What In the Actual #$%@ Is Going On with the Big Publishers’ Attack Against Brave?

By admin | Uncategorized

Apr 09

While Ad Blocking has been a hot topic for the past few months, nothing has fuelled it like the cease and desist letter signed by 17 major US publishers collectively in effort to intimidate Brave. Let’s see what’s wrong with the approach of the said publisher.

headline image from Spirited Away

First and foremost, to use New York Times, one of the signees as an example, major publishers have a major problem in how their sites are being used to unconsciously deliver malware on to user devices[1][2]. This is happening because they allow copious amounts of 3rd-party tracking tags on their sites, including, to be delivered inside every single ad impression[3].

Evidence on large scale ransomware campaign through New York Times and other major publishers was reported widely just weeks after NYT CEO announced that they would enter the anti ad blocking battle “guns blazing”[4]. Shortly after after this some users[5] started to see a notice that gave the option to subscribe or to whitelist.

For those users that would have whitelisted New York Times at that time, or anytime before the coming Ransomware attack, could have been exposed to the Ransomware and either pay the Ransom (1 bitcoin = US$420) or lose their data. For enterprise users the damages would typically be much higher than just paying the ransom.

For European users there is more than just the financial aspect. The way anti ad blocking technologies work, is that it gets in to the browser of the user to test if ads are able to load or not. This practice is specifically prohibited without the user’s consent [6].

Because in the case of the user already using an ad blocker the publisher knows they do not have the user’s content, there seems to be nothing to overcome this issue. It is a violation of the user’s rights plain and simple.

For users inside EU NYT and other publishers engaged in anti ad blocking practice are not only causing financial damage to the user in the case of succesful malvertising attack compromising the user’s device, but are also in direct violation to the their privacy.

For users outside EU, it seems to be more of a case of financial damages, which I believe could make a substantial enough class action lawsuit to drive some of these publishers eventually out of business. Especially in the case of enterprise users, where a mitigation of malware related cyberbreaches may cost tens or hundreds of thousands.

What the big publishers don’t understand, is that they are playing directly in to the hateful propaganda[7] of IAB’s Randy Rothenberg and a select few in adtech, such as Ben Barokas of Sourcepoint. Before joining IAB, Randy was with the Booz Allen Hamilton and Ben Barokas is known to be “very aggressive” even by adtech industry terms. While this helps us understand why they are stuck with their angry fear mongering, it does not explain why big publishers are voluntarily following it.

Where as IAB is in an existential crisis, having under its watch allowed the evoluation of both the biggest cybercrime industry (advertising fraud) and the ad-block-alypse, Sourcepoint and other anti ad blocking companies have very little to lose in the first place. The big publishers on the other hand have everything to lose, and the internet age has proven that even catastrophic losses are not uncommon.


One of the arguments that have been used, namely by the two before mentioned individuals, is that idea of ad blocking being an attack against freedom of expression. While it is clearly understood that such rhetoric is highly effective in inciting others, it does not explain why big publishers are taking the risks they currently are.

http://adage.com/article/digitalnext/ad-blocking-unnecessary-internet-apocalypse/300470/ [8]

If it’s really about freedom of expression, then how come NYT and others are conducting anti ad blocking activities selectively? Not only they are themselves claiming to do so, but this can be easily evidenced for example by going to the same publisher page with different combinations of browser / history / VPN location. I might not understand US constitution enough, but this sure sounds more like making money than upholding the constitution.


The cease and desist letter[9] goes on to complain how Brave is not making it clear how much they will share of the ad revenue with the publishers. This has two issues:

  1. The information is very clearly stated on the Brave website [10]
  2. The way ads are being sold in the formal internet advertising eco-system, big publishers often have no idea about the share of revenue they get from the ad network who is selling the inventory on their behalf

I have never seen any ad network or other platform state its revenue share model as clearly as Brave does on its website:

It is very important to understand that virtually no ad network gives 55% to the publisher. I’ve never heard of one who takes less than 50% for themselves (Brave takes 15%), and there are often many more middle-men between the advertiser’s investment and the publisher’s payout. As it was originally highlighted in the World Federation of Advertisers Guide to Programmatic Media in 2014[11] a typical programmatic buy for example results in 40% or less going to the Publisher.

