STORE CLOSING - EVERYTHING MUST GO" (for the seventh year running)

You kid, but there was a store near me that did this for a very long time before they had to close for real (and nobody believed it when they did!)
posted by LSK at 8:04 AM on October 19, 2019 [1 favorite]


I’m interested in hearing how their customer service dept would handle this explanation. I’m guessing they’d try to do something like- the actual number is very close but in order to give you, the customer, our fastest possible page-load times, we’ve resorted to a temporary semi-random (but still very close to accurate!) number.
posted by stinkfoot at 8:08 AM on October 19, 2019 [3 favorites]


I don’t understand why this isn’t a straightforward violation of truth in advertising laws. And by that I mean that I am a lawyer, although I don’t do this specifically for a living so there’s plausibly something I’m missing, and it looks to me as if it is.
posted by LizardBreath at 8:11 AM on October 19, 2019 [9 favorites]


I’m in favor of fines for this kind of thing,but as a programmer I think it’s equally likely that this was proof of concept/demo code that no one bothered to change. Software is a pretty slipshod industry a lot of the time.
posted by freecellwizard at 8:16 AM on October 19, 2019 [1 favorite]


I’m in favor of fines for this kind of thing,but as a programmer I think it’s equally likely that this was proof of concept/demo code that no one bothered to change.

Weird how every major booking site has the same "concept/demo code", huh?
posted by Foci for Analysis at 8:21 AM on October 19, 2019 [10 favorites]


direct to the programmer who actually typed this code

Guess I should be looking at flights to non-extradition countries.

Ethically I get that it’s not the most upright thing, and I did quit the job partly because it made me feel bad, but seems honestly like a kind of venal sin to me.
posted by dis_integration at 8:21 AM on October 19, 2019 [3 favorites]


Also, definitely not a demo. We built this stuff because online marketers demanded it. They specifically ask for the countdown clocks and the x people are watching with the knowledge that they’re totally fake. It’s standard practice, esp. if you’re dropselling cheap crap from Shenzhen on Shopify or Bigcommerce or whatever.
posted by dis_integration at 8:23 AM on October 19, 2019 [9 favorites]


This started with one website executive ordering their product manager to add a "X people are looking at this item" display. The product manager orders the dev team to scope the feature, who come up with an unacceptably high number, and eventually the compromise of displaying a random number is settled on for approximately 1/3 the dev time.
It could be worse than that: they invested the time in developing actual tracking and found that for most items at most times, there isn’t the crush of people they’d hoped for, and “nobody else is looking at this flight” provides not just a lack of urgency but incentive for savvy customers to avoid buying in hopes that prices will go down for a flight that isn’t in demand at the current price. You could quite plausibly do the honest version of this and find your numbers skewing in the wrong direction.
posted by gelfin at 8:25 AM on October 19, 2019 [12 favorites]


Are there any other lawyers who can tell me what takes this outside the Lanham Act? (And blaming the programmer seems silly to me — they’re not giving the orders.) “Everything must go!” is puffery, but once you’re naming numbers that’s a lie.
posted by LizardBreath at 8:27 AM on October 19, 2019 [9 favorites]


> Guess I should be looking at flights to non-extradition countries.

Ethically I get that it’s not the most upright thing, and I did quit the job partly because it made me feel bad, but seems honestly like a kind of venal sin to me.


Can’t tell if serious...
posted by stinkfoot at 8:27 AM on October 19, 2019


67 people are looking at flights to non-extradition countries right now
posted by flabdablet at 8:39 AM on October 19, 2019 [50 favorites]


One time in the 1980s I went to what the English call a "boot sale", which is basically a popup open air market selling everything from fruit & veg to antiques and crafts and whatnot. One of the stands sold knife sharpeners, and the chap who was selling them put on a huge show, first dulling a bunch of knives by hitting blades on rocks and scraping concrete and whatnot. He would prove his knives were dull by trying and failing to cut his throat with them - very dramatic. Then he would use the sharpener and voila, easy to cut up lettuce and carrots and tomatoes. At this point he would start asking if anyone wanted to buy one, or 2 at a discount. A kid jumped up and said "I want 3!", handed over the money and ran off with the sharpeners. This guy would cycle through this spiel every half hour or so with no variation... including the kid, who was obviously a shill but got the selling going. It was fascinating to watch. And he sold a lot of sharpeners!
posted by chavenet at 8:40 AM on October 19, 2019 [9 favorites]


When I was a kid, I saw 2001: A Space Odyssey in the theater on opening day. And I still remember when HAL said this: "The 9000 series is the most reliable computer ever made. No 9000 computer has ever made a mistake or distorted information."

