December 16, 2017

Has Apple Doomed Ads on the Web? Will It Crush Google?

Recently Apple announced that, for the first time ever, ad-blocking plugins will be allowed in mobile Safari in iOS 9. There has been a large outpouring of commentary about this, and there seems to be pretty broad agreement on two things: (1) this action on Apple’s part was aimed at Google and (2) for publishers this will be something between terrible and catastrophic.

I believe that people are making these assessments based on a lack of understanding of the technical details of what is in fact going on.

For the most part, the public does not appreciate the extent to which, when a web browser visits a typical site, the “page” being served comes from multiple parties. Go to a typical e-commerce site, and you will find pixels, trackers, and content from additional servers, from a few to dozens.  These produce analytics for the site owner, run A/B tests, place ads, and many other things. There is even a service that knows what size clothing to sell. It is these services that are the target of ad blockers.

The reason ad blockers work is that the industry has made a standard method of ad placement, which is trivial to implement for the publishers and e-commerce web sites. Ad serving is fully browser-based, so the publishers have to do nothing more than install a line of code in their html pages that pulls in a javascript file from the ad company’s server. Once the javascript is in the web page, the ad company takes care of the rest: it figures out what ad to display and injects it into the page.

Aside from the simplicity for the publisher, this architecture has an additional advantage for the ad company: they can track users as they go from site to site. Since the web page is pulling in a javascript file from the ad company’s server, that site is able to set a permanent cookie on the user’s browser, which will be sent every subsequent time that user goes to any site that uses the services of that ad company. Thus the ad company is able to accumulate lots of data on users, without most people knowing. In some cases, people’s objection is not to the existence of ads per se, but the secret and unaccountable way in which data is collected.

It is this architecture however that renders the ad vulnerable to the blocker. In fact, ad blockers have existed for desktop browsers for a long time.

So there is nothing really new under the sun, just the growing popularity of the tracker/ad blocking software. If the use of these plugins becomes ubiquitous, only one thing would have to change – the publishers would have to insert the line of code in some way on the server side, and the ad would just look as though it came with the rest of the page. At that point, the browser plugin is useless.

What would be the knock-on effects of this? The ad companies no longer have any way to track users as they move around the web. Absent some way on the ad companies’ part to implement a cross-site evercookie (which would be considered unethical and would quickly be blocked by browser authors if discovered), the ad companies will no longer have a way to connect users on one site to users on another. The ads you’d see on a given site could be based solely on the interactions you’ve had with that one site – which would be a boon to privacy.

This is a change, for certain, but probably not the apocalypse for publishing it has been made out to be. There will be a rush to develop ad-placement technology for the server side as there was on the client, but when all settles down it will be pretty easy for the publishers to implement.

It’s even arguable that in that world of anonymous web surfing, the better web properties would be able to charge higher rates – absent spying on the readers, decisions about the value of ad placements would be based on the demographics of the readers of the site – just as for offline properties.

That being said, if you ever reveal your identity to a web site (for example by entering your e-mail address) that site could set a cookie so as to remember who you are. From that point on, information could quietly be sent to the ad server, perhaps storing all the URLs you visit on that site.

So, in the end, this change actually may be a boon for Google. If it’s really true that tracking users is so valuable for ad placement, Google has an advantage the other ad companies do not: many millions of users using Gmail and the Chrome browser, both of which Google controls. If you use Google’s e-mail, Google knows what links you are getting sent from advertisers. If you click a link in a Gmail message going to a web site with Google serving ads on the back end, you can arrive at the site with Google already knowing who you are. (This can be done unobtrusively using the http referrer header.)

Even if you don’t use Gmail, you may sign in to Chrome to sync your data across devices. This uploads information to Google’s servers so it can be sent to other devices, such as your Android phone. One of the things that can be synced is the browser history. If this is done, Google – and no one else – will have the same information they would have collected with browser cookies.

If Apple is looking to damage Google, their plan may backfire. No one else, not even Facebook, has a chance of matching this.

