That's a much more sensible approach than doing what you're suggesting—trying to catch specific instances of people doing something nefarious that makes them money. That just causes the people posting the ads to get more clever, such that it gets more and more costly to catch each instance. (That was helpful in the ReCAPTCHA case, since spammers were advancing computer vision techniques in the process. It's not a harnessable force in the general case.)
Now, the advertisers who only run these mal-ads will stick around and continue running them. They're also the ones who would fight tooth-and-nail to make their mal-ads more clever, instead of giving up and switching to regular ads; so they're exactly the ones Google will have a hard time discouraging at the ad-network level.
My hope for those is that other browsers simply copy Google's strategy here. If Chrome, Firefox, and IE all do this, there's pretty much no point in running these ads any more.
Yes, it's whack-a-mole, but so is SEO, and Google's continually tweaking that instead of giving up. Based on the current rudimentary techniques used by the advertisers (e.g. "DOWNLOAD!" buttons), even eliminating only such blatant examples would go a long way towards cleaning up deceptive ads.
And as you've noted... it's not like Google doesn't have access to advanced CV techniques and the computational infrastructure to run them...
It has nothing to do with CV, it is not an engineering problem.
Not sure what you mean by this, given that there's a human with eyeballs on the other end of the bad ad and a limited number of keywords to trick that human into undesirable actions (virus,error,infected,download,update,install).
CV is exactly the solution you'd want to use for a first-pass categorization, given that's the pathway by which the ads communicate with users.
EDIT: I guess AdSense is involved with AdChoices somehow. My mistake.
The AdChoices icon is used by many ad networks, not just Google's, to indicate that there's per-user targeting happening. But if you click on that "AdChoices" button, you get an AdSense help page.
The link from the ad is to https://googleads.g.doubleclick.net
I don't see how it can't be a Google-sold ad.
I suspect the reason that kind of ad is allowed (despite being deceptive IMHO) is that it's not just a download link. It also indicates that it's an ad for a driver update site (which makes it even shadier to my eye, but probably not violating any policies).
That post is from 2013. The answer to the question in the title is apparently "not for at least three years".
I'll take Google's concern about deceptive ads seriously when they stop serving those ads themselves.
Again, this is not a bad move. But I'm curious about the true motivations. If I were the MPAA, and trying to shut down the revenue stream of sites offering free streaming and torrents, this would be one of the ways to do it. That, or Google is simply sick of receiving takedown notices - and this is one method to take these sites out of their listings before even receiving the DMCA.
I would say it hasn't come from the MPAA or RIAA. These deceptive download buttons appear on a myriad of sites which are not related to streaming/torrenting.
There are also a lot of free file hosting sites with tons of those fake download buttons. Good luck downloading from them now.
But you could just right click and copy the ad link. The link would point to the ad network (e.g. googleads.g.doubleclick.net/aclk), but it would be better than nothing. Also, many ads include a domain, sometimes in a tooltip, and usually just the tld, but again, better than nothing.
One of my websites got tagged as "Dangerous" and having "harmful programs" despite having nothing of the sort. My guess is a silly hiccup of their neural network algorithms. And I have absolutely nobody I can contact about the issue to get an explanation. They just effectively killed the site in one fell swoop.
What if you can’t get in touch with the webmaster because they’re not registered with Google Webmaster
Every time we add an unsafe site to the list, we make a reasonable effort attempt to inform the webmaster by sending a notification to a standard set of email addresses
If my website has been compromised and is now unsafe, what can I do?
We offer advice for webmasters whose sites have been hacked here. It’s best to register your site at Google Webmaster Tools in advance of any problems so that we can notify you promptly and provide more information about the problems we
If you don’t want to use Google Webmaster Tools, you can file appeals with StopBadware.org once you have removed the infection from your site. StopBadware.org also offers great resources for webmasters who want to learn more about what they can do to make their
If anyone is wondering, the site is a location-based file sharing app. It makes use of geolocation and file uploading capabilities. Largely a quick experiment, throwing an idea out there just to see if there's any need for such an app. It was running fine for a few months before Google decided to block it.
https://quack.space/ (which gives a malware error now on Chrome)
https://www.producthunt.com/tech/quack-space (ProductHunt page)
"Is it worth it for google to send their legal team to some small claims court hearing instead of just unblocking the site?"
And contrary to the popular belief, suing people really isn't that expensive if you've got the time to do it.
As with most of similar systems (spamhaus etc) the people running them are just as bad as the people they're trying to stop.
That seems to be how Google is (successfully) using it.
Here the issue is that Google is making direct, verbal claims about other sites. That's not to say Google couldn't come up with a strategy to win in court, but the strategy would have to differ markedly.
edit: i dun read gud. leaving comment as an homage to lack of literacy
It doesn’t have to be like that.
Since Google clearly has the tech to detect this they should be implementing it at source on the advertisers (malvertisers). Instead they are pushing this down to the publishers and hitting them with penalties.
It's a clever ploy in some ways - Google gets the revenue from the ads and also the kudos from Joe Public for "being on the side of the consumer".
Secondly, and arguably more importantly, the way to stop these adverts is for them to cost the advertiser (in either money or time) without giving them the reward of revenue. If the ads stop working then people won't have a reason to make them. By stopping the ads in AdSense rogue advertisers would just change to a different ad network. The problem wouldn't stop.
This is a good move by Google.
... as long as you don't care about browsers which don't run Google's Safe Browsing service.
You know another way to stop these ads? Make available an advertising network which doesn't serve them. Website owners who don't want to install malware on their users' computers - which is probably most of us - would prefer that network to the others. As-is, with even Google's network serving up malicious ads, the choice for a website that wants to run display ads appears to be either build out a sales team & manage inventory itself, or accept that some percentage of its users will get scammed.
The thought is that if "advertising" is actually a feature of a website, then it solves the problem of users trying to avoid being shown ads. If you could hover your mouse over an object on any image on the internet and be taken directly to where you can buy that without all the hassle, I'd see that as a big win.
Note: Just onboarded our first customer yesterday. He's using it to promote iPhone cases based on his instagram feed. Hover over the cases on a desktop, and you'll see what the case is. Click on it, and it takes you directly to the product page.
They are paid per length of time, not by click or view, and they are determined by a continuous auction.
The good news here is we now have official admission by Google that allowing AdSense ads without filtering is dangerous. And those of us who do not have sophisticated techniques that can detect deceptive ads have no choice but to block the entire network serving them, if we want to be secure.
The cost isn't in money, it's in views. By not letting you click a fake DL button, the malicious ad doesn't lead you to the site it wants you to end up on, which is usually plastered with other ads and sometimes has malware lying around on it. The end result is that the malicious party can't make money off their own site's ads and can't redirect you to download god-knows-what onto your system.
It would stop the problem on every Google partner that decided to trust it by displaying its ads.
The sites that "everyday folk" browse are much more likely to be running ads from the AdSense network. Forcing the rogue advertisers to place ads on a smaller network serves to cost them (money or time) without the reward of the revenue they'd otherwise get from AdSense-enabled drive-bys.
I run an online media streaming site for public safety communications, and we've noticed that Adsense advertisers often use these exact social engineering techniques to display download/play links that end up having customers install crappy spyware infested "media players" and other software.
My jaw dropped when I saw this blog post.
If all your options are terrible, you might as well use the terrible option with the largest ROI, right?
No, thanks. Does The Deck serve spammy, malicious ads? I know they're tightly targeted at the techy/designy crowd, but they're also a great example of high ROI ads that aren't terrible.
I'm struggling to find one, any idea?
One of the options is "stop running ads". Why is a "site for public safety communications" running ads at all?
Public safety announcement: block all ads to make your browsing much safer. Use Adblock Plus (with so-called "acceptable ads" turned off) or uBlock Origin.
(incidentally, Lindsay, I've used http://www.radioreference.com to learn a great deal about Software Defined Radio, and I occasionally listen to various Illinois streams on http://www.broadcastify.com - thanks for running these sites!)
Thanks for the clarification; that makes more sense.
I'd still echo the comments from elsewhere in the thread about not doing business with a vendor with shady practices just because other vendors do no better.
You get the sense that sort of thing happens all the time at Microsoft for example, before Ballmer left it felt like the ASP.Net team were pulling in one direction, the Visual Studio team another and the IIS team had gone rabid and were just trying to bite everyone.
It happens when different products have different priorities.
Of course, all components of a properly-functioning organization are revenue-generating. An idealized business in some respects would be people giving you money with no money being spent. Everyone knows that's not how the world works, but it's awfully hard to justify on a quarterly statement.
At Google, many departments aren't directly revenue-generating. Sure, Chrome and Android help people browse the Internet, where they view ads, but that's quite removed from actually selling the product, and those are very large projects. Search, maps, and gmail can show ads internally to generate revenue, but that's still a layer removed. Perhaps Google Apps and Drive are loss leaders, and maybe Fiber will make money eventually, but Glass? Calico? Driverless cars? Loon? Seriously, where does the money for these projects come from? I suppose you can answer "AdSense and AdWords", but why do those businesses give them money? And the harder question is how do they generate political and cultural capital to maintain these expenses?
At most of the companies I have been involved with, these projects would have been cut, outsourced, or consumed by the AdWords and AdSense teams. But there's little question that the world is better and the Internet is used more because of projects like Search, Gmail, Android, and Chrome.
How does Google generate this culture? How can other companies replicate this process?
Why? Isn't that precisely why Google invested so much in Android?
In short, the company's founders have the ability to steer where the company's money goes, nobody has the authority to tell them otherwise, and so far benevolent dictatorship is working. To give a concrete contrasting example, Apple ousted Steve Jobs when his leadership became fiscally risky; because of Alphabet's stock structure, there's no legal way for holders to directly oust Larry Page.
This is the second case in a month of Google punishing web publishers for using Google products. (The previous case was Google punishing non-https search results, when in fact many of Google's own web publishing tools don't support https.)
Maybe they'll just give this "malvertising" detection software to AdSense who can then filter their own content before it hits websites. I'd be more willing to bet this will be the beginning of Adsense cleaning itself up than what you suggest.
It is really common actually on most game content or videos that are geared towards the youth. These Adwords spammers target this category specifically.
Also, if these ads are rejected immediately (or nearly so) by Google, it will provide that much more feedback that malicious advertisers can use to "improve" their ads that much more quickly.
This may be a very stupid question, but are there no ad networks that are more trustworthy?
Actually, never mind. I just looked and their top 5 sites are all well under 1,000,000 page views - and 4 of the 5 are webcomics plus Omegle which I think is one of those random chat sites that popped up a few years ago.
It was amusing to run that. Ad quality was much better on some sites than others. Ads on Business Week pages were generally legitimate. Ads on entertainment sites were awful.
Totally deleting ads seems to have won out over merely thinning them out.
First, it's positively perceived and accepted by end users, which is good for Google and end-users.
Second, it punishes ad networks that don't spend the time to vet what types of ads are allowed. As an end-user, I'm in favor of this.
Third, it boosts ad networks that do spend time vetting ads to prevent malicious ones. Presumably Google, and other networks, that spend time and resources doing this will see a return on that effort. This is good for responsible ad networks, and as an end-user, I'm in favor of this idea to the extent that it should hopefully reduce these malicious ads overall.
It's easy to see this as a way for Google to boost their own ad network, but I think that's too cynical of a take. They aren't boosting themselves specifically, they are punishing bad-actors and boosting good actors overall.
It punishes the sites using those ad networks directly, the networks themselves are indirectly punished.
On one hand it's unfortunate that the site is being punished, on the other hand maybe they deserve some responsibility for not being more selective. I'm not sure.
The publishers aren't innocent at all. They decide to place ads right above, below, and all around the real download button. Because they know that a good percentage of their consumers will be tricked, and so they get paid.
Not really all that clever. Same old story. They take users for fools. Maybe users will stay dumb re: ads, but then maybe not. It's amusing to watch the companies that must jam the ads into your pages to make money claiming they can "make the internet faster" (a previous ploy) or "safer" for users. These companies are part of the problem, not the solution. Unless they find a new "business model". But why bother when this one - being a middleman to people's use of the internet, selling ads and jamming them into every page they can - works so well?
Do you report the deceptive ads to Google?
It also seems like a very different tech than trying to determine what an ad script will actually show a user. So it's not easy as if they can do A they can do B. Still doesn't excuse the fact that they should be doing their best to block those kind of ads in their ad network.
Google AdSense is pay-per-click (or some algorithm, based on clicks against and the subject matter's value). In the context of adware rubbish, we are probably talking about AdSense. So no, Google doesn't pay per impression.
DoubleClick (part of Google for some time) may still offer an impression-based product. My experience of them a few years ago was that they'd negotiate on anything if you have enough traffic to make it worth their time.
This would negatively affect Google's revenue... which is probably why they haven't done so.
IMO that covers all of Google's search result pages. Most users don't seem to realise that the top results are paid advertising...
More broadly, pretending to protect against social engineering is a joke. They won't catch anything other than the most obvious stuff, and they will also block some stuff that many people won't want blocked. Does this feature block Java downloads containing the Ask toolbar? Should it?
Are you saying the bright "ad" lozenge next to the paid results isn't explicit enough?
And anyways, users don't go out of their way to avoid clicking on ads unless the ads are utter crap. Google's whole business is to make the ads relevant to the search and the user, so who's to say the ad isn't actually a relevant result?
Please tell me what link you have at result #500, because I can't see it even if I remove the URL parameters and use the standard 10 results per page...
But the behavior changed since yesterday... yesterday it would have said "Page 53 of 532 results" and now it says "Page 53 of about 1,010,000,000 results" but most of them still can't be seen...
Yes, it is not explicit enough. The tiny yellow box is just a noise present on every search page. As any noise it will be ignored. Especially when everything else in these ads tries to look exactly as a valid search result.
Also, they don't even bother putting it next to each ad. On the right hand side, there's just one 'Ads' at the top and then everything underneath is an unlabelled paid ad. Why?
Google ads started out quite distinct, but they have gradually made them blend in. They used to have a stand-out background colour, then they had a very pale background, and now there is no obvious 'advert box' at all. Google know that many people are misled into clicking on the adverts, but they don't care because of the $$
Users placed their trust in Google, and Google betrayed them.
Tons of sites out there that turn a blind eye to such ads and that's bad. Yes, there will be some unfortunate pain for sites that responsibly attempt to block these ads as they come up. Assuming the blog post is correct and Google has implemented this correctly, it should be minimal for those sorts of folks since they claim the penalty will only occur if users are consistently getting social engineering ads. (I suspect Google will ratchet up the rate over time though, assuming these ads become less common as a result of this and similar efforts).
EDIT: See below. I'm convinced and with y'all now. Google--this is a step in the right direction and I support this action, but you do need to get your own house in order too!
It's pretty basic. A lot of people are not happy that Google is serving these ads that they are telling you they will stop at the browser-level with a warning that makes the site owner look guilty. They want Google's Ad network to stop serving the ads in the first place.
So can anyone point me to an ad served by Google that is as bad as the examples in the blog post? I thought Google had previously cracked down on such ads from the serving side too, although less deceptive ones were still allowed, no? I'm happy to be better informed!
I clicked around for a while but couldn't find a way to report it.
I also received the less bad (but still bad) text-based "start download now" on the same page. You convinced me. Editing my parent post above.
EDIT: for those curious, here's what the page looked like on the page load mentioned above: http://imgur.com/SisOXNT
They were all Google served ads.
I'm not happy that they punish the publisher/webmaster with no accountability for the advertiser or ad network. I can use Google's AdSense on my website, and unless I continually make an effort to manually review ads, it's very likely it will begin displaying these sorts of ads. And then because AdSense doesn't care, Chrome will begin flagging my website as malicious to users?!?
I'm surprised they're not doing this as well as making an effort to purge these sorts of ads from AdSense. That way, I could feel comfortable that my users aren't being shown scummy ads, which would be a huge advantage over other ad networks. Now instead, running ads on a website will either become a liability, or an extra added effort to make sure I don't get screwed over by Google.
Also, while a noble goal, there's no details of how they detect and classify these ads. I've had an entire Domain flagged and blocked off by SafeBrowsing because a single page on a subdomain was displaying an ad (via DoubleClick) which linked to malware.
I'm not. This site is filled with grey-hat folks who would do anything to make a buck on the web. I mean, it's a forum hosted by/affiliated with a VC firm, and look at the comments here. A bunch of people angry that google would dare do this, because they might/will be targeted. People were also pissed when Google stopped using meta keywords, and when they stopped reading text that was made invisible in CSS, and really any grey- or black-hat way to get more visitors/ad impressions.
Weeeellll...I see 99% of these in Android in-app ads. So - a) this should be the end of it, or b) someone is being a bit hypocritical here. I sure hope for the former.
Source: I've worked at one of those.
We're getting pretty good at image classification, but I don't think that extends to maliciously crafted inputs.
I mean you can't even change the new tab page to a custom .html, without Chrome nagging you at every launch if the settings are correct. If you make a manifest.json and load as an unpacked extension, it will moan about that.
FFS, I know what you're trying to do with Joe/Jane Noob, but at least give me something to skip that if I know what I'm doing.
This wouldn't be even needed if new tab page was customizable. Now it's just a Google billboard.
Build a new binary - offer users to install a "developer" build of Chrome which is exactly the same as the mainstream "release" build, except it allows disabling the protections.
My distinction was just that there's absolutely no way to have a UI-based mechanism for disabling nags, since behind any UI is a persisted flag. If you're up for editing your shortcuts to add command-line options, that's fine.
Nope. Windows allows deletion of "protected" shortcuts e.g. from your desktop and launch bar.
That's probably fine, actually, as long as the user (i.e. malware) isn't allowed to create their own shortcuts to replace the deleted ones. I assume there's a GPO to disable the per-user Desktop/QuickLaunch/StartMenu folders, so that only the results from the All Users ones show up?
As the old saying goes, "Those who give up freedom for security deserve neither."
I'd like to see Google take this one step further: author and publisher (as in advertising network) accountability.
Advertising providers, and advertising _publishers_, who forward "bad ads" are given a time-out.
Perhaps 10 minutes for the first instance, but increasing durations for repeat occurrences. Days, weeks, and months for repeated gratuitous violations.
Ad providers and publishers who find they're being timed out for violating standards are, likely, going to clean up their acts, and find ways to ensure that mistakes _don't_ happen. Including direct vetting of content.
If Google don't block ads, I will.
Oh, wait, I already do that. But the rest of the Net is still catching up.
A popup in AdWords says I've violated "Unsupported content free desktop software". RackForms Express is a free version of my flagship product, that one actually being advertised.
Your feelings may very well differ, but if I've clicked on a link, organic or ad, and I get offered a solution to the problem I was seeking an answer for, that seems like a pretty good deal. If nothing else, this differentiation may well be the difference between getting a sale or not.
The appeal process is to fill out this form: https://support.google.com/adwordspolicy/contact/advertise_s..., but from my reading in Google's product forums this doesn't always work. If this fails, the end result will be to remove free software from the net.
We're all for blocking those horrible "Download Firefox" ads, but this change, and the resulting aftermath, feels...I don't know, dangerous. If the end result is small companies like mine pulling valuable resources from the web, I think we all lose.
Fingers crossed my appeal goes through.
* How about updating the radio buttons that appear when you "report this ad" to include "deceptive" as the reason for the report
* DoubleClick (by Google) serves the majority of these "Download now" ads that I've seen on sites that cater to the general public. Don't let advertisers run these ads. Do. Not. Allow. Many of them have "start download" in the plain text of the ad unit, and others are easily found by a bit of OCR on an image ad unit.
Please do not give me a Google-branded poncho (telling me how amazing it is with an infomercial about its revolutionary Dry Living Experience™) when you could patch the leaky roof to truly create a Dry Living Experience.
More likely, TPB stops running these particular shady ads, because Chrome is such a popular browser.
This is a broad statement. Taken at face value, this covers all native advertising - with articles/images/videos/thumbnails/etc intended to fit in with the content of the site/app.
There's been a setting for this stuff forever.
I kinda like this darker, more free-for-all, wild wild west side of the Internet.
There's a reason the Wild West didn't stay wild.
I still like designing personal websites, but it seems like a waste of time now.
What next? "This site contains controversial views"? Or "Politically incorrect website ahead"?
Warning users of phishing and warning users of speech that it finds objectionable are 2 different things entirely.
And of course Google can easily integrate its own ad blocker in Chrome if it chooses so.
What we really need is an open pledge of non-deceptiveness, give it a catchy name, and then advertise sites as conforming to it.
Pretend to act, or look and feel, like a trusted entity — like your own device or browser, or the website itself.
What you describe is annoying and perhaps exploitative of human desires, but in the end no different from normal advertising and far less evil than the ads described in the quote above. You want a full ad-blocker. Perhaps you're already using one and want to justify it.
I'm kidding of course but seriously comparing blocking these buttons and deceptive elements is not censorship, it's Google saying to these publishers that if they don't get their shit together, that they will dissuade traffic from visiting their sites. The only way to get the attention of bigger publishing companies is to grab them by the revenue stream, you all know this.
I'm in the former group. This mollycoddling is just going to lead to more users who can't decide for themselves whether something is suspicious or not and are thus easier to deceive, which might be exactly what Google wants, but I certainly do not think it is good for the Web as a whole (or even society in general.) Being able to make these sorts of decisions of trust is an important part of growing up in general, and I'd even say "finding the right download button" could be considered a sort of rite of passage to being an effective user of the Web, and not just a consumer.
- It's usually smaller and less prominent than the fake ones.
- Mousing over it doesn't show a huge long URL to some external domain that sounds ad-like.
Using adblock probably gets rid of a lot of the fake ones too, but the general principle here is if it looks too good/easy to be true, it probably is. The buttons that seem really enticing are the ones you don't want to click, and it's that odd, not-very-attractive one that you want.
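The cues listed in the comment above (size relative to the other buttons, and a long hover URL pointing at an external, ad-sounding host), turned into a scoring function as an added example; it is not code from any commenter or from Google. The candidate objects, token list, weights and thresholds are assumptions, and only the `googleads.g.doubleclick.net/aclk` host and path come from this thread.

```javascript
// Added example: score "download" candidates on a page with the cues from the
// comment above. Higher score = more likely a fake (ad) button.
// Weights, thresholds and the token list are assumptions for illustration.

const AD_TOKENS = new Set(["ad", "ads", "adserver", "click", "track"]);
const LONG_URL = 100; // characters; assumed cut-off for a "huge long URL"

// Exact host or a subdomain of it. A production check would compare
// registrable domains using the Public Suffix List.
function isSameSite(host, pageHost) {
  return host === pageHost || host.endsWith("." + pageHost);
}

function looksAdLike(host) {
  if (host === "doubleclick.net" || host.endsWith(".doubleclick.net")) return true;
  // Compare whole host tokens so "downloads.example" does not match "ads".
  return host.split(/[.-]/).some((t) => AD_TOKENS.has(t));
}

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// candidates: [{ label, href, width, height }] as a content script could
// collect from anchors/buttons; returns them sorted, least suspicious first.
function rankDownloadLinks(candidates, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const medianArea = median(candidates.map((c) => c.width * c.height));
  const scored = candidates.map((c) => {
    let target;
    try {
      target = new URL(c.href, pageUrl); // resolves relative links like a browser
    } catch {
      return { label: c.label, score: 5, reasons: ["unparseable href"] };
    }
    const reasons = [];
    let score = 0;
    if (!isSameSite(target.hostname, pageHost)) {
      score += 2;
      reasons.push("external host");
      if (looksAdLike(target.hostname)) {
        score += 2;
        reasons.push("ad-like host");
      }
    }
    if (target.href.length > LONG_URL) {
      score += 1;
      reasons.push("very long URL");
    }
    if (c.width * c.height > medianArea) {
      score += 1;
      reasons.push("more prominent than the other candidates");
    }
    return { label: c.label, score, reasons };
  });
  return scored.sort((a, b) => a.score - b.score);
}

function pickLikelyReal(candidates, pageUrl) {
  return rankDownloadLinks(candidates, pageUrl)[0];
}

// Constructed sample page: two ad units and one plain same-site link.
const PAGE = "https://files.example.test/tool";
const SAMPLE = [
  { label: "DOWNLOAD NOW", width: 300, height: 90,
    href: "https://googleads.g.doubleclick.net/aclk?sa=L&ai=" + "x".repeat(120) },
  { label: "Start Download", width: 250, height: 80,
    href: "https://cdn.ads-example.test/click?id=123" },
  { label: "download (mirror 1)", width: 120, height: 24,
    href: "/files/tool-1.2.zip" },
];

for (const r of rankDownloadLinks(SAMPLE, PAGE)) {
  console.log(r.score, r.label, "-", r.reasons.join(", ") || "no cues fired");
}
```

The score is a ranking aid, not a verdict: a same-site link can still serve a bad file, and a legitimate download hosted on a CDN will pick up the "external host" points.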