Are Ad Blockers Malicious?

Ad Blockers, such as AdBlock Plus, provide an important service to users who find web ads annoying, creepy and sometimes even dangerous. In recent years, how ever, the business models adopted by some blockers present us with a moral dilemma. Recorded LIVE in Black Hat 2019.

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 12 million downloads as of Oct. 2018.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Are Ad Blockers Malicious?

Today’s episode is going to be about ad blockers, and some of you might be wondering – ad blockers? In a podcast about malware? Surely ad blockers are not malware? In fact, this was Eliad’s reaction – he’s the show’s producer – when I first brought up the topic.

As many of you know, here at Malicious Life we bring you stories: interesting stories about hacks and malware and data breaches and whatnot. Even though the stories we bring often deal with cutting edge technology and sophisticated malware, they also tend to follow the ancient paradigm that storytellers have obeyed for thousands of years: there are the good guys, and there are the bad guys, there’s an epic conflict, and maybe the good guys win. Good vs. Bad, the basic ingredient of every great story.

Today, however, we’re about Ad blocking, and as you will soon see – ad blocking is somewhat of a gray zone. Sometimes the line between malware and a legitimate, even helpful ad blocker, can get very blurry, and it’s not so easy to tell who’s a superhero and who’s a villain, who’s a good guy and who’s bad.

AdBlock

Our story begins with a Firefox extension named AdBlock that, as its name implies, blocked ads on websites. It was created in 2002 by a Danish student by the name of Henrik Aasted, who wanted to explore the newly added user-created extensions interface in FireFox.
Compared to today, web ads were pretty innocent back in 2002: most were static banner ads, without the annoying animations, pop-ups and creepy tracking tactics that modern ads employ.
Even so, these ads were annoying enough that plenty of users installed Adblock, and the extension became a hit.

But as popular as it was, AdBlock had two major flaws. The first was that although it hid ads from the user, it still downloaded them to the computer. This was an obvious waste of bandwidth, and not an insignificant one: it’s estimated ads constitute roughly a quarter of the data downloaded in a normal browsing session, so avoiding downloading them in the first place saves data and speeds up browsing considerably.

The second flaw was that the user was expected to block ads manually – that is, mark specific domains where he or she wanted ads blocked. This gave the users fine grained control over the software, but it was also tiresome, and it took some time until the program actually began doing what it was supposed to do.

Wladimir Palant is a German developer who in 2003 was one of AdBlock’s early users. He loved the software but, being a developer, he also noticed these flaws and had an idea of how to fix them. He wrote to Henrik, and was surprised to discover that Henrik, now a full time developer and with much less free time on his hands, decided to transfer the ownership of the project to a developer called Rue. Palant tried to convince Rue to implement his idea, and even re-wrote the original Adblock software, but the two developers did not see eye to eye. Eventually, Palant decided to publish his version of Adblock under a new name: AdBlock Plus. AdBlock Plus blocked ads before they were to be downloaded, and used pre-configured filters and blacklists so that it worked right out of the box, with no manual configuration by the user.

Adblock Plus turned out to be a great software, much better than the original. In 2006, a mere ten months after it was released, AdBlock Plus became the most popular FireFox extension, and PC World magazine named it one of the best 100 software products of 2007.

A Serious Topic of Discussion

But AdBlock Pro’s success came with a price. Up until then, AdBlock was used by a relatively small percentage of internet users, and so publishers and advertisers didn’t pay them much attention. AdBlock Pro’s success meant that, for the first time, ad blocking in general was starting to be a serious topic of discussion. Many web publishers condemned ad blocking and pleaded with their readers to consider the ramifications of using AdBlock Pro. For example, Ken Fisher, founder and editor of the popular tech website Ars Technica, wrote an emotional editorial in which he said that ad blocking is devastating to websites. Ironically, those who are hurt the most are technology and gaming publications such as Ars Technica and Destructoid, whose readers tend to be more tech savvy. Half of Destructoid’s visitors blocked the ads on the website, threatening the very existence of the business.

Ken’s arguments can’t be ignored. He’s right: there’s little doubt that ad blocking hurts the online publishing industry. However, as Wladimir Palant and many others argued, obnoxious and annoying ads hurt users. As we noted earlier, the sheer number of ads in a typical website slow down browsing and waste bandwidth. Unnecessary scripts drain devices batteries, and constant tracking threatens privacy. Ads are a security threat as well: since most are served via third parties and not by the site owners themselves, they are sometimes used to serve malicious code to unsuspecting visitors. One can argue that consumers have a right to filter out annoying ads, and ad blockers are just tools that enable them to exercise that right.

