Advances in Ad Blocking

Ad blockers represent the largest consumer boycott in human history. They’re also an arms race between the blockers and the blocker blockers. This article discusses a new ad-blocking technology that represents another advance in this arms race. I don’t think it will “put an end to the ad-blocking arms race,” as the title proclaims, but it will definitely give the blockers the upper hand.

The software, devised by Arvind Narayanan, Dillon Reisman, Jonathan Mayer, and Grant Storey, is novel in two major ways: First, it looks at the struggle between advertising and ad blockers as fundamentally a security problem that can be fought in much the same way antivirus programs attempt to block malware, using techniques borrowed from rootkits and built-in web browser customizability to stealthily block ads without being detected. Second, the team notes that there are regulations and laws on the books that give a fundamental advantage to consumers that cannot be easily changed, opening the door to a long-term ad-blocking solution.

Now if we could only block the data collection as well.

Tags: adware, data collection, rootkits

Posted on April 25, 2017 at 12:07 PM • 66 Comments

Comments

My Info • April 25, 2017 12:24 PM

Now if we could only block the data collection as well.

Technological approaches such as https://panopticlick.eff.org/tracker and https://www.privoxy.org/
Follow the dollar. Hope that blocking the ads starves the advertisers / malvertisers for revenue so that it is no longer profitable to collect our data.

Michael Argast • April 25, 2017 12:28 PM

Privacy Badger.

AlexM • April 25, 2017 12:38 PM

Now if we could only block the data collection as well.

That’s the biggest problem. I don’t mind static ads, unless they are not excessive. It’s the fact that several dozen of other questionable sites learn that I visited a page that I have a problem with and why I use ad blockers.

George • April 25, 2017 12:42 PM

I’m very concerned about the recent announcement that Google will add ad-blocking (like) functionality to an upcoming release of Chrome. That’s right: An advertising company will decide which ads websites are allowed to show to you. Where is the DoJ?

Cvnk • April 25, 2017 12:42 PM

As far as I know the internet isn’t subject to a single set of regulations so this technology will only work on sites that are hosted in countries that do force ads to display these identifiers. I have no idea what percentage of the internet that would cover.

Also, the proposed idea of letting ads interact with an invisible copy of a web page while the user sees a cleaned up version doesn’t seem like it would properly protect users from malware. If the embedded code is still executing won’t that be a problem?

Jan Willem • April 25, 2017 1:08 PM

The biggest problem is data collection. I don’t care moderate ads (not popups, just small part of screen) and I don’t care that I will be connected to a website if I click the ad, but I don’t like that just the fact that I visit the page, my data is collected by 3rd parties. Especially the fact afterwards you’re data is sold to others.

Rhys • April 25, 2017 1:37 PM

IMHO- this is not a technology issue. Its a business issue.

Which is why I believe this topic has become somewhat misdirected.

This is no different than CATV/Satellite/ISP providers “bundling”.

The right to “surveil” completely unfettered, forever, assumes that the initial grant of access to view a web page was a bargain well understood by users in the first place.

Then there is no subsequent “opt out” (right of recision). They are “in” in your knickers forever.

I am exploring Princeton’s adblock technology at the moment. Anyone else tried it?

As to exfiltration, my hosts block any outgoing encrypted form that doesn’t meet criteria. (e.g. its not on whitelisted, it cannot be scanned by pattern/filter of sensitive data, destination URL is not whitelisted, cross-scripting active, honey-pot ‘hit’…etc.)

A few servers have R. North-style dis-information.

If the data can be made increasingly suspect, the value will erode. The freebooters will have to find a different route to riches.

Tony Pelliccio • April 25, 2017 2:08 PM

Well you can obfuscate the data collection. I signed up for a lifetime VPN service and my traffic can flow through any point in the world. Of course things like Netflix and Hulu complain loudly when I’m coming in from Montreal but that’s a small price to pay.

Rhys • April 25, 2017 2:24 PM

Mr. Pelliccio, have you tried an “alternate” DNS? And/or defeating “who is my referer”?

Sometimes the ‘compliant’ is a ruse to mask what they know. Leaving you with a confidence that you would not otherwise have.

Much as Sir Francis Walsingham did for Mary, Queen of Scots.

Clive Robinson • April 25, 2017 2:28 PM

With regards,

First, it looks at the struggle between advertising and ad blockers as fundamentally a security problem that can be fought in much the same way antivirus programs attempt to block malware

I regard all adverts as “malware” as the default position these days.

Secondly I also regard the advertisers as thieves in several ways.

Thirdly I regard having to run “javascript” or any other interpreter for what is compleatly unknown thus untrusted code on my machine to be a Red Line.

