Hacker News
No More Deceptive Download Buttons (googleonlinesecurity.blogspot.com)
706 points by r721 on Feb 4, 2016 | 253 comments

Perhaps now that Google has taken steps to block websites that display these ads, Google should take steps to stop accepting these ads onto their network in the first place. Most of the time when I see those DOWNLOAD/PLAY buttons, they're hosted on doubleclick.

I'm not sure they need to. Google's approach here tackles the problem of these ads being created from an economic direction: if nobody is seeing these ads, they won't make any CPM money any more, so their creators will stop running them.

That's a much more sensible approach than doing what you're suggesting—trying to catch specific instances of people doing something nefarious that makes them money. That just causes the people posting the ads to get more clever, such that it gets more and more costly to catch each instance. (That was helpful in the ReCAPTCHA case, since spammers were advancing computer vision techniques in the process. It's not a harnessable force in the general case.)

You're aware that people view websites through browsers which don't run Google's safe browsing software, right? How is leaving them to get tricked into downloading malware (served via Google) "more sensible"?

You're not "leaving them"; making the ROI for an ad 30% lower (given a 30% Chrome install-base) is usually enough to make the advertiser give up on that ad, because they could instead be running an ad that converts ~90% as well and not losing 30% of their impressions in the process.

Now, the advertisers who only run these mal-ads will stick around and continue running them. They're also the ones who would fight tooth-and-nail to make their mal-ads more clever, instead of giving up and switching to regular ads; so they're exactly the ones Google will have a hard time discouraging at the ad-network level.

My hope for those is that other browsers simply copy Google's strategy here. If Chrome, Firefox, and IE all do this, there's pretty much no point in running these ads any more.

The point was made elsewhere, but I think you stated it most eloquently. Here's my question though: does it not benefit the user to enforce some minimum of deterrence through automated policing on the ad acceptance side?

Yes, it's whack-a-mole, but so is SEO, and Google's continually tweaking that instead of giving up. Based on the current rudimentary techniques used by the advertisers (e.g. "DOWNLOAD!" buttons), even eliminating only such blatant examples would go a long way towards cleaning up deceptive ads.

And as you've noted... it's not like Google doesn't have access to advanced CV techniques and the computational infrastructure to run them...

Google is trying quite hard to stop the download ads. The people running those ads are trying even harder.

It has nothing to do with CV, it is not an engineering problem.

> It has nothing to do with CV, it is not an engineering problem.

Not sure what you mean by this, given that there's a human with eyeballs on the other end of the bad ad and a limited number of keywords to trick that human into undesirable actions (virus,error,infected,download,update,install).

CV is exactly the solution you'd want to use for a first-pass categorization, given that's the pathway by which the ads communicate with users.

It’s an approach that has many casualties, though.

I was going to say exactly the same thing. Blocking/warning about them at the browser level is a great move, especially as it will also work for ads not served by Google. But they should also be working to stop these ads getting published on their network as well.

But that is a more direct threat to their revenue stream so of course not :).

I remember a few years ago AdSense was showing a lot of fake Download buttons (and users would complain about it). I haven't seen them recently, though, so I hope that means they've fixed that problem.

I just checked and the download page on getpaint.net still has a deceptive "Start Download" AdSense ad. That site came to mind because, a few months ago, I tried to be charitable and disabled ad blocking for a few days. That was the site where I decided enough was enough and started blocking again.

You're not being charitable disabling your ad blocking. You're just perpetuating a system where egregious invasion of privacy is 'the deal' for using the internet. I understand that some sites might struggle for income without advertising but if they want me to view their ads they had better find some partners who don't stalk me across the web.

I just went there and saw a fake start download button, but it was with the 'AdChoices' network, not AdSense.

EDIT: I guess AdSense is involved with AdChoices somehow. My mistake.

Pretty sure it's an AdSense ad: http://imgur.com/OBy1PFR

The AdChoices icon is used by many ad networks, not just Google's, to indicate that there's per-user targeting happening. [1] But if you click on that "AdChoices" button, you get an AdSense help page.

[1] http://www.youradchoices.com/faq.aspx

When I click the > I get https://support.google.com/adsense .

