by

Let’s Turn Off AdBlock.

Watching internet advertising is an experience that is likely to give you seizures: Popups, animated GIFs, auto playing videos and similar abominations all increase the risk of you ending up convulsing on the floor. And while you’re laying on the floor, the ad services are busy stomping on your privacy by tracing your steps around the internet and hustling to fill your computer with viruses and malware by using vulnerabilities in Adobe Flash and your browser.

The solution is an ad blocker, a browser plugin that, as you probably can deduce from its name, blocks ads. I’ve been using AdBlock Plus for a couple of years now, and with the plugin activated, surfing the internet is a much better experience: Safer, more private and much less maddening for your brain. At least as long as you refrain from reading any online comments – but that’s a whole other topic.

While ad blockers are great for those of us who are consuming content on the internet, it’s turning into a major headache for those who are creating the content we consume. According to a recent study by PageFair, ad blocking is estimated to cost publishers nearly $22 billion during 2015 – and that number will only increase as we move forward: In the UK, ad blocking grew by 82% in 12 months up to June 2015. In the US, ad blocking grew by 48% in the same period.

Because of this, content creators are scrambling to find ways to fight ad blocking. Some are moving their content away from the free (as in gratis) internet and putting it behind paywalls. Others are simply refusing to show their content to ad block users. We’re also seeing a rise in the amount of paid content on many sites: The article you’re reading to, say, do a bit of research before you buy a new car, might be heavily biased towards the particular car model the article is about because the it’s paid for by a car manufacturer. The rules and regulations dictating how this kind of content should be tagged and labeled differs around the world and it might not be obvious that what you’re really reading is an ad created by a professional advertisement agency – not an article written by a neutral journalist.

I prefer that the content I read to be as neutral as possible. I’d also like to continue to enjoy a free/gratis internet, without the need to swipe my credit card whenever I type a URL in the address bar. If there was one site that covered all my needs for a particular topic, e.g. news, I’d might consider subscribing to that site. But that is far from ideal: Since I’m paying for a service, it’s likely that I will use that service more often than other, similar services. For news, that means I’ll get most of the stories and insights from one source. News is not something you should get from a single source. The same goes for most information in general. Going back to the new car research example I used earlier, should you do all your research on a single site? Of course not. You should get your information from as many sources a possible.

The content creators arguably brought ad blocking on themselves by disrespecting their user’s online privacy and security, while at the same time continuously trying to fry our eye balls. But ads are still a necessary evil if we want to keep the internet free/gratis. Realizing this, I’ve stopped using ad blockers. Still, I’m browsing just as private and safe as I was with AdBlock Plus turned on.

What about security?

The Adobe Flash browser plugin has long been a favorite among content creators and advertisement agencies. Flash provides a versatile platform for interactive ads, videos and audio, and due to its popularity for browser based games it’s installed on virtually every PC connected to the internet. This has also made Flash a favorite among hackers. Flash has been around for almost as long as the internet, and making the software secure doesn’t seem to have been a priority until recently. Because of this, Flash is a massive security mess and if you follow internet security news, you’ll hear about a new Flash 0-day vulnerability at least once a month: Having Flash installed is like removing all the doors to your house and putting a huge “This Way For Treasure”-sign on your lawn.

The only real defense against hackers using Flash to take control of your computer is to uninstall it. I did that a long time ago. Internet security researchers have been praying for the death of Flash for years and we’re now seeing browser manufactures taking take action against Flash. Insecure versions are quickly being blocked and in some browsers you actively have to click on a Flash object on a page to activate it. This will make Flash a much less interesting way to serve ads and with a little luck it will vanish within a year or two.

As the popularity of Flash is slowly decreasing, advertisers will start to look for new ways to achieve Flash-like advertisements. A likely option is to use JavaScript. Every major browser supports JavaScript and together with the features of CSS3 and browser video support, the agencies can create pretty much the same kind of advertisements they could with Flash. Unfortunately, JavaScript can also be used by hackers to exploit security vulnerabilities in your browser. Because of this, you should only allow JavaScript from sources (i.e. domains) you trust. With an ad blocker, this was handled automatically. But there are other browser plugins that can do this for you. I’m using NoScript. With this plugin, you can white list sites you trust, and only these sites are allowed to run JavaScript in your browser.

Blocking JavaScript is good practice in general, not just to keep yourself protected from malicious ads. Block everything by default, and only white list the domains you trust.

What about privacy?

If you’re familiar with my PRISM Break series of posts, you know that I’m a guy who value my online privacy. It’s not that I have anything to hide, I just prefer my privacy to be honored. With online ads, that’s, more often than not, far from what’s happening.

Most ads are delivered through ad networks, one of the major ones being Google AdSense. AdSense will show you advertisements based on web site content, your geographical location, and other factors. One of the other factors is the sites you’ve visited earlier. How does AdSense have this information? Because you’re being tracked on all sites using AdSense. AdSense is not the only advertisement network that work this way – they all do. And many sites doesn’t rely on only one advertisement network to cover their needs. This means that you’re continuously being tracked by numerous advertisement networks when you surf the internet.

The good news is that most of this advanced tracking is done with JavaScript. This means that using a plugin like NoScript will prevent most of the advertisement agencies from blocking you.

For the rest, there is the EFF‘s brilliant Privacy Badger. Privacy Badger is a browser add-on that stops advertisers and other third-party trackers from secretly tracking where you go and what pages you look at on the web. It’s different from, say, AdBlock Plus in the way that it learns as you browse. If, as you browse the web, the same source seems to be tracking your browser across different websites, then Privacy Badger will block that source. This prevents the advertisement networks from tracking you across multiple sites.

So how is this different than running ad blockers?

The big different us that I give the content creators an option. With ad blockers, I blocked every single ad. Period. Now the content creators have the option show me non-intrusive, safe advertisements: A simple image with a link to whatever product or service is being advertised. This is how things were back in the days, when the internet was young and the internet ad was born. Since I can’t be tracked and profiled, I will not be the most lucrative visitor – targeted advertising is not possible, and I’m not as valuable to advertisers.

But at least I’m not just a leech.

Write a Comment

Comment

CAPTCHA ImageChange Image

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  1. HTML5 is the new flash, uses more memory and is virtually unblockable unless you like reading blank web pages. How would a zero day Flash exploit be delivered? The hacker would have to hack every website you visit to ensure that you get it.

    • Is HTML5 technologies really using more memory and resources than Flash? I’d be interested in seeing some sort of comparison if you have any. JavaScript is an important part of the HTML5 stack, so blocking it isn’t really that hard: NoScript or native JS blocking will suffice.

      Zero day Flash exploits are relatively easily used by creating bogus ads containing the exploits and then distribution the ads through commercial ad networks. There’s no need to hack anything.

      • on windows flash has always been hardware accelerated. Hence purpose built for video. HTML5 is basically a clusterfuck sandbox of tech thats trying to catch up to stuff that we could do in flash 10 years ago. I’ve started seeing web pages with loading screens and I’m like wtf? is this 2002? Every time I load up a youtube video and try to skip back to a point I recently watched it starts loading again. Promises really, but yeah flash sucks on a mac because steve jobs never really wanted anybody to tap into his monopoly.

  2. I consider whitelisting ONLY when ALL of the following are true:

    * ad is static
    * ad is not active content
    * ad is FIRST party hosted

    The third party ad networks facilitate Privacy Rape as the income source. This is entirely unacceptable.

  3. I also hack all mobile apps offered as free to remove the malware (adware) to render them actually free.

    Mobile markets need three app categories:

    * without any cost(s)
    * malware
    * paid