Otherwise, obviously, the server could just maliciously record impressions/clicks.
Then, logically, if uBlock Origin doesn't remove the ad, but does successfully remove the mediator's script, the server can never book the impression. So why waste precious bandwidth (actually INCREASING the cost of ad delivery for the publisher) delivering an ad you can never be paid for? Boggles the mind.
Embedding the ad into the video is more akin to a native ad, which is generally understood by the advertiser to not have measurable conversion and to be strictly context (as opposed to user) targeted.
We are going full circle--that is, back to the beginning--of ad technology.
There's no point to client-side JavaScript: The baddies just write JavaScript that rewrites basic objects using Object.defineProperty so that document.visibilityState always says so (and so on), or that lie to the visibility sensor. Or they just make a whole fake web browser that runs on a Server. You are in an arms-race, and verification companies simply can't/don't do a very good job.
> Otherwise, obviously, the server could just maliciously record impressions/clicks.
I offer ads† to publishers server-side via XML or JSON, and they can stitch them into the page however they want, and I've been doing this for years.
My publishers often get paid by click, but some of the more valuable ads are paid on referral. Occasionally I see a CPM/CPD deal go through, but it's usually to a larger publisher that I can understand how they get their traffic. I won't help anyone do a CPM/CPD deal unless I understand their traffic.
You're right that it's much too easy to buy traffic from e.g. Google and spray it at my impression and click trackers, which is why I don't rely on them: Adblock and uBlock can remove the trackers all they want, but their users still get ads from my platform, and my publishers will still get paid.
†: Strictly speaking: I offer a platform for publishers, and often help my customers get introductions/recommendations/connections to advertisers who believe in data-driven online sponsorship.
> Embedding the ad into the video is more akin to a native ad, which is generally understood by the advertiser to not have measurable conversion
Server-side stitching can be done in realtime, bespoke, and with standard VAST tags. Not everyone is doing this, because dash/HLS are simpler and still "good enough".
> and to be strictly context (as opposed to user) targeted.
I've worked with several (big) brands who have done completers and demo-guaranteed video campaigns. There is absolutely user-targeting in video.
I agree it's an arms race, but why do you think it favors the attacker? Bot/spam detection is incredibly important, and the folks I've worked with in spam detection are really good at what they do.
(Disclosure: I work on ads at Google, though not in spam. Speaking only for myself.)
You cannot overwrite javascript properties in frames from another domain, right? Am I missing something?
A fake webbrowser requires a lot of IP addresses. Wide-spread abuse seems hard to me, especially when combined with Google's hidden "I'm not a robot" thingy.
I don't suppose I understand why clientside JavaScript is needed here. The serverside code could simply generate a unique hash for every visitor, and include that in the campaign link. Then, server-side code on the receiving end can read this hash, record a unique hit, and monitor the user on the campaign landing page to see if a lead is generated.
This seems obvious to me, but I don't actually work in advertising. Where is the break in this system? What am I missing that allows this to be exploited, in a way that only clientside JavaScript can fix?
EDIT: In context, I've realized that my proposed solution might work for clicks, but would do nothing for tracking impressions. Hrm. I'm not really sure if that problem is solvable. Then again, I'm also not a fan of impression based ad tracking (it feels creepy) so maybe I don't mind if it remains broken.
- Video advertising is not happy with only impressions and clicks metrics. In general, advertiser will want to know if their video played while in view from a human (or at least in view on a screen), and for how long it has played (or at the very least a rough estimate, like say how much midpoints).
- The concept of "impression" itself is often not very well defined, but counting it at "the server served a request with the video payload" is really a too optimistic view of things which leaves big holes exploitable by fraudsters. Having client side javascript playing at least requires additional software running, aka additional costs (if minimal) for fraudster.
- You can't really "just" monitor the user on the campaign landing page, since it's different sites involved, it involves different cookies, and actually reconciliating them is doable, but it'd require some work that the advertiser may not be willing or able to do.
* The ad server outright telling lies to get paid for nothing.
* The ad server not being trusted to validate that views are legitimate.
Client-side JavaScript can probe the DOM and execution environment for abnormalities indicative of automation.
I guess they will end serving ads and "content" from the same site, but this site will be controlled directly by the advertisers, not by the publishers.
I'd imagine that advertisers would just bake it into the cost of the impression like they do today for click fraud. In fact, I think this type of fraud is much preferable to click fraud.
Also video players with embedded ads have been around for years. The technology is already more advanced this and is just starting to roll out. Despite what you might think, there are plenty of checks against fraud and any publisher that does such blatant video fraud will get caught very quickly.
then people might actually find out what is and isn't ad.
