The Internet today is crawling with ads, which most people have begrudgingly accepted as the primary financial vehicle for online content. If you’re reading news articles on websites such as Buzzfeed or The Huffington Post, chances are that information exists because those sites display ads.
As someone who makes a living in large part by writing ad-funded words, I have an incentive to say that ads are simply a burden we must bear, the price we pay for supposedly free online content. I could conversely argue, as others have done, that all advertising is a form of pollution imposed by corporations — a smog that inhibits reflective thought and hijacks our precious attention in service to base consumerism.
But the far more pressing problem with online ads has to do with their security or lack thereof. As online publishing has flourished, ads and their surveillance-based business model have made the Internet an exceedingly dangerous place. And most advertisers seem content to keep it that way.
Just last month, Forbes was forced to shut down its website after hackers hijacked its advertising network to serve malware to the site’s visitors. Less than a week later, the same type of attack compromised the ad networks of three of the most heavily trafficked porn sites on the Internet, affecting a combined monthly audience of more than 1 billion users. A month earlier, another malware campaign infected the ad network of Yahoo, which serves an estimated 6.9 billion monthly visitors. The same thing happened in January to Google’s AdSense platform, which generates almost one-quarter of the data giant’s revenue. Before that it was DoubleClick, another ad network owned by Google.
The trend shows no signs of subsiding. While this column was being edited, yet another malware attack infected the ad network of the widely read British tabloid The Daily Mail, endangering its 156 million monthly users.
The strategy has become so common and successful that security researchers have given it a name: malvertising. And the growing frequency of these attacks should come as no surprise. Malvertising is simply a natural byproduct of Internet publishing’s primary business model, corporate surveillance. Much like malware, this ad-centric model thrives in an environment in which everything is trackable and unwanted code can be run without users’ knowledge or consent. In other words, it depends to a significant extent on the Internet not being secure.
Every time you load a news site like this one, scores of ad providers algorithmically compete to show you ads — like a silent auction, except it’s instantaneous and the only thing for sale is your attention. These ads are personalized using data collected by ad trackers, tiny bits of code that follow you across the Web, gathering information about your browsing habits (including clicks, scrolls and how long you hover over parts of a page) as well as your location, gender, age, sexuality, race, ethnicity and pretty much anything else you can imagine. Unless you use a browser extension such as Disconnect, Ghostery or Privacy Badger, a typical news website will load a dozen or more of these trackers and beacons, feeding personal information to data brokerage companies such as Experian (which was hacked last week).
And thanks to advertisers, an alarming amount of this surveillance data is flying around completely unprotected.
Research conducted earlier this year by the University of Toronto’s Citizen Lab found that nearly half the world’s top 100 news sites still don’t deliver their ads over encrypted HTTPS connections, which prevent third parties from eavesdropping on traffic. Zoom out and the numbers get even worse: Of the 2,156 trackers identified by Disconnect, fewer than 11 percent support HTTPS.
This is no surprise to those in the security world, and it is preventing the adoption of secure protocols for the Web. Every time I ask people at news organizations why their websites don’t protect their readers with HTTPS connections, their excuse is the same: advertisers.
That’s because for a site to properly implement the encryption, it needs to be able to encrypt and authenticate all the traffic between the site’s servers and visitors’ browsers. But most ads and trackers are served by third parties, not the site itself, so if the ad networks aren’t interested in using resources to implement encryption, the publisher’s only options are to eliminate ads or transmit everything unencrypted.
Unsurprisingly, most sites opt for the latter.
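One way a publisher can measure the problem just described, as an added example that is not code from the column or from any publisher or ad network: given a page's HTML and its HTTPS URL, the script lists every script, image, iframe or stylesheet that would still be fetched over plain HTTP, plus the third-party hosts the page depends on (the sample markup and hostnames are constructed for this example).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute through which the browser fetches a sub-resource.
_SRC_ATTRS = {"script": "src", "img": "src", "iframe": "src",
              "source": "src", "link": "href"}


class _ResourceCollector(HTMLParser):
    """Collects (tag, absolute URL) for every sub-resource a page loads."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        # Only stylesheet <link>s count as fetched sub-resources here.
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower().split():
            return
        url = attrs.get(_SRC_ATTRS.get(tag, ""), "")
        if url:
            # Resolve relative and protocol-relative ("//host/x") URLs against
            # the page URL the same way the browser does.
            self.resources.append((tag, urljoin(self.page_url, url)))


def find_mixed_content(html, page_url):
    """Sub-resources an HTTPS page would still fetch over plain HTTP."""
    collector = _ResourceCollector(page_url)
    collector.feed(html)
    return [(tag, url) for tag, url in collector.resources
            if urlparse(url).scheme == "http"]


def third_party_hosts(html, page_url):
    """Hosts other than the page's own from which it pulls resources."""
    collector = _ResourceCollector(page_url)
    collector.feed(html)
    own = urlparse(page_url).hostname
    return sorted({urlparse(u).hostname for _, u in collector.resources
                   if urlparse(u).hostname != own})


# Constructed sample page (hypothetical hosts, not a real publisher's markup).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="//cdn.example/lib.js"></script>
<script src="http://ads.example/serve.js"></script>
</head><body>
<iframe src="https://ads.example/frame"></iframe>
<img src="http://tracker.example/pixel.gif" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE, "https://news.example/story"):
        print(f"mixed content: <{tag}> {url}")
```

Protocol-relative and site-relative URLs inherit the page's https scheme and are not flagged; only resources hard-coded to http://, typically ad and tracker tags the publisher does not control, show up.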
This makes things much easier not only for advertisers but also for malicious hackers. When traffic is unencrypted, an attacker can eavesdrop on Web activity and inject malware code by modifying the data in transit. A particularly egregious example is Verizon, which quietly launched a program called Precision Market Insights that automatically injects unkillable tracking beacons known as universal identifier headers (UIDHs) into customers’ unencrypted traffic. Because a UIDH works only when traffic is unencrypted, the beacons can be exploited by anyone to track Verizon customers across the Web; in fact, researchers have found various entities doing just that.
On Oct. 6, ProPublica reported that Verizon is now sharing these tracking beacons with AOL, which was bought by Verizon earlier this year and whose ad network covers 40 percent of websites on the Internet. Verizon’s main competitor, AT&T, was discovered injecting similar tracking beacons and even holds a patent that proposes forcing users off secure channels so they can be tracked. AT&T has since stopped sending its trackers, and Verizon now provides a way to opt out. But most customers still likely don’t even know the tracking is occurring.
There is no obvious way out of this predicament. To survive, publishers large and small will continue to rely on advertisers. Advertisers will continue to push for increasingly invasive tracking measures that grow their profits while undermining the Internet’s security. Other companies will see how their customer data can be monetized and make things even worse. And people will continue to resign themselves to the status quo — not because they’re trading their privacy for “free” content and services but because they feel powerless to prevent companies from getting their information.
In the short term, the least we can do is try to make ads behave less like malware than they currently do. That means regulations forcing ad networks to either adopt encryption standards or stop operating, barring invasive tracking by third parties, limiting how long sites may retain data about their visitors and giving consumers effective and intuitive mechanisms for providing consent.
At the bare minimum, it means not shaming people as freeloaders for using technical measures to protect themselves from ads while we wait for things to get better.
It’s terrifying to think we’ve gazed so deeply into the advertising abyss that some of this is too much to ask. But at some point, we’ll need to contend with the fact that advertising — as it now exists, at least — is fundamentally at odds with the privacy and security of the Internet. As long as ads and the websites they sponsor depend on the business model of mass surveillance, these threats will never truly go away.