The Ad Blocking Conundrum: Stealing or a Sound Security Practice? | Tripwire

The Ad Blocking Conundrum: Stealing or a Sound Security Practice?

Posted on January 11, 2016
The Ad Blocking Conundrum: Stealing or a Sound Security Practice?
Is using ad blocking software stealing or is it a sound security practice? On one hand, many websites and content creators make money from advertising. They certainly deserve to be compensated for their time and effort. On the other hand, advertising – at best – can be annoying, and at worst, can serve up malware, suck up bandwidth and redirect confused users to websites without their knowledge. People have been attempting to block online ads ever since the first banner ad appeared on October 27, 1994 – an AT&T banner on HotWired.com, the online version of Wired Magazine.
ad-blocker.jpg
AT&T publishes the first banner ad on October 27, 1994
Back in the 90’s, people used manual methods for blocking ads, such as DNS filtering on proxy servers and manually entering known ad network domain names in the local HOSTS file. Internet Explorer, Chrome, Firefox and other web browsers started blocking the most hated form of online advertising, the pop-up ad, about 10 years ago, but left other forms of web advertising intact. Shortly thereafter, ad blockers that operate as browser extensions were developed and proved to be the most effective form of ad blocking. Not only are they incredibly easy for the end-user to install but also don't require the user to maintain lists or perform maintenance of any kind. The more popular software packages, such as AdBlock, AdBlock Plus and uBlock, are automatically updated and provide a nearly ad-free browsing experience. In 2015, web browsing on mobile has exceeded browsing from the desktop. This presents new opportunities for advertisers and also draws ire from those who find online advertising intrusive or see it as a security risk. Content blocking, including ad blocking, is now available in the release of Apple iOS 9 and in some Android-based web browsers. Ad blocking software on mobile devices has gone mainstream, and with more and more web traffic originating from mobile devices, this can significantly cut into the bottom line for content creators.

The pro ad blocking argument

The most enduring pro-ad blocker argument is one of security. Malvertising (a portmanteau of malware and advertising) has been a staple for many years on less-than-mainstream sites but attackers have been persistent in finding ways to get their malvertising on trusted sites. Savvy internet users often have their guard up for malicious links and software when browsing less-than-mainstream sites. However, users have a tendency to trust larger, more well-known websites. Users have an expectation that these sites screen their ads carefully for malware. However, several recent incidents of malware being served up on mainstream sites have caused Internet users, who previously may have never considered ad blocking software, to install and use them.
  • In August 2015, the New York Times reported that Yahoo's advertising network was infiltrated by hackers and used to serve out malicious software to unsuspecting people. The fraudsters purchased ads on Yahoo's sports, finance and news sites. The ads they purchased contained malicious code that targeted Adobe Flash on visitors' PCs. Adobe Flash has many significant vulnerabilities that attackers can use to compromise machines.
  • In April 2015, malware was served through a Hugo Boss ad on Huffingtonpost.com and other sites, such as Zillow.com. The malware used a Flash exploit and installed the Cryptowall ransomware on victims’ computers. Ransomware encrypts files on the computer’s hard drive and prompts the user to pay a ransom to decrypt it, hence the term “ransomware."
  • One of the largest incidents to date occurred in April 2015 when an advertising partner of Google, Engage Lab, started redirecting a large number of web users to sites attempting to infect their computers with the Nuclear exploit kit. The exploit kit can infect users of Flash, Silverlight, PDF readers and many others software packages. The payload is flexible, ranging from additional malware to ransomware.
Bandwidth is another factor that might compel users to install ad-blocking software. In a non-scientific experiment, I loaded up a popular security news site on my smartphone. On the front landing page, I was served one full-page ad with video. When I let the ad play out, it closed automatically and I was then served a half page ad with video and static ads on the side. Consider that most mobile phone users have around a 2GB monthly data download quota. Ads like this can quickly use the majority of the quota when all I wanted to do was read a news article that can be measured in kilobytes. An ad blocker blocked all of these elements when I tested the same page from my desktop.

