As a mid-sized US manufacturer that recently went through a ransomware scare, we contracted with FireEye for remediation and cybersecurity consultation. I was shocked that they recommended we install ad-blockers as a corporate policy. I remarked ads are sometimes useful and that many local companies rely upon them (e.g., the local newspaper). I use an adblocker just to make the internet more useable, but I was reluctant to make that a corporate policy. I couldn't imagine there was any meaningful threat from malware in ads as every company from the Journal to the Times to Nordstrom would be screwed without ads. But FireEye insisted and we now have adblocking installed with the usual image. Wild times. I have to believe this is truly disruptive to the internet as we know it. It seems to me the ad providers would have a huge incentive to counter this narrative and to make damned sure ads are safe. I have no idea why that's not happening.
> as every company from the Journal to the Times to Nordstrom would be screwed without ads.
The ad industry had the opportunity and the ability to address this problem, but (for short-term reasons) they decided not to. This is the long-term result. They did this to themselves, and now they deserve to suffer the consequences, up to and including a fiery death for the industry as a whole.
Nordstrom, etc. don't need to suffer as a result of this, they can simply observe the online ad industry and make a decision about when to stop using it -- perhaps in favor of something new and different, or perhaps not. Print ads still work just fine.
The Times, etc. charge for access, are happy to sign you up via web form, but then force you to call them if you want to cancel. As far as I'm concerned, they shouldn't be running online ads at all anymore. If ad blocking becoming prevalent hurts them, too fucking bad.
Wasn't there some regular company who decided to delete all adsense/ad networks from their sites for a quarter and at the end of the quarter found no difference in ordering/sales, etc.
> Wasn't there some regular company who decided to delete all adsense/ad networks from their sites for a quarter and at the end of the quarter found no difference in ordering/sales, etc.
> Online ads is snakeoil
No doubt in my mind. I helped start a webshop in 2009 and got to see it first hand:
We used a service called Kelkoo and according to their dashboard almost every customer we had came through them.
We were suspicious so we cut them out for a couple of weeks.
Turned out sales hardly dropped at all.
We had good luck with Google ads back then but I don't for a second think Google doesn't happily fleece advertisers:
As I've said a number of times before I have been targeted for scammy dating site ads for a decade, more specifically from around the time I started dating my wife and until our youngest was about a year old.
Google knows fairly well I'm a conservative Christian who has had no problem getting a date the usual way, but has had no issues showing me these ads, probably because they pay most pr impression.
This was back when I felt I owed site owners to not enable adblock all the time so I tried a number of times to report the ads as irrelevant. Problem is, when I reported Polish girls as irrelevant, the next ads was for Ukrainian girls, then Thai girls, Chinese girls, Taiwanese girls, Filipino girls and I don't know what else until it went full circle and started on Polish girls again.
Not a bad word about people from those countries, but I was already married and Google know very well since I look for family
holidays, toys and food ideas for families with kids.
Point is it seems that relevancy doesn't count anything now that advertisers pay for impressions instead of clicks.
>Google knows fairly well I'm a conservative Christian who has had no problem getting a date the usual way...
>...I was already married and Google know very well since I look for family holidays, toys and food ideas for families with kids.
It's interesting you describe Google as "knowing" information about you. Google may have the data, but a human did not read it to develop some understanding of who you are as person. They just ran it through some software based on the targeting criteria they have.
I would guess that advertisers didn't set their ads to exclude married men who are Christian with children, just because that's a very specific profile to care about--they might just set it to target men of any age and be done with it. Or it's possible that married, Christian men with children are one of the most profitable targets for scammy dating sites, and either the site creator or the targeting software are going after them specifically.
Or it's possible someone else in his close circle was using a computer on his network that was looking for things that would trigger those types of ads. Cable DSL routers usually only have 1 dynamic IP.
It's just as likely that nobody was bidding for his target demographic, so the bottom feeding dating sites that take the cheapest of the cheap ad slots bought the top 20% of his screen for millipenny CPCs.
I have given it a thought, but it doesn't make sense to me:
Nobody wanted to target a well paid dev with small kids and holiday plans except the cheapest of the cheap?
The explanations I find more likely is either
- my account got grouped up with a demographic 14 years ago when I worked in an environment that certainly did have those kinds of signals and that signal was too strong.
- scammy dating sites like expensive credit cards pay extremely well and Googled fudged their data to make me fit the criteria.
Lived with my wife and 5 kids, not many visitors, protected metwork. This went on for a decade even despite me trying to trigger other alternatives (search for WordPress hosting).
Thats part of the snake oil. The dating site spent X dollars on ads and the expect people to see them no matter what. Google wants to pretend they have something better than simple TV/Radio mass advertisement campaigns but they don't.
The idea of targeted/effective/meaningful ads and taking as much as you can in advertising dollars from a customer are fundamentally at odds with each other.
I convinced my company with some custom dashboards I made to show with some adjustable slider reports (first react project I think i did) that even with favorable metrics the cost/value ratio just wasn't there. They ended up stopping the spending and of course no change in sales. Saved the company a couple million a year.
Even better than this, large sites have found they actually made more from non-targeted ads [1]. Same for the NYT - revenue continued growing after turning off ad exchanges for European visitors [2].
There's also the question around whether the levels of fraud mean companies buying targeted ads are ever getting what they paid for [3] - Uber cut $120m of $150m ad spend without any impact on installs (which is what they were trying to drive)
It was Uber in it's early days. I recall a blog post from their chief marketing officer(?) at the time.
The gist of it was - they accidentally disabled digital advertising for a few months and found that disabling it had no effect on the metrics they were tracking.
I’d imagine results like yours would vary wildly industry to industry.
For example, any old-people products would greatly benefit from the typical inability of the old to install ad-blockers in the first place (nothing against the old, of course).
I wouldn't be surprised if over the time span of a decade, companies which invested significantly into online ads would have gone out of business entirely, and those that didn't even use online ads would still be around.
As a conjecture, it's possible that online ads is anti-commerce - as in those who put money into it die. Over the last 10 years, it's very obvious that internet focused non-tech companies do very poorly in the long run.
> The Times, etc. charge for access, are happy to sign you up via web form, but then force you to call them if you want to cancel.
Check your state and local laws. It is illegal in California. If they have the means to provide signing up for service via online, they are required to provides the same way for cancellation under California law.
Change your address to California and you should see a section to cancel your subscription.
Advertising is a gross inefficiency on the economy. To achieve market balance you need to make sure consumers are aware of your product - back in the day this was rather difficult since there was no central repository of all knowledge. Now that we've got the internet though... this is unnecessary to achieve a healthy level of company growth.