As a kid, I was impressed by this and it became my mission statement.* Never deliberately distort information! When I became a programmer, it was my mantra: never distort information. The data is what it is.

but seems honestly like a kind of venal sin to me

Sorry, pal, but it's mortal. You're going to Robot Hell.

*I also don't open doors for people.
posted by SPrintF at 8:45 AM on October 19, 2019 [11 favorites]


Oh I'm not fully serious about imprisonment for the software engineer. Although France does have a similar kind of personal liability; see the manslaughter conviction of John Taylor, the mechanic whose work contributed to the Concorde fatal accident.

I think software engineers have ethical responsibilities not to write code like this. Even if their boss tells them to. I'm not certain what the legal framework for enforcing those ethics should be. Maybe the engineer has a responsibility to file a formal objection and/or report to a regulator when asked to write fraudulent software. If they don't report then they have personal liability. Actual jail for a small-time grift like this seems unlikely, but a fine or a suspension from the profession seems reasonable. As software engineers we have immense power because we have skills that are in high demand and difficult to learn. We should use that leverage to push back on unethical software.

Imprisonment is a gentler penalty than my first instinct, which was to break the engineer's fingers so they can never type again. I recognize that is a little harsh.
posted by Nelson at 8:45 AM on October 19, 2019 [1 favorite]


Now I'm picturing a bricks-and-mortar equivalent involving holograms or fake personal shopping robots who are giving you the side-eye as they rush to grab products off the shelf before you can get to them.

"Maximum 4 per person" rules are actually this. Like maybe not the 99 cent paper towels, which people actually might stock up on like crazy, but think "Royal Wedding Commemorative Soap Dish for two easy payments of 33.95, if you call in the next 10 minutes. Maximum 4 per order." are designed to make you think they can't possibly keep these things in stock if they just let people buy as many as they wanted, and lots of people WOULD buy more than 4, so you better snap up 4. These things will be valuable one day!"
posted by If only I had a penguin... at 9:32 AM on October 19, 2019 [6 favorites]


The 9000 series is the most reliable computer ever made. No 9000 computer has ever made a mistake or distorted information.
If you’ll indulge me a little parsing here, Hal follows with, to the best of my recollection, “we are all, by any practical standard, foolproof and incapable of error.”

Foolproof. Meaning, even a fool cannot commit an error while using this tool.

But later Hal also says, ”it can only be attributable to human error. This sort of thing has happened before and it has always been due to human error.”

Nothing specifically relevant to the topic at hand, but I find it fun that Hal’s own boast is thus itself a distortion of information.
posted by gelfin at 9:56 AM on October 19, 2019 [10 favorites]


So how does software engineer personal liability work with offshoring? I just adds to the existing cost disparity and moves more dev work to cheaper countries, right?
posted by ryanrs at 10:06 AM on October 19, 2019 [1 favorite]


LizardBreath: Are there any other lawyers who can tell me what takes this outside the Lanham Act?

I've been wondering the same thing. It looks like an open-and-shut "false or misleading representation of fact" under Lanham Act § 43(a) and an open-and-shut "deceptive act[] or practice[]" under §5 of the FTC Act.
posted by grimmelm at 10:50 AM on October 19, 2019 [1 favorite]


Are there any other lawyers who can tell me what takes this outside the Lanham Act?

Not my field, but in the absence of applicable caselaw, it seems like a defendant could make some hay out of the "materiality" requirement. (Also, in the absence of meaningful federal oversight, you'd need a competitor who would think that such litigation was a better idea than just copying the same technique themselves.)
posted by Not A Thing at 10:58 AM on October 19, 2019 [2 favorites]


you'd need a competitor who would think that such litigation was a better idea than just copying the same technique themselves.)
posted by Not A Thing


Eponysterical.
posted by biogeo at 11:36 AM on October 19, 2019 [6 favorites]


In other design and engineering disciplines with legal liabilities (and the insurance to deal with it) the concept of “responsible control” is important to determining fault. So it might not be the guy who typed in rand() but the manager or executive that asked for the feature and is responsible for overseeing implementation. This is why having a license is so important in structural and civil engineering- it allows you to take on this kind of responsibility and thus has real value in the industry.
posted by q*ben at 12:45 PM on October 19, 2019 [4 favorites]


truth in advertising laws Do they still exist? My experience would suggest not.
posted by theora55 at 1:56 PM on October 19, 2019 [1 favorite]


Materiality, plain and simple. You would think that anything a company invested in lying about would be presumptively material (otherwise why would they even do it? and who knows better than them what's important to customer decisions?), but that's not the way the case law reads.
posted by praemunire at 3:33 PM on October 19, 2019


Also if you see a countdown clock? Fake.