The link from the ad is to https://googleads.g.doubleclick.net

I don't see how it can't be a Google-sold ad.

I'm not too familiar with AdSense vs. DoubleClick vs. AdChoices, but when I hover the ad it shows a link to DoubleClick, the little triangle icon points to an AdSense support page, and the JavaScript to load the ad comes from googlesyndication.com. From what I understand, that all points to it being an AdSense ad.

I suspect the reason that kind of ad is allowed (despite being deceptive IMHO) is that it's not just a download link. It also indicates that it's an ad for a driver update site (which makes it even shadier to my eye, but probably not violating any policies).

Nope. We started experimenting with AdX ads a few days ago and immediately saw exactly these ads: https://www.en.advertisercommunity.com/t5/Ad-Approval-Policy...

That post is from 2013. The answer to the question in the title is apparently "not for at least three years".

I'll take Google's concern about deceptive ads seriously when they stop serving those ads themselves.

They are still there. Now in green instead of blue.

I'm not at all against this move from Google - it is good sense. However, to play Devil's advocate, what are the odds this was pushed down by the MPAA/RIAA or similar? This policy more or less directly targets sites that offer free online streaming or torrent downloads of Movies/TV/Music. The sites that wind up with these deceptive ads are typically sites that provide copyrighted content to their users.

Again, this is not a bad move. But I'm curious about the true motivations. If I were the MPAA, and trying to shut down the revenue stream of sites offering free streaming and torrents, this would be one of the ways to do it. That, or Google is simply sick of receiving takedown notices - and this is one method to take these sites out of their listings before even receiving the DMCA.

Download button ads appear on websites providing useful utilities and in particular Minecraft content and add-ons. I'm having to educate my kids on what is and isn't a real download button. It's a pain in the arse.

I would say it hasn't come from the MPAA or RIAA. These deceptive download buttons appear on a myriad of sites which are not related to streaming/torrenting.

Actually when I saw the headline my first thought was sourceforge. You expect these kinds of deep web ads when perusing sites you know damn well are "less than legal" but I've seen them on a number of websites I wouldn't normally expect to, sourceforge being the worst offender in my experience.

In my experience most free online streaming and torrent downloading websites have very small hard-to-find download buttons with a lot of fake "Download Now!" ads. So this would actually make torrenting easier.

By showing a full screen alert?

There are also a lot of free file hosting sites with tons of those fake download buttons. Good luck downloading from them now.

I mean it makes displaying "Download Now!" banners less effective. You can bypass the alert; Chrome puts the alert if I understood.

Google doesn't make any attempts to pander to the MPAA/RIAA anymore. http://googlepublicpolicy.blogspot.com/2014/12/the-mpaas-att...

It'll be interesting to see if they block people from visiting sites that use doubleclick for ads, or if this is just an excuse for blocking sites that use competing ad providers.

There should be an easy way to flag an ad for inappropriate behaviour (by the user seeing it)

How long would it take before fake "Flag this ad" buttons start appearing on ads?

The little X button in the top right corner of Google display ads already performs this function, no?

I tried to flag a deceptive "Start Download" ad of this kind by clicking on this button a few days ago (which appeared on a site I run, annoyingly). The form I was required to fill out needed me to say where the link in the ad took me. So I'm supposed to click on the link in an ad which is pretty plainly attempting to install some kind of malware, in order to be able to report it? I'm supposed to either be 100% confident there's no vulnerability in my browser, or set up some kind of VM to test with, just in order to report a single, obviously malicious ad?

I just tried it on the getpaint.net site (mentioned elsewhere itt) and it only had an option box set with three options: inappropriate, repetitive, irrelevant.

But you could just right click and copy the ad link. The link would point to the ad network (e.g. googleads.g.doubleclick.net/aclk), but it would be better than nothing. Also, many ads include a domain, sometimes in a tooltip, and usually just the tld, but again, better than nothing.

Admob too serves similar Ads: "Your phone is infected, click here to install Clean Master..."

Because this way they get to charge for the ad and then also not let their users get suckered. They win both ways.

Google doesn't charge for ads, it charges for impressions. If your user doesn't see it, Google doesn't get paid. Get your facts straight.