Many of the programmatic buys actually involve an ad network in addition to the exchange (as in the above model), which means that the publisher may end up getting 20% or less.


Unlike it is the case with ad blocker companies, big publishers have the opportunity of seeing Brave as a partner. Big publishers create real value in the eco-system, and Brave is not denying it, but clearly aknowledging it with its generous 55% revenue share, itself keeping less than 1/4 of the share for example Google keeps from the same publishers. Unlike many of the parasitic middle-men that are now eating the publisher’s share of the of media investment dollars, Brave is creating substantial value for internet users. In addition to this, there are three primary arguments to why publishers should consider Brave as a partner, and not an enemy:

  1. As opposed to plain vanilla ad blocking that just kills the publisher’s revenue, Brave has the potential for making the publisher money.
  2. Brave users will not be suing the big publishers later for damages caused by malvertising attacks perpetuated by the uncontrolled adtech tag eco-system[12]
  3. Brave users, while still contributing to the cost the big publishers bear from producing content, are not compromising the security of their devices, and with their devices the security of their work places and ultimately the society

In the light of these points, while the big publishers, IAB and the advertising technology industry are helpless with the growing malvertising epidemic, it seems fair to argue that Brave is the best thing that could have happened to the internet advertising industry, and responsible internet users, at this difficult time.

To highlight the disconnection between what is happening in respect to malvertising actually becoming a major vector for malware delivery, including ransomware, and the internet advertising industry taking the needed actions to mitigate gate it, I feel responsible to share an insightful anecdote. Just two weeks ago in a conversation with IAB Sweden’s CEO Charlotte Thur, it came out that she did not know what malvertising is. Yet IAB Sweden had already committed to the first-in-the-world member-wide anti ad blocking program[14].

Publishers aggressively fighting against ad block usage, while malvertising attacks are going through a period of explosive growth, is in effect making their own society less secure and more economically ineffective. For example ransomware attacks have been effecting police stations[15], hospitals[16] and even critical infrastructure[17].

For malvertising based ransomware attacks, the only systematic protection available today is ad blocking, total blocking of Javascript, or using Brave browser. Out of these the only one that makes sense to the big publisher in both the short and long term is Brave. While for the same publishers, plain vanilla ad blockers or total script blocking make none in any timeframe.

The fact that Brave is built and led by the person who founded Mozilla and invented Javascript is a massive bonus, as its very unlikely for the big publishers to see a better “offer” coming along anytime soon.

If you liked this article, it would be really great if you can share it by hitting one of the share buttons (or other way). Thank you very much.




[3] https://blog.malwarebytes.org/threat-analysis/2016/03/large-angler-malvertising-campaign-hits-top-publishers/

[4] http://www.adweek.com/news/press/new-york-times-might-ban-users-who-use-ad-blockers-stuff-not-made-free-169828


[6] https://www.linkedin.com/pulse/geste-starts-illegal-war-readers-alexander-hanff

[7] http://adexchanger.com/ad-exchange-news/why-i-hate-the-ad-block-profiteers-iabs-randy-rothenberg-details-ad-blocking-counterstrike/

[8] http://adage.com/article/digitalnext/ad-blocking-unnecessary-internet-apocalypse/300470/


[10] https://www.brave.com/about_ad_replacement.html?brave_placeholder

[11] http://www.wfanet.org/media/programmatic.pdf

[12] http://thankyouforadblocking.com

[13] http://botlab.io/malvertising-a-serious-threat-to-internet-users-business-and-society/

[14] http://digiday.com/publishers/swedens-publishers-gearing-block-ad-blockers/



[17] http://www.ibtimes.co.uk/israel-electricity-board-crippled-by-ransomware-cyberattack-causing-widespread-panic-1540615

About the Author

Leave a Comment:

Leave a Comment: