The Dark Side of Web Push Notifications
- vptadmin
- December 14, 2021
Web push notifications (also known as browser push notifications) let websites send messages to their users, even after a user has closed a web page. This can be handy – consider an online calendar that reminds you of your upcoming meeting, or a band that’s able to tell you about their new album. But it also has the potential to deceive. A web push notification could pretend to be from someone else – could promise tech support the user doesn’t need, could tout a deal that may or may not even exist. Predictably, some marketing affiliates found ways to use web push notifications to claim commissions they haven’t fairly earned.
Confusion for users
Web push notifications are particularly tricky because they run counter to the original design of the web. Many users had a decade-plus of experience with the web when Chrome version 42 introduced web push notifications in 2015. Even if web browsers had user manuals, and even if users read them, this is a strange enough change that most users would struggle to understand it.
Web push notifications are also confusing to users because the notification arrives separate from the site that sent it. Returning to our band example: A user might have last visited the band’s web site months or even years ago. But if the user granted notification permission, the web push notification will still get through. Even more confusing, most browsers show web push notifications separate from the browser window. When a web push notification appears as a “toast” popup in the corner of the screen, near the taskbar and clock, it looks more like part of the operating system, and less like a message from a web page.
Compared to email and chat, web push notifications are particularly straightforward for users to enable – just a single click when browsing a publisher’s web site. For example, if the user presses “Allow” once, in the screen shown below, the listed site will be able to send the user web push notifications indefinitely.
Because users struggle to understand what web push notifications are, these notifications are correspondingly more difficult for users to ignore or prevent.
Legitimate web push notifications in marketing
Many web push notifications are legitimate forms of marketing. We mentioned the prospect of a band communicating with its fans. So too for a store announcing promotions, seasonal specials, or other genuine news.
Aggressive marketing via web push notifications
The same factors that make web push notifications useful to marketers – easy opt-in, high visibility, confusing opt-out – make this format attractive to aggressive marketers and, frankly, scammers. Because users struggle to figure out who is sending a given web push notification, attackers lean towards aggressive tactics – be it click fraud, cookie-stuffing, or other misconduct.
Web push notifications have proven a particularly good match for tech support scams, security software, web browsers, and system maintenance tools such as registry cleaners and system optimizers. Because web push notifications look more like operating system messages than part of a web page, a web push notification is well positioned to claim to be part of the operating system – then to deliver a message claiming that the user must install a security update, pay a fee, or call tech support to protect his or her device.
Some affiliates use web push notifications. In the most innocuous implementation, affiliates send web push notifications with genuine offers for legitimate brands. In this case, the core violation is the use of web push notifications – a promotional method that most merchants don’t allow.
But if an affiliate thinks its web push notification methods are unlikely to be scrutinized by affiliate merchants or affiliate networks, it can invoke additional methods to increase its profit. For example, an affiliate can stuff cookies within a web push notification – not just promoting a merchant, but claiming the user already clicked through to that merchant, so the affiliate gets paid if the user then makes a purchase. As usual for cookie-stuffing, this harms the advertiser (which faces additional zero-ROI marketing expense) as well as legitimate affiliates (whose commissions get diverted).
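The following added example, which is not VPT's own tooling, classifies events captured by a monitoring browser into the two cases described above: an affiliate link reached after the user clicked the notification, and an affiliate tracking request made with no click at all. The event format, the hostnames and the verdict labels are assumptions made for the illustration.

```javascript
// Assumed affiliate tracking hosts (placeholders, not real networks).
const AFFILIATE_HOSTS = new Set(["track.affnet.example"]);

// Constructed sample capture: t is seconds since the monitoring session began.
const capturedEvents = [
  { t: 100, type: "notification", id: "n1", origin: "https://deals.example" },
  { t: 160, type: "click", id: "n1" },
  { t: 161, type: "request", id: "n1", url: "https://track.affnet.example/c?aid=111&mid=shop" },
  { t: 200, type: "notification", id: "n2", origin: "https://alerts.example" },
  { t: 201, type: "request", id: "n2", url: "https://track.affnet.example/c?aid=222&mid=shop" },
  { t: 300, type: "notification", id: "n3", origin: "https://band.example" },
  { t: 320, type: "click", id: "n3" },
  { t: 321, type: "request", id: "n3", url: "https://band.example/new-album" },
];

function isAffiliateUrl(rawUrl) {
  try {
    return AFFILIATE_HOSTS.has(new URL(rawUrl).hostname.toLowerCase());
  } catch {
    return false; // malformed URL in the capture: treat as no match
  }
}

// Returns one record per displayed notification with a verdict:
//   clean                        - no affiliate tracking request observed
//   affiliate-link-after-click   - promotion via push (merchant policy issue)
//   affiliate-link-without-click - tracking request with no user click,
//                                  consistent with cookie-stuffing
function auditNotifications(events) {
  const byId = new Map();
  for (const ev of [...events].sort((a, b) => a.t - b.t)) {
    if (ev.type === "notification") {
      byId.set(ev.id, { id: ev.id, origin: ev.origin, clickedAt: null, verdict: "clean", evidence: [] });
      continue;
    }
    const rec = byId.get(ev.id);
    if (!rec) continue; // event for a notification never seen on screen
    if (ev.type === "click" && rec.clickedAt === null) rec.clickedAt = ev.t;
    if (ev.type === "request" && isAffiliateUrl(ev.url)) {
      rec.evidence.push(ev.url); // keep the URL as evidence for the report
      const afterClick = rec.clickedAt !== null && ev.t >= rec.clickedAt;
      if (!afterClick) rec.verdict = "affiliate-link-without-click";
      else if (rec.verdict === "clean") rec.verdict = "affiliate-link-after-click";
    }
  }
  return [...byId.values()];
}
```

The `evidence` array holds the full tracking URLs, so the affiliate identifier in each one can be reported to the merchant alongside the sending origin.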
Beyond marketing expenses, merchants also lose brand reputation when affiliates use web push notifications. Overall, users find web push notification advertising to be annoying, invasive, and unwanted. Rare is the brand that wants to associate with those methods.
How VPT can help
Visible Performance Technologies (VPT) supervises affiliates to make sure their conduct meets merchants’ rules. As to web push notifications, we “allow” myriad web sites to send us their notifications, then we examine each notification for unwanted affiliate links. If we find these problems, we promptly notify merchants by adding the incident and evidence to our reporting dashboard. Sound like a good fit? Get in touch.