The Humble Bundle clock too?
posted by 922257033c4a0f3cecdbd819a46d626999d1af4a at 5:20 PM on October 19, 2019 [2 favorites]


I'm sure the click wrapped purchase agreement indemnifies them in the same way car dealers do with their paper contracts. Courts have been loathe to interfere, mostly being persuaded that the UCC allows contract language to redefine otherwise illegal practices as mere puffery.

The exceptions have all involved knowing misrepresentation of specific aspects of the nature or condition of the good, not general statements of worth, desirability, or demand.

Obviously, there is nothing stopping an enterprising attorney and sympathetic judge from putting an end to the use of contracts to rewrite the law in the future, but there is little sign of any appetite for change within the legal system itself. Public outcry could change that attitude, but more likely we will have to pass laws if we want anything to be done about our legal system's tolerance for petty fraud, so long as it is wrapped up in certain clothes.
posted by wierdo at 6:07 PM on October 19, 2019


Also if you see a countdown clock? Fake.

The Humble Bundle clock too?


If a shop really does do time-limited sales, then it's probably real. But countdown timers are usually just another trick for improving conversion rates. In a sense, that's what's going on with the Humble Bundle as well, except the sale really does end when the timer is done. Woot.com (and now, meh) have a similar principle.

There are literally dozens of them on the Shopify app store
posted by dis_integration at 7:59 PM on October 19, 2019


I've been wondering the same thing. It looks like an open-and-shut "false or misleading representation of fact" under Lanham Act § 43(a) and an open-and-shut "deceptive act[] or practice[]" under §5 of the FTC Act.

IANAL but they are not misrepresenting anything about the actual product.

I used to work on food advertising photo shoots. If you're photographing cereal, it has to be the actual product that would come out of the same box a consumer would get. But the food stylist will open 1000 boxes and pick the best ones with tweezers. And they'll substitute wood glue for milk, since that doesn't instantly make the cereal soggy when you put it in front of the camera. They're not selling milk.
posted by bradbane at 8:38 PM on October 19, 2019 [3 favorites]


It would have been trivial to have the server generate the random number instead and provide it with the page payload, and there would have been no visible tell.

Give me a few thousand hits with a scraper and I bet I could determine that the number was random.
posted by axiom at 9:53 PM on October 19, 2019 [1 favorite]


I'm sure the click wrapped purchase agreement indemnifies them in the same way car dealers do with their paper contracts. Courts have been loathe to interfere, mostly being persuaded that the UCC allows contract language to redefine otherwise illegal practices as mere puffery.

This is not accurate. Neither the FTC Act nor the best-known state consumer protection laws generally allow representations in a contract to outweigh misrepresentations in advertising (and if they did, they wouldn't need the UCC to do it). And, at any rate, as any bright-eyed young person fresh off their bar course could tell you: the UCC applies to goods only.

A private plaintiff bringing a consumer-protection claim would usually have to show both materiality and injury. Materiality I mentioned above; injury is challenging in cases in which the consumer received the good/service paid for at the expected quality. Many state AGs do not have to show one or the other, depending on the state, but of course they all have their own enforcement priorities.
posted by praemunire at 11:27 PM on October 19, 2019 [2 favorites]


A few years ago I was talking to somebody that worked at a local furniture store that had an inventory clearance sale every freaking weekend. I jokingly asked him why they hadn't gotten better as forecasting inventory needs in the 10 years I had lived there. He explained they really did have an inventory clearance just about every weekend - but it wasn't them that was the problem. It was Lazy-Boy or whatever manufacturer that had just dropped a bunch of excess inventory on them at 80% off wholesale, which let them sell it at 70% off retail and still make a killing.
posted by COD at 8:09 AM on October 20, 2019 [3 favorites]


I'm sure the click wrapped purchase agreement indemnifies them in the same way car dealers do with their paper contracts. Courts have been loathe to interfere, mostly being persuaded that the UCC allows contract language to redefine otherwise illegal practices as mere puffery.
I don't think it's quite that bad of a Stephensonian hellscape... yet...

Yes, there are contracts that would appear to "make illegal things legal", but that language is often in there not because it actually carries any legal weight, but to discourage employees/customers/people who don't know better from suing. Sort of like a legal magic charm or having a "protected by Foo Security" sign when you don't have a security system.

When it actually gets to court is another matter. Contracts don't have unlimited power to make crimes legal, and often the reason that they have language that appears to is simply because it's never actually been tested in court. Game theory: if the rest of the contract endures even if a provision is found to be unenforceable, the smart play is to put as many provisions in it as possible! (Solution: pass a law making contract enforceability binary: it all holds or none of it does. And watch contracts slim down over night...)