The Anti-ad blocking argument

Ad blocking opponents argue that ad blocking equates to stealing. The majority of websites that publish original content generate revenue, either in part or wholly, from ads. The actual algorithm and computational power used to serve up ads are surprisingly complex, but in simple terms, advertisers pay websites to have their ads displayed to visitors. There are three primary ad revenue structures:
  • Cost per impression: The advertiser pays every time an ad is viewed
  • Cost per click: The advertiser pays every time an ad is clicked
  • Cost per order: The advertiser pays every time an ad is clicked and results in the user ordering a product
Most advertising schemes use all three at the same time; every impression costs a very small amount, clicks cost more, and finally, an order usually results in a commission. Ad blockers work at the very top level – they block all impressions. Ads are never displayed, so advertisers aren't the ones losing money. The content publisher – the website – is losing out on all the revenue generated from a single website visit. It may seem like small change (after all, we're talking about an average of $2.80 of revenue per one million impressions but the numbers do add up. According to a Reuters-sponsored report, 47 percent of US-based respondents reported that they use ad blockers. That number will likely grow in 2016, with easy-to-use ad blocking software hitting the market and the rise in well-publicized compromises continuing to drive fear of online ads. In May 2015, an op-ed by Avram Piltch was published in Tom's Hardware Guide, a popular website that publishes news, articles and reviews for high-end computing hardware. The title of the op-ed was blunt: “Why Using an Ad Blocker Is Stealing.” In the op-ed, Piltch writes:
"…most Web publishers rely on advertising to pay the bills. Some charge subscription fees, but for the most part, readers have shown that they aren't willing to pay for access to Web content. Even if they earn revenue from subscriptions or e-commerce links, few sites can turn a profit without running a substantial number of ads."
He also referenced a controversial business practice that some ad blockers are engaged in. For example, websites can pay AdBlock Plus to circumvent the block and display the ad anyway. Users can still manually blacklist ads from showing up on a site but it's an extra step. Piltch described the practice:
"Services like Adblock Plus, which recently launched its own Android browser, are no different from a lock-picking kit for burglars or a lead-lined bag for shoplifters. Even worse, every time you use one of these services, you're enabling an extortion racket where ad-blocking companies charge content providers money to let their ads through the filter."
In a well-documented experiment In 2010, science and technology website Ars Technica claimed that more than 40 percent of their users were using ad blocking technology. The site derives revenue from CPI (cost-per-impression), so the editors made the argument the revenue loss was substantial. On a Friday evening in March 2010, Ars Technica started blocking content for users that were using ad blockers. Essentially, if you were using an ad blocker, you got a blank page when you visited the website instead of content. It was controversial – it was done without warning or explanation, so many people thought the website was down or their computer was malfunctioning. However, the stunt worked – it got people talking about the issue. In a blog post about the incident, Ars Technica editor Ken Fisher wrote:
"My argument is simple: blocking ads can be devastating to the sites you love. I am not making an argument that blocking ads is a form of stealing, or is immoral, or unethical, or makes someone the son of the devil. It can result in people losing their jobs, it can result in less content on any given site, and it definitely can affect the quality of content. It can also put sites into a real advertising death spin. As ad revenues go down, many sites are lured into running advertising of a truly questionable nature. We've all seen it happen.”
Ars Technica no longer blocks visitors that use ad blocking software, but other sites have taken up the mantle. In late December 2015, Forbes.com implemented a carrot-and-stick approach to the problem. When ad blocking software is detected, the user is redirected to a page that shows the following message:
ad-blocker-2.jpg
Message displayed to Forbes.com visitors when ad blocking software is detected
As an incentive to disable the ad blocker and continue to the requested article, the site will give the user an “ad light experience.” The ad light experience displays very few static ads and no video or full-page ads. Presumably, when the 30 days expire, the users’ experience will revert back to the regular version of Forbes.com, which is laden with ads: static, video and full page.

What to do?

Most security experts will advise users to use ad blocking software, despite the fact that many people in the field are content creators themselves. It’s the single best tool for average users to defend themselves against malware. It is even more effective than anti-virus software, which can easily be circumvented. The arguments on both sides are compelling but it is ultimately a personal decision of whether or not to install the software. However, one thing is clear: the firms that develop ads and run ad networks must recognize this as a malware problem and not a user problem. It’s human nature to want the best web browsing experience, free of intrusive ads, fake download buttons and malware. Content creators who continue to use the bully pulpit to shame users into disabling ad blockers should really take aim at the advertisers themselves. When ads are not properly vetted and monitored or rely too heavily on technologies like Adobe Flash that is easily exploitable, everyone suffers – Internet users and content creators alike. When ad networks create an experience that is safe and enjoyable, users will follow.  
security28.jpg
About the Author: Tony Martin-Vegue is a 20-year Information Security veteran with expertise in network operations, cryptography and risk management. He’s worked for large global organizations, leading cyber-crime programs, enterprise risk management and security programs. He is a blogger and host of The Standard Deviant Security Podcast, a podcast that, with candor and cleverness, holds up a mirror to industry truths.Tony holds a Bachelor of Science in Business Economics from the University of San Francisco and has many certifications such as CISSP, CISM and CEH. He can be found on the web at www.thestandarddeviant.com and on Twitter @tdmv. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. Title image courtesy of ShutterStock    
Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!