Advertising is Evil

a guest
Jun 19th, 2016
  1. **TL;DR Version**
  2. 1. Go to the exploits section of this document or search for "drive-by download".
  3. 2. Advertising is intrusive by design because being intrusive and misleading is rewarded with attention. Being more deceitful/evil can get more attention and profits.
  4.  
  5. **Full Version**
  6. Summary:
  7. People saying not to block advertisements are unaware of the problems with advertising, side effects, and malicious uses in general and online OR they are willing to risk other users and possibly those users' devices, privacy, reputations, finances, and health.
  8.  
  9. While users generally have a choice about visiting a specific site, the nature of online advertising is to be intrusive. The nature of embedded advertisements on normal browsers does not allow users choice of whether to have advertisements transfer and load, what sort of media (images, audio, and video that may be offensive or inappropriate for the setting/context) or objects are used, what code is run on users' computers, and what information about them is stolen for correlation by marketing companies and used by them and other entities such as information brokers.
  10.  
  11. People saying their site (or other project) depends on advertising to survive are contributing to the success and persistence of every problem on this list while probably being ignorant (or negligent), thereby making a request to allow advertisements look like an innocent attempt to do business or keep a site online for free while the real effects can and should be considered dangerous, at least/especially within the field of Information Technology.
  12.  
  13.  
  14. There is no good reason to force people to accept and allow/run/display advertisements and then encounter the problems/risks associated with them; and there are companies that specialize in such outright evil behavior. CPAlead and Solve Media are hereby included as frequently encountered offenders for requiring advertisements be shown and/or requiring users to be exposed to online advertisements to be able to see the original site's content. (Displaying advertisements and allowing their methods generally also requires allowing their browser scripts as well as cross-domain requests, traffic, and associated data leakage.)
  15. CPAlead demonstrating/confessing at https://www.youtube.com/watch?v=NIe1OZx_bJQ
  16. Solve Media demonstrating/confessing at https://www.youtube.com/watch?v=f-dZvZasg0o
  17.  
  18. Given the nature of advertising and the perspective of this document, the word "reputable" is not suggested to apply to advertisers using the meanings 'honorable, respectable, good, acceptable,' etc. Here, "reputable" is used in quotes with regard to advertising services and instead means that the company and/or domain names may be considered reliable and professional at least to the extent that some users or companies do any combination of the following:
  19. 1. Trust the advertising provider regardless of the content
  20. 2. Conduct advertising business with that advertising provider/service
  21. 3. Consider or treat the advertising company/domain name as "reputable" in the normal definition or assume that an advertising provider would already have had to fix or stop their services if they were malicious.
  22.  
  23. Outline Points:
  24. ###1) Advertising in General
  25. 1. Goal is generally to get/increase profit
  26. - Normally via marketing/sales (including affiliate rewards)
  27. - Sometimes indirectly using tactics/partnerships/kickbacks
  28. 2. Intruding into users' lives (even with unrelated/unwelcome/offensive content) "increases awareness" and is seen as a positive in marketing
  29. 3. Lies (including exaggerated and false claims) may increase awareness of the product's existence (separate from quality) and sales
  30. 4. Waste of time and other resources (for consumers)
  31. + All resources for delivery and presentation of content that users did not ask for and can not put to positive use
  32.  
  33. - TV
  34. * Time to view advertisement
  35. * Energy of TV/DVR to display it
  36. * If something is recorded to VCR or DVR with advertisements
  37. ** The waste includes wasted storage material
  38. ** Original waste is likely repeated again during playback
  39. ** Recorded advertisements quickly become outdated and even less relevant except as record of the claims made by advertisers.
  40. - Internet
  41. * Time to view/read advertisement
  42. * Energy to display advertisement (CPU/browser; mobile platforms may react more noticeably)
  43. * Transmission of data (Costs/restrictions for data are common on mobile and other connections. Even a quick transmission of undesired content is overhead or waste, especially when data transfer is not free nor instant.)
  44. + Advertised products and claims generally lack the following thus requiring more effort and resources to verify
  45. - Reliable statement/records of quality
  46. - Contact information for relevant questions
  47. - Contact information for problems with the advertisement
  48. - Liability/consequences of incorrect information or faulty products/services (read as "do they have reason to care if users/public find out they were lying or have problems") *CAN-SPAM Note
  49. + Aftermath: While this also applies to good products, consumers who get a faulty, advertised product without checking into it or alternatives are then at the mercy of working with after-effects if something goes wrong, and these tend to be at the discretion of the manufacturer/seller/credit card company. In the case of bad products/companies, these options will be intentionally lacking; and the short goal of profit via advertising with a (bad) product was completed as soon as they were given money.
  50. - Return for cheaper/alternative better product found later
  51. - Warranty terms/concerns
  52. - Replacement
  53. - Refund
  54. - Support/repair
  55.  
  56.  
  57. ###2) Online advertising (as undesired content instead of user requesting "show me advertisements for this product/this service/related offers")
  58. 1. General
  59. + Waste of screen space
  60. + Waste of data transfer
  61. + Waste of storage space in client-side cache
  62. + Can not realistically be controlled by the user (NSFW/controversial/false information/dangerous products)
  63. + May interfere with or change the layout of the desired page
  64. + May block/conceal the content of the desired page
  65. + May add audio/video or other behavior that can not be seen/controlled properly
  66. + Such audio/video content may auto-play by default (gif/flash/other)
  67. + Such audio/video content may have no way to terminate its behavior or change/mute the volume due to errors or [malicious] design (gif/flash/other)
  68. + There is no function native to browsers to hide most images/objects such as advertisements even once they are done loading. If advertisers implemented this feature, advertisements may be less annoying; but the following would also be true.
  69. - Every other point here regarding issues of waste, data usage, privacy, etc. would be unaffected.
  70. - Some providers would undoubtedly use this proposed Hide/Remove/Close functionality for malicious purposes as already present in pop-ups, malicious software, and the "Any user interface control" section of this document
  71.  
  72. 2. Sources
  73. + Primary site (web site has ads that the owner or designer put in place and/or hosts)
  74. + Third party (source is a different company/server)
  75. + Third party (source is a different company/server) also using content from other entities
  76.  
  77. 3. Indirect
  78. + User tracking
  79. + Privacy invasion/further abuse (impersonation/fraud/manipulation) using collected/correlated information
  80.  
  81. 4. Technical
  82. + Animated (gif/flash) - Generally noteworthy for being more annoying or interactive
  83. + Hidden/misleading controls and actions (more in "Exploits" section of this document)
  84. - Volume/mute controls missing/disabled
  85. - May not be able to stop/pause advertisement audio/video
  86. - Firefox has intentionally removed the ability to stop gif animations due to the Escape key having an unrelated effect for unrelated developers so that offensive gif animations can not be stopped natively.
  87. - A "close" or "X" button on a pop-up or overlay may not close an offending banner/panel/overlay/component.
  88. - Any user interface control, especially on an advertisement, can have any effect where these are both true: 1. The programmer wrote a functional script/routine/call (or equivalent) and 2. client-side software (such as the browser/plugin/operating system) was able to complete the request. This includes but is not limited to:
  89. * Navigating to another page
  90. * Committing a like/comment on a site such as Facebook
  91. * Setting the browser's home page
  92. * Creating/deleting files
  93. * Marking "compliance" with any site's license agreement
  94. * Marking "agreement" with any set of terms/contract
  95. * Committing a cross-site operation to another domain using the browser and related credentials as the source and making it appear that the user had issued the command. Examples include transactions at bank sites and orders from shopping/market/commerce sites.
  96. + The same behavior in the above point can be event driven (programmer's choice) using trigger events such as
  97. * The page loading
  98. * A banner/frame/advertisement object loading
  99. * The user attempts to leave or close the page/tab.
  100. + Allowing web content to load generally identifies the source of the request.
  101. - Allowing advertisements provided by the host site to load may not generally disclose additional information unless a feature/plugin is used by that content.
  102. - Allowing advertisements provided by external sites to load allows them to identify the requesting client software as having been involved with the site that included the advertisement.
  103.  
  104. + "Advertising Preferences" - In addition to the lack of content control, the sites and services that claim to allow you to specify ad preferences start off with the stance of using advertisements that may have any other issue on this list AND THEN use cookies or account information to store your "advertising preferences" thus giving them more information for tracking within their sites AND via every site that uses their advertisements since their system will know where your browsers and related accounts have been used.
  105. 5. Malicious content (technical)
  106. + Browser & client-side scripting
  107. - Use browser's identifying information to adjust content for the client software
  108. - Pop-up alerts/warnings
  109. - Impersonate messages from browser or OS
  110. - Change context (right-click) menu
  111. - Set home page
  112. - Set bookmarks
  113. - Set search engine
  114. - Redirect browser to other sites/pages
  115. - Plug-ins/extensions
  116. * Get more information about client-side software and users
  117. * May intentionally allow more access to the file system
  118. + Exploits (when some are used successfully, the operation itself is undetectable)
  119. - Forcefully do anything that could be done with scripting by ignoring user input/confirmations
  120. - Make client-side software view/download ads (contributes to "click fraud")
  121. - Make client-side software open/view pages (induced pop-ups; not intended by original site)
  122. - Make client-side software download and run other software ("drive-by download"; it is not necessary to explain this line in detail. **It should be enough to say that as long as this and other exploits are possible due to advertising, NONE of them are worth the risk, and advertisements should not be allowed to exist/display/run, especially without being able to verify that the content about to be used is safe.**)
  123. 6. Distribution of malicious (advertisement) content
  124. + First party, intentional
  125. (The site desired/visited via a browser serves malicious content.)
  126. + First party, compromised
  127. (The site desired/visited via a browser serves malicious content; but it was put there by a malicious employee/contractor or hacker, possibly via server-side exploit.)
  128. + Third party, basic
  129. (The advertising host knowingly hosts malicious content among its advertisements or allows its members to create malicious content which it puts into the pool of content to be served.)
  130. + Third party, "reputable"
  131. (The advertising host is considered a reliable and professional advertising host regardless of the issues in this document. This host likely has some screening to "prevent" malicious content and may claim to respond to offensive or malicious content and/or offer choices in which ads you receive.)
  132. + Third party, compromised
  133. (The advertising host is hosting malicious content; but it was put there by a malicious employee/contractor or hacker, possibly via server-side exploit. If they were already hosting malicious content, the effect is that they are less in control of it while compromised. If the host was "reputable", the content may be considered implicitly trusted among company policies, lenient adblock/web of trust systems, and per-user exceptions. Identifying and reporting the issue are problems because people are less likely to believe a trusted, "reputable" host is serving malicious content, including their own staff members (customer service, marketing, and legal members) who believe the service is "proper" and does not do malicious activity (or activity that their lawyers could not defend).)
  134.  
  135.  
  136. *CAN-SPAM Note
  137. CAN-SPAM e-mails demonstrate how useless a supposed mailing address is for advertising recipients, especially when the content was designed to be misleading. The address can commonly be a P.O. box and/or in another state/country. The requirement to provide a method to "opt out" does not mean that the method is practical, functional, or would be honored if attempted. Unsubscribe links have been observed to have the same link target as other objects in the message, and any interaction with the spam message may serve to prove the e-mail was received and opened. An "opt out" procedure means nothing for how the malicious party got an address, is using it, used/sold it, or what they will do with it in the future (e.g., an attempt to "opt out" immediately releases it to other partners/advertisers).
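
The points above under "Allowing web content to load generally identifies the source of the request" and "Advertising Preferences" can be checked against a record of what a browser actually requested. The following is an added example, not part of the original paste: it takes a constructed list of requests and reports which external hosts received the same cookie from visits to more than one site. The hostnames, the cookie value and the two-label approximation of a "site" are assumptions made for illustration.

```javascript
// Added example: which external hosts can link visits across sites.
// All sample data is constructed; hostnames use the reserved .example TLD.

// Approximate a "site" as the last two hostname labels (assumption: a real
// audit would use the Public Suffix List for this).
function site(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// page: what the user visited; resource: what the page embedded;
// cookie: what the browser attached to the resource request (null if none).
const sampleRequests = [
  { page: 'https://news.example/story/42', resource: 'https://news.example/logo.png', cookie: null },
  { page: 'https://news.example/story/42', resource: 'https://cdn.adnet.example/banner.js', cookie: 'uid=abc123' },
  { page: 'https://health.example/symptoms', resource: 'https://px.adnet.example/p.gif', cookie: 'uid=abc123' },
  { page: 'https://shop.example/cart', resource: 'https://static.other.example/w.js', cookie: null },
];

// Build: third-party site -> Map(identifier -> Set of sites the user was on).
function thirdPartyView(requests) {
  const view = new Map();
  for (const { page, resource, cookie } of requests) {
    const tp = site(resource);
    if (tp === site(page)) continue;          // host-provided content: skip
    const id = cookie || '(no cookie)';
    if (!view.has(tp)) view.set(tp, new Map());
    const byId = view.get(tp);
    if (!byId.has(id)) byId.set(id, new Set());
    byId.get(id).add(site(page));             // disclosed via Referer/Origin
  }
  return view;
}

// A stable identifier seen from two or more sites is a cross-site profile.
function correlatedProfiles(view) {
  const out = [];
  for (const [tp, byId] of view)
    for (const [id, sites] of byId)
      if (id !== '(no cookie)' && sites.size > 1)
        out.push({ thirdParty: tp, id, sites: [...sites].sort() });
  return out;
}

console.log(correlatedProfiles(thirdPartyView(sampleRequests)));
```

The same functions can be fed entries exported from a browser's network panel to see which external hosts a given page load reported to.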