Three Reasons Why Everyone Should Consider Using Ad Blocker

May 22

For an internet advertising company to make money, it can only happen because of the internet user. Yet sometimes it seems almost as if the advertising technology industry is at war with internet users.

With more than 50% of savvy internet users in US on ad blockers, and ad blockers being among the most downloaded browser extension in history, there is no better (and more important) time than right now to consider the arguments to why internet users may be better off by using an ad blocking technology.

So what are the three reasons that internet users should consider in terms of ad blocker use?

REASON 1

BECAUSE ADVERTISING NETWORKS ARE USED FOR SPYING

In 2014 Edward Snowden gave a talk [1] on the topic of surveillance to Council of Europe, where he gave special mention to internet advertising. I will highlight the interesting part below:

[1] https://edwardsnowden.com/2014/04/15/edward-snowden-speaks-to-the-council-of-europe/

The first reason why this makes sense is because the data that is collected by the internet advertising industry is gigantic. Making it very interesting. In the AT&T example that has been discussed to the death, there was the number “60 billion events per day” associated with the practice in that case. The programmatic advertising market is at least 200 billion events per day.

When you can witness up to 100 ad or tracking tags on a given page, you can guess there is a very high level of reduncacy within that eco-system in respect to user data. Which means that there are trillions of potential meta-data events to exploit each and every day, some of which may have hundreds of individual variables attached to them. Connecting cookies to identities is trivial in most cases. Some of the most powerful, yet trivial reverse lookups include:

cookie to email
social id to email
email to social ids

It is not only trivial, but there are companies that are specifically focused on providing reverse lookup services for marketing service, fraud detection and other purpose.

The second point on why it makes sense that ad networks are used for espionage and surveillance, is that US government agencies is actually making appeals to adtech companies for not using end-to-end encrypted connections:

FBI Director Asks Tech Companies to At least Don’t Offer End-to-End Encryption
FBI declared War against Encryption. Encryption is defeating government intelligence agencies to detect terrorist…thehackernews.com

These comments leave us with the impression that an ad platform would have to be hacked, so that an authority or other agent would be able to leverage such data. That is not at all the case.

Actually, in the same way as you can spread malware as a customer of an ad network, you can conduct espionage as a customer of an ad network. While the way data is accessed is different, the outcome will be more or less the same.

REASON 2

BECAUSE MALVERTISING IS SPREAD THROUGH AD PLATFORMS

Due to the fact that neither the government, or almost nobody else for that matter understand advertising technology comprehensively , both Snowden’s comments and the recent coverage on FBI Director’s request for keeping ad eco-system poorly encrypted, leave us with a wrong impression of how hard it is at the moment to use ad platforms for spreading spyware or other malicious codes through ad platforms.

It is far easier than almost anyone can think, to use ad platforms for spreading malicious codes

To do this, is as simple as to start a campaign that targets specific groups or individuals. The Million Browser Botnet video shows how easy it is to do this in practice. Basically, it shows exactly how to spread malware using ad platforms.

To understand how bad the problem is, in my view the video just scratches the surface of what is possible technically and how easy it is to execute something like that with almost any ad platform. We also have to consider that between the major ad platforms, especially DSPs, there is massive overlap in terms of available inventory. Just by delivering your malicious payload in one major DSP will give you over 50% coverage of everything everyone else has. That’s more or less 50% of the internet.

Today in 2016 the problem highlighted in the video is only worse.

Once you become the customer of an ad platform, you can start distributing your malicious codes. You can do it either with 1-to-1 targeting, or at massive scale reaching 2 billion internet users in a given day. Targeting is widely supported against things like:

IP address
company name
cookie ID
an alternate fingerprinting ID
location
interest
searches
times of day
version of OS
browser version
device information

Targeting capabilities would make a very long list actually. A single ad platform could have 100 or more of such meta-data variables available to be used as targeting criteria. Data Management Platform’s boast with their ability to connect cookies to user accounts, and some promise personally identifiable information (PII) too.

In short summary, to create either ultra-targeted or massive scale spray-and-pray campaigns to spread your malware, the only thing you have to do, is to sign up with one of the thousands of ad platforms. Using this method, cost of spreading malware can be as low as $0.01 per thousand ad impressions (malicious payload exposures). Infection rates per ad exposure will vary on the overall methodology used. Because things like browser versions can be targeted, infection rates could be very high.

Cyphort reports that malvertising attacks are up 325% from previous year. [2]

REASON 3

BECAUSE OF THE DISCONNECTION BETWEEN INTERNET ADVERTISING BUREAU AND INTERNET USERS

Ad blocking is related to abusive internet advertising and the general disconnection between the internet users and those that are responsible for delivering ads to internet users. Yet public comments from IAB, the supposed guardian of the internet advertising industry, leave one with nothing but more reasons to fight back.

http://www.adweek.com/news/technology/iab-calls-ad-blocking-highway-robbery-and-ramps-its-call-arms-167241

Ad blocking is a reaction to the disrespect of the internet advertising industry in regards to the internet users. When it is argued by the IAB that it had done a tremendous job in developing internet advertising, ad blocking is part of the cost for that same job. In other words, I think internet users are thinking that IAB did not do a tremendous job in terms of developing internet advertising.

http://adage.com/article/digitalnext/ad-blocking-unnecessary-internet-apocalypse/300470/

In the article authored by the IAB CEO Randy Rothenberg, one of the comments is on how ad blocking companies should be sued…

We can (and should) contemplate suing unethical ad-blocking profiteers out of business.