However, if you want to cannibalize an industry's profit margins to squeeze in front of your competitors advertising in many forms will remain productive. I think we almost need a cartel-like system that says "Okay video card manufactures - enough with the advertising... nobody impulse buys video cards so each sale you gain through advertising is just coming from one of the other company's pockets (or your own)."
If we actually had powerful consumer-laborers (imagine if employers applied to you! Or there was an central labor marketplace and the market cleared! What a foreign world.) companies would have no money left over for ads as they were too busy competing on product quality with low margins.
I'm pretty convinced the marginal value of ads to most companies is shit, but this is a rat race that chronic low aggregate demand has forced them to partake in.
As someone who worked on/with the ad serving stack, I agree with FireEye's stance on this one.
The problem is this: ads are basically browser-injection-as-a-service, as in injecting code into websites of your choice, targeting audiences of your choice. Browsers mitigate this problem somewhat by sandboxing cross-site stuff in the webpage, and ad networks theoretically scan the payloads for malware like miners, but those tests aren't hard to work around. So ads can basically run whatever they want within the little aperture of an iframe that they get.
If there's a zero-day like the Internet Explorer JPEG renderer zero-day (https://www.kb.cert.org/vuls/id/965206), then the ad networks are basically broadly targeted zero-day-as-a-service.
Ad blockers aren't a bad first line of defense for this.
>It seems to me the ad providers would have a huge incentive to counter this narrative and to make damned sure ads are safe. I have no idea why that's not happening.
In the current model they have last second auctions with the ad going to the highest bidder. It's hard to reliably screen them in that kind of situation. I find it quite scary to have someone not very tech smart download software without an ad blocker - you get one proper download link and about 10 ads saying download here linking to malware.
> I find it quite scary to have someone not very tech smart download software without an ad blocker - you get one proper download link and about 10 ads saying download here linking to malware.
Non-tech smart users? It's hard enough on some sites that your average cybersecurity researcher with a decade of experience is going to have a hard time!
FWIW after Sourceforge was sold around 2016 does not have malware anymore and they added scanning to downloads. Also they do not show any ads if you are logged in (though i do not know if this was done before or after the sale).
Good! Unfortunately for them, the world moved on, negative reputations are hard to shake, and they missed the ball WRT keeping up with the status quo of open source community repos.
The last piece of software I occasionally visited sourceforge to get was WinScp, and actual SSH on windows means I no longer need to do that (I was only ever using because it was the easiest way to do it given no CLI option). 15-20 years ago quite a bit was on there though. It was the proto GitHub which wasn't in any position to respond when GitHub came to prominence.
I don't see why it's hard. You screen admission of an ad to the auction "floor". Shady javascript/links? You don't get to compete.
Admittedly, this means you need an army of ad moderators, but that's not a hard problem. Social media giants already use an army of underpaid moderators for moderating their platforms, so seems like it's just table stakes for running a platform. Screening ads should be a cakewalk compared to moderating social media.
That's not how it works. It's hierarchical. Someone with an ad to show doesn't send the ad to the web site that wants to show the ad. Instead it just tells that web site "I'll pay $.005 if you show my ad", then if it wins it serves the ad it wants to show. There's no time at that realtime auction to do analysis. The ad doesn't even need to exist as a fixed thing. It can be dynamically generated tailored to the specific user (think of "Come back and shop with us" ads where they show you things you've looked at).
There is a lot more middlemen involved... and at any point they could make a rule that you can only use a certain set of HTML tags and image formats for your ads (none of which include scripts of course).
That would prevent not only most exploits (especially once you re-encode the images), but also simple badly written ads that drive up CPU usage. But it's easier, and allows more middlemen, to simply allow the next party to hand you arbitrary code that may or may not be put into an iframe that may or may not be sandboxed.
> Someone with an ad to show doesn't send the ad to the web site that wants to show the ad
In fact, they do. Creative review is part of most ad platforms. Contextual categorization isn't possible without knowing what the ad is about (and the content it's going to), to various degree.
In a perfect world yes and any good IT department will lock down systems appropriately. But every sufficiently sized org, and many small ones will have shadow IT. There is also the issue of much of the ware pushed through these channels actively tries to circumvent controls. Its not uncommon to find hapless users with adware on their system that managed to get around UAC and group policy. You can always lock down more but security has to be balanced with productivity and user education will always be an important part.
The ad industry has known about their fraud problem for years, at least since 2015--and they did little to nothing about it. I don't have much sympathy for them.
If the threat you're seeking to mitigate is malicious ads ("malvertisements,") then you could easily pass that burden to the ad networks themselves. I think it's extraordinarily rare for a website to sell "banner space" instead of just throwing in an AdSense snippet or similar.
"They don't have sarcasm on Betelgeuse, and Ford Prefect often failed to notice it unless he was concentrating."
-- Douglas Adams
It turns out that sarcasm is sometimes not obvious to everyone. My apologies.
You are correct. They cannot be trusted. The entire history of advertising and advertisers is evidence that they cannot be trusted. They cannot be trusted to self-regulate, to follow voluntary codes, or even to form an industry regulating body (sorry, UK, you know it's true).
And yes, Google is an advertising agency... which spends up to $20MM a year on federal lobbying.
> I was shocked that they recommended we install ad-blockers as a corporate policy.
It's solid policy. The problem with ads in this regard is really that they allow random strangers to run code on your machine. That's never a good security practice.
Imagine I only visit websites like the New York Times.
If an evildoer with a browser 0-day wants to target me, without an ad blocker any of a thousand companies can pay a few cents to have their javascript served to me. If I run an adblocker, there are a lot fewer ways to get their code in front of me.
A statistical argument, in other words - that being exposed to code from 10 vendors is safer than being exposed to code from 1000 vendors.
Yes, it is. Which is a pretty large problem, and is why I don't allow JS to execute by default. I do whitelist specific things if the need is great enough.
Do you supposed it is possibly more true for ads? There's "well, technically, yes" and then there's "which is the more realistic threat, an ad network or the JavaScript that the NYT serves up?"
My Grandma has DNS level ad blocking enabled. Why? Because her ISP home page (her 20 year strong default as well as login for email/etc) used run ads when a page was left open for a while. She'd unlock her laptop to find full on porn ads running full screen with no way to click away without quitting the browser.
So now she runs ad blockers galore and pihole across all devices. So far no porn ads in her email.
And no I did not ask if any of her browsing behavior would lead to such ads. She's a tiny old blonde Christian lady that...wait also a church donation site gave her porn ads too. Maybe I should avoid checking her history.
