Forced Clicks and Stand-Down Violations by Shopping Plugin Phia

randycupertino1 pts1 comments

Forced Clicks and Stand-Down Violations by Shopping Plugin Phia – Ben Edelman

Skip to content

I’ve recently been looking at multiple forms of misconduct by Phia, a fast-growing shopping plugin.  I’m troubled by what I found, and even more troubled by Phia’s misleading public statements about these practices.  Based on my hands-on testing, code review, and other investigative methods, Phia appears to be materially out of compliance with network and merchant agreements.  Networks, merchants, and rule-following affiliates should be concerned, and in my view, all three groups have strong claims against Phia.

Forced clicks

The basic bargain of affiliate marketing is simple: an affiliate earns a commission only if it presents an offer, the user clicks, and the user purchases.  Network rules make clear that shopping plugins, like all other affiliates, are only allowed to invoke affiliate links—setting the cookies and other tracking codes that claim commission—if a user actually clicks an affiliate link.

See the CJ Publisher Service Agreement: "Software may not be used to force clicks [or] perform redirects without an affirmative click by a user".  Rakuten Affiliate Network Policies: "The DSA must not force clicks or ‘cookie stuff’. The DSA must not insert a cookie onto the user’s computer without the user knowingly taking an action."  Awin Code of Conduct: "Publishers only initiate tracking via a tracking link used for click tracking if the user voluntarily and intentionally interacted with the Ad Media or Tracking link."

This is arguably the most fundamental rule of affiliate marketing.  Almost two decades ago, I caught Shawn Hogan and Brian Dunning invoking affiliate links, and thereby claiming commission, without users clicking.  I reported this to eBay, which told the FBI, leading to criminal charges for wire fraud, breach of contract, RICO, and more.  Both men ultimately served jail time.  Details.

Phia appears to be doing much the same thing.  Phia’s iOS app and Chrome plugin both include a setting called enable_coupon_auto_drop that, when active, automatically invokes affiliate links without user action, most often when a user is at a merchant’s shopping cart or check-out page.  See this iOS test video , showing the affiliate link invisibly loaded into a second tab.  (In the video, at 0:05, the tab switcher window screen is opened so viewers can see the second tab loading, but normal users would have no reason to do this.)

Notably, Phia activates the "auto_drop" setting via a "feature flag" that allows server-side control of which devices receive forced clicks (yellow).  In my testing, this feature is always turned off for Chrome users.  But if a user-agent header references iOS (green), the feature flag server replies in the affirmative (blue).  Change the user-agent to a different value, while keeping everything else the same, and the feature flag becomes false.

curl -X POST \<br>-A "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1" \<br>-H "STATSIG-API-KEY: client-..." \<br>-H "STATSIG-SDK-TYPE: javascript-client" \<br>-H "STATSIG-SDK-VERSION: 3.31.0" \<br>-H "Content-Type: application/json" \<br>-d '{"user":{"userID":"...","platform":"IOS_SAFARI_EXTENSION",<br>"appVersion":"1.10.26","platformVersion":"1.10.26"},<br>"hash":"djb2","statsigMetadata":{"sdkType":"javascript-client","sdkVersion":"3.31.0"}}' \<br>'https://featureassets.org/v1/initialize?k=client-...&st=javascript-client&sv=3.31.0&...'

→ HTTP 200, hash_used: djb2<br>→ derived_fields.browserName = "Mobile Safari"<br>→ derived_fields.osName = "iOS"

→ feature_gates["3845139938"] // decodeable to "enable_coupon_auto_drop"<br>"name": "3845139938",<br>"value": true,

Thus, a user who tests only on desktop would never see these forced clicks. In my experience, many affiliate fraud testers test desktop only. That explains why this wasn’t promptly noticed.

Phia first shipped this feature in version 1.9.33 of its app, published on December 13, 2025.  Nonetheless, Phia told Bloomberg "a recent release our codebase was causing misattributions from a subset of users."  I disagree that the problem was limited to "a recent release" of Phia.  There have been numerous intervening releases, making it difficult to characterize this as a problem confined to a single recent release (as Phia’s "a release" claims).  The feature appears to have persisted for roughly seven months, including the 2025 holiday shopping season—a significant period with real economic consequences

In remarks to industry bloggers Kris and Sarah, Phia downplays the forced clicks as a "bug."  That characterization is difficult to reconcile with the evidence.  Phia intentionally built and shipped a feature which they themselves call "auto_drop" and which does what it says.  In no context in affiliate marketing is it ever permitted to "auto drop" an affiliate link and automatically set affiliate cookies.  Deliberately building and...

phia affiliate user clicks feature forced

Related Articles