Which as I used to be involved with revenue based online services in the past might appear to be supprising.

The reason we have unconstrained advertising in the hands of just one or two major players is in fact due to the failure of economics. Specifically the assumption of Distance Cost Metrics alowing independent markets to form as a result of being distributed thus the local person has a lower cost advantage…

There is no distance cost metric with the Internet that either leaf content suppliers or leaf content consumers see. They just pay a time/quantity not distance rate.

Thus there is a global single market which as is the way of these things it’s control falls into the hands of just one or two players.

These players will use their position as with any monopoly to form the market in their favour, by fair means or foul. Usually the latter.

Thus if a major player such as Google say they are going to put technology in their products that at first sight would appear to kick the legs of their financial model you should be asking why? And to treat it as a poison pill untill you know otherwise.

A number of ad-blockers have and still continue to be poison pills, in that they have a behind the scenes agreement to allow “approved advertising” through. The problem is that the “approval aspect” has nothing what so ever to do with checking that the ads are not in anyway harmfull, it’s all to do with payment, that is likewise not checked.

Thus somebody with an exploit can make a payment to some ad-blocker organisations to let their “ad” with exploit inside through. Provided the exploit payload does not make it’s self obvious then there is a high chance that they will not be caught out.

The only protection against this is not to alow the exploit into your system… Which means turning off the likes of javascript and the downloading of image files… You don’t get the malware, but you don’t get much of what the WWW was about without images and other “rich” data, nor do you get some types of functionality.

Personaly I’ve found that turning off javascript is acceptable to me, if a site such as slashdot / utube require it I don’t use the site plain and simple, the loss is not sufficient to tip the scales into me alowing javascript even on a site by site basis.

The fact that Google is making more and more of their services “javascript dependent” should be a major red flag to people. Because it tells you they are giving up on advertising and going for spying as a revenue model…

Which is sort of what has been predicted for some time. But people want to fight the wrong battles, in the same way a dog goes after the stick not the person who threw it and they are now heading off elsewhere unscathed as the dog runs away.

My Info • April 25, 2017 2:37 PM

But people want to fight the wrong battles, in the same way a dog goes after the stick not the person who threw it and they are now heading off elsewhere unscathed as the dog runs away.

A bullet killed the wrong person. So politicians want to ban ammunition. But that bullet was fired from a certain type of gun. So they want to ban the style of firearm that shot that bullet. But oh, no, they can’t ban the person who pulled the trigger….

That’s the red line.

“You see, we have a gentlemen’s agreement in the U.S.A. Street gangs and homeboys are allowed by a wink and a nod to possess firearms, since we depend on them for certain ‘protection’ which law enforcement cannot afford us. But we cannot allow ordinary folks to possess firearms, since then they might fall in the hands of criminals.”

David Leppik • April 25, 2017 2:42 PM

I don’t see this as useful to consumers, since it does nothing to stop tracking or speed up page loads.

I do see it as useful to advertisers. If they can get people (including their employees) to run an ad detection plug-in, they could use it to audit ad networks to make sure that the ads they pay for are getting shown on the page where they are promised.

Wael • April 25, 2017 2:56 PM

Which link points to the paper?

ab praeceptis • April 25, 2017 3:08 PM

Clive Robinson

I fully agree. I also consider ads as spam and actually driving me away from a company.
Moreover I not only, of course, use spam filters, but also have developed the habit of a) immediately closing pages with more than very modest advertising and b( to blacklist companies who are particularly obtrusive or who have particularly nasty ads or who try to enforce deactivation of ad blockers and similar criminal attitudes (that’s how I see them, as criminal intent).

Erdem Memisyazici • April 25, 2017 3:16 PM

Why block ads when you could randomly click them? Here’s an academic thought experiment.

Implement a good random source (secure random + current nanos?).

Detect ads in a browser.

Fire off an “iminterested” thread which clicks and ignores the response of the ads on behalf of the user.

To the user, nothing seems different. They can even go ahead and click the ads should they wish.

What this would accomplish would be to make the value of the data collected worthless, theoretically making the entire purpose unreliable.

Slime Mold with Mustard • April 25, 2017 3:23 PM

@ Wael – Link: http://randomwalker.info/publications/ad-blocking-framework-techniques.pdf

@ Clive – With javascript off, I rarely see ads. The few I see are horribly off target. I does rankle me some times when our valued commenters here link to YouTube without even a synopsis. Slime’s Rule: If it was important, someone typed it out.

Wael • April 25, 2017 3:27 PM

@Slime Mold with Mustard,

Thank you!