So yes, do enforce ad blocking on your network, if able. It will save a few calls and probably embarrassment as well.
I laughed so hard when I read this post. And I assume it is all true. What a sad state of affairs! I can only imagine the amount of spam calls she gets to her phone.
I tried turning off my Adblocker in 2012 to better support newspapers and whatnot. One of the sites I visit regularly immediately loaded something that my antivirus quarantined.
Go to edge or chrome without an ad blocker and do a search for software or something. You will get adware, malware, and outright wrong suggestions for the first ten results. Google AdWords does not directly host malware typically, but the sites behind them do. Fishing is trivial to pull off. I believe, as a matter of actual national security, online advertising that is deceptive or leads to deceptive locations should be illigal. I want to see heads roll when I get fake "download" buttons when trying to actually download an image for work.
I couldn't imagine there was any meaningful threat from malware in ads as every company from the Journal to the Times to Nordstrom would be screwed without ads.
It's almost always not the big sites that have malware in their ads, but the shadier parts of the Internet --- which people may inevitably need to visit at some point, even deliberately.
I wouldn't be surprised if they started recommending you whitelist JS next. That would be really "disruptive to the internet as we know it" --- and might actually make things better overall, as in returning to static text/image ads and pressuring sites that have no business being a SPA to go back to static content. Of course, I suspect the huge company whose name begins with G would not like that at all and will try its hardest to fight against it.
Having client installed malware detection would be the step after blocking ads. Whitelisting JS would make 90% of the contemporary Internet, including essentials like Gmail and Office365, unusable.
It wouldn’t make Gmail and Office365 unusable because they would be whitelisted. Nothing on the top-20 list you can come up with would be affected because those things you can think of from the top of your head would be things IT would also think of from the top of their head and whitelist it. The long-tail of sites is where the real impact would be in my opinion.
I do this -- I use uMatrix and effectively whitelist js. The net result is that you realise how a) websites work, b) fecking annoying cloudfront and gCaptcha are z and c) Facebook is everywhere.
No way in hell I'd recommend this to anyone who isn't tech aware though.
Plenty of organizations run local DNS servers, you'd think it wouldn't be a big stretch to start adblocking at that layer (though doing it on the client does allow for more fine tuning).
> I have to believe this is truly disruptive to the internet as we know it.
Maybe so. And maybe I'm all right with that. The ad-supported internet has turned into the ad-on-every-square-inch internet. We get lots of great content for free, but the amount of ads are overwhelming, distracting, annoying, and eventually disgusting. (Not necessarily the content of the ads, just the volume.)
Back to security: We have come to the place where really interesting content that asks you to turn off your ad blocker is now a phishing vector.
True! But I also feel like local newspapers would be more likely to put the word 'ad' in the name of their advertising jpegs, in which case adblockers would still pick them up.
Why can't the site just show ads directly from their domain? It'd be hard to block ads without blocking content then.
Many websites used to just run ads that were directly negotiated and paid for by the company. eg: Plenty of Fish used to do that and they sold for $575M .
You can add the local newspaper to the adblocker whitelist, if it uses standalone ads like distrowatch, instead of an ad network. But keep scripts disabled there.
> It seems to me the ad providers would have a huge incentive to counter this narrative and to make damned sure ads are safe.
Ad providers? You mean Google which provides the majority of the ads. I’m really surprised Google hasn’t done more here when major security companies are recommending denying Google their primary source of revenue.
I have used Google Ads, and think the ads themselves are quite secure; I am less certain about the advertiser websites (though it seems Google does some sort of link-testing/screening). What are you suggesting Google has failed to do?
I think the problems with ad security are on smaller platforms/networks which are willing to host less-secure ads, and I'm not sure what Google could do about them.
They are the leaders in the industry. To my way of thinking, if the recommendation is to block the entire industry as a whole, they are simply not doing enough.
When I worked at reddit, I refused to run Adblock. I felt like it would be hypocritical to work for a company that made its money from ads, and then block them. Also I wanted to make sure that I had the same experience as the users.
When I left reddit, for the longest time I still didn't run Adblock because as a shareholder it still felt hypocritical.
But a few years ago I couldn't take it anymore -- the web go so awful with ads on it became unusable. And so I relented and went full Adblock. And life got a lot better.
(I did however whitelist reddit and a few other sites that I like whose ads are bearable)
FB allows commenting on ads. This does not go well for certain types of advertisers. Political and religious ads especially. Even the bland corporate advertisers have to spend some time cleaning up the inevitable mess.
What's especially puzzling is that FB allows image uploads as an ad response unless the advertiser was smart enough to disable it.
I am pretty sure I still get comments on my ads. It's almost entirely spam and those comments you think are probably spam it's just a 'good job' response.
Is that the case ? We (rsync.net) used to advertise on reddit quite a bit and we would have sponsored posts that had a proper comment thread and Q&A, etc. - I thought it was fantastic.
I use adblock, makes it so much easier as an experience also surprises me how many companies are tracking me on some of these webpages. But, I am sympathetic to the idea of businesses depending on ad revenue.
I like how some websites e.g. news websites, put up a message that they depend on ad revenue and ask for adblockers to be disabled, I did it for some websites where I like the content, but then I also feel I am perhaps very unlikely to click on any of the ads (at some level I suppose my mind has learned how to focus on the content and ignore the ad space e.g. on google search I remember I had developed a habit of scrolling down and ignoring the first few ad results without actually consciously doing it). So, considering I am way less likely to click on an ad, perhaps I am not actually hurting the business, or maybe actually helping improve conversion if I can go that far :)..
Most clicks on ads are certainly misclicks. The business is to make store owners believe that they are getting exposure, not to actually give them sales.
All of the little guys like me who tried to run a Goggle Ads and Microsoft Ads campaign know that we can spend a few thousands dollars without a single impact on sales.
Then the salesman from Google calls you and tells you it’s because you’re doing it wrong. Try such and such keywords. Link to your payment button to see your ratios! Try to optimize for CTR and EWQ and ASDF (not the strange proximity between those ideas and random letters on a keyword). It must be you. It must be YOU!
The business is to make the business owner believe as long as possible that it will work.
> The business is to make store owners believe that they are getting exposure, not to actually give them sales.
To be scrupulously fair, the business is to make store owners believe that they are getting exposure, regardless of whether they actually get sales. Much like snake oil salemen, it's prefectly fine (nice, even) if the patient improves; that just means a chance to sell them more and 'better' snake oil ("brand maintainence", I think they call it) later.