However, there was a problem with this last argument, specifically with AdBlock Plus, that could not be so easily tossed aside. There’s little doubt that users have the right to block annoying ads, but by implementing built-in filters and blacklists, one can argue that Palant took the decision making power away from users. Palant was now deciding which ads were sufficiently annoying, not the users themselves. Is that still moral? What right did Palant have to decide, on behalf of millions of users, which websites would be hurt by ad blocking and which would be spared? Who made him the cop of the internet? Who shall live and who shall die? Who by fire and who by water?

This power that Palant held made many publishers very, very angry. So angry, in fact, that one of them even went as far as threatening to block all Firefox users from browsing his website, since AdBlock Plus was a Firefox extension.
Palant held his ground. For him, AdBlock Plus was part of a bigger vision: of making the web a better place. In fact, he stated so explicitly: “We want to make the Internet better for everyone,” he said, “purging bad ads is a good start.” And hurting some publishers in the process was a kind of ‘necessary evil’. In fact, these threats did him a great service: major publications such as the New York Times picked up his story, and Adblock Plus’ popularity skyrocketed to tens of millions of users by 2009.

So, in this present point in our story, we still have a relatively clear idea of who the good guys are and who the bad guys are. AdBlock Plus obviously hurts some publishers financially, but it was all for the better good: trying to goad publishers into showing better ads to their users. But things were about to change.

“Acceptable Ads”

As AdBlock Plus became more and more popular, Wladimir Palant realized that he was rapidly becoming a fat target for lawsuits from corporations whose revenues he was hurting. He also knew that when the first such lawsuit hit, it would mark the end of his life’s project: AdBlock Plus wasn’t making any money whatsoever, so Palant was in no shape to fight such a lawsuit in court.

And there was one more problem. By 2010, Palant was a married man with a full time job, and it became obvious that he no longer had the time to maintain his AdBlock Plus hobby. Major releases of the software became less and less frequent, and he needed to find a way to make AdBlock Plus his full time job. That, or the project would come to an end.

Luckily for Palant, a supportive businessman helped him raise enough money for two years of working full time on Adblock Plus. In 2011, Palant and another businessman created a company called Eyeo, and hired two more engineers to help develop the software further.
This made Palant’s day-to-day life a bit easier, but also made his financial problem more urgent, because a commercial business needs to have a business model if it wants to survive. Palant had to find a way to make money from blocking ads.

And so he and his partner came up with an idea: “Acceptable Ads”. AdBlock Plus would no longer block all ads by default, but would allow some ads to pass through and be displayed. Which ads were to be blocked, and which displayed? There were two criteria. First: only non-intrusive, respectful ads, which don’t hurt the user’s browsing experience. Second, and definitely more problematic: ads from advertisers that paid Eyeo would be allowed through, no matter what.

This changed everything.

Some in AdBlock Plus’ user community were enraged by this new move. Eyeo’s blog was flooded with comments like: “Good to know you can be bought”, “So are you going to rename the project ‘AdBlock Sometimes’ or ‘AdBlock Minus’”? and “Thanks for selling out.”

Really, this response was to be expected. Palant argued that not all ads are bad, but for some users all ads are bad, and so allowing some ads through – even those which are respectful and non-intrusive – was a deal breaker.

“An extortion-based business”

The real fury, however, came from the publishers and advertisers. Naturally, even before the introduction of Acceptable Ads, there was no love lost between AdBlock Plus and the people who rely on advertising to pay their salaries. But Acceptable Ads turned this dislike into full-blown hatred; the kind of anger and outrage rarely seen in business rivalries. For example, when Eyeo’s CEO and the CEO of Interactive Advertising Bureau, an online advertising company, were invited to participate in a public panel, the advertising company’s CEO refused to be on stage with Eyeo’s CEO, and even refused to shake his hand. When it first went public with the Acceptable Ads plan, Eyeo was served with six simultaneous lawsuits from publishers and advertisers in Germany, lawsuits it eventually won.

On the surface, Eyeo’s decision to display some ads seems to be for the benefit of publishers. So what made them so angry?

This is what Interactive Advertising Bureau’s CEO said on stage in the said event: “I have no argument against anybody using ad blockers because there is a kernel of right when it comes to the impedance of user experience, [but] this is an extortion-based business.”

That is the crux of the matter: extortion.

Imagine there’s a road in your neighborhood with a speed limit of 10mph, and a police officer who enforces this speed limit. 10mph is slow and annoying and you’d much rather driver faster and get home earlier. But a law is a law, and a speed limit is ultimately for the greater good.