Jim Duba • April 25, 2017 3:40 PM

I think a combination of approaches is best. Noscript is essential, I’ve used adblock plus, request policy has been useful, and for years I’ve been modifying my hosts table with this: http://winhelp2002.mvps.org/hosts.htm which may be the best ad blocker of all. I don’t think it will ever be 100%, but I’m not annoyed by ads very often. If I am, well that will be a web site I don’t need to visit.

OpalH • April 25, 2017 4:30 PM

The most effective way to block data collection is to make it meaningless to the advertisers. Providing aliases for PII is a good first step, so your name and SSN doesn’t float in someone’s Excel.
Pushing towards this way, they will be forced to hone their efforts in making the ads meaningful. Hence, we’d all be getting a valuable service, which doesn’t happen that often. And whether we like it or not, marketing works!

Full disclosure: I work on a product that generates online profiles: AlterEgo

Daniel • April 25, 2017 5:48 PM

@Bruce, “Now if we could only block the data collection as well.”

Says the person who proudly runs Windows 10.

Clive Robinson • April 25, 2017 6:18 PM

@ Erdem Memisyazici,

Why block ads when you could randomly click them?

It’s not a good idea.

Firstly to have any real effect you would have to click on quite a lot of the ads. This would have a detrimental effect on your bandwidth at the very least

But further because clicking on an ad is not necessarily “risk free”. Just assume for a moment that there is some kind of malware behind the click action. If you never clicked you would not suffer the consequences if you randomly click there is a probability that you would be effected. That probability increases the more ads you click on.

Systate • April 25, 2017 6:56 PM

@ Clive Robinson
lol i always love reading your comments.That literally cancels out a lot of the internet. Then how will i get my cat pics? lol. What changed your perspective after working for an ad based company?

Inventing new technique to blocking ads is good but it doesnt solve the problem which is what gives them the right to track my online habits? .Its like playing whack a mole and the mole can come out through millions of holes. While the user is a tired old man. He cannot compete with the mole.

This issue goes back to the heart of the internet. If google business model is survaillance and we do not change the current economic model we are fighting a losing battle. We see this with the internet and we are seeing it with computers.. ahem…intel…

Richard Stallman must be getting tired of repeating himself

Clive Robinson • April 25, 2017 7:12 PM

@ OpalH,

And whether we like it or not, marketing works!

Sorry, that’s “magic umbrella thinking” at best.

People in marketing say such things more as self affirmation and justification for their parasitic ways and faux sense of entitlement than as an honest appraisal of their worth to society.

Take fast food outlet leaflets as an example, nearly all rational studies have shown that more money is spent on printing and delivering the leaflets than is gained by any extra business that is actually generated by them. And that extra business is mostly “luck of the draw” in that people who habitualy order fast food do it from outlets they have always used irespective of leaflets. Thus it is those who are either new to the area or don’t habitualy order fast food that use the first leaflet to hand if they do not use a local directory enquires service to get the details for a branded chain they have used before.

Similar arguments exist for other forms of marketing.

In fact there is an increasing percentage of people that are now taking a contrarian position where they take care not to purchase from those that market in certain ways. As noted above, ad-blockers on the internet is a very clear sign that marketing is not wanted which is why it has become the consumer boycott it currently is.

In the UK there are plans to charge people for taking away some types of refuse like paper. The likely result of this will be a kick back against marketing leaflets and free local newspapers. This has brought up a discussion in the same light as “charging for plastic bags” where some people are saying that all inserts in newspapers and magazines as well as leaflets delivered by the mail services etc should pay 5pence per item to cover the environmental clean up of such leaflets…

Thus little by little marketing people are being increasingly regarded by the general public as parasites at best and anti-social boardering on criminal if not actually criminal.

Clive Robinson • April 25, 2017 7:34 PM

@ Slime Mould… With a touch of piquance.

With javascript off, I rarely see ads.

Yup it’s not just more restfull, it also saves a lot of bandwidth as well. I realy object to bandwidth thieves such as advertisers, I have a dislike for them as much if not more than those early morning or late night door rattling leaf-litterers, who apparently speak no English and appear to be organised by “Gang Bosses” to disturb the peace of the honest (I’ve never been sure if you could get the varmints under Human Rights legislation about the right to a peacful home life, and get the lot of them deported to one of those atols the French use for testing nukes ;-).

smellynewbie • April 25, 2017 7:50 PM

@Clive
I am thinking of getting a new device.
The current one that I have is about $50 bucks. I get hacked A LOT. The intruder repeatedly left hints he/it had hacked me. What can I buy for less than $200?

Clive Robinson • April 25, 2017 8:02 PM

@ Systate,

What changed your perspective after working for an ad based company?