I tried for a week. When my CPU melted I switched back to old.reddit. But I use the mobile app (which is basically the new interface) for about 50% of my redditing, so I sort of use both. But always the old interface on the computer.
This has to be the most misunderstood comment. Honestly eve tho I don't work for an and centric company I do feel what you went through. Because of how much YouTube helped me, I couldn't bear myself using an ad blocker. Then things like Patreon and sponsorship deals came along and I decided to treat myself a nice ad blocker. Still couldn't do the full thing, so I went with one called "fair ad blocker" that actually let's in some no -intrusive ones so it's a little light on my conscience. Still using it. It let's in some annoying pop ups too sometimes, but such is the price.
I once tried not running an ad blocker or noscript on a work computer. That lasted for a couple months until the day I got a redirected to a porn site from an innocuous search result. There are too many ways to weaponize a site to let your guard down. If the site operator can't or won't vet all of the code they send you then you should feel no obligation to execute it.
I've been in a similar situation. For me it was a different type of struggle... More, I need to be informed about the space.
I am a firm believer that there are ways to do ads in a manner that respects the end user, is not obnoxious as well, and isn't privacy invasive. And this applies to both buy and sell sides of the industry.
But much of the space is garbage and in some cases malicious, so I block ads with a prejudice, run NoScript on Firefox on desktop and mobile, etc. It's a PITA, but a better experience overall.
It is a bit amusing to watch the changes Reddit is making to "improve the user experience" though, when to people in the industry, it seems like fairly transparently telegraphing development of surfaces for new ad placements or signal collection for targeting models.
What pisses me off is Reddit leadership can't seem to just be transparent about it.
I really wish reddit would begin to pay small amounts to its moderators. I feel like it would be a basic income experiment and kinda neat since the mods do most of the content and user moderation for reddit and spend thousands upon thousands of hours there.
I disagree. If income was paid out Reddit would then be sending out 1090s or W2s to every mod. Analytics and time tracking would be put in place. An entire team would need to be stood up to oversee mod management. Mods from certain regions of the world would be disavowed, and the barrier to enter would naturally be higher for new mods.
I say mods should be either full employees or volunteers, you can't mix between the two.
Subscriptions? Could be a local thing but in my country newspapers have always been paid with them.
News has never been assumed "free" until the internet came around. In fact the first newspapers all the way back to the 17th century were intended for diplomats, nobility and merchants.
Free news is usually shite anyway.
I have subscribed (and might still be subscribed) to several news magazines and papers, though not my local. It's kind a circular drain of "lower pay > lower quality > fewer subscribers > lower pay".
So subscribe and pay them directly. From all metrics I've seen direct payment is the most efficient vs merch, super chats, and views themselves. Pay for premium.
I've never had it explained to me what's wrong with hypocrisy. None of us live by our high ideals, do we? It's funny when a comedian points that out, but why should we do as we say?
Hypocrisy is usually dishonest ("I'm going to tell you a lie in hopes that you believe it; my behavior shows that I don't actually believe the lie") or unfair ("I'm going to try to convince you to play by a more restrictive set of rules than I do so I can get an advantage over you (or just avoid having the drawbacks of those rules myself)", both of which are bad things.
Moreover, just because you're not capable of perfectly adhering to a set of principles doesn't mean that it's not worth trying. "Oh, I know that I'm not going to be able to uphold every single commitment I make, so I'm not going to worry about upholding any of them."
Yes it might be a hint that you don't believe what you say, but that shouldn't detract from you saying being potentially correct. After all the truth value isn't affected by who says something. I bet there were smokers who were part of discovering that smoking is unhealthy.
The thing about pointing out hypocrisy is that you're actually lending authority to the person you criticize, you're saying that you believe in the side he's revealed to actually support.
I did the same when I worked on Google Ads; I felt it was important for me to have the full ad experience. It was easier back in the early 2000s though, before the Web ad ecosystem got so horrible.
Now I block ads and trackers with great zeal. Google's most of all. Surveillance capitalism is bad for almost everyone. Advertising is a mind virus.
My experience of ads is that they're much better than they were in the early 2000s. Back then major websites would have literal scams advertised on their site. Things like you're the 1 millionth visitor click here to collect your prize. Now I rarely see that sort of thing.
Perhaps scams have a high selection pressure to evolve to be less detectable (while we are also being trained to detect them better). You might be seeing plenty of scams, but they are just camouflaged far better?
Not really the same. The implied agreement when you visit an ad based site is that you get the ads. Otherwise if no one got them, the site could not exist. It’s a form of payment for what the site provides to you, not the product itself.
There's no implied agreement - a product is offered at no cost, and I'm under no legal, ethical or moral obligation to look at anything. I'm a weirdo who still buys the paper newspaper. I throw out the Thursday auto advertisements and the Sunday ads.
Content producers made a conscious decision to aggregate their screen real estate and outsource ad placement to unrelated third parties. The result is a cesspool of awful, low engagement content. Its so bad that they enter into awful agreements with aggregators to repackage their content for pennies. That's their problem, not mine.
On the flip, I live in a state capital, and when the legislature is in session, interest groups spend 10x what they spend on useless online ad spots to buy full-page or panel ads in the printed newspaper. Presumably they aren't doing that in an effort to set money on fire.
>"I'm under no legal, ethical or moral obligation to look at anything"
That would depend on you moral theory of choice; applying Kantian (deontological) moral theory, your behavior violates the principle of 'universalizability'.
Seems like an absurd leap to me. Am I obliged to read the sports section of a newspaper?
What does it mean when a entire category of commerce is so toxic that government security officials recommend that civilian agencies preclude employees from seeing it?
>"The precise meaning of universalizability is contentious, but the most common interpretation is that the categorical imperative asks whether the maxim of your action could become one that everyone could act upon in similar circumstances."
>"For instance, one can determine whether a maxim of lying to secure a loan is moral by attempting to universalize it and applying reason to the results. If everyone lied to secure loans, the very practices of promising and lending would fall apart, and the maxim would then become impossible."
If everyone were to block ads, the publications that you're reading would not be able to pay for the content they publish. Note that 'universalizability' requires a somewhat static analysis, and usually doesn't look at how systems might adapt to changed circumstances, though this is not a big problem here, as you have voluntarily chosen to interact with ad-supported publishers under the current regime.
Content on the web was much better before the scourge of advertising took over. I very much wish everybody would universally block ads. Appealing to the current situation in a static sense is a cop out that lets you condemn what would be a welcome reversion.
Say what you actually mean rather than just invoking a nebulous condemnation of "privilege".
