REMINISCENCES OF AN ADTECH OPERATOR
I became interested in the topics of privacy and internet user rights more than 20 years ago in my native Finland, which at the time was touted as the first information society in the world. I was one of the first commercial internet developers, and became fascinated with the user data aspect of the internet the moment I saw awstats for the first time. It was an early server-log-based web analytics solution, from a time when there were no tracking-tag-based solutions available. The idea of allowing 3rd-party tags on websites came later. Today it is not hard to find premium websites with more than 100 such 3rd-party tags.
Shortly after having started one of the first digital agencies in the world, at the time building the first major ecommerce solution in Finland, together with a group of other early innovators I started the Internet Users Association. Our idea was to create something like what IAB is today, but focused on internet users as opposed to internet companies. We saw that the rapid commercialization of the internet, which we too were now part of, could later lead to many different kinds of trouble for internet users and society.
Around 1995 there had been fundamental discussions about security, and how some authorities and lawmakers felt that security was more important as a civil right than privacy. Critics coined the term “super civil right” to explain what was taking place; constitutional rights were being trampled under the umbrella of supposedly making the society more secure.
Many think that security’s chokehold on privacy started post 9/11, but this is not accurate. It had started half a decade earlier with the advent of the internet and the popularization of mobile phones. Edward Snowden’s allegations much later were also largely part of the debate that started around 1995. There is no better testament to the level of concern and awareness the early researchers and advocates had than the Europarliament’s report on surveillance and various forms of data collection, published after years of work around the turn of the millennium. What was not clear then was the connection internet advertising would have with state-level espionage practices. In a 2014 session with the European Council, Edward Snowden was the first to shed light on these practices[1].
“..that is the smallest part of the NSA’s fingerprinting capability. You must first understand any kind of internet traffic that passes before these mass surveillance sensors can be analyzed in a protocol agnostic manner, metadata and content both. And it can be today, right now…This is very common for technicians, it’s not a serious workload – it’s quite easy. This provides a capability for analysts to do things that associate unique identifiers assigned to untargeted individuals via unencrypted commercial advertising networks, their cookies or common tracking measures used by businesses every day across the internet with personal details such as an individual’s precise identity, their geographic location, their political affiliations, their place of work, their computer operating system and other technical details, their sexual orientation, their personal interests and so on and so forth. There are very few practical limitations to the kind of analysis that can be technically performed in this manner short of the actual imagination of the analysts themselves. And this kind of complex analysis is in fact performed today using these systems.”
Now in 2016, we have reason to believe that similar techniques are being actively used by enemies of the US and other states that had likely themselves indulged in such practices since the emergence of the first advertising networks and tracking technologies.
Instead of focusing on my commitment towards a safer and more private internet, I became increasingly fascinated with how research and behavioral change methods could be used for exploiting internet users for commercial gain. This practice is widely known as internet marketing today. By the year 2000 I had worked on ecommerce, online video, social networking, Fortune 500 websites, online payments, and even internet porn. The overarching interest I carried forward was in user data and how to leverage it for learning valuable things about people.
Using the terms of the music genre that I and many others of my generation in Finland were so fond of, punk and hard-core, I had become a sell-out. As is the case with all sell-outs, I had no idea that I was one. I genuinely thought that by innovating on ever more exploitative and manipulative communications methods and technologies, I was making the internet better.
Around 2005 or 2006 I became obsessed with user data. I saw that it was the black gold of internet advertising, and that making bets around collection, enrichment and monetization of such data would be the surest way to stay relevant in the rapidly moving internet advertising industry. I did not remember the Internet Users Association anymore. I did not even see internet users as people, but as opportunities to create monetizable data.
The first advertising technology business I founded ignited what was referred to as “the new era in web analytics”. Our competitors, including Google, referred to our platform as the future of web analytics. One of our innovations was a way to tell which other websites the visitor had visited, without having the user disclose it. This and other equally malicious innovations, coupled with an elaborate cookieless fingerprinting method, one that could be made persistent even across devices, meant that we had built the first commercial spying platform. Because we did not store personally identifiable information, we were marketing our platform as privacy-compliant.