It was not ad based, it was subscription based.

I did some post graduate research into payment methods for raising revenue for academic search services getting on for twenty years ago.

You come down to three basic ideas based on the actual service,

1, Annual or shorter subscription.
2, Invoice for number of searches
3, Pay as you go per search.

As online newspapers and other PayWalled services are finding the first and second models don’t work very well if at all.

The third method needs a new payment method to work. Currently nobody has a universal micro/nano payment system that works without some very strange assumptions.

This then gave rise to looking at secondary revenue raising. The simplest of which would be advertising. Well as many are discovering it does not pay service or content providers. The reason is the disparity between what an advertiser pays to the likes of Google and the sum the service or content provider receives from Google. Thus the only way to make money is to get the advertisers to come directly to you rather than through the likes of Google. Major content providers like the Guardian Newspaper have tried other sources such as syndicating content through the likes of Google and Apple via Instant Articles but are finding it to be unbenificial which is probably why they have just stopped using both Google and Apple.

The real problem that nobody wants to talk about is how to stop the Internet becoming “A winner takes all single market” which is de facto a monopolistic or cartel marketplace.

Drone • April 25, 2017 9:12 PM

I’m working on a Browser that displays ONLY the ads. The output of that browser can then be subtracted from the output of a normal browser, thereby returning your life back to you 🙂

John Smith • April 25, 2017 9:29 PM

Tony Pelliccio wote:

“Well you can obfuscate the data collection. I signed up for a lifetime VPN service and my traffic can flow through any point in the world…”

I abandoned one VPN service after I discovered that it was routing all DNS queries through Google servers. It didn’t matter where the VPN server itself was located.

It didn’t matter how I configured DNS lookups. The VPN server (or should I say VPN Master) overrode any independent DNS service I selected. All queries went to Google.

If Google is collecting your DNS lookups, you can run, but you can’t hide.

Patriot COMSEC • April 26, 2017 12:59 AM

@ OpalH
@ Jim Duba

Good stuff. I’ll have a HOSTS file going before sunset. Alter Ego looks very cool, but I have not figured out how to use it yet. It is a promising idea.

Patriot COMSEC • April 26, 2017 1:03 AM

@ John Smith

I start to despise Google.

I am going to get as many people as I can away from them.

Chris • April 26, 2017 1:49 AM

Hello,
why not turn it the other way round and charge them for using your data for ad´s? Making money out of it will make it less attractive for them!

Regards,
Chris

Thom • April 26, 2017 3:26 AM

Ublock origin.

I used to have adblocker – but they have since started letting shit through, or even replacing it with their own adverts,. not acceptable.

i’ve been blocking ads because obviously blinking flashing shit on my screen is not cool,. and second it kills a lot of potential virusses – no matter how many guarantees the sites give that they check their advertising companies.

nowadays i see a lot more “we see you’re blocking our ads :(” beg banners,. those just encourage me to keep blocking tbh.

Thom • April 26, 2017 3:29 AM

On a more malicious note,. you could fire a random thread to click 1.000.000x on annoying adverts,. the hosting company will then either:
– have to pay the advert the site is shown on.
– burn through whatever google ad funds are linked to it.
– get the advertiser blocked off the site due to click fraud.

Keith Glass • April 26, 2017 5:38 AM

. . . I will turn off my personal ad-blocker ONLY if a site agrees, and accepts indemnity, for any damage caused via ads served. I’ve had to deal with entirely too many infections caused by malicious payloads in ads. And they can’t claim federation on ads: if they agreed to serve the content, either directly or by proxy, then it’s their responsibility for that content.

As for my business ad-blocker, that’s my employer’s decision.

Ph • April 26, 2017 6:14 AM

“The Federal Trade Commission regulations require advertisements to be clearly labeled so that a human can recognize them, which has created a built-in advantage for consumers and, now, ad blockers.”

I seriously doubt that FTC regulations apply to more then 10% of the existing adservers in the world.

Just use the basics, there is no one all fix.
– Selective javascript
– Adblocker in browser
– DNS level blackholes
– Common sense clickrestraint

Bart • April 26, 2017 8:13 AM

I am a bit surprised that nobody in this thread has mentioned the brave browser (and concepts behind it).

I have been using it for a while now instead of using Chromium or Firefox with multiple add-ons or plugins. It is not yet a finished product, but for me works a lot faster than browser + add-on.

Just as with browser + add-on this only tackles data collection by third parties via the browser and not other ways of data collection.