The information on the web used to be of much higher quality. Within the first page of search results you'd usually find a no-nonsense website full of painstakingly curated information. Who had the means to access that information is orthogonal to its quality.
Take a moment to consider how expensive and exclusive access to the internet was "back in the good ol' days" and maybe you'll be able to connect the dots. If you still can't there's nothing I can do for you sorry.
You might be arguing that privileged people make better websites, or implying that the other person is saying that, or some variant, or...?
mindslight is not saying we should revert everything back to those days, such as the internet being expensive and exclusive. They want sites to stop using ad revenue. Those two things are not tied together. Unless you're arguing they are tied together, in which case again you need to explain yourself.
I can infer several arguments that you could hope to be implying. But I'm not going to guess at the specific one you're trying to make just to argue with myself.
In general: Correlation is not causation. As I said, the quality of information was orthogonal to who could access it. And furthermore, even in modern times advertising does not pay for Internet access nor computing devices.
> Note that 'universalizability' requires a somewhat static analysis
Sounds very convenient. You are allowed to make one logical step (everyone blocks adds => publishing companies go bankrupt) but are not allowed to make the equally sound step of (everyone blocks adds => publishing companies will seek other revenue sources such as paywalls).
But if you say i’m not allowed to argue the second one let’s talk about the first kind.
So universal add blocking puts those companies who keep clinging to add supported operation into bankruptcy. Goodridance. It is not like one must have free-as-in-beer services to have a coherent moral compass. They go bankrupt and we will manage without them. Totally consistent.
Similarly you wouldn’t say that the idea of punishing murderers lacks ‘universability’ just because it would shut down the Assasin’s Guild.
But you seem to want to read the publications with ads...
If I extend your (unreasonable) murder analogy, I'd have to say that you were hiring the Assassin's Guild, but refusing to pay because you don't like their terms.
> The implied agreement when you visit an ad based site is that you get the ads.
That's not the agreement that ad companies think is being implied, though. The ad companies think the deal is "Looking at this website gives us permission to spy on you across the web".
> The implied agreement when you visit an ad based site is that you get the ads.
They are putting stuff out on a server for public consumption. The implied agreement is that I'm allowed to view it, or not view it, in whole or in part. Their business plan is their problem.
One should also try out the alternatives as well, regarding the GP, I personally believe there was an equal obligation to experience it without the ads to determine the impact.
Likewise it would be nice for the alcohol producer to experience drinking every day, as well as being the only person at the party not drinking. Even being the allocated driver and seeing the consequences of their product up close. Perhaps they would gain some insight or perspective regarding their product.
I would find it hypocritical if someone who worked at an alcohol producer joined MADD, or someone who worked at a candy company joining a PAC that supports soda bans.
But no, they don't need to consume the product daily.
Yeah I think Phillip morris execs should be forced at gunpoint to smoke as many cigarettes a week as the global median. Might lead them to think twice before advertising poison.
The reasoning here is not the dissonance in behavior, but dissonance in belief.
A person can believe alcohol is not harmful to humans health without consuming alcohol, therefore it's morally acceptable if an alcohol producer does not consume alcohol.
But if they don't consume alcohol because they believe alcohol is harmful, while advertising (explicitly or implicitly by helping the alcohol company) that it is not harmful, then that is dishonesty. Because in this case, the person purposefully acts like they believe something for personal benefits, but actually they don't.
I used to work on sports gambling apps and yet I never once gambled using the real production app. Because I saw the data. And behind those data points are real people having their lives ruined by some growth hackers and psychologist PMs trying to increase session length. I know how the sausage is made. I practically have the gambling addiction hotline number memorized because it was required to be on every screen.
Pretty much everyone I know gambles on sports and for most of these guys its like a $50 bet, not a lot of money. No more than a few beers these days at a bar. People get addicted to anything, lets work on having people receive treatment if things become a problem rather than ban everything that most users are using responsibly. Might as well ban video games of you really want to get some people out of some deep holes.
I happen to know a handful of people who started pet food companies, albeit boutique ones. (California.) They all taste their pet foods. I've tried some of the treat biscuits, and they aren't half bad, though I wouldn't necessarily reach for them.
I'm not an expert on cat or dog digestion. But I think anything they can eat, humans can, too. (Just not the other way.)
Growing up in California, one thing we were taught as kids is that pet food is safe for human consumption, and can be used for food after an earthquake as emergency rations.
It won't taste good, but it will prevent starvation!
This is false in general, and dangerously misleading at best. In particular, some dog foods contain ingredients (bone meal IIRC, but don't rely on that) that can pretty much destroy a human's intestines (which are much less hardy than most animals's because coevolution with cooked food allowed cost-cutting). Pet food sold in California might (might) be required to be safe, but that's dangerously unreliable at best.
Well, when I search human consumption of bone meal I get results saying it might be good or might be bad. There's a risk of intestinal blockage but that takes a whole lot and would happen in dogs too.
Searching is not suggesting any other particularly dangerous ingredients, other than to say it's not great long term. But on a level like "be careful not to get scurvy", not "will destroy your intestines". And that you should watch out for bad storage and still probably avoid raw meat.
If I work for purina then my _dog's_ gonna eat that dog food, by golly. And maybe I'll at least give it a sniff.
Speaking of the devil, I had to carry somebody's stray dog home (again) when I was on my jog this morning, and man that was a fat dog! Dunno what he eats, felt like krispy kreme and quarter pounders. Maybe I oughta start me a dog food company. Too many fat dogs in this danged town.
Do alcohol makers try their own products to ensure consistency day-to-day? I would hope so. I would certainly hope candymakers do too. Those are particularly bad examples.
ask yourself if you're willfully misconstruing what i'm saying in order to low brow dismiss my point.
jedberg claims he consumed ads every day in order to empathize with this customers. the obvious implication is that everyone at such a company has the obligation to "try their own products".
Your analogy is weak, so I pointed it out. Reddit created their experience a certain way; why would you go out of your way to avoid seeing your product the way your users do?
You haven't presented a single argument as to WHY an employee of a software company shouldn't experience their product as their users do.
Talking about product testing is a deliberate red herring, though. Nobody was talking about some web designer using adblock during the process of implementing ads on a site. That would be a very difficult hurdle to put in front of yourself.
Jedberg, who I know for a fact ran Reddit's infra singlehandedly for a while, claimed he consumed ads as a matter of understanding the user while holding the job. Apparently he grew a brain and decided to block ads after that job, as smart and well informed users tend to do.
I suggest turning off JavaScript for most sites, which keeps the ad blocking tasks to a minimum. Blocking trolling users is another matter entirely.