This "Google Safe Browsing" initiative seriously worries me. It's effectively some unknown, mysterious, un-contactable set of AI algorithms/people/who knows what controlling the internet because Google owns everyone's browser.

One of my websites got tagged as "Dangerous" and having "harmful programs" despite having nothing of the sort. My guess is a silly hiccup of their neural network algorithms. And I have absolutely nobody I can contact about the issue to get an explanation. They just effectively killed the site in one fell swoop.

According to the FAQ[0] of the safe browsing program, they attempt to contact you first, but there is a way to contact them.

  What if you can’t get in touch with 
  the webmaster because they’re not 
  registered with Google Webmaster 

  Every time we add an unsafe site to 
  the list, we make a reasonable 
  effort attempt to inform the 
  webmaster by sending a notification 
  to a standard set of email addresses 
  (e.g., webmaster@[sitename].com; 

  If my website has been compromised 
  and is now unsafe, what can I do?

  We offer advice for webmasters whose 
  sites have been hacked here. It’s 
  best to register your site at Google 
  Webmaster Tools in advance of any 
  problems so that we can notify you 
  promptly and provide more 
  information about the problems we 

  If you don’t want to use Google 
  Webmaster Tools, you can file 
  appeals with StopBadware.org once 
  you have removed the infection from 
  your site. StopBadware.org also 
  offers great resources for 
  webmasters who want to learn more 
  about what they can do to make their 
  sites safer.
[0]: https://www.google.com/transparencyreport/safebrowsing/faq/?...

A while ago I submitted my site for review and provided a contact. I got no response. I also got no such e-mail. In addition it seems they only send you a "notification", i.e. an automatic "We've blocked you" and not a human attempt to resolve the issue. If a human had been viewing my site it would have been 100% clear that there is no malware issue. However, since I do make use of certain HTML5 features after prompting the user, I could see why it causes a trigger if they have some half-baked neural network algorithm trying to identify potential malware based on JavaScript source.

If anyone is wondering, the site is a location-based file sharing app. It makes use of geolocation and file uploading capabilities. Largely a quick experiment, throwing an idea out there just to see if there's any need for such an app. It was running fine for a few months before Google decided to block it.

https://quack.space/ (which gives a malware error now on Chrome)

https://www.producthunt.com/tech/quack-space (ProductHunt page)

As with most things in this world, you could sue them.

Has any site that has been incorrectly de-indexed from Google sued and won? I have no idea, but this would be super fascinating.

De-indexed in search is a bit different from effectively blocked in the browser. If Chrome says your site is dangerous and actually your site is harmless, are they defaming your website? If Google choose not to include you in their search engine, that could still be an issue, but it's probably a lot more nuanced.

Yea, I wonder if stating a site is dangerous would be considered libel in the US...

Probably not, but Google EU is in Ireland and their libel laws are likely to be a lot like those of England, which is to say super pro the person who feels wronged.

How many of the sites that were illegitimately blocked can afford to sue Google? How many can afford to win against Google's top notch legal team?

The real question is

"Is it worth it for google to send their legal team to some small claims court hearing instead of just unblocking the site?"

And contrary to the popular belief, suing people really isn't that expensive if you've got the time to do it.

It wasn't a major or revenue-generating site, so I don't want to spend on legal fees. If it had been though, I would.

Yeah, I've experienced the same and it's really a pain in the ass. Apparently there's tons of orgs that can automatically add sites to that blacklist, I got abuse from some company saying there was a phishing page on my IP because it featured a login page and the text "Amazon" and suddenly chrome started showing alerts when I visited the IP.

As with most similar systems (spamhaus etc) the people running them are just as bad as the people they're trying to stop.

They'd invoke the first amendment. It would be pretty open and shut.

If the claim that your site is dangerous is demonstrably false and there are demonstrable damages you can indeed be liable for damages or face injunction.


I'm not sure if you know what the "first amendment" is. I'll tell you what it isn't, it's not a magical trump card that lets you say whatever you want.


That seems to be how Google is (successfully) using it.

That's a VERY different situation. Google is claiming there that (essentially) they have the right to put sites in whatever order they want, and US courts are extremely sympathetic to that argument.

