So effectively what you're saying is that we should eliminate ad networks. There is no reasonable way to screen every ad before it is shown when using an ad network. So in order to be safe from lawsuits, publishers would have to go back to directly contracting with advertisers for every ad. Certainly there would be some benefits to that in terms of reduced low quality ads. The problem is, the added overhead of doing so would put many small publishers out of business. Dealing with individual advertisers is a huge job, with massive economies of scale; it just doesn't make sense for websites that are orders of magnitude smaller than Forbes and Yahoo.
Do newspaper work with individual advertisers, or do they work mostly through local marketing firms? The answer is again the same as above. Buying a news ad is commonly done through a marketing firm and the news paper is always responsible for what is printed.
Very few publisher in any media deals with individual advertise clients, and yet it works. Responsibility is done through contracts, through professional liability and standards, and as last resort through business insurance. As a result, its quite uncommon to see illegal ads on physical newspapers, on TV, on busses, and on other physical objects.
Now, they do also do more manual vetting, but they can afford to, because again, the ads cost more. Maybe online ads need to cost more too. It just means that some fraction of the current legitimate advertisers will no longer have sustainable business models.
Or you could have ad networks that only circulate carefully vetted/curated ads.
Imagine if you had an ad network that was picky and only allowed ads that were clever/interesting, short, not annoying, and didn't lead to malicious/fake products!
Also, even if you could catch everything with manual human vetting of every ad, it would be cost-prohibitive. (Either you would have to pay less to publishers, or charge more to advertisers. The latter would likely be a non-starter, because it is already difficult for most small advertisers to run positive ROI campaigns. The former would put further pressure on publishers, making them even less likely to accept the risk of these proposed lawsuits.)
I would love to see online advertising improved, and I think there are certainly possible ways to go about it. I'm just trying to illustrate that it's not as easy as, "don't let people publish or distribute bad ads."
To borrow the analogy from the article, we couldn't stop spam by going after the email providers for allowing it through.
No, you make it simpler than that
you simply forbid ads to be interactive or to contain any code
eg. you do only static ads like text, image, video
no code, no way to hide nasty stuff
Basic incentives - until they're fixed nothing will change.
Or they would be forced to seek agreements with ad networks to cover such faults. Insurance, in some form.
Isn't that what google did when facing the need to monetize their search engine ?
Surveillance is not the leading cause for adblock, it's because people don't like ads and a 1-click install to remove them is incredibly easy.
Advertising online will always have some sort of tracking because that is the benefit of advertising online - to know the real metrics of who has seen and clicked and engaged with an ad. If you're worried about real privacy issues, you should focus on Facebook/Google and government agencies.
The difference ? Adblock plus can be extended to block trackers by adding block lists to the default, while ublock origin has those lists activated by default. Then adblock plus let through some ads they whitelist for money and supposedly good behavior, ublock origin has no such policy for the reason that ublock is the work of an individual who wants a better online experience while adblock plus is now the product of a commercial company.
In my case at least, "surveillance" doesn't factor into it. If I were to see ads, I'd actually prefer they be targeted to my interests.
Right now (and without ad blockers): Go to homedepot.com, search for toilets, and view one toilet product page. This marks your interest. facebook.com will show you ads for toilets for the next month.
If you don't think anti ad blocker is a problem, where is this article coming from? Hmmm, afraid that more websites would follow the trend so less content to read? The attitude that this is only websites and advertisers' problem is not as constructive as the author might presume.
£1 a day for The Times - very nearly the cost of the actual paper. $1 daily to access Wired. Don't make me laugh. No one consumes all their news from a single source any more.
If my usage pattern is anything near representative, 2-5p a day for the Times and .5p a day for Wired, based on how often I visit equivalent sites and how many stories I read whilst there.
Seems like unless it's something very specialised (medical journal or similar), or the FT charging as though it was our sole news source just demonstrates how out of touch they are.
Sure, charge me £1-£2 a day for consumption, but that would have to be spread across 50-100 sites daily, some of which I've visited just once in the last year, for one article. AND, if I am going to be willing to be micro-charged I want a way to NOT pay a specific site (perhaps I visited and the content was poor). Make that happen I'll subscribe today.
Ask me for £1 for your shitty site daily and you'll wait forever, but good luck with your greed - that's what caused the adpocalypse in the first place.
It is effectively a way to price the information, how much should be paid for your view. Note in print days, you still pay your subscription, yet you get shit loads of ads. And you have a variety choices of publishers.
