August 15, 2018

Striking a balance between advertising and ad blocking

In the news, we have a consortium of French publishers, which somehow includes several major U.S. corporations (Google, Microsoft), attempting to sue AdBlock Plus developer Eyeo, a German firm with developers around the world. I have no idea of the legal basis for their case, but it’s all about the money. AdBlock Plus and the closely related AdBlock are among the most popular Chrome extensions, by far, and publishers will no doubt claim huge monetary damages around presumed “lost income”.

First off, it’s important to understand just how invasive and unpleasant the advertising industry has become. I put together a one hour talk about this, in late 2012, for a conference that was hosted by the Federal Trade Commission. In short, advertisers go out of their way to profile you and learn as much about you as possible. In some cases there’s an auction that occurs in the space of milliseconds to maximize the value of the advertising being shown to you.

There’s a huge ecosystem of companies that sell services to the advertising marketplace, both on the web and on mobile. Those ads you see inside your apps? They’re just web pages, using all of the same mechanisms, but with additional bonus privacy concerns, such as capturing your GPS location or reading unique hardware identifiers from your phone.

Ad blocking technology benefits: Ad blockers, on mobile and on the web, are a simple mechanism that pushes back on this invasive behavior.

Android ad blocks forbid your phone from connecting to specific DNS names, although Android users can add on the remarkably detailed XPrivacy extension or can install a third-party variant of Android called CyanogenMod which includes the user-friendly PrivacyGuard feature (read more on those in a nice article on XDA Developers).

Web browser ad blockers are quite sophisticated. Even when advertisers use crazy obfuscated JavaScript to hide themselves, the blockers just wait for the ads to show up somewhere on the page and then remove them when they appear.

Ad blockers have all sorts of benefits to their users. Turns out that advertising uses a significant fraction of the power budget of your mobile phone. Remove the ads and you get longer battery life (gory details, see: Vallina-Rodriguez et al. 2012, Pathak et al. 2012). But wait, there’s more! A significant number of Android apps request networking privileges solely for the purpose of fetching advertising and it’s getting worse over time (see my own work on this: Shekhar et al. 2012, Book et al. 2013).

The more security privileges an Android app has, the more that minor bugs can be abused to become significant security vulnerabilities. If an app doesn’t otherwise need full network access, why should it have that privilege at all?

Privacy and ad blocking technologies consequently improve a user’s security posture, save power, and improve page loading times. What’s not to like about that?

But, but, but… ad revenues: Yes, advertising pays the bills. Way back when, there was a time that we thought micropayments would solve the problem, but instead of micropayments flowing from users to publishers through some clever cryptographic mechanisms, we instead have those payments flowing from advertising services to publishers, through pedestrian accounting mechanisms.

If users block ads, then publishers can claim “lost revenues”, right? Astute readers will notice that this sounds much like the claim that software piracy leads to lost revenues, and will recognize just how bogus this claim is. For example, if we could reduce piracy on Adobe Creative Suite to zero, would all those graphical design tool users buck up and pay Adobe thousands of dollars? Dream on. They’d instead become aficionados of much cheaper tools, such as the remarkably good Pixelmator. Similarly, people who block advertising are precisely the sorts of people who are least likely to click on ads. If you force them to see ads, they’ll hate you and won’t click anyway. Advertising revenues are largely based on clicks. No clicks, no revenue.

So how, then, can we solve the problem?

The dream world: Right now, web and mobile advertising build on a slew of mechanisms that were never expressly intended for them, and they operate largely without any regulation as to what’s okay and what’s verboten. My proposal is simple. If you want to require me to see your ads, then you need to be regulated as to what information you’re allowed to collect about me, what you’re allowed to do with that information, how much of my power budget you’re allowed to consume, and how visually intrusive you’re allowed to be. For example, in our own work (Shekhar et al. 2012), we considered how Android might offer advertising as a top-level system service that could ration power and avoid privilege bloat from advertising libraries.

In short, we have the technology to regulate advertising and make it operate in a more secure, more power efficient, and more privacy-aware fashion, but that technology needs to be built into the platform if it’s going to have any measure of success. If we’re going to resign ourselves to a world of advertising-supported content, then we need to meet in the middle. User-level technologies like ad blockers or nation-state regulatory authorities can curb the current excesses of the advertising industry, and purpose-built alternatives can provide necessary revenues.

Comments

  1. Nelson Minar says:

    It’s a great essay and I’m firmly in favor of ad blockers myself. But I think you may be wrong about lost revenues. First, there is still an enormous display advertising industry that doesn’t care about clicks at all. Second, there’s also an enormous tracking industry that doesn’t even care so much about displaying an ad as just planting a cookie in your browser to follow you around the Internet; ad blockers disrupt that business. But most directly, I think you’re wrong about pay-per-click ads too. Your hypothesis is that someone who runs an ad blocker would just not click on the ads if they were deprived of that blocker. I suspect you’re wrong about that, advertising is remarkably insidious in getting people’s attention even if they think they are immune to it. I’m just guessing but it’s a testable hypothesis; it wouldn’t surprise me if a company like Google has data on that experiment.

    I think ad blockers do genuinely deprive site owners of revenue. That doesn’t mean we should prevent ad blockers. Advertising is fundamentally a consumer-hostile business and consumers should have the right to protect themselves.