Here the issue is that Google is making direct, verbal claims about other sites. That's not to say Google couldn't come up with a strategy to win in court, but the strategy would have to differ markedly.

google is not a government agency. you can't claim first amendment when dealing with private parties. that's like me suing the NFL for not letting me post racist rants on their homepage because of the first amendment.

edit: i dun read gud. leaving comment as an homage to lack of literacy

> Google owns everyone's browser

It doesn’t have to be like that.

It doesn't have to, but that's the way it's trending.

Yes, there's good reason why I'm posting this from https://www.palemoon.org/ which is Firefox without the politics - Chrome is too intrusive and non-transparent about its intrusion to boot.

Firefox uses Google Safe Browsing, like Opera and Safari.

How do they fund their security patches?

fund as in finance?

Yup, to be on top of the security stuff is a really expensive thing to do.

Saw this late: I believe they have a running policy of porting all security stuff from main rep FF and adding additional hardening on top (by disabling semi baked features and removing legacy stuff, like XP support, at a much quicker rate than regular FF releases). But how this is managed in terms of man-hours/pay/etc. - haven't got the faintest: organisational transparency is expensive but would be ever so great to get right for software vendors on the whole!

I always thought it was something like visiting the site with a somewhat unprotected (but virtualized) computer and seeing if anything bad (registry keys changed) happened.

What website?

This is a joke, right? We run Adsense display ads on our site and have to spend significant time every day reviewing and blocking new ads which try to use these deceptive practices.

Since Google clearly has the tech to detect this they should be implementing it at source on the advertisers (malvertisers). Instead they are pushing this down to the publishers and hitting them with penalties.

It's a clever ploy in some ways - Google gets the revenue from the ads and also the kudos from Joe Public for "being on the side of the consumer".

Firstly, this will work on ad networks other than Google, so it's more broad reaching than anything they could do just within AdSense. This is good.

Secondly, and arguably more importantly, the way to stop these adverts is for them to cost the advertiser (in either money or time) without giving them the reward of revenue. If the ads stop working then people won't have a reason to make them. By stopping the ads in AdSense rogue advertisers would just change to a different ad network. The problem wouldn't stop.

This is a good move by Google.

"more broad reaching than anything they could do just within AdSense"

... as long as you don't care about browsers which don't run Google's Safe Browsing service.

You know another way to stop these ads? Make available an advertising network which doesn't serve them. Website owners who don't want to install malware on their users' computers - which is probably most of us - would prefer that network to the others. As-is, with even Google's network serving up malicious ads, the choice for a website that wants to run display ads appears to be either build out a sales team & manage inventory itself, or accept that some percentage of its users will get scammed.

I've actually built an advertising network[1] that is not focused on serving display ads, but linking to content directly in images. Video demo: https://www.youtube.com/watch?v=8GfKBvs53Ss

The thought is that if "advertising" is actually a feature of a website, then it solves the problem of users trying to avoid being shown ads. If you could hover your mouse over an object on any image on the internet and be taken directly to where you can buy that without all the hassle, I'd see that as a big win.

Note: Just onboarded our first customer yesterday. He's using it to promote iPhone cases based on his instagram feed[2]. Hover over the cases on a desktop, and you'll see what the case is. Click on it, and it takes you directly to the product page.

[1] http://pleenq.com

[2] http://www.obeythekorean.net/pages/instagram-feed

This is the first ad platform I've seen that is innovative in a good way, instead of the usual remarketing/tracking/native/data whatever bullshit. Seriously, awesome idea and execution. Have you gotten any press for this?

No press, just a reddit post[1]. Do you know anyone? :)

[1] https://www.reddit.com/r/Entrepreneur/comments/43qnen/if_you...

This is undoubtedly interesting content for writers and bloggers. I'll think on it and PM you if I come up with anything worthwhile.

That's pretty good. The issue I have with it is that without this prior knowledge, I can't tell what will happen when I click - the URL isn't informative, and there's no alt-text.

What would you like to see it do? I've been thinking of tons of different ways of displaying that to a user, but I figured I'd just put it out there and see what people suggested.

