- **TL;DR Version**
- 1. Go to the exploits section of this document or search for "drive-by download".
- 2. Advertising is intrusive by design because being intrusive and misleading is rewarded with attention. Being more deceitful/evil can get more attention and profits.
- **Full Version**
- Summary:
- People saying not to block advertisements are unaware of the problems with advertising, side effects, and malicious uses in general and online OR they are willing to risk other users and possibly those users' devices, privacy, reputations, finances, and health.
- While users generally have a choice about visiting a specific site, the nature of online advertising is to be intrusive. The nature of embedded advertisements on normal browsers does not allow users a choice of whether advertisements transfer and load, what sort of media (images, audio, and video that may be offensive or inappropriate for the setting/context) and objects are used, what code is run on users' computers, and what information about them is stolen for correlation by marketing companies and used by them and other entities such as information brokers.
- People saying their site (or other project) depends on advertising to survive are contributing to the success and persistence of every problem on this list while probably being ignorant (or negligent), thereby making a request to allow advertisements look like an innocent attempt to do business or keep a site online for free while the real effects can and should be considered dangerous, at least/especially within the field of Information Technology.
- There is no good reason to force people to accept and allow/run/display advertisements and to encounter the problems/risks associated with them; and there are companies that specialize in such outright evil behavior. CPAlead and Solve Media are hereby included as frequently encountered offenders for requiring advertisements be shown and/or requiring users to be exposed to online advertisements to be able to see the original site's content. (Displaying advertisements and allowing their methods generally also requires allowing their browser scripts as well as cross-domain requests, traffic, and associated data leakage.)
- CPAlead demonstrating/confessing at https://www.youtube.com/watch?v=NIe1OZx_bJQ
- Solve Media demonstrating/confessing at https://www.youtube.com/watch?v=f-dZvZasg0o
- Given the nature of advertising and the perspective of this document, the word "reputable" is not suggested to apply to advertisers using the meanings 'honorable, respectable, good, acceptable,' etc. Here, "reputable" is used in quotes with regard to advertising services and instead means that the company and/or domain names may be considered reliable and professional at least to the extent that some users or companies do any combination of the following:
- 1. Trust the advertising provider regardless of the content
- 2. Conduct advertising business with that advertising provider/service
- 3. Consider or treat the advertising company/domain name as "reputable" in the normal definition or assume that an advertising provider would already have had to fix or stop their services if they were malicious.
- Outline Points:
- ###1) Advertising in General
- 1. Goal is generally to get/increase profit
- - Normally via marketing/sales (including affiliate rewards)
- - Sometimes indirectly using tactics/partnerships/kickbacks
- 2. Intruding into users' lives (even with unrelated/unwelcome/offensive content) "increases awareness" and is seen as a positive in marketing
- 3. Lies (including exaggerated and false claims) may increase awareness of the product's existence (separate from quality) and sales
- 4. Waste of time and other resources (for consumers)
- + All resources for delivery and presentation of content that users did not ask for and can not put to positive use
- - TV
- * Time to view advertisement
- * Energy of TV/DVR to display it
- * If something is recorded to VCR or DVR with advertisements
- ** The waste includes wasted storage material
- ** Original waste is likely repeated again during playback
- ** Recorded advertisements quickly become outdated and even less relevant except as record of the claims made by advertisers.
- - Internet
- * Time to view/read advertisement
- * Energy to display advertisement (CPU/browser; mobile platforms may react more noticeably)
- * Transmission of data (Costs/restrictions for data are common on mobile and other connections. Even a quick transmission of undesired content is overhead or waste, especially when data transfer is not free nor instant.)
- + Advertised products and claims generally lack the following thus requiring more effort and resources to verify
- - Reliable statement/records of quality
- - Contact information for relevant questions
- - Contact information for problems with the advertisement
- - Liability/consequences of incorrect information or faulty products/services (read as "do they have reason to care if users/public find out they were lying or have problems") *CAN-SPAM Note
- + Aftermath: While this also applies to good products, consumers who get a faulty, advertised product without checking into it or alternatives are then at the mercy of working with after-effects if something goes wrong, and these tend to be at the discretion of the manufacturer/seller/credit card company. In the case of bad products/companies, these options will be intentionally lacking; and the short goal of profit via advertising with a (bad) product was completed as soon as they were given money.
- - Return for cheaper/alternative better product found later
- - Warranty terms/concerns
- - Replacement
- - Refund
- - Support/repair
- ###2) Online advertising (as undesired content instead of user requesting "show me advertisements for this product/this service/related offers")
- 1. General
- + Waste of screen space
- + Waste of data transfer
- + Waste of storage space in client-side cache
- + Can not realistically be controlled by the user (NSFW/controversial/false information/dangerous products)
- + May interfere with or change the layout of the desired page
- + May block/conceal the content of the desired page
- + May add audio/video or other behavior that can not be seen/controlled properly
- + Such audio/video content may auto-play by default (gif/flash/other)
- + Such audio/video content may have no way to terminate its behavior or change/mute the volume due to errors or [malicious] design (gif/flash/other)
- + There is no function native to browsers to hide most images/objects such as advertisements even once they are done loading. If advertisers implemented this feature, advertisements may be less annoying; but the following would also be true.
- - Every other point here regarding issues of waste, data usage, privacy, etc. would be unaffected.
- Some providers would undoubtedly use this proposed Hide/Remove/Close functionality for malicious purposes as already present in pop-ups, malicious software, and the "Any user interface control" section of this document
- 2. Sources
- + Primary site (web site has ads that the owner or designer put in place and/or hosts)
- + Third party (source is a different company/server)
- + Third party (source is a different company/server) also using content from other entities
- 3. Indirect
- + User tracking
- + Privacy invasion/further abuse (impersonation/fraud/manipulation) using collected/correlated information
- 4. Technical
- + Animated (gif/flash) - Generally noteworthy for being more annoying or interactive
- + Hidden/misleading controls and actions (more in "Exploits" section of this document)
- - Volume/mute controls missing/disabled
- - May not be able to stop/pause advertisement audio/video
- Firefox has intentionally removed the ability to stop gif animations due to the Escape key having an unrelated effect for unrelated developers so that offensive gif animations can not be stopped natively.
- - A "close" or "X" button on a pop-up or overlay may not close an offending banner/panel/overlay/component.
- - Any user interface control, especially on an advertisement, can have any effect where these are both true: 1. The programmer wrote a functional script/routine/call (or equivalent) and 2. client-side software (such as the browser/plugin/operating system) was able to complete the request. This includes but is not limited to:
- * Navigating to another page
* Committing a like/comment on a site such as Facebook
- * Setting the browser's home page
- * Creating/deleting files
- * Marking "compliance" with any site's license agreement
- * Marking "agreement" with any set of terms/contract
- * Committing a cross-site operation to another domain using the browser and related credentials as the source and making it appear that the user had issued the command. Examples include transactions at bank sites and orders from shopping/market/commerce sites.
- + The same behavior in the above point can be event driven (programmer's choice) using trigger events such as
- * The page loading
- * A banner/frame/advertisement object loading
* The user attempting to leave or close the page/tab.
- + Allowing web content to load generally identifies the source of the request.
- - Allowing advertisements provided by the host site to load may not generally disclose additional information unless a feature/plugin is used by that content.
- - Allowing advertisements provided by external sites to load allows them to identify the requesting client software as having been involved with the site that included the advertisement.
- + "Advertising Preferences" - In addition to the lack of content control, the sites and services that claim to allow you to specify ad preferences start off with the stance of using advertisements that may have any other issue on this list AND THEN use cookies or account information to store your "advertising preferences" thus giving them more information for tracking within their sites AND via every site that uses their advertisements since their system will know where your browsers and related accounts have been used.
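
What an external advertisement host learns from a request, as described in the point above about allowing web content to load, depends on the page's Referrer-Policy. The sketch below is an added example and not part of the original document; the URLs are constructed, and treating "same site" as "same last two host labels" is a simplifying assumption (browsers use the Public Suffix List).

```javascript
// Added example: Referer value a sub-resource host receives per Referrer-Policy.
// Assumption: "same site" = same last two host labels (browsers use the PSL).
function site(host) {
  return host.split('.').slice(-2).join('.');
}

// Referer sent for one sub-resource request, or null if none is sent.
function refererFor(pageUrl, resourceUrl, policy) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl);
  const full = page.origin + page.pathname + page.search; // fragment is never sent
  const originOnly = page.origin + '/';
  const sameOrigin = page.origin === res.origin;
  const downgrade = page.protocol === 'https:' && res.protocol !== 'https:';
  switch (policy) {
    case 'no-referrer': return null;
    case 'same-origin': return sameOrigin ? full : null;
    case 'origin': return originOnly;
    case 'strict-origin': return downgrade ? null : originOnly;
    case 'origin-when-cross-origin': return sameOrigin ? full : originOnly;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'unsafe-url': return full;
    default: throw new Error('unknown policy: ' + policy);
  }
}

// What each third-party host learns about the visit under a given policy.
function thirdPartyExposure(pageUrl, resourceUrls, policy) {
  const pageSite = site(new URL(pageUrl).hostname);
  return resourceUrls
    .map((u) => new URL(u))
    .filter((u) => site(u.hostname) !== pageSite)
    .map((u) => ({ host: u.hostname, referer: refererFor(pageUrl, u.href, policy) }));
}

// Constructed sample: one first-party resource and two external ad resources.
const PAGE = 'https://forum.example.org/thread/42?user=alice#post-7';
const RESOURCES = [
  'https://static.example.org/site.css',
  'https://ads.adnetwork.example/banner.js',
  'http://tracker.adnetwork.example/pixel.gif',
];
for (const policy of ['unsafe-url', 'strict-origin-when-cross-origin', 'no-referrer']) {
  console.log(policy, thirdPartyExposure(PAGE, RESOURCES, policy));
}
```

Even when the Referer is reduced or suppressed, the external host still receives the request itself, so a restrictive policy limits what is disclosed rather than whether the request is seen.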
- 5. Malicious content (technical)
- + Browser & client-side scripting
- - Use browser's identifying information to adjust content for the client software
- - Pop-up alerts/warnings
- - Impersonate messages from browser or OS
- - Change context (right-click) menu
- - Set home page
- - Set bookmarks
- - Set search engine
- - Redirect browser to other sites/pages
- - Plug-ins/extensions
- * Get more information about client-side software and users
- * May intentionally allow more access to the file system
- + Exploits (when some are used successfully, the operation itself is undetectable)
- - Forcefully do anything that could be done with scripting by ignoring user input/confirmations
- - Make client-side software view/download ads (contributes to "click fraud")
- - Make client-side software open/view pages (induced pop-ups; not intended by original site)
- - Make client-side software download and run other software ("drive-by download"; it is not necessary to explain this line in detail. **It should be enough to say that as long as this and other exploits are possible due to advertising, NONE of them are worth the risk, and advertisements should not be allowed to exist/display/run, especially without being able to verify that the content about to be used is safe.**)
- 6. Distribution of malicious (advertisement) content
- + First party, intentional
- (The site desired/visited via a browser serves malicious content.)
- + First party, compromised
- (The site desired/visited via a browser serves malicious content; but it was put there by a malicious employee/contractor or hacker, possibly via server-side exploit.)
- + Third party, basic
- (The advertising host knowingly hosts malicious content among its advertisements or allows its members to create malicious content which it puts into the pool of content to be served.)
- + Third party, "reputable"
- (The advertising host is considered a reliable and professional advertising host regardless of the issues in this document. This host likely has some screening to "prevent" malicious content and may claim to respond to offensive or malicious content and/or offer choices in which ads you receive.)
- + Third party, compromised
(The advertising host is hosting malicious content; but it was put there by a malicious employee/contractor or hacker, possibly via server-side exploit. If they were already hosting malicious content, the effect is that they are less in control of it while compromised. If the host was "reputable", the content may be considered implicitly trusted among company policies, lenient adblock/web of trust systems, and per-user exceptions. Identifying and reporting the issue are problems because people are less likely to believe a trusted, "reputable" host is serving malicious content, including their own staff members (customer service, marketing, and legal members) who believe the service is "proper" and does not do malicious activity (or activity that their lawyers could not defend).)
- *CAN-SPAM Note
CAN-SPAM e-mails demonstrate how useless a supposed mailing address is for advertising recipients, especially when the content was designed to be misleading. The address can commonly be a P.O. box and/or in another state/country. The requirement to provide a method to "opt out" does not mean that the method is practical, functional, or would be honored if attempted. Unsubscribe links have been observed to have the same link target as other objects in the message, and any interaction with the spam message may serve to prove the e-mail was received and opened. An "opt out" procedure means nothing for how the malicious party got an address, is using it, used/sold it, or what they will do with it in the future (ex. attempt to "opt out" immediately releases it to other partners/advertisers).