Because “unethical” is mentioned, where does that leave Google? There is evidence that among other things, Google is perpetuating the botnet problem by charging clients for video views when Google knows its a bot[3]. If everyone already agrees that there is at least a 10% exposure to ad fraud in the market, does it mean that 10% of Google’s revenue is from ad fraud? Does it mean that there should be contemplation among the advertisers to sue advertising technology companies? Or when we speak about morals, how about all the malware peddling through ad platforms, should internet users contemplate on suing for neglect in regards to keeping

While suing ad blocking companies seems far fetched at best, there is clear precedence for at least the two kinds mentioned above, both legally and in terms of filing complaints to various interested parties (FTC, EC, etc.), I just don’t think that by suing each other we will get far.

If indeed the IAB is suggesting (as it seems) that suing companies is a good approach if business ethics are in question, then different ways of suing should be fairly evaluated.

With tobacco for example, this approach did not go well. Tobacco kills just as much as before, and other tax payers pay for those deaths and the other illness that comes with tobacco more than ever before. Tobacco companies, with every possible restriction in place, not only do better than ever, but also consistently outperform most other major categories. Making money first at the expense of others, so that you can later buy yourself out of trouble can’t be the right way to do business, or live life.

One thing seems clear thought, self-regulation has not worked. Otheriwise it appears unlikely that the adblockalypse unfolding as it does.

http://www.iab.com/news/rothenberg-says-ad-blocking-is-a-war-against-diversity-and-freedom-of-expression/

The latest episode, in a series of too many to cover here, in the IAB’s Leadership Summit few weeks ago, further statements were made about ad blocking. Ad blocking, is somehow a war against freedom (of expression).

Aaand…..where do we go from here?

If you read the entire keynote, is worrying that it is basically saying how great of a job IAB has done. Ad fraud is mentioned as a sidenote to say that IAB’s spin-off TAG is the leader in countering ad fraud. On the contrary, TAG’s many members continue to be the greatest economical beneficiaries of ad fraud. This can be proven very simply. All the while there is zero evidence that there is any improvement in ad fraud, where as there seems to be strong claims towards malvertising being up.

Advertising technology vendors almost without exception make money from commissions, so when fraud traffic is sold, or malware is being spread, it is not the publisher (website) who takes most of the money, but the ad network who acts as a conduit in the transactions. Google Display Network is the largest of such ad networks and is known for taking more than 50% of the revenue.

[4] http://www.thedrum.com/news/2016/01/15/iab-un-invites-adblock-plus-its-annual-conference

What I did not understand, is how can IAB at this stage afford to exclude the leading ad blocking company from the leadership summit in such a blatantly and outright arrogant manner.

From the keynote talk it becomes clear that IAB was more interested in glorifying itself than anything else, and the event was built around the idea of “Next 50 billion”. In other words the agenda is “here is how we make $x per every internet user”. We will probably have have an average internet user rate of 3,5 billion for that period of time, so in effect IAB is saying:

the next $14.28 per user per year
the next $0.04 per user per day
the next 40 ads per user day (at $1 per CPM)

Which is kind of hilarious, because everyone knows, even the most tentative of financial sector analysts looking at “digital” that even IAB seized to exist right in this moment, the next 50 billion will come fast.

What I was hoping to hear was something like “here is how we make the internet x times better for internet users, maybe at this point even at our own expense”.

SUMMARY

IS IT THE RESPONSIBILITY OF INTERNET USERS TO USE AD BLOCKING?

As long as ad networks are used for spying, and normal use of ad platforms remains a principal mean of spreading malware, it is very hard to argue against if internet users should consider using an ad blocker or not. Not using an ad blocker leads inevitably to more malware infected devices, which in turn leads to botnets and many other problems because of that. If IAB and the advertising technology vendors make a sincere effort in securing their systems, which first and foremost means that it becomes much harder to get 3rd-party ad tags in to ad calls. I’ve never met another researcher who does not agree with this point.

At the moment, Ad blocking, and ad blockers, are one of the most effective ways to protect yourself from malvertising activity. Very importantly, it is a technology that even less savvier internet users can embrace. Also because it is free, there is no barrier of entry in that sense. You should not use ad blocker to block ads, you should use ad blocker because it is your responsibility as an internet user to do what you can to make the internet safer and better.

In the long term, the way to block ads is to stay away from the sites that show the kinds of ads you don’t want to see. If you don’t want to see any ads, support ad free sites. That’s where the good content seems to be mostly anyway. If you want to get the latest scoop on Kim or Don, then you probably should be ready to see ads too. If today a site that you love specifically nags you about ad blocking, make the choice of either supporting the site you love, or stop using it.

For the internet we are in now, ad blocking provides the single most effective way to fight back against the negative effects internet advertising is currently having on the internet. And with the internet, on civil society and wider human culture.

If you liked this article > please share it < in medium or elsewhere on the internet.

For more like this: @mikkokotila

REFERENCES

[1] Edward Snowden speaks to the Council of Europe
https://edwardsnowden.com/2014/04/15/edward-snowden-speaks-to-the-council-of-europe/

[2] Malvertising Attacks Up 300% Last Year
http://go.cyphort.com/Malvertising-Report-15-Page.html

[3] Google Charges for Bots when it Knows They Are Bots
http://arxiv.org/abs/1507.08874

[4] IAB un-invites AdBlockPlus from the leadership summit
http://www.thedrum.com/news/2016/01/15/iab-un-invites-adblock-plus-its-annual-conference