Comments

  1. I introduced a colleague to Ghostery recently and he was amazed at how much faster pages loaded, just because of how long it takes for all the advertisers scripts and images to load. On my older iPad the time it takes for the JavaScript to run also seems to be a factor, my Chrome browser is frequently freezing for a second or so while I’m in the middle of scrolling a page. I also object to adverts that have any kind of movement or change, they distract the brain, making it harder to concentrate on the content that I want to read. I use a blocker for these reasons, not quite so much for the privacy aspects; if I never see their adverts they can’t influence me through them anyway, so it matters less how much they (think they) know about me.

    • Mitch Golden says:

      Those of us who are concerned about tracking are worried about what might be going on *beyond* the stuff you see. For example, if you visit job search sites, will your employer find out? Or sites discussing a disease you might have?

  2. The change to server-rendered ads would be technically possible – that is interesting. A switch like that would be catastrophically disruptive for the industry. If people really did undertake server-to-server ad placement integrations on a large scale, the disruption would create new winners and losers, as various parties race to create solutions.

    You’d see a difficult cat and mouse game, as ad blockers would not give up the fight at hostnames; they already develop and maintain filters for URL paths, CSS selectors (such as image sizes)… if, say, 75% of Apple users installed a decently effective modern ad blocker, it would not be a pretty scene for publishers or ad tech vendors, regardless of who could ultimately prevail.

    Publishers and ad networks would fall back to IP+UserAgent tracking if deprived of other options… (https://www.eff.org/deeplinks/2010/01/tracking-by-user-agent).

    None of this has happened so far despite desktop ad blocking being a thing for years. The key assumption is that mobile ad blocking will be more popular, to the point of spurring big changes. It seems reasonable to expect that it will be, due to hardware and network limitations that also reduce the mobile web to such a small percentage of user time on iOS to begin with… but how much so exactly? Has anyone seen stats on adoption yet?

    • Mitch Golden says:

      To reply to these points, in order:

      *) Precisely – there would be winners and losers in such a disruption. My point is that Google is very well positioned to be a (maybe the) winner.

      I want though to point out that I retain the lurking suspicion that all of this spying is not worth all that much anyway. That is, an ad network that was being smart with limited data could do as well or better than what is being done now.

      *) Yes, there would be a cat and mouse game – one that in the end the ad servers would be pretty well positioned to sustain and win. In the current architecture, there’s nothing the ad provider can do to stop the browser from blocking. They mostly don’t try because up til now, most people aren’t bothering to block.

      However, the sorts of things you propose for the blockers would be extremely difficult to maintain in the face of a determined ad company. The ad company can change the CSS – from site to site, from page to page, probably even from request to request. They don’t have to standardize the sizes of the images. Or if they do, they can work with the publisher to make sure the images match the standard sizes of the images on the web pages so that blocking them means blocking the content itself. Once they start doing these things, the level of effort needed to sustain a successful blocker would rapidly become too costly to sustain.

      Moreover, many of the authors of ad blockers would not follow into the exercise you describe. Many of these browser plugins (such as all the ones I use) are focused on blocking *trackers* not ads, such as Ghostery, mentioned in the first comment, or EFF’s Privacy Badger.

      In fact, once the ads are coming from the server, it’s likely that one of the major complaints, that the page load times are lengthened, would be diminished anyway, because of the drastic reduction of the DNS lookups and loading of large javascript files.

      *) It is true that there are various techniques to track identity without the use of cookies. While they work technically, they are not broadly considered ethical. So while a site here of there might be able to use them, a real business attempting to scale and have mainstream clients would not be able to take this sort of risk. As a good example, last year it was discovered that people were being tracked with HTML5 canvas fingerprinting.

      https://en.wikipedia.org/wiki/Canvas_fingerprinting

      It was discovered that the vast majority of these were coming from a company called addthis.com. When they were caught out, they swiftly backtracked, claiming that it was all just R&D, and stopped using the technique.

      http://www.addthis.com/blog/2014/07/23/the-facts-about-our-use-of-a-canvas-element-in-our-recent-rd-test/

      If it is known that anyone is using these sorts of things seriously in the wild, the browser authors would likely change the browser to defeat them.

