It’s Not The Ad Blockers That Are The Root Of All Evil

malwareImage yourself walking into a store at a mall. It’s one of the few stores that sells what you like (but not the only one, of course). The contents of the store are limited, but interesting. You decide to have a good, long look around… but before you even reach the first shelves, someone starts tugging at your sleeve, and before you’ve even half turned around to see what’s going on, the sleeve-tugger starts yelling at you about these amazing deals he has in stock for you. By golly, you’re the one-millionth person to walk into this store, and there’s a special prize, just for you, just for that!

While he’s distracting you with his product-pushing antics, someone hidden behind him reaches out and steals your wallet, copies the numbers and security-codes from your credit cards, then stealthily places the wallet back in your pocket, with a dash of anthrax powder added for good measure.

You wave off the sleeve-tugging screamer, and go on to peruse the store’s actual contents, mildly wondering if you might be coming down with something.

By the time you get home you’re too sick to even wonder why a store-owner would allow such practices to take place in his property…

After a lot of medical attention (and learning first-hand that such a near-death experience sure does leave its marks), you find that the store’s actual contents are too interesting to just pass by… but you sure as hell ain’t gonna get caught off-guard like that ever again.

So the next time you walk into that store, you wear a sleeveless shirt and some industrial-grade earplugs, and your wallet has been secured to your person in a locked pouch neatly tucked away under your shirt.

And then, while you’re browsing through all the interesting stuff, someone starts yelling at you through the store’s PA system about you needing to stop stealing his revenue, because the sleeve-tugging guy complained about not having been able to get through to you with either tugging or yelling.

And that, my friend the website owner, is the experience people have when visiting your website during the transition process going from “normal visitor” to “ad-blocking asshole”.

But who, in this scenario, is the actual asshole?

That, my friend the website owner, would, undeniably, be you.

Let me explain to you why you are the asshole.

See, the problem is not that we refuse you the right to make some money. It’s a free world (well, for most a lot a fair few of us, anyway) after all.

Fact of the matter is that you refuse to see the ad-blocking business as anything but a fight between yourself and the low-life scum that is ad-blocking revenue thieves.

In reality, there’s more than two sides to this story… and the problem lies in your failure to realize this. The analogy I started this story with is apt, much more so than the one pulled out by ad-pushing website hosts around the world, which goes something like this:

  • Store owner: Hey, thieving visitor, why are you eating this product without paying for it?
  • Visitor: Because I hate your ads, so nyaaaaah!

The thing is, though… that’s really not how it works. If I (speaking for myself, not the 6.999.999.998 other people in this world) object to a store’s practices, and I have alternatives, I will simply not visit the store. And I sure as shit don’t go around stealing physical properties from said stores because I don’t like how they do business. It would make me as bad as (or worse than) them.

As a website visitor, it’s not my evil masterplan to make sure you end up in the poorhouse. My plan is to read contents that have raised my interest, preferably without having my computer come down with the internet-equivalent of an STD, or, worse yet, my identity or financial data stolen… or held ransom by the Russian Mafia

But but but, you stammer, I don’t do that sorta stuff!

And my answer to that is: yes you do. And before you can even start to ask me how, I will tell you that it is because you open the floodgates to my system by letting in ad-networks through some innocent-looking script on your website, without verifying that they do 100% vetting on all the ads they stream through.

But but but, you stammer, how can anyone do 100% vetting?

To which my answer is: nobody can, and that is why I use AdBlock+ and NoScript.

As I mentioned, there’s more to this than your (most definitely not god-given) right to make money and my cunning plan to disallow this (which really isn’t my plan).

What we have here is failure to comprehend the intricacies and hidden trapdoors of ad-revenue networks.

See, you think you’re just “placing an ad to make some money”.

And the ad-publisher makes some money by letting an advertiser place their contents.

And the advertiser makes some money when people see or click the ad.

Right?

Right, I guess. But unfortunately, somewhere along that stream, anything can happen:

Like the attacks spotted last week on Yahoo! sites, the malicious ads silently load, through a chain of web redirects, script code that attempts to exploit software vulnerabilities in the visiting PC to install either an adware package or the CryptoWall ransomware.

(From The Register: You’ve been Drudged! Malware-squirting ads appear on websites with 100+ million visitors)

Emphasis and underlining in the above quotation are mine.

Of course, I could install some good malware blocking software on my system.

And of course, I could also include some antivirus software.

Neither of which, by the way, are capable of detecting and protecting me from zero-day exploits, but that’s not the issue here… the issue is actually twofold:

  1. I should not have to protect myself to insane degrees just to read an article on a legitimate, legal website, but, much more importantly:
  2. The responsibility to protect my system from bad actors on a self-proclaimed legitimate website should not lie with me in the first place.

So here’s the short and sweet:

  • YOU publish content for me to see;
  • YOU want to use ad-publishers to make an easy buck;
  • Then YOU have the responsibility to make sure that whatever is advertised on YOUR website does not cause my computer harm.
  • And when YOU can guarantee, 100%, in writing, on a disclosure on your website, that the ads placed on YOUR website are malware– and exploit-free, then I will whitelist your site, so that your revenue-stream isn’t interrupted any longer.

So, my friend the website owner, are you willing to put up a disclosure/guarantee like that on your website? No ifs, and or buts allowed – just a solid guarantee that the ads on your site will not cause my system to be exploited or hijacked, and the promise that you will take due responsibility if that promise is breached.

My disclosure is at the bottom of this article, by the way.

And if you insist that you cannot make such a promise, then you need to find a way to ensure that you can.

You do not get to blame the people simply protecting themselves from whatever the internet throws at them, and not come up with a feasible solution to the problem, without proving beyond a doubt that you are the asshole in this story.

You are the publisher. You are the one who decides who gets to advertise with you, and how this is done. And if the advertiser does not want to be held accountable,  tell ’em you’ll be taking your business elsewhere.

Someone, somewhere, has to start taking some responsibility for the cluttered mess that is online advertising. If not you, who else?

Some more food for thought on the subject:

Susiso.nl advertising disclosure:

Susiso.nl does not make use of advertisements, because its owner has a full-time job and pays for the hosting and bandwidth out of his own pocket. Susiso.nl keeps track of available security-updates for its publishing platform, and performs said updates whenever available. Should advertising ever become necessary, than susiso.nl’s owner will make sure the advertiser is reliable and trustworthy, and will actively ensure that no malicious scripts will be executed through the advertisement system.