So why this is the worst model ever?
The article is laughable that it gives no solution, but asks publishers to evolve into oblivion, which I think they won't.
Some people are so pissed that publisher got anti ad blocker in place, yet claim they won't pay to their shitty articles whatsoever. But then again, if you don't read those shitty articles that much, why are you so pissed in the first place?
After all you need to pay what you consume, and ad is one way of it. It is not perfect, nor evil. Your call then.
That's always going to significantly limit paywalls online. Too much competition from hobbyists and non profits that see their goal as helping people rather than selling their work.
"By converting unsafe flash-based ads to safe HTML5 ads, they lower the risk of infection from a hostile ad." is laughable at best
An Ad Network is one of the fastest way to deliver a payload to a lot of users
Don't fool yourself, Operating Systems, Browsers and HTML5/JS also have a hell lot of CVE that can be exploited
It's funny how a company like Google making Billions from ads, having ton of smart engineers, have never figured out during the last decade how to "scan ads for malware".
It's not like anyone can upload an ad to those big network, or that they don't QA the ads before delivering them ...
Imagine this unlikely scenario: malware delivered by HTML5/JS
I guess we'll all have to run for the hills if that happen
Truth hurts? Adobe Flash and Microsoft Silverlight are common exploit paths because they have new critical exploits every few days. Here's the CVE list for Flash -- notice how many critical exploits there are? It averages to about 1 every 3 days. https://www.cvedetails.com/vulnerability-list/vendor_id-53/p...
In contrast, JavaScript itself has been pretty stable for years. I think the last vulnerability related to JavaScript ES5 impacted old Firefox browsers. http://www.cvedetails.com/cve/CVE-2015-4516/ https://www.cvedetails.com/vulnerability-list/vendor_id-452/... (Two JavaScript exploits for Firefox in 2015, both low risk.)
And HTML5? Extremely stable. There may be specific plugins or specific browsers that are vulnerable, but the underlying HTML5 specifications are very safe and have been safe for years. https://www.cvedetails.com/google-search-results.php?q=html5...
If you know otherwise, then please cite the specific CVEs. Otherwise, you're just spreading false information. You wrote, "Browsers and HTML5/JS also have a hell lot of CVE that can be exploited". I say: Prove it. Cite your sources.
Edit: Adding links to Firefox exploit CVEs.
"If you know otherwise, then please cite the specific CVEs. Otherwise, you're just spreading false information"
man, you are so full of it
want proof ? no problemo
1. CVE are organised by vendors and products
HTML and JS does not show as products, only browsers
see http://www.cvedetails.com/top-50-products.php
look #3 Firefox, #4 Chrome, #8 IE
that explains why you will never see a specific HTML and/or JS CVE, that does not mean they don't exists.
Also in term of volume, browsers have more CVE than Flash, it's all here in the numbers: Firefox 1320, Chrome 1216, but no let's ignore them and focus on Flash 713 CVE.
Just that it make your whole argument biased, the part "JavaScript itself has been pretty stable for years" is ridiculous, search for JS blackhole exploit, Rowhammer.js exploit, Heap Overflow exploit in JS, etc. you don't see them in CVE but they are here and exploitable.
It's better to think than JS is secure looking at that http://www.cvedetails.com/vendor/10288/Javascript.html
yeah no exploit in JS, none, we are all safe LOL
this for example http://www.cvedetails.com/cve/CVE-2015-0817/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 https://www.mozilla.org/en-US/security/advisories/mfsa2015-2...
you don't see it show up under the tag "JavaScript"
2. Number of CVE listed do no equals CVE exploited in the wild
so you say "It averages to about 1 every 3 days", that's completely false
1 vendor patch for a particular product can close numerous CVE at the same time so it's more like "we squashed 50 CVE in 1 day"
look at http://www.cvedetails.com/cve/CVE-2015-8449/
follow up on https://helpx.adobe.com/security/products/flash-player/apsb1...
that's 1 patch, it does not indicate 1 CVE every 3 days, look at the details
"These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-8050, ..." that's more than 50 CVE of the same type patched and closed at the same time
Also look the "Acknowledgments", numerous security team reported all those CVE for them to be patched, there is no indications they were exploited in the wild.
Saying such things as "oh 30 CVE discovered in 1 month, so that means there were 1 CVE per day" is totally misleading, even more misleading to assume all those CVE were exploited by default (eg. "could lead to").