      *) As I stated, there’s nothing new about ad blockers. They just seem to be becoming more accepted and popular. I don’t know any statistics, but I have read that they are quite popular in the Apple app store.

  3. This is a very thoughtful article. Thank you. With respect to it being unethical, potentially, but not illegal. Companies who are not ad server technology companies have been frustrated historically by ad server technologies possessing the ability to aggregate user behavior and therefore construct a user profile across sites. Without in depth knowledge of specific browser implementations of cookie handling, a single cookie to track you delivered by the ad server to the server being interacted with by the browser seems rather simple. As users move from site to site, those sites with the same relationship to the ad server could read the cookie and deliver the information to the ad server.

    Apple may have given companies leverage to better negotiate the exchange of data to facilitate this and therefore increased the distribution of an individual’s profile. How this is unlikely given competency of ad server companies. If Apple, or anyone, is to succeed in preventing profiling it must lobby.

    As for the display ads, preventing retrieval from other sites is so brittle that it is not likely to succeed given the way sites are built today.

    Perhaps this is all much ado about nothing.

    • Mitch Golden says:

      When I say cross-site evercookies are considered unethical, I am referring to this view: If someone expresses the desire not to accept a cookie, the server should not make use of various technical loopholes (such as the ones David and I discussed above) to try to accomplish the same thing by alternate means.

      I believe that the browser authors would consider the ability to do this as a security hole, and would respond accordingly. Firefox in particular has been quite out front on these issues, even in the cases where no desire not to accept cookies has been expressed.

      I don’t know precisely what the legal situation is with respect to these things, and I suspect it’s likely different in the EU than the US.

      One note: perhaps I am misunderstanding you, but you appear to be saying that all the sites using a particular ad server can share the same cookie. That is not possible with an ad blocker in place. The ad blocker prevents the cookie from being set by the ad company itself, and the different sites can’t read each other’s cookies.

  4. No. I crushed Google and all online advertising industry.
    Being structured advertisements search for people by themselves, based on their profiles of structured data – the ads search for you within your computer, you DON’T search on Internet! That guarantees you 101% privacy!
    How?

    I discovered and patented how to structure any data. (For more details please browse on my name ‘Ilya Geller’.)
    For instance, there are two sentences:
    a) ‘Pickwick!’
    b) ‘That, with the view just mentioned, this Association has taken into its serious consideration a proposal, emanating from the aforesaid, Samuel Pickwick, Esq., G.C.M.P.C., and three other Pickwickians hereinafter named, for forming a new branch of United Pickwickians, under the title of The Corresponding Society of the Pickwick Club.’
    Evidently, that the ‘ Pickwick’ has different importance into both sentences, in regard to extra information in both. This distinction is reflected as the phrases, which contain ‘Pickwick’, weights: the first has 1, the second – 0.11; the greater weight signifies stronger emotional ‘acuteness’; where the weight refers to the frequency that a phrase occurs in relation to other phrases.
    So, data is structured for personal profiles, any information and ads.
    Google and all search engines, advertising agencies on Internet are over.

  5. The industry crushed themselves by making websites so painful to load on phones.

  6. it’s been easy to block ads on android for years. all you need is Firefox which supports adblock extensions.

  7. Tezuka / http://www.computershowto.pro says:

    The single biggest problem in apple’s and adblocker’s minds is TRACKING. Well then, first of all, tracking is UNNECESSARY on niche sites, meaning that client-side serving of ads is simply stupid. If I have a site about auto tuning , motorcycles, and such, it’s likely that I can have a few server-side ads from the local tyre shops, or national tyre shops, that would obviously be a good match to my site’s content. I’m prepared already for the time when Google realises this, and gives up the tracking practices. Ads are ok, are necessary, and I’m not just talking about the publisher’s revenue here, not having ads and expecting any economy to function is plain stupid. Ads KEEP THE ECONOMY, businessess, jobs, in existance. Killing them (the ads) kills millions , hundreds of millions of jobs worldwide.