For me the most interesting concepts behind the brave browser apart from ad-blocking are:

the user choice for active anonymous payments to websites based on visits and usage
future possibility of allowing targeted non-traceable-to-the-person ads based on the local browser data (under user control)

I am interested to hear other people’s opinions on brave.

@Bruce: yes, my visits here will contribute a fraction of my monthly contribution towards you … unless I visit other websites a lot more 🙂

CallMeLateForSupper • April 26, 2017 9:54 AM

@Thom
“nowadays i see a lot more ‘we see you’re blocking our ads :(‘ beg banners,”

I get those too from time to time, even though I do not, and have not ever, used an ad blocker. Javascript is permanently DISabled here and Privacy Badger is always on duty, but no ad blocker(s). So, such banners are doubly annoying. I would like to inform those sites that they do not, in fact, know what they say they know, but dialoguing with a web page is impossible. There is no choice but to remain falsely accused… and steer clear of the site thereafter.

Fellow • April 26, 2017 9:56 AM

@Erdem Memisyazici

Not really. Most of those advertisements contain malicious javascript and other executable code. There is no secure environment to run it on a commodity PC with a commodity O/S without risking total system compromise.

Thom • April 26, 2017 10:04 AM

@CallMeLateForSupper – and Flash is uninstalled, obviously.
That software needs to die a quick yet agonizing death.
Luckily even Adobe seems to be abandoning that ship.

K.S. • April 26, 2017 10:13 AM

Online advertisers need to take security more seriously, it shouldn’t be possible to infect systems via ad network. When not blocking ads is equivalent to 80s issue of leaving random floppies in the drive during reboot, you will have dire consequences teaching non-technical people to avoid it.

War Geek • April 26, 2017 12:32 PM

The only upside I can see on this Chrome feature is the possibly of Google calling out when one’s ISP alters web pages with new or changed ads.

Were Google to make that wholesale mutilation of websites more visible to random US citizens, perhaps those citizens would feel a little more interested in the FCC privacy sell out.

Chris • April 26, 2017 1:17 PM

Hi Bart, and the rest of the gang, ive tried to install that Bart browser on Mint
and I didnt succeed, i havent dig into what went wrong but it seems it doesnt work
when you have removed executive rights from /tmp which might or might not be a good sign…
//Chris

Chris • April 26, 2017 1:46 PM

Hi Bart, regarding that Brave browser, sry for the previous typo.

Anyhow i reinstalled it just out of curiousity and the same thing happens this time

An uncaught exception occurred in the main process Uncaught Exception:

Error: /tmp/.org.chromium.Chromium.fqbr6W: failed to map segment from shared object

cat /etc/fstab

tmpfs /tmp tmpfs noexec,nodev,nosuid,mode=1777 0 0

//Chris

Cvnk • April 26, 2017 2:21 PM

@John Smith: wouldn’t Google be seeing DNS queries as coming from the VPN provider rather than you? Why wouldn’t the source of DNS traffic be just as obscured as all other traffic?

Cvnk • April 26, 2017 2:25 PM

@Bart I’ve been using Brave on my Android phone for a while now and it’s probably the best, most stable Android browser I’ve tried. I don’t use it on my desktop because I can get most of the same features via Firefox and plugins plus I can use NoScript.

Bart • April 26, 2017 2:36 PM

@Chris

Yup. I am running a less strict secured Mint, and it does seem to need execute rights on a number of temp binaries in /tmp.

I’ll shoot an issue on that into github. 🙂

Bart • April 26, 2017 3:19 PM

@Cvnk

I use several browsers, including Firefox with NoScript. For the last few months I have been using Brave because I like the concepts behind it. Especially the novel way of paying for content in an anonymous way instead of doing subscriptions and/or being forced to accept ads. It is my hope -foolhardy or not- that a large enough group of users will be willing to pay for content in such a way in exchange for no ads and no data collection. It might be a way forward.

Having said that, I have been stupefied that platforms (Google and others) have not flipped the current revenue system. Now the publishers get paid by advertisers and the users are made to give up their privacy, while at the same time asked to trust the platform (Google et al). Why not have the customer as the ‘client’ serve them with commercial offers that fit their needs and wishes while still keeping the same revenue system. Instead of the advertiser paying to reach consumers, advertisers would pay for consumers that reach them. More or less the same difference. The exception being who you serve as a platform and see as your client.

This would also show the consumer that they can be in the drivers seat: tweak your data > get better fitting offers. Ah well, might be to much to wish for.

albert • April 26, 2017 5:59 PM

It not -just- ads, it’s everything! I’ve seen sites 15 or 20 scripts (listed by NoScript). This is insane. Many sites will not work without at least their own site scripts enabled. Most use third parties for ‘Comments’, and an alphabet soup of others, God only knows what they’re for.