Surely it would make the most sense to build it into both AdSense and Chrome. That way Google know they're not running a network facilitating this, and they are also able to block malicious ads from other networks in the browser.

In my experience as a consumer, project wonderful ad system thingy ads seem to be unobjectionable.

They are paid per length of time, not by click or view, and they are determined by a continuous auction.

I wonder if Mozilla will attempt to create a list of scam advertisements and automatically block those...

This does not make any sense. Advertisers paying per view do not get charged for a view if Chrome prevents the user from viewing the page.

The good news here is we now have official admission by google that allowing adsense ads without filtering is dangerous. And those of us who do not have sophisticated techniques that can detect deceptive ads have no choice to but to block the entire network serving them, if we want to be secure.

> Advertisers paying per view do not get charged for a view if Chrome prevents the user from viewing the page.

The cost isn't in money, it's in views. By not letting you click a fake DL button, the malicious ad doesn't lead you to the site it wants you to end up on, which is usually plastered with other ads and sometimes has malware lying around on it. The end result is that the malicious party can't make money off their own site's ads and can't redirect you to download god-knows-what onto your system.

Any blocking of "malverts" should arguably just emulate a view so it costs the advertiser even more than the lost view. If Google don't want to do that themselves (which would be understandable) they could likely expose it in APIs so plugins like ad blockers can do it.

Why not block it at the source instead? Prevent these types of ads from being submitted to AdSense in the first place.

Google can't do that. It'd be fraud.

I don't think it would be fraud if they did it to ads from non-Google networks. But yeah, they shouldn't fake views on ads that come from their own networks.

It's a necessary but not sufficient step. They should also block all such ads within AdSense.

> By stopping the ads in AdSense rogue advertisers would just change to a different ad network. The problem wouldn't stop.

It would stop the problem on every Google partner that decided to trust it by displaying its ads.

> By stopping the ads in AdSense rogue advertisers would just change to a different ad network

The sites that "everyday folk" browse are much more likely to be running ads from the AdSense network. Forcing the rogue advertisers to place ads on a smaller network serves to cost them (money or time) without the reward of the revenue they'd otherwise get from AdSense-enabled drive-bys.

It's a good move, but it seems unlikely that they are going to block a site that's only using AdSense to serve up deceptive ads. Where is the announcement that adsense/adwords will detect those ads as well?

Spot On.

I run an online media streaming site for public safety communications, and we've noticed that Adsense advertisers often use these exact social engineering techniques to display download/play links that end up having customers install crappy spyware infested "media players" and other software.

My jaw dropped when I saw this blog post.

I'm semi-serious here, but if you noticed that you are serving ads that are harming your users, why would you continue to use ad-sense? Why not switch to a different ad network and let Google know why you switched?

Based on other comments in this thread: does such an ad network exist?

If all your options are terrible, you might as well use the terrible option with the largest ROI, right?

> might as well use the terrible option with the highest ROI, right?

No, thanks. Does The Deck serve spammy, malicious ads? I know they're tightly targeted at the techy/designy crowd, but they're also a great example of high ROI ads that aren't terrible.

You can't just use The Deck, you have to be invited.

Valid point. But I still reject the notion of "that sucks but might as well get mine". Sounds like there's a lot of space for ad networks that don't suck. Or monetization models that don't rely on spammy, useless ads.

> Or monetization models that don't rely on spammy, useless ads.

I'm struggling to find one, any idea?

Build something so good, people will pay for it? It seems to work for companies like Netflix and Toyota.

But not companies like Google, or Facebook, or Twitter...

Nobody suggested there's one solution for everybody. I was just responding to the comment that advertising is the only monetization strategy and that's ridiculous.

> If all your options are terrible, you might as well use the terrible option with the largest ROI, right?

One of the options is "stop running ads". Why is a "site for public safety communications" running ads at all?

Public safety announcement: block all ads to make your browsing much safer. Use Adblock Plus (with so-called "acceptable ads" turned off) or uBlock Origin.

He's not running a public safety institution, he runs a site that has live audio streams from police / emergency scanners.

(incidentally, Lindsay, I've used http://www.radioreference.com to learn a great deal about Software Defined Radio, and I occasionally listen to various Illinois streams on http://www.broadcastify.com - thanks for running these sites!)