No, but if an alcohol seller practiced temperance because they felt alcohol was deleterious to people, wouldn't it be rather hypocritical? He was not actively consuming ads, he was just not seeking to avoid them.
Well, about pharma: I believe at least one person with veto power at FDA should try the pill personally. And the pharma company management should be able to take it. This would have helped with OxyContin, among others.
Tobacco firms were notorious for expecting their employees to be tobacco users.
My mom was a sales clerk for Macy's and one of her friends was a sales clerk there who later became a tobacco company rep who went to convenience stores to manage the marketing displays.
She smoked like a chimney. After my dad died and her friend got divorced, her friend moved in a for a while with my mom and got my mom smoking again. My mom hid it from everybody and we found out only after she died from a cardiovascular event because we found a pack of cigarettes, one half-finished, in the cupboard.
I used to be in ad tech, and I did the same thing. I didn't use an ad blocker so that I could understand what the users were seeing.
A few years in though, it started to get bad enough that I enabled the ad blocker on my personal stuff and kept a browser session for work where the ad blocker was off.
I see. But then you continue to willfully see ads after you left Reddit. I presume you viewed ads everywhere not just on Reddit?
Still strikes me as absolutely bizarre to do this. On one hand it’s commendable that you’d like to empathize with users, but on the other hand you’re working at Reddit who earns revenue by glueing people to their endless feed of ads. Expecting anything else is foolish.
From a practical point of view, the only thing it broke was Ad sponsored results on Google, so I had to teach my wife to go for the normal results, or search directly on Amazon or Wayfair or wherever. What broke for your wife's online shopping?
You're not alone. I took out my partner's online calendar by mistake with a PiHole. I think I blocked all her productivity SaaS tools too. Found out in under 5 minutes.
My dad had an outdoorsy distribution list that shoved all links through an ad domain, like straight up as if it was clicked on a site. He was able to copy and paste the text just fine...
My next firewall will have some kind of machine/port/etc filtering that allows me to whitelist where say my tv/etc can communicate. Even if I have to write it myself because i'm not aware of anything 1/2 as user friendly as the 3rd party "Windows X Firewall control" applet that works on a network level. Yes my current firewall can do this, but it requires me hand entering ip/port/etc combinations in a UI that is terrible.
So, while I use an adblock list with my unbound caching DNS server, it only works with devices which honor the local network DNS settings, which are becoming fewer and fewer thanks to the efforts of the major players to _HELP_ everyone with DOH. A protocol without an easy way to MITM/filter the requests even when the user wants it.
> So, while I use an adblock list with my unbound caching DNS server, it only works with devices which honor the local network DNS settings...
I co-develop a FOSS DNS + Firewall for Android that prevents apps from doing their own DNS over HTTPS / TLS / QUIC by blocking all connections to IPs that the DNS client (embed within the firewall) hasn't resolved itself or the TTL of whatever answer it once resolved has expired. Something similar to this could and should be implemented by other firewalls, too. The result of such a blanket setting is devastating though, as some apps (like Telegram) refuse to do plain-old DNS and hence refuse to connect at all (so, one may have to selectively allowlist certain IPs / apps). This also has a happy side-effect (or annoying side-effect, depending on how one looks at it) of breaking apps connecting to static IP endpoints (ex: Orbot connecting to Tor bridges).
To be fair though, being able to MITM the DNS is kind of a massive security hole. One you are abusing in a productive way but one that many others abuse in very non-productive ways.
I don’t think that is fair at all. It is architecturally appropriate for every site to run DNS resolvers and most of them do outside of the residential space. This isn’t a man in the middle attack and selectively blocking queries according to local preferences doesn’t make it one.
I just tried googling "mitmproxy chromecast" and found a bit of a rabbithole of hacks and tweaks that can be done to Chromecasts to alter their behavior in ways they were definitely not intended for :)
I expect there are probably umpteen different ways to block ads with a little digging, although I can't vouch for any as I don't have a Chromecast (or TV) myself.
FWIW, a while back I reached my eye-twitch limit with Raid: Shadow Legends (deeply impressioning irritating ads: ...why...?), and so I stared at YouTube's load process to try and figure out if I could viably block everything.
The technique I ended up using exploited the fact I was running within a Chrome extension and overloaded JSON.parse (lmao), and was specific to the HTML delivered for desktop, but has worked for months.
I reckon it's quite possible the data sent to Chromecasts is similar enough that you could viably block it by MITMing the device then rewriting the JSON (or possibly gRPC) responses being sent to it.
Using YouTube Vanced on a no-name Android TV stick might be an alternative. (Untested but should presumably/theoretically work.)
I don't feel like rewarding a company for grabbing a monopoly on short form streaming video then making their service borderline unwatchable through aggressive, increasingly unskippable ads.
Plus (getting back to the topic at hand), having adblock for all your devices is so ... pleasant. You forgot how jarring and upsetting (and LOUD) advertisements are. Having them puncture your DNS adblock while using Chromecast is like getting a wet slap in the face.
I already run my own DNS server; is there some way to fetch the pihole DNS blacklist so I can use it myself? A brief look at their github account didn't turn up anything that looked obviously like "this is the blacklist repo".
I run my own resolver (unbound) that I point all of my networks/devices to.
That resolver has, as its upstream, my nextdns.io account address. nextdns has the pihole/ublock lists built-in.
So you get to run your own DNS server, you don't have to implement any of the blocking yourself, and you just point your upstream to the address you get when you sign up.
It used to be easy to do this, I used to download the list to my Ubiquiti router and massage it slightly to work with dnsmasq. More recent releases of pihole include regular expressions as part of the list specification so you can't flatten the list easily any more.
DNS + MITM proxy is what I use. When I'm away from home I still VPN back in and go through the proxy. Besides adblocking, it also applies various page filters to make a few frequently-used sites more usable.
It's enlightening when you see all the crap that all the devices on your network are doing. You can take things a step further and isolate IOT devices on isolated subnets, with additional firewall/security rules to create a choke point for all traffic.
Only a matter of time before applications begin to roll their own encrypted forms of DNS in order to circumvent ad blockers.
That's when the apps start embedding(pinning) certificates and completely ignoring any additional root certs you might want them to accept from the OS.
That's when you start injecting your own certificate into the certificate verification APIs... one of the amazing powers you get when you're root and actually have full control of your device, no wonder it scares big (ad)tech for users to have that power.
I think this is the biggest piece that gets overlooked by many. I still remember the first time I ran pihole and saw all the stuff attempted and blocked. It is one thing to know all those connections are made in theory. It is so radicalizing to see it first hand on your home network.
