Matthew Ames

Online advertising has to change

Matthew Ames - 2016-03-16 - 11:41 am

A couple of days ago, I posted about how to enable Tracking Protection in Firefox. While I understand the importance of blocking potentially bad ads, I’d never really been in a situation where I was likely to be caught out by any, especially because I avoid sites which have a greater chance of being susceptible to being compromised. However, today it was announced that many major websites, including the BBC and New York Times were targeted, and their adverts were compromised to server ransomware to US visitors.

Although these sites are not sites which I would normally visit often, they are sites which I would have previously deemed OK, and would have disabled all ad-blocking should the sites request that I do so. After all, these institutions are worthwhile and cannot continue without our support, and if that comes in the form of ads, then so be it.

Now the game has changed, and advertisers need to change their practices, or else browsers and ISPs are going to start blocking all ads by default, stripping them, and the sites that serve ads, all of their revenue. Mobile company Three have already been reported to be working on ad-blocking on the network level, so this technology is not far out.

If the advertising companies can work together with browser manufacturers Google, Mozilla, Microsoft and Apple, I’m sure they can come up with a harmless way of displaying ads. Firstly they need to show only ads which are not harmful to a user, and secondly they need to be able to adhere to user preferences.

Security

One of the major issues with advertising through browsers is that an advert is only as secure as the policies of the advertising company. While some of the big players will check for potential compromises, many do not. It should be a matter of process that any advert is checked for known security issues, especially those written in flash.

Secondly, there is no way of knowing if an advert has been modified somehow to include bad content. Because of this, I propose that all ads should be cryptographically signed. This means that no asset can be downloaded for an advert without it being passing checks, such as confirming the GPG signature. The advantage to such an approach is that a browser can be configured to only show signed adverts, and hide anything else which fails the checks.

User Preferences

A user should be able to chose on the following hierarchy which adverts they would like to see:

  • Video adverts with sound
  • Video adverts
  • Animated adverts
  • Image adverts
  • Text adverts

Such a hierarchy would help those users who are on metered internet, and cannot download too much without facing penalties. A desktop browser should default to Video adverts, and a mobile browser to Image. In my own personal experience, I have had two video ads try to download simultaneously on a site while I was using mobile data. I had checked just before to see my data usage, and was shocked to note that it had gone up by 10M after the page had finished loading. This is clearly not acceptable, and must be stopped. By setting the option it means that, rather than stopping all ads, we can reach a compromise which puts the user in charge again.

Conclusion

At the moment we are behind the attackers when it comes to security, and the weakest link in the chain is the one which is causing all of the problems. With more an more talk of ad-blockers being a protection racket, it’s about time the advertising companies took the time to understand the reasons for the shift in public attitudes — especially in the non-technical who are slower to pick up on technologies such as ad-blockers. Making changes to browsers stopped the scourge of pop-uips, and now it’s time we did the same for inline ads.