> He's not running a public safety institution, he runs a site that has live audio streams from police / emergency scanners.

Thanks for the clarification; that makes more sense.

I'd still echo the comments from elsewhere in the thread about not doing business with a vendor with shady practices just because other vendors do no better.

I don't think I'd be comfortable doing that.

It's a big company, I can imagine the browser guys wanting this but the ad guys saying they "can't" do this and there being a mini-war.

You get the sense that sort of thing happens all the time at microsoft for example, before Ballmer left it felt like the ASP.Net team were pulling in one direction, the Visual Studio team another and the IIS team had gone rabid and were just trying to bite everyone.

It happens when different products have different priorities.

It also happens when one department is perceived as an "expense" like IT or R&D, and starts pushing against "revenue-generating" departments like sales.

Of course, all components of a properly-functioning organization are revenue-generating. An idealized business in some respects would be people giving you money with no money being spent. Everyone knows that's not how the world works, but it's awfully hard to justify on a quarterly statement.

At Google, many departments aren't directly revenue-generating. Sure, Chrome and Android help people browse the Internet, where they view ads, but that's quite removed from actually selling the product, and those are very large projects. Search, maps, and gmail can show ads internally to generate revenue, but that's still a layer removed. Perhaps Google Apps and Drive are loss leaders, and maybe Fiber will make money eventually, but Glass? Calico? Driverless cars? Loon? Seriously, where does the money for these projects come from? I suppose you can answer "AdSense and AdWords", but why do those businesses give them money? And the harder question is how do they generate political and cultural capital to maintain these expenses?

At most of the companies I have been involved with, these projects would have been cut, outsourced, or consumed by the AdWords and AdSense teams. But there's little question that the world is better and the Internet is used more because of projects like Search, Gmail, Android, and Chrome.

How does Google generate this culture? How can other companies replicate this process?

Didn't Oracle reveal recently (maybe I'm totally misremembering this) that Google receives a shitload of revenue via Android?

Yes. To date, Android has generated $31 billion in revenue and $22 billion in net profit.


Counting web ads served to users as revenue generated by the computer's operating system is ludicrous. Oracle is trying to misrepresent the amount of money made so they can sue for damages. The numbers are BS.

> Counting web ads served to users as revenue generated by the computer's operating system is ludicrous.

Why? Isn't that precisely why Google invested so much in Android?

These are very good questions. I have wondered the same for a long time. Can anybody shed some light on this?

There are a lot of pieces to that puzzle. One of them is a stock program that basically guarantees the investors have a voice, but zero actual steering capacity for the company, coupled with a CEO who wants to take risks, coupled with a company track record of risks paying off in bizarrely outsized ways just often enough to keep investors hungry for the stock in spite of the fact that ownership of the stock grants them no control.

In short, the company's founders have the ability to steer where the company's money goes, nobody has the authority to tell them otherwise, and so far benevolent dictatorship is working. To give a concrete contrasting example, Apple ousted Steve Jobs when his leadership became fiscally risky; because of Alphabet's stock structure, there's no legal way for holders to directly oust Larry Page.

Nope. The ads team at Google has been actively working against these types of ads for years. No one at Google wants to serve bad ads.

Most websites seem not to care about the content they deliver to their visitors. When I visit xyz.com, it is xyz.com's job to ensure that it doesn't deliver to me malicious content. I have zero sympathy for xyz.com telling me that it's not their problem, they serve 3rd party ads and if these ads are malicious it's the fault of these advertisers not theirs.

Sure, this is fine, but Google seems to plan to block sites which show malicious ads served by Google's AdSense. That's idiotic.

This is the second case in a month of Google punishing web publishers for using Google products. (The previous case was Google punishing non-https search results, when in fact many of Google's own web publishing tools don't support https.)

And I'm willing to bet Google will make a special exception for itself. I actually posted a screenshot on my G+ page yesterday of the most recent fake download button I saw online... On a YouTube banner ad, served by Google AdSense.

Do they have a history of making exceptions for themselves? If not, then you winning this bet will be quite a big deal - it'll show them as anti-competitive. They'd be forcing customers to use their AdSense product instead of just-as-good competitors.