Glad to hear Flash is dying; good riddance!
Java and javascript need to go now.

@Bart, etc.,

Brave is based on Chromium? Does it have one-key Java disable? Like Opera used to have, before they drank the Kool-aid and went to Chromium. Google doesn’t -want- you to easily disable JS, or anything else.

I recommend to anyone running Firefox to select ‘View, Page Style, No style’ on your favorite sites. It’s interesting. Also on Linux, try Links2. Text based, with images. They ditched Java a while back. It’s command-line based, with a plethora of options, and command characters* to use with the program.

“links2 –help”
Scroll to near end, the select the text, ctrl-shift C to copy.
. .. . .. — ….

John Smith • April 26, 2017 10:09 PM

Cvnk wrote:

“@John Smith: wouldn’t Google be seeing DNS queries as coming from the VPN provider rather than you? Why wouldn’t the source of DNS traffic be just as obscured as all other traffic?”

Good questions, and I’d like to think the answers are yes.

You’d think that a VPN provider would, say, run a DNS caching server; all queries from the VPN to Google servers would be anonymous; and those queries would not identify your VPN-assigned IP address or anything else.

But the fact that I couldn’t choose an independent DNS server – all queries went to Goggle – seemed creepy and suspicious to me. At the time, I was evaluating a number of VPN providers, so I had a basis for comparison. This was the first time I had encountered a situation which forced all queries to Google.

Then I considered this possibility: hypothetically, if DNS queries to Google identified my VPN address, could Google learn to identify me? Could Google learn to identify VPN users, if it wanted to, if it logged all DNS activity and didn’t discard it?

Well, like most people, I’m a creature of habit. I go to certain special-interest sites at certain times of day. I often pick a VPN server in a foreign country, out of my time zone, and use it when traffic is light, there. My web browser (one of them) has bookmark folders, and I often select “open all”, generating a habitual and distinctive pattern of URL lookups in quick succession.

So yes, I think Google could learn to identify VPN users if it wanted to, and if the VPN provider colluded. Do Google, and this particular VPN provider, have commercial incentives to collude in this way?

Yeah, I think it possible. So I abandoned that provider, given its creepy behavior.

Patriot COMSEC • April 26, 2017 10:31 PM

@ John Smith
“This was the first time I had encountered a situation which forced all queries to Google.”

It is a very interesting and important post. I think Google colludes with just about anyone they need to. It really is like a war. They are fighting for data, and every trick in the book is going to be pulled. Google has deep pockets and lots of smart folks. What I particularly object to is their use of deception.

VPNs and their DNS resolution is a big deal that we need to be aware of.

Patriot COMSEC • April 26, 2017 10:53 PM

@ Mr. Robertson

“Thus somebody with an exploit can make a payment to some ad-blocker organisations to let their “ad” with exploit inside through. Provided the exploit payload does not make it’s self obvious then there is a high chance that they will not be caught out.

That was grim reading. I wonder if there is a way to cut Google off at the knees.

Adam • April 27, 2017 5:54 AM

It should be easy for most large-ish sites to defeat adblockers.

Adblockers work off patterns. Patterns that match by domain/path in urls and patterns in css.

Url pattern matching can be defeated by delivering content through the main domain itself and with paths indistinguishable from content. Paths can also be randomized to some extent.

Blockers may also hide css elements. So again, change the layout frequently, mix the ads in with content and randomize stuff like classes & ids in the layout.

Then add code to detect if elements don’t exist or have the wrong visibility or cookies don’t get through. The code can flag the end user or call back to the site allowing it to live-monitor how effective its ad blocking countermeasures are.

If every major site did this, each in its own way then ad blockers would become very ineffective. Perhaps someone would make the effort to defeat ad blocking on one site but it wouldn’t work on the next.

George L • April 27, 2017 6:04 AM

What if, theoretically, the “ad war” is won by the consumer, and websites stop making revenues from selling ads. How would that change their operation model? Would they still have an incentive to collect as much personal data from their visitors? Curious to hear your thoughts.

Clive Robinson • April 27, 2017 7:51 AM

@ George L.,

Would they still have an incentive to collect as much personal data from their visitors? Curious to hear your thoughts.

As I mentioned above to Systate, I looked into revenue raising models getting on for twenty years ago. And suprisingly little had changed apart from things have become more polarized and cartel controled.

The real problem that caused this mess was that there was no sensible way to do “micro/nano charging” for content access.

Untill that arrives the only way to raise revenue is by some form of pre-payment –be it subscription or usage token– or by turning the content viewer into a commodity to sell on to others at the maximum possible price.