  2. Josh Tauberer says:

    Hey,

    On most platforms, there’s nothing that requires you to see ads. As with most of the pernicious problems in privacy (if not the world at large), users choose to use apps and websites that have ads because, on balance, and to the best of their understanding, it’s a net benefit for them. The problem here isn’t that things are being imposed on consumers. (I mean, certainly that happens too, but that’s much less common.) It’s that the information available about privacy consequences, and things like awful permissions UIs, are so bad that the deck is stacked against consumers.

    The argument for regulation stands on its own. You don’t need to make it contingent on a (false) requirement to view ads.

    Also, I don’t think ad blocking has anything to do with regulation. Unless you want to regulate ad blockers too. If a publisher agrees to serve privacy-protecting ads, maybe the consumer should agree in return to not block the ads?

  3. I’m worried that the first link to the softpedia article looks very much like a native advertising.
    Their link to AdBlock is simply a link to their own page with download links, probably infected with other ads.

  4. Mihai Christodorescu says:

    You said:

    “If you want to require me to see your ads, then you need to be regulated as to what information you’re allowed to collect about me, what you’re allowed to do with that information, how much of my power budget you’re allowed to consume, and how visually intrusive you’re allowed to be.”

    Let us say new regulation is drafted for this. The regulation would necessarily included some hardcoded limits on information collection, on PII processing, on power usage, and on visual intrusiveness. Can you give some examples on what regulated levels would be acceptable to you? I am primarily interested to hear about non-trivial examples (i.e., zero collection, zero PII, zero power, zero intrusion are not useful answers).

  5. David Evans says:

    I don’t really get this — seems like you are saying that as a content user I’ve made some implicit agreement with the content provider to support their revenue model by allowing my browser to display ads embedded in their content. Since their actual revenues depend on clicks (at least for many advertising models), am I obligated to also click on my fair share of the ads they display? Ultimately, the revenue base for advertising depends on the effectiveness of ads changing consumer behavior, so I really should be obligated to actually buy something from their advertisers. According to your argument, I’m relieved from that obligation because the advertisers are mostly unregulated, but if they were regulated a bit (how much more regulation would be enough?) then I’m back to being required to give my attention to and click on their ads.

    I’d much rather a simple argument that says people have the right to control what software runs on their devices and do what they want with packets coming into their device (including drop them if they so desire). There should be laws limiting what we send out into the outside world, but we should have freedom to do what we want with things we own and packets that are sent to them.

  6. The underlying cause for using ad blockers is the lack of respect to users from advertisers & publishers, and everyone in between (i.e. the data collectors & brokers). When users are the product and are bombarded with very intrusive ads, it was just a matter of time until the ad-based model that funds the free web breaks down completely.

    At Stands we’re trying to build a different model where the user is respected and the publishers don’t have to “fight” the user and/or sell him to advertisers. We’re flipping the model so that advertisers have to “sign” the user’s terms of service if they want to advertise on her browser. They have to agree to use “polite” ads, so no pop ups or ads that hide the content, and they agree to sponsor the cause the user chooses (and no tracking!).

    So for example, if I’m vegan I can donate to animal-rights organizations every second online since I have Stands on my browser instead of an ad blocker, I don’t have to spend a dime doing it, and my browsing became much more pleasant and secure(i.e. private). The Stands extension makes sure I’m not being tracked, it pays the publishers from the ads that I see, and it pays the causes I chose to support – it’s a win/win/win.

    Check it out here: http://imagine.standsapp.org/animal-rights/

  7. Simple.
    If the ads come from “freedom-to-tinker.com” instead of “plaid-suit-salesman.com”, I would not bother to try to filter them.
    This could be done via proxy, but there might be a problem with tracking and cookies.

    Ads can be great. There are things which could really improve my life I don’t know about.

    Instead, I get ads for irrelevant things (given that I’m a male with proper anatomy, certain products I have no interest in), or a site where I’ve gone to and already have things in my cart echoed in redundant ads.

    I don’t think I would have a problem being subjected to a relevant ad to support a site.

    Instead I’m subjected to annoying and irrelevant content (I’ve not been fed actual malware or exploits). fed from strange site that uses flash and javascript and makes it take a minute to load from the dozen sites (maybe requiring HTTPS and zapping certs for the ad providers would help).

  8. Hello it’s me, I am also visiting this website on a regular
    basis, this site is in fact nice and the viewers are actually sharing nice thoughts.

  9. John Millington says:

    ” If you want to require me to see your ads, then you need to be regulated as to what information you’re allowed to collect about me, what you’re allowed to do with that information, how much of my power budget you’re allowed to consume, and how visually intrusive you’re allowed to be.”

    Quid pro quo, the basis of civilization.

  10. I am one of those people who will not click on an ad. I also have always been security conscious. Way back in the day when the web was new, I refused to accept cookies. Then as the advertising driven business model took hold, it became impossible to function on the web without accepting them. Ads are at best a colossal annoyance, at worst a spear phishing attack and anyways any rational person would get creeped out with the level of intrusion required for targeted ads. I have no hope that advertisers will stop trying to get me to do something that I have good reason to consider a threat and so I just choose not to see them.

  11. I’ve found that NoScript already blocks about 90% of ads, while also making my browsing experience much safer. But that’s because the advertising industry has a “must take everything” approach that can only be fulfilled by running a dozen tracking scripts on every website.

  12. Marvelous, what a web site it is! This web site gives helpful facts to us,
    keep it up.

  13. Hey there! Quick question that’s completely off topic.
    Do you know how to make your site mobile friendly? My weblog
    looks weird when viewing from my iphone. I’m trying to find a theme or plugin that might be able to fix this problem.
    If you have any suggestions, please share. Cheers!