In countless demonstrations of the platform and our user-rights-violating innovations, with the biggest agencies, brands, advertising technology companies and venture capitalists, the legitimacy or morality of our proposition was never seriously questioned. While the technology itself never became a commercial success, those that saw or heard about it could not stop singing its praises. Today many of these techniques are widely used in advertising technology, and are considered a standard way to operate.
For the next 8 years or so, everything that I did was somehow a continuation of that platform. For example, I feel somewhat responsible for the widespread use of 3rd-party tracking tags inside online ads here in APAC, a practice at the center of many of the problems we're talking about here today. While the practice was common in more developed markets, before mainstream adoption of programmatic advertising in 2012, clients and agencies in this region were not aware of such a capability.
We can’t go on talking about 3rd-party tags without talking about the growing malware epidemic and the role that internet advertising generally, and 3rd-party tags specifically, play as causes of the epidemic.
The number of newly identified malware is not the only indicator of the dramatic shift that has been taking place in the security of society over the past few years. Where the early malware often did little more than spread, to showcase the capability of the person or crew creating it, the latest uses of malware exhibit a far darker intent. Examples include the Stuxnet attack on an Iranian nuclear facility, the recent Ukrainian power-plant attack, and widespread ransomware attacks affecting millions of people all around the world. Ransomware attacks can be, and have been, targeted against authorities as well; for example, police in various states in the US had to pay ransoms to regain access to their data. Such an attack is trivial to conduct using almost any internet advertising platform.
Malware delivery has been found to be increasingly associated with online advertising, and this is not a surprise. Standard internet advertising targeting capabilities, such as operating system, device model, browser version, IP address and organization name, make ad delivery an ideal way to conduct both untargeted and targeted malware attacks at any scale. As hard as it may be to believe, this can be done as simply as signing up with any one of the thousands of ad platforms, and starting a campaign. Because buyer representatives are insisting on having 3rd-party tracking tags inside ad calls, while platforms are not only allowing it but making it very easy to do, those with malicious intent simply follow this standard practice.
One of the pioneers of JavaScript, the most widely used technology on the web today, Douglas Crockford argued that the most reliable and cost-effective method to inject malicious code onto a user’s device is to buy an ad. I don’t know a single researcher who disagrees with this claim. Actually, because of the way 3rd-party tags can be, and commonly are, nested one inside the other, more than one piece of malicious code can be injected in a single ad delivery.
According to the IAB, malvertising, the practice of using ads for malware delivery, is a problem costing over $200 million in lost ad revenue. In fact, this year up to $500 billion will be lost due to cyberbreaches, with many individual organizations suffering damages well over $200 million due to lost revenue and other factors. With malvertising attacks growing 300% last year, cyberbreaches can be increasingly connected directly to successful malvertising campaigns.
Perhaps the most common use of malvertising is related to advertising fraud, the single largest cybercrime. Even by the most moderate figures, reporting ad fraud at roughly 10% of total investment into internet advertising, it is as large in revenue as the next five biggest cybercrimes combined. Because of the intimate connection internet advertising has with consumer spending, and therefore with national economies, damages from ad fraud are far greater than the reported revenues.
My concern is that it is this disconnection between the comments made by the IAB and most recently the Culture Minister of the UK, and what is actually reported to be happening, that will make it increasingly hard for the regulators to not step in. There seems to be no reason to believe that authorities and lawmakers have the understanding or motivation to be able to add to what is a poorly understood situation even among the industry’s key decision makers. On the contrary, the fear I share with many of my peers is that intervention at this volatile time could have devastating effects on internet advertising. Because of the aforementioned connection internet advertising has with national economies, I’m afraid society would suffer from this as well.
If we go back about 10 years, we can find that ad blocking is simply the second phase in what appears to be internet users seeking remedy for structural failures in internet advertising.
At the time when popup blocking had become a standard feature, users shifted their interest to blocking ads. The fact that leading security influencers, such as F-Secure’s Mikko Hypponen, are advising users to stay safe by using ad blockers suggests that the future of ad blocking has little to do with poor quality creative or invasive ad formats. The motivation of users has already started shifting from mere blocking of annoying ads to blocking malicious code delivered potentially inside any ad.