At best it indicates that they (Adobe and other security team) are more serious about discovering and patching those CVE and so they close more of them more often.
Google claims they are doing just that :
https://googleblog.blogspot.fr/2016/01/better-ads-report.htm...
Now when did they start doing it is also a relevant question.
The mafia comparison feels much more like a stretch when talking of ad blockers than when talking of the bulk of the world's news sites secretly (unless inspecting network traffic or HTML code) using a common few advertisement agencies.
I think the recent cookie laws feel pretty useless, especially since cookies aren't nasty by themselves. "Hi! This site uses cookies! Click here to learn more." It doesn't tell me anything. It doesn't imply that the site is evil nor good. However, give me a law requiring web sites to say "Hi! We are part of a tracking network where your behavior on this site will be registered." Then we're talking. Where the link doesn't lead to an explanation by the publisher, but be required to lead to a link on an external part with an easily digestible, up front explanation of what an ad tracker does and can do. I'm honestly quite fed up that this offensive behavior can keep going on behind the scenes. All people see are photos of a new car model. A normal ad that is anything but normal.
For as long as there is this World Wild West on the publishers' sides, I'm not going to change my behavior on defending myself. Because I look at this as a form of defense. It's simply like running antivirus tools on Windows. I wouldn't want a trojan horse to be downloaded that uploads my browsing behavior to some server either. The difference from what these guys are doing seems razor-thin.
The mafia comparison is targeting adblock plus for their "do your ads as we say, give us a 30% cut of the money you make and we may whitelist your ads (only if you're big enough as in at least 10m ad impressions)" feature[3].
[1]: http://www.nextinpact.com/blog/97835-pourquoi-next-inpact-ar... [2]: http://www.nextinpact.com/publicite-partenariat [3]: http://www.theguardian.com/technology/2016/feb/25/adblock-pl...
The implementation is current broken largely due to a lack of regulation and enforcement in the industry but this can easily be fixed by having better opt-out mechanisms online (3rd party cookie removal went the opposite way). This would allow you to get more generic ads if that's your wish.
I'm not sure where these numbers come from, but unless you are in fact running a spam site, and likely even then, revenue per click is going to be higher than a fraction of a cent. As a random data point, it looks like the combined revenue per click from Adsense on our sites is around 30 cents per click at the moment.
That's pretty optimistic, on some ad networks representative CTR's are lower by an order of magnitude or two.
So now the other end of the ad is not faceless/identiti-less. If the ad is found to serve malware, there's someone to ban/take action against (like banning from a good-paying ad-audit job for life). Ad-networks that require the golden rule can be white-listed by blockers, and become trusted. Networks that don't are considered malware haven.
Could this work? In the current ad-blocking war, the use of ad-blockers will only rise-and-rise, and something has got to give.
This all happens in real time. So the point is, when you get a report of a bad ad on your page, it's almost impossible to even know what network it came from. The networks themselves don't know if they ultimately served you the ad, because maybe they got it from someplace else. And no one can search for it based on the url anyway.
Now, none of those things is unsolvable, although it would take significant new regulation. For instance, when an ad is served through a network, there should be a standardized way to add metadata to the ad to state that it was served via that network. In cases where it is passed through several networks, it would carry each of their metadata, in order from the original source through the various levels until the network that actually serves the ad to the publisher. That would at least allow savvy users to make an informed report to a publisher when they get a bad ad. Something else to look at might be requiring that either 1) the target url of an ad points directly to the eventual landing page, or 2) if a redirect is made, the original url be encoded either in the new url (as a fragment id perhaps) or at least as metadata in the page. There are probably plenty of caveats there. But if a user clicks on an ad and finds themselves at some page, there should be some way to figure out what ad took them there. That isn't currently the case.
Identifying the networks an ad has passed through would be the responsibility of those networks (with a standardized way of doing so). Avoiding or identifying redirects would be the responsibility of the advertisers, but networks would have to be required to periodically test ads for compliance.
An analogy is financial-auditors -- a human has to be present and sign even if the report is for a company behind 10 shell companies.
If I happen to click on an article from facebook on my phone, the resulting page shouldn't be something I can't even scroll/read because it's so riddled with ads.
Another part is an extension of what TFA says... they should be held responsible... current techniques are iframes, and when a timeout occurs or it bounces to another ad network, another layer of iframe and tracking scripts runs... if an average ad is 3 layers of iframes, and an average page has 5-8 ads, that'd 15-24 complete extra browser contexts just for ads...