But then the cop announces that if you pay him $10, you can drive faster–say, 30mph. And now you’re thinking: wait a minute! Didn’t we just say that driving fast is dangerous? Isn’t it why all of us were made to drive slowly? Why does paying $10 suddenly make it okay to drive faster?

It makes you think, doesn’t it? Hearing this scenario playing out the way I just described it to you, it’s quite obvious that this is a sort of extortion: if you want to get home early, if you want to display ads to users, you have to pay the cop. And it’s the very fact that this is a cop – someone who presents themselves as being on the side of law, order and justice – which makes this whole thing so enraging in the first place. I mean, Lex Luther is a villain, so it stands to reason that he’ll do villainous things. But if it’s Superman doing the extortion…well that changes things completely, doesn’t it?

Reading about Acceptable Ads even made me think about my position as a publisher in the podcasting world. As some of you know, I own a podcast network, which utilizes ads in podcasts as a revenue source. What would happen if Spotify, for example, were to implement a feature in their app that cuts out the ads in my podcasts? And then, if they had the nerve to offer me the option of playing my ads, but only if I pay them? I’ll tell you what would happen: I’d hate their guts, that’s what would happen. I’d never stop telling anyone who would be willing to listen how awful and crooked company they are. I’d be mad.

And so the publishers and advertisers were mad about Palant and AdBlock Plus, but there was almost nothing they could do about it, because AdBlock Plus – and ad blockers in general – were in a very powerful position. In essence, they had complete control over what content the user gets to see in their browser. They were so powerful, in fact, that even Google and Amazon – two giants of the internet – had no choice but to pay Eyeo. And pay they did: tens of millions of dollars each year.

“It’s Hard Not To Sell Out”

Some publishers restrict access to their content for users of ad blockers, but this strategy is rarely successful: more often than not, many viewers move on to the next site, rather than disable their ad blocker. AdBlock Plus’ position as a trusted middleman in the browser made for a very simple equation: either you pay them, or you’re out of the game.

Palant and Eyeo have tried to prove to the public that they are not misusing this enormous power. For example, Eyeo only charges money from bit advertisers: those with 10 million or more ad impressions per month. Smaller advertisers get the licence for free – assuming, of course, that their ads pass the Acceptable Ads criteria for non-intrusive advertising. This criteria is decided by an independent committee erected by Eyeo in 2017. But when you realize what power Eyeo have, it’s easy to be suspicious of every action that it takes. As Palant himself wrote that, “Given the market value of the position [Eyeo is in], it’s hard not to sell out.”

These days we’re left with a much more complicated situation. As I said in the beginning of the episode: most of the time, in cyber security, we have a very clear notion of what malware is, and who the bad guys are. If, for example, AdBlock Pro would have changed the browser’s default search engine and homepage, as some malicious extensions do, without the user’s consent – we would obviously consider it malware, because that counts as hurting the user. Here we have a software that not only does not hurt the user, it even provides them with a better browsing experience. Viewed from a different angle – that of the publishers and advertisers – it is quite possibly a malware: its business is founded in a tactic that resembles extortion.

Wladimir Palant vows to keep his company, Eyeo, deeply on the side of the good guys. He speaks about the company’s culture as being based on transparency, open discussion between employees and management, and valuing the user’s interests over profit. In 2018, however, he quit his title as CTO of Eyeo, and went back to being a “regular” developer. How long will his position and influence as the “moral compass” of the company last? Who knows?

Online publishers, meanwhile, are struggling with their ad-based business models, without any viable alternatives. Subscription-based models, for example, are only good for sites with many thousands of visitors–insufficient for smaller publishers.
One possible solution is what’s known as “Native Advertising”, where editorial and advertising content are mixed together: for example, paid-for blog posts that are mostly indistinguishable from original, not paid-for content. Ad blockers will not be able to block these ads – but Native Advertising is a slippery slope for publishers, as it tends to erode audience trust.

Epilogue

So, to conclude our story, we saw that ad blockers were born as a tool to improve the user’s browsing experience, even as part of an ideal better web. But as ab blocker became more successful, and big money started to be involved – ad blockers changed, and not for the good.

And so, with every passing year, the waters of the online advertising and ad-blocking industries only get murkier and murkier. It’s getting harder and harder to tell the difference between honest developers who want to make the web a better place for all of us, and nefarious businessmen who opt to exploit website owners and advertisers to steal their hard-earned money. Harder to tell the difference between noble motives and business needs. Harder to tell the difference between heroes and villains…

X

Want to hear our bonus episode?