In the current situation, it seems that at the very least we are going to see an increased use of ad blockers, resulting in further damage to internet advertising and national economies. At worst, we’re going to see a further escalation towards more sophisticated “muting” technologies, where the user has the opportunity of blocking branded keywords, mentions or entire messages across all screens and their entire digital user experience. This would have an even greater negative effect on internet advertising, one of the significant drivers for a healthy national economy and GDP growth.
I know I’m not alone when I say that few things have the potential to speed up such progress to the same extent as comments and actions directly undermining internet users’ right to protect themselves from malicious code delivered inside ads. It is not only the right of internet users to keep their devices secure and free from malware, but it is their civil duty as responsible members of the internet-age society.
Fighting against ad blocking, particularly by trying to forcefully deliver ads to those users who have decided to block ads in the first place, can be argued to fall only slightly short of forcing malware, and espionage, on internet users, unless something is done about the underlying structural failures first. In some way, it seems that the “war against ad blocking”, as it has been described by those most aggressively against internet users deciding to block ads, can be, and has been, considered by some as a war against internet users.
We have not even touched the more widely discussed topic of quality of advertising, and the potential harms that come with online advertising even without malicious code being inserted into users’ devices. I can only say that force-feeding advertisements to internet users is, in itself, a questionable practice.
That the advertising technology industry acts in a way that is evidenced to cause widespread harm to internet users and companies, because of malware being spread through online ads, puts the pressure on us to take action swiftly.
In order for things to become better, two kinds of behavior change are required. One is where the advertising technology industry creates a safe and efficient environment where advertisers can invest in media without being afraid of further alienating internet users, or supporting large scale cybercrime and espionage. The other is where internet users have reasons to trust the internet advertising industry, to the extent where ad blocking is no longer seen as a necessity. It is very important for us to understand that when internet users think about internet advertising, they think about the companies they see in the ads. Few can make the distinction between advertisers and vendors in this case.
Unless we take drastic measures in applying the right kind of pressure on the IAB and their members, it is not likely that we will see the needed behavior changes take place. I hope my personal story helped you to understand how difficult it is for an advertising technology operator to do what is right for internet users and society. In order for behavior to change, there need to be reminders, motivation and ability coming together to facilitate the change. At the moment it is clear that the wider advertising technology industry is lacking in all three.
Again I want to remind you that ad blocking is not a problem related to ad formats or quality of creative. It is a problem arising from, and perpetuated by, the expedience of the advertising technology industry, and what seems like a complete disconnection from the interests of internet users and society. Before this issue is genuinely addressed, internet users have no reason to reduce ad blocking use and the current problems will continue to grow both in magnitude and complexity.
As long as it only takes a standard configuration account in a common advertising technology platform, including all of the major ones, to be able to deliver malware at scale using standard targeting capabilities such as browser version or organisation name, cybercriminals, enemies of state and state-level spy agencies will continue to engage in such practices.
Because of what I have shared with you, I feel a great sense of urgency. If we let the current situation persist, even without it becoming worse, it is truly a lose-lose situation. At the same time, I have no doubt that if we act as a unified front, and we do so promptly, we are able to make some progress in the short term, and ultimately come to resolve the underlying structural problems over the coming years.
These structural issues, namely the ways in which 3rd-party tags are allowed on ad calls, and the way tags are allowed to live inside other tags in a nested manner, are at the heart of the threat for which the advertising technology industry now finds itself the basis. These two practices are almost as old as the industry, and it is time for us to stand up against them. We must expect more from those that sell internet advertising and related services to your companies. It is the buy-side that has all the money, and therefore the power, and ultimately the responsibility, to ensure that required structural changes take place in a timely manner.
I feel that this is a topic that should somehow be a consideration in discussions covering any other topic about the current state of advertising, and especially its increasingly internet-centric future. As the share of internet advertising in overall media investment increases, left unchecked, so do the problems and threats we’ve spent the last 20 minutes covering.
I was able to go through my personal transformation from being part of the problem, to actively fighting against it simply by respecting myself more as a citizen and a human being. A member of the global community with a real chance to make things better here today, and for generations to come. I’ve come here to ask you to join me in this fight, because I’m certain that only by joining our forces, we can and will prevail.