Maybe even programmatically allowing the upload of images or videos? (Maybe even ADsafe [0] scripts?)
The greater problem is that the ad industry is too unregulated and greedy which has led to a tragedy of the commons with malware and poor UX everywhere, leading to adblockers installed by many who otherwise wouldn't mind.
If you want to make sure you get paid for your content, put it behind a paywall. Yes, the number of users will drop, but you can't have your cake and eat it, too.
Otherwise, ask nicely for donations or Patreon support or do old-fashioned sponsored content, obviously with full disclaimers that the content is sponsored, so people can decide whether they want to watch it or not.
Specifically talking about video ads, look at what Glenn Fricker from Spectre Media Group does on his Youtube channel. He often gets demonitized because he tends to swear a lot. So he asks people to "spend a buck, give a fuck" on Patreon, and he does short sponsor midway interludes in his videos. It's always a short clip of himself talking about the product or service in question, and it's always something he uses himself, he won't advertise something he can't vouch for. So you don't get the jarring cuts to some random ad agency's standard BS video that runs on thousands of un-related videos.
That's how to do it. Part of and related to the channel's content, but also clearly demarcated and made fully clear that it is sponsorship/advertising. And most importantly: No tracking!
The malware stuff is a cherry on top, but not the main issue.
However I suspect it would be fiendishly difficult to work out the effect over anything other than the immediate short term (i.e. impression to click to sale).
If anyone knows of some good experimental work on this I'd love to read it.
The other part of that is those kinds of ads (dumb ads as you say) are going to be mostly useful for branding. Which is fine when you are Apple or Coke, but if you're a smaller player, you'd rather make sure your ads only get in front of the right eyeballs.
Ish.
The key problem that made me give in and start blocking is the lack of accountability/responsibility and the fact that one bad player (or hacked player) can affect many sites at once. Too many times I saw drive-by install attempts, camera/mic access attempts, pop-ups/unders, and so forth, on large popular sites via their adverts. imgur.com was one of the worst offenders at the time, and the final straw, but it was far from uncommon elsewhere too. I got tired of the official response being either "yeah, our ad partners had a problem, nothing we could do, it won't happen again, until next time" or simply complete ignorance.
At least with server-side insertion on the site/apps own servers it gives them more control (and forces them to take responsibility). If they serve a malware ridden ad from their own resources then they are responsible, no one else, and had the control to not do it. They are no longer trusting a 3rd party to be safe without having any audit rights to make sure they are. Currently they add JS/iframes/both from the ad provider and have no control over what goes in there. The ad provider is probably a "network" which farms out the content via redirects/other to yet another party, who may include content that they themselves haven't properly checked. There is no practical way to make that safe, but I'm not willing to accept the risk by not blocking the ads. Server-side insertion may be the practical alternative. It doesn't solve all the privacy/tracking issues of course, the site/app can still collect that data and forward it back to the advertiser, but current ad blocking can't stop that anyway and SSAI does take a hit at the malware & UI dark-pattern issues (from their PoV by giving them better control of what their site serves and from our PoV by meaning use of the shitty "it was someone else, our server did nothing" is even less defensible so they have to use that control to be better if they want to be trusted).
Of course there is a problem with this that I'm sure the ad industry will jump on if CSAI becomes problematical: MitM SSAI. The ad network provides a CDN which your viewers connect to instead of you directly and that inserts the advert/tracker/malware/other on the way through. I'll cost them more due to bandwidth requirements, but it would work for sites/apps that aren't massively latency sensitive, and would let them try enforce exclusivity if the method becomes a common one (by refusing to accept or make connections to other MitM SSAI providers they could reduce in-page competition). Though again, to get around SSAI blocking they still have to keep the source close to them, reducing the farming out of responsibility that we currently see.
You're greatly overestimating how much publishers care about security. If they're already willing to embed arbitrary scripts from ad networks (which has full access to the page), why wouldn't they go one step further and proxy it from their servers? It's not like it's giving additional access. I also don't buy the "additional responsibility" aspect. At the end of the day, it's still an ad network, and unless they're manually approving each ad, the risk of malware/scams isn't going to change, and if they happen to display such an ad, they can still deflect blame to the ad network.
https://www.adblockradio.com https://github.com/adblockradio/adblockradio
(Disclaimer: I built this)
That cannot be done reliably without machine learning.
Not that any server owner should do this (giving over control of your website ultimately to the ad-network? fuck that), but as ad-tech becomes more desperate, shouldn't these types of MITM setups get pushed more?