My xbox turns itself on all the time entirely randomly. Most mornings its already turned on. I will be in the next room and hear the startup beep go off. I don't know if its a faulty switch or maybe I should put on a tinfoil hat.
> This and I combo it with restricting DNS lookups to the actual LAN servers.
This won't prevent OPs concern with apps doing DNS over HTTPS, would it?
> No way to bypass the DNS at that point via the firewall.
Some apps do not even do DNS and connect to static IPv4s and IPv6s straight-away. Even if IPv4 is limited, plenty IPv6 to go around than an ip-table can handle.
Yeah kinda sounds like they are using 'ad blockers' to prevent tracking of their, presumably quite large and trackable, userbase rather than blocking the banners on google search.
Plus the fringe benefit of blocking malicious domains that may execute code in browsers of course. The real headline is probably - The NSA and CIA Blockers Chunks of the Internet Because the Internet is So Dangerous.
The most dangerous thing about email is that it can send you to a malicious website. The troublesome thing is that you can’t (in general) choose who sends you emails. Ads are similar, you may choose to visit a site that you trust, but you don’t choose the ads that are served by that site to you and these ads can be malicious. The site owners that you trust may not even know the ads that are being served to their visitors.
Any reasonable email reader will allow you to turn off HTML, execution of Javascript, and any resolution of outside URLs. That render email pretty safe. It's how I've been doing email for decades.
Yes, plaintext email is awesome! Too bad most major providers hide the option (or straight-up don't have it).
I'll just plug https://useplaintext.email as a great resource. The main recommendations are... opinionated (this site is run by Drew Devault, after all), but the instructions are very useful. I personally use thunderbird.
On the one hand, this isn't surprising. An plain description of how the ad market works demonstrates why - one way of looking at it is a mechanism to run your code on random peoples' machines.
On the other, policing, controlling and maintaining healthy markets is a primary government function. When the cops are afraid to look at a market for fear it will interfere with their jobs, that strikes me as a government failure reinforcing a market failure rather than attempting to fix it.
I worked for Google for almost 10 years--nearly 7 on Chrome--and found the internet unusable without uBlock origin installed on my laptop. On my workstation I basically just didn't use the web unless it was obviously pertinent to the problem in front of me.
Nowadays, I use Safari with Ghostery lite and Adblock Plus. I won't go back to web without a blocker.
Scrolling through some of the comments here, I haven't read anything that praises ads. Which begs the question, why do we still tolerate ads? If employees from Ad companies themselves use adblock (!!!), something must be fundamentally wrong.
Isn't it about time we change the financial model of the internet? Or should we just let humanity suffer through this non-value adding ritual?
Personally I've never bought anything directly because of web ads. I understand that some people do and that some people find them beneficial. But I believe the cons outweigh the pros this time.
I don't claim to have a solution, but it annoys me when we all agree that something sucks yet do nothing about it.
I think this happens when nobody likes the current solution oh, but all the other Solutions are worse. Do you know what people hate more than ads? Paying for things, self hosting, or doing additional work themselves.
Blocking ads works better than it used to. I've had third-party cookies blocked for everybody for a decade, and most ads blocked. Years ago, that broke some sites. Now, it doesn't break anything important. I hit the Admiral ad-blocker detector now and then, and go to some competing site that doesn't use Admiral.
You definitely want to block Google Backdoor™, a/k/a Tag Manager, which allows ad vendors to inject Javascript onto the pages of others. This is a known attack vector.[1]
When I bought a new laptop a few years ago, the first thing I did on it was install Firefox and browse Reddit. After about 20 minutes, an ad (I'm guessing) tried to serve me a drive-by download. So yes, ad blockers are essential. If a malicious ad does damage to you, you have essentially zero recourse.
I've been preaching safety thru adblocking for 15 years. I had locations that went from multiple infections per week to zero over 6 months - after implementing edge blocking (DNS & Squid).
Yeah, when I worked at a company in the internet ads space, one of the security engineers mentioned his team's regret they couldn't mandate ad blocking for optics reasons.
Ads wouldn't be a security/privacy risk if they didn't try to track people across multiple sites and build profiles on people. If ads were served from the same site as the publication and aggregate statistics were kept locally, I'd have no problem seeing them and they'd be more likely to be relevant. It isn't ads that I want to block, it's cross-site tracking. Advertisers need to figure out how to adapt or fewer and fewer people will see their ads.
I'd also be surprised if the nsa and CIA don't do things like public internet web browsing inside disposable thin client/remote desktop virtual machines.
This is how you end up with three layers of VMs for browsing the internet. Some gov organizations go a little into the deep end of security in the security-usability continuum.
on disposable VM reached via thin client remote desktop software on an air gapped PC in a windowless room in the basement behind a locked door with a warning sign: beware of the leopard
As far as I can tell there are two classes of ad blockers: 1) Those that sit outside the browser and provide a proxy that blocks requests to known-bad domains or similar filtering, and 2) Those that integrate with the browser and have full control over every page, in order to neutralize any HTML or JS or CSS that looks like an ad.
It seems to me that the latter type open up a vast new attack surface. These addons have full access to every piece of data flowing through a logged-in webpage. All your Gmail, all your bank, all your Hacker News.
How am I supposed to believe that these addons are themselves not sources of malware and vulnerability? They need to have the same standard of transparency and testing and supply chain security as the browser itself.
I’m willing to believe that Mozilla and Google and Apple will not willingly introduce vulnerabilities into their browsers, but the vendor of BlockUrAdsPlus or whatever? No way.
Yes, ad-blockers get access to All The Things (except in Chrom(e/ium), where they've intentionally been neutered so Google can keep serving you ads), so you should treat them as any other piece of software, and get one you trust. The current gold standard is uBlock Origin, which is open source[1], highly performant, and whose author (gorhill) has a stellar reputation in the community.
Everyone thinks ads don't work on them. Everyone. Its like that meme about people on 40k worrying about taxes on billionairs. Ads are about the most dangerous thing you encounter on a daily basis. They make you eat badly and stress you out and damage your self worth.
Definitely curious about the negative reaction to NoScript - I did some digging and there appears to have been (or still is?) some controversy around the NoScript author displaying 'dubious' ads? Not sure I've even seen a NoScript-injected ad, but I'd definitely be interested in why HN doesn't like recommend it anymore. One commenter on an older HN thread said that all script blockers eventually 'give in' to some form of monetary gain in exchange for ads - I wasn't aware that NoScript was in that category.