Now that the “you are the product” model has been established for the cartel they are going to do whatever they can to,

A, Keep it churning in the cash.
B, Prevent legislation against it.
C, Prevent alternative revenue methods becoming available to others.

If you accept that this is the case then there are a number of options open to raise revenue from the “you are a product model”.

Firstly you have the Facebook method, where you provide a method for “the products” to hemorrhage personal information about themselves. This includes the likes of LinkedIn and job sites as well. Also the likes of free blog sites, which the cartel scrape with their robots or tools like discus etc. Oh and don’t forget those “like buttons” and similar on web pages, in most cases they do an ET and “Phone Home” to twitter facebook etc etc, irrespective of what you do (youl’d have to turn off both javascript and image downloading to stand a chance).

If you don’t play those games then there are the likes of free EMail and Twitter, where your links to others and things that interest you can be fairly easily determined. This includes all that “colabarative working” nonsense via Google Gadgets, I dread to think how much valuable IP goes that way. But Google are preying on the young in a quite sick way, through their various schools and student initiatives. The same applies to Microsoft with Office 365 and just about any other online service wich requires a “middle point” of some form.

Which takes us from the relms of direct data analysis into the more creepy world of Traffic Analysis. Thus even if everything you do is encrypted they see connectivity paterns between you and others. Humans being human will make mistakes and from these they can put names and thus faces, habits and interests to identifiers.

As has been seen recently[1] the likes of IP address spoofing is not that effective and that mobile app developers can overcome the deleating of the app and still track the user[2] as well as using other numbers that are unique[3] within a device or PC.

But it does not need to be just unique numbers it can be combinations of numbers/data that when combined make a near unique fingerprint of a device or PC. Worse even quite common combinations can still be tracked if a geo-spatial or temporal element is involved. That is say 1% of smart phones have the same combination, when you add the cell tower and time of day data it becomes more or less unique again.

Whilst there are things you can do to limit this, the level of OpSec required is significantly more than most people can reasonably be expected to do. Thus even though you might achive the level of OpSec required another person you communicate with might not, and you inherit their failing and become visable through Traffic Analysis…

As far as I can see this is the direction the likes of Google are going to go. Thus their ad-blocker initiative can be seen as a way to despoil others revenue models, and by reducing the oppositions market share increase their own as well as moving from a cartel to a monopoly, thus vastly increased profit.

The only fly in the ointment is that ISPs in the US now have abilities Google do not. Thus it will be interesting to see what Google does with respect to them.

[1] https://www.theregister.co.uk/2017/03/10/mac_address_randomization/

[2] https://www.theregister.co.uk/2017/04/24/uber_cloaked_its_spying_but_apple_gave_it_a_wrist_slap/

[3] https://www.theregister.co.uk/2017/04/25/uber_sued_lyft_hell/

Anselm • April 27, 2017 11:29 AM

Facebook has 1.5 billion users or so. In theory, if every user paid a mere $1/month for the privilege of using Facebook, the company would have an annual operating budget of around $18bn. With that sort of money in hand, they could easily do away with all the spying and tracking and privacy violations and obnoxious in-stream advertising and concentrate on providing a great service to its customers (us!). But that doesn’t happen.

The main reason that this doesn’t happen is that we are too cheap to pay that $1/month. Chances are that if Facebook told its users tomorrow that from 1 May 2017 they were going to charge $1/user/month in order to be able to make the service ad-free, the day after tomorrow Google+ would be the most popular social network on the planet. In fact, “Facebook will start charging soon” comes up as a hoax every so often and generally results in outrage.

mere mortal • April 27, 2017 5:01 PM

@Clive Robinson

“Personaly I’ve found that turning off javascript is acceptable to me…””

Me too – 99% of the time …which leads me to this general question:

Is there material privacy/security value in blocking (e.g., youtube) scripts most of the time – but every once in a while – temporarily allowing (i.e., NoScript “Temporarily Allow”) just those scripts required for the purposes of watching a youtube video that one time? Or will my very few instances of running Google’s scripts be all they ever need?

That is, with regards to blocking a given site’s scripts, Is it all or nothing?

Haroun • April 27, 2017 5:05 PM

@Clive Robinson, @Anselm:

From what you’re saying, seems like the consumer is at fault here. I love the $1/month Facebook fee example. why are people outraged at the thought of making that insignificant payment to Facebook when they spend five times that amount every day on snacks?

Clive Robinson • April 27, 2017 5:58 PM

@ mere mortal,

That is, with regards to blocking a given site’s scripts, Is it all or nothing?