To tie back to the article: I suspect the reason that stuff like this is "legal" is: it's not... but nobody has actually gone after sites for doing it yet. The FTC is kinda (deliberately?) overburdened.
posted by -1 at 10:00 AM on October 20, 2019 [1 favorite]


Yes, the legal reasoning differs from the practical state of the law I described. It's not that contracts literally make the illegal legal, it's that the contract says in black letter language that you agree that what they did was engage in puffery and make general statements as to the worthiness of the good or service being sold.

Courts have proven reluctant to look through such shams, and attorneys aren't terribly interested in taking cases involving such behavior on contingency precisely because they are unlikely to succeed, which means no justice for most people.
posted by wierdo at 10:32 AM on October 20, 2019


Yes, the legal reasoning differs from the practical state of the law I described. It's not that contracts literally make the illegal legal, it's that the contract says in black letter language that you agree that what they did was engage in puffery and make general statements as to the worthiness of the good or service being sold.

This is quite literally part of how I make my living and I and my colleagues routinely obtain settlements where the company had some kind of disclaimer language in the contract. I don't know how much more practical you can get than that.

Lawyers rarely take individual consumer cases on contingency because the amount at stake is very often too small to pay their fees.
posted by praemunire at 2:47 PM on October 20, 2019


Ok, the long line of cases dismissed on grounds that boil down to what I described that I have read with my own two eyes don't actually exist. Good to know that your legal knowledge extends to all aspects of commercial law.
posted by wierdo at 6:57 PM on October 20, 2019


Ethically I get that it’s not the most upright thing, and I did quit the job partly because it made me feel bad, but seems honestly like a kind of venal sin to me.

I think a lot about the frog-boiling implications of the casual acceptance of this sort of thing.

Sure, there may be applicable laws that say the retailer shouldn’t do that, or shouldn’t say they are selling something at 50% off a price that nobody ever charges, but do you really expect to see widespread enforcement? Look how badly JC Penney got beaten up when they tried to get away from the sorts of sale nonsense that the department stores regularly engage in.

Another similar one that you’ll see is the ‘someone from Wherever bought a Whatever‘ pop ups. I’d be surprised if there isn’t just a specific category of Shopify/WooCommerce/BigCommerce/etc add-ons with variations on this theme.
posted by jimw at 9:55 PM on October 20, 2019


Ok, the long line of cases dismissed on grounds that boil down to what I described that I have read with my own two eyes don't actually exist. Good to know that your legal knowledge extends to all aspects of commercial law.

"Actually get relief for consumers in these specific kinds of cases" does, in fact, trump "I read some case law which may or may not actually be on point" when it comes to understanding how these matters actually play out.
posted by praemunire at 10:51 PM on October 20, 2019


While I am quite happy to hear that you have had better outcomes, that means fuck all to the literally thousands of people who have not had such success, some of whom even had seemingly competent attorneys.
posted by wierdo at 5:29 AM on October 21, 2019


I feel like the lawyerly discussion here (and elsewhere) would be a lot more illuminating if it were accompanied by the occasional link to authority, analysis or commentary. Not only for substantiation or further reading, but just to help avoid misunderstandings by clarifying what is actually being discussed.

Like if one were to write that the FTC Act does not provide a private right of action (PDF), to take a random example not in dispute.

I understand the cultural and cost-benefit reasons why that often doesn't happen, but.
posted by Not A Thing at 5:31 AM on October 21, 2019


Also if you see a countdown clock? Fake.

While some countdowns are real (Humble Bundle and various other sales come to mind), there are sites that have countdown clocks that reach their end... and then just rollover and restart.

Found that out when I followed a Tumblr link to a rainbow-geometric backpack (I've since lost it) that was "on sale" for $35, down from $70, for five more days. I was recently unemployed and couldn't afford it; I decided that if I got a solid lead on a job that week, I'd come back and get it. I left the tab open.

I did not get hired that week, forgot about the backpack until I was flipping through tabs, deciding what to close... where I found it, still $35, now "on sale" down from $90, with nearly two weeks left on the clock.

I have a new job. I have not yet bought the backpack. (Also, it's now on Amazon for $27; it wasn't, when I started looking.)

I suspect some of the fake "on sale" claims could be prosecuted as a form of fraud - offering a value that doesn't exist in order to encourage purchase, especially a quick impulse buy. But wow, that'd be a very troublesome lawsuit; it'd probably need to be a class action suit against a specific company.
posted by ErisLordFreedom at 1:22 PM on October 23, 2019


« Older Satire props up what it should destroy   |   Riots in Santiago and soldiers in the streets. Newer »


This thread has been archived and is closed to new comments