Sites that pay to have their links pop up on search engine result pages are nearly three times more likely to harbor spyware or adware, or hassle users with spam than URLs generated by the engine's algorithms, research released Friday claimed.
And search engines are cashing in, reported McAfee's SiteAdvisor service. By its estimate, the search industry made $1.1 billion from risky sponsored links last year.
The study, which evaluated Google, Yahoo, MSN, AOL, and Ask.com search engines using 1,300 different keyword searches, found that about 5 percent of the links served up in the first five pages can infect computers or plague users with spam. That figure, about one link per search result page, is more than double SiteAdvisor's Web average of 2 percent.
"Most people use search engines as their gateway to the Internet," said Shane Keats, a market strategist with SiteAdvisor. "Search engines are the highway, and you gotta use the highway. We're just pointing out the potholes."
There isn't a significant difference between search engines' results when it comes to putting users at risk, Keats argued. "They're not enough for consumers to pick one over another," he said.
But SiteAdvisor's research concluded that MSN had the lowest percentage of risky sites -- those SiteAdvisor color codes red or yellow -- of the five engines it tested: 3.9 percent. Ask.com's percentage, meanwhile, was almost double that: 6.1 percent. Google, Yahoo, and AOL fell in the middle, with 5.3, 4.3, and 5.3 percent, respectively.
Still, one of the most remarkable conclusions gleaned from the study was that non-paid results are safer than sponsored links, those paid for by advertisers, and the major revenue source of Google and Yahoo, which together account for nearly three-quarters of search market income.
"Organic" links, or the ones cranked out by the engine's algorithms, are much less likely to lead to dubious sites, said Keats. Only 3.1 percent of organic links were judged risky, compared to 8.5 percent of paid links.
"People tend to think that there would be additional vetting of paid links, since advertisers have to go through a process to get on the Web," said Keats.
By SiteAdvisor's results, the opposite is true.
"Search engines sell ads to sites that send users literally hundreds of e-mails per week," the SiteAdvisor report said. "Search engines also sell ads to sites that infect users' computers with adware programs that open numerous annoying pop-up ads."
The latter, in fact, is the foundation of a pair of class-action lawsuits filed recently against Yahoo. In both suits, plaintiffs argued that Yahoo turned a blind eye to spyware companies amongst its ad affiliates.
The high percentage of risky sites among search engines' paid advertisers puts some serious green into company coffers as it makes users' lives miserable, SiteAdvisor said.
"In 2005 Google earned approximately $6 billion in revenue from advertisers," said Keats in a follow-up e-mail to TechWeb. "We have no reason to think unsafe advertisers are paying more or less than other advertisers, so suppose they're paying, on average, the same as other Google advertises. Then Google earned approximately $510 million ($6 billion X 8.5 percent [risky sites]) from these sponsored sites."
Using the same math, Yahoo, which reaped $4.6 billion in ad revenue in 2005, earned approximately $391 million from sponsored sites.
"[So] the total annual search engine revenue from [risky] sponsored sites is about $1.1 billion," said Keats.
Some search engines have made progress in weeding out risky sites from for-fee links, Keats noted, highlighting Google's recent crackdown on online pharmacies as a good example. "But we'd love to see more vetting," Keats added.
"We're not comfortable telling the search engines what to do," he said, but then went on to catalog the risks users face from risky sites, including the admittedly rare drive-by download where a site exploits unpatched bugs, usually in Microsoft's IE browser, to silently install spyware or adware.
The threat's real enough, Keats said, that the average Web user will click through to a risky site about once every 15 days, and to a dangerous site -- which SiteAdvisor codes in red -- once every 21 days.