It is not all or nothing, but it is highly nonlinear. Look at it this way a single point gives little or no information. Two points however can be compared for similarities. Thus the more points the more a signal comes out of the noise. In effect each point falls on a power law curve which starts below a threashold point. The first few points don’t make it even close to the threashold point but subsiquent point bring it more rapidly not just to the threashold but straight through it.

@ Haroun,

why are people outraged at the thought of making that insignificant payment to Facebook when they spend five times that amount every day on snacks?

Because the fee is not insignificant when viewed against an individual snack cost.

It sounds mad but that’s just the way the vast majority of people view things. Thirty chocalate biscuits for 1USD will sound better to the majority of people than 1month of Facebook usage even though that’s on average thirty days worth.

The 3USD muffin from Starbucks with the 5USD coffee will sound better / more convenient than six equally good muffins for the same price from your local Sainsburys etc.

It’s just the way people are…

mostly harmful • April 27, 2017 8:22 PM

@mere mortal

Is there material privacy/security value in blocking (e.g., youtube) scripts *most of the time* – but every once in a while – temporarily allowing (i.e., NoScript “Temporarily Allow”) just those scripts required for the purposes of watching a youtube video that one time? Or will my very few instances of running Google’s scripts be all they ever need?

You assume google/youtube’s scripts are required. But the desired parts of their functionality can frequently be replaced with scripts of your choice. For example:

http://quvi.sourceforge.net/

https://rg3.github.com/youtube-dl/

http://cclive.sourceforge.net/

Patriot COMSEC • April 28, 2017 12:37 AM

@ Michael Argast

Thanks. It was good to learn about that. Also, they have an amusing name for the tracking that Google does and Ghostery allows: “non-consensual tracking” –yikes!

Patriot COMSEC • April 28, 2017 12:41 AM

@ Thom

“On a more malicious note,. you could fire a random thread to click 1.000.000x on annoying adverts…”

How do I do that? 🙂 Address is at the link.

Wayne • May 4, 2017 8:08 AM

My favorite ad blocker is Lynx.

Any time I read an article that whines about me blocking their stupid ad networks, I just load it up in Lynx and read the article without any problems. It also has the benefit of not running any Javascript, so there are no, “I see you’re using an adblocker…” messages.

Anonymous Coward • May 13, 2017 7:26 PM

@Bruce Schneier

Ad blockers represent the largest consumer boycott in human history. They’re also an arms race between the blockers and the blocker blockers. This article discusses a new ad-blocking technology that represents another advance in this arms race. I don’t think it will “put an end to the ad-blocking arms race,” as the title proclaims, but it will definitely give the blockers the upper hand.

I haven’t seen any browser extensions that actually seek to block or otherwise boycott advertising.
There are many that work like antivirus software to prevent the execution of unknown or known-dangerous code, such as various JavaScript/Java/Flash/ActiveX applets, but I’ve never seen one that blocks or otherwise interferes with safe ads, such as text links and image links.

The software, devised by Arvind Narayanan, Dillon Reisman, Jonathan Mayer, and Grant Storey, is novel in two major ways: First, it looks at the struggle between advertising and ad blockers as fundamentally a security problem that can be fought in much the same way antivirus programs attempt to block malware, using techniques borrowed from rootkits and built-in web browser customizability to stealthily block ads without being detected.

There was an advertisement program implemented as a rootkit/bootkit(made to hide its location from the user and to prevent uninstallation of itself) in some laptop[1], but which “ad blockers” do such things? I tried but couldn’t find any.

1: http://ion.icaew.com/itcounts/b/weblog/posts/lenovosuperfishrootkit

Acheron • May 17, 2017 3:19 AM

Maybe as a first step we should stop calling it ad-blocking and start calling it tracker-blocking. Like some other commentors, static ads are ok – bandwidth is often not longer a problem. It’s the tracking that makes a lot of people use blocking tools.

Nes • August 19, 2017 6:41 PM

In regards to the boycott on ads and how to make money elsewise; microtransactions work. Most places don’t do them right, but in video games, or say something like secondlife (or one of its many competitors) providing an easy to use currency, procurable through multiple means… it simply works, and works well.

Erdem Memisyazici • January 6, 2018 6:27 AM

@Clive Robinson
But further because clicking on an ad is not necessarily “risk free”

@Fellow
There is no secure environment to run it on a commodity PC with a commodity O/S without risking total system compromise.

Browsing in general is not “risk free”.

The point is to generate human like ad traffic, something which cannot be filtered out of the genuine click. Most advertisers don’t have CAPTCHA tests either, well, nobody would take the time.

If you cannot block the data from being collected, the best you can do is to corrupt the data being collected.