About 10 years ago, I was in a meeting with our security czar and I asked him what he was 'fiddling' around with in his browser toolbar. He replied, "NoScript. Highly recommended." Ever since then, I've become adept at picking out the 'minimum' amount of JS required to enable as much website functionality as I require and don't think about it much anymore (unless I'm visiting a new site). Highly recommended!
I run in the mode of deny everything. And it is annoying. If I whitelisted it probably would be a lot easier. I think there are maybe 2 sites where I did that. I have gotten pretty good at picking out the bare min too. But every once and awhile you have to pull out the 'allow all' just to get a site to work. Usually it is some sort of redirect and the redirect is doing some weird bit of JS and by the time you get to it it has already failed and the GUI has no idea what to show you.
My thinking of 'deny all' is something like facebook where everyone seems to like to embed little bits into their pages. But I used to also use facebook. So if I made it work for one I would accidently make it work when I did not want it to on external sites.
I have been using it like this for so long I hardly even notice it anymore though. But that is just me. If I give this sort of solution to anyone I usually just give them an adblocker. That gets most of the silly things.
Half the web you don't really want to use... the majority of sites I come across in search results etc. are perfectly fine being static content, and if they somehow require JS to show that content, then I'm more likely to go find the same content somewhere else (i.e. the next search result.)
It seems to be getting a lot worse lately. I've been browsing with no-script for years both on mobile and desktop but I think I have caught a case of no-script fatigue.
HN is one of my main news sources and due to its link submission nature I frequently visit sites I have never visited before. It seems like 90 percent of submissions need at least one round of whitelisting just to see the text content. And frequently a second or third round to get embedded code snippets or other relevant content to load.
It's tiring and I noticed that I frequently just give up and copy paste the url into an alternative browser without blockers.
Yep. Somewhere a long the line running executables arbitrary third parties sent you became common practice instead of something you warn people not to do.
Without ads, the web will become unhealthy (Mozilla and Google say ads are needed for a "healthy" web). It might die out. Someone please tell the NSA and CIA. Save the web! "Ads are the only way to have that web everyone loves. There are no other options. We tried all them, they dont work. Well, we didnt but who cares. Trust us." - Tech bro (Disclaimer: "I do not speak for my employer. I depend on my employer who depends on ads for money, but that doesnt matter. No one cares anyway. I dont even know the reason why disclaimers exist, I just copy other tech bros.")
What's the best ad blocker these days? Should I be trying to block ads at my router level at home instead? I've seen some ad blockers render some sites almost unusable.
We've thought a lot about this issue. We have a page in our docs written up about it: https://www.ethicalads.io/surveillance-advertising/ -- there's definitely a small but growing movement of folks building a better advertising industry. It's a long road though..
I think there have been cases in the past, but that hardly matters. When you visit a site you run the risk that it has been exploited to spread malware. Would you want to also run the risk that one (or more likely a dozen) other sites running code on that page have been exploited as well?
I don’t know if Google ad networks specifically have been compromised in the past, but it’s certainly happened to networks used by major sites. nytimes.com is one such example. At a minimum, any ad served by a third party network on a site you’re visiting should be considered a security threat. You gotta draw the line somewhere, but I think it’s reasonable to at least consider only first-party content from the site you’re visiting as reasonably safe. Perhaps blocking even JS unless it is absolutely necessary.
Any site you visit could be compromised, but since the only 100% safe course of action is to completely disconnect from the web, blocking the most obvious vectors entirely seems appropriate. Of course, not only are ad networks vectors for malware, they don’t even serve a useful purpose to you that might justify the risk.
Imgur had a couple of periods were trojans were being delivered through ads. The ineptitude of that place was staggering as it happened multiple times from 2010-2015 at least.
Conceptually, yes. Big vendors in this space have teams to detect malicious activity in their advertising network, but any team that claims to detect 100% is merely detecting 100% of what they know of.
Browsers have gotten better and updates have gotten much faster, so less of that is drive by virus infections by exploiting the browser, but there's still cases of "Pick some users that you think are (a) real users and (b) naive enough" and serve them a exe download that contains a virus.
This is part of the reason the Google Safe Browsing project was created. At the time there were a lot of malicious sites either trying to get high SEO or paying for ads. The goal was to make it safe(r) to go to google and search (and click!) on things.
For a project that didn't directly make money (there are some 'cloud' offerings now), Safe Browsing probably was a very high return on investment.
I've instructed all of my users to never, ever, click on a Google ad when they've searched for something. Its been a couple of years now since someone has shown be a screen with a tech support scam on it.
I had one user that was hitting tech support scams monthly. He would go to Google, search for Amazon, then click the first link on the page (which always had the little Ad word next to it).
I wish companies would go back to the old-fashioned process of selling advertising directly to other companies, skipping the middle-men and the need to aggregate user data at all, except maybe at the unique visitor level. There wouldn't be all the hoopla about making sure they weren't gaming the click-through system or whatever, so they wouldn't need javascript. Just an image. I wouldn't have to worry about being tracked, and I wouldn't have to worry about potentially dangerous javascript running on my machine. The ads could be served from the same machine that serves their other images, and I wouldn't feel the need to go out of my way to block them.
I know that's incredibly naive, and simple wish fulfillment, but damn the ad industry has made the web into a nightmare. I'm tired of playing the game of trying to decide which domains I need to temporarily allow to see the content they put out there for free without being tracked across the web. I'd rather go back to the "Punch the Monkey" days of online advertising.
How the ads are sold is entirely unrelated to the need to do user tracking to defeat gaming the system. If you're paying for ads on the internet you have 2 choices; live with (possibly crazy amounts of) fraud or do user tracking with JavaScript.
Edit: or 3, use a metric for campaign success which doesn't rely on knowing how many impressions your ad got
I'm talking about, for example, a company that sells sports apparel contracting with a company that sells sports equipment to put an ad on their website. No advertising company involved, no worries about fraudulent clicks. No javascript needed, just an anchor tag with a specific url around an image tag. The apparel company wouldn't worry about almost all the normal metrics, just how many actual jerseys did they actually sell through this ad on average per time period. If it's more than they paid for the ad, then it was a good deal to have made. It's easy to check for fraud in this scenario. They paid for the ad to be visible for a specific period of time. All they have to do is take a peek at the website to see if they are being defrauded or not. And no information about any users (other than those who actually paid for apparel) needs to be known by anyone.
The tracking is not just for measuring success of the campaign, but also for measuring the level of service provided by the ad network. Did they put your ad on 1'000'000 websites like they promised? Or just 100?
To describe Mozilla as a "rival browser maker" is to fundamentally misunderstand both Mozilla and Google. One, a non-profit, the other, one of the biggest corps on the planet.