Maybe they'll just give this "malvertising" detection software to AdSense who can then filter their own content before it hits websites. I'd be more willing to bet this will be the beginning of Adsense cleaning itself up than what you suggest.

Yes. On last week's story, a commenter mentioned how they decreed that web pages which showed a full-page ad on landing would be penalized in search, yet they themselves continued to show a full-page ad in mobile GMail for the GMail app, and it remained the first hit for "e-mail".

Says someone who has never managed webs on a website.

Exactly this. Ads served through Adsense are flooded with these. We have spent countless hours trying to block all of them but they just pop up again under a different domain. So is Google going to punish publishers who are using Adsense if these ads come through Adsense?

I could only wish that Google will punish their own sites the same too. There are countless ads on YouTube claiming to provide free Minecraft downloads, commonly shown to very young viewers of YouTube. You might even be able to see these right now by turning on Private Browsing and disabling your ad-blocker.

Yep! This is a big issue on pretty much most Minecraft specific content sites & videos. I think these spammers specifically target Minecraft keywords and Minecraft sites through Adwords display ads knowing that kids will click the ads. If your site has Minecraft content and is serving Adsense within that content, you are almost certain to have these types of ads display. Not the fault of the actual content site but an issue with the spammers targeting through Adwords.

It is really common actually on most game content or videos that are geared towards the youth. These Adwords spammers target this category specifically.

Google doesn't control all advertisers. Presumably this applies to sites with non-Google ads too.

Also, if these ads are rejected immediately (or nearly so) by Google, it will provide that much more feedback that malicious advertisers can use to "improve" their ads that much more quickly.

Those download buttons look always the same. Oh wait, they changed their color. After years of blue buttons they are now green. So Google can detect your face in a crowd on a photo, but can not detect a download button on a small ad?

I too have seriously struggled with this. I recently discovered that you can ban this entire category of ads (mostly). Go to "Allow & block ads", then "sensitive categories" and select "Ringtones & Downloadables." This will remove most of these types of ads.

I agree, I have a personal blog and wanted to experiment with ads, so I put AdSense up there. I reported the "Download" ones but just kept getting more, so I finally removed the ads.

> We run Adsense display ads on our site and have to spend significant time every day reviewing and blocking new ads which try to use these deceptive practices.

This may be a very stupid question, but are there no ad networks that are more trustworthy?

tl;dr no. AdSense sucks, but all other networks are actually worse. (There are tiny ad networks that are actually trustworthy, e.g. Project Wonderful, but they won't make you a living.)

You could look at something like Project Wonderful, but I think they're a little more geared towards small-scale niche advertising (gaming, comics, blogs).

Actually, never mind. I just looked and their top 5 sites are all well under 1,000,000 page views - and 4 of the 5 are webcomics plus Omegle which I think is one of those random chat sites that popped up a few years ago.

Well I used to work for a few Ad Publishers and they are on this list.


I used to have a Firefox add-on which rated the sites linked to in Google ads.[1] I could have deleted the ads, but didn't. Should I bring that back?

It was amusing to run that. Ad quality was much better on some sites than others. Ads on Business Week pages were generally legitimate. Ads on entertainment sites were awful.

Totally deleting ads seems to have won out over merely thinning them out.

[1] https://addons.mozilla.org/en-US/firefox/addon/adrater/

Well, it's a way for Google to throw their weight around to multiple effects.

First, it's positively perceived and accepted by end users, which is good for Google and end-users.

Second, it punishes ad networks that don't spend the time to vet what types of ads are allowed. As an end-user, I'm in favor of this.

Third, it boosts ad networks that do spend time vetting ads to prevent malicious ones. Presumably Google, and other networks, that spend time and resources doing this will see a return on that effort. This is good for responsible ad networks, and as an end-user, I'm in favor of this idea to the extent that it should hopefully reduce these malicious ads overall.

It's easy to see this as a way for Google to boost their own ad network, but I think that's too cynical of a take. They aren't boosting themselves specifically, they are punishing bad-actors and boosting good actors overall.

>>Second, it punishes ad networks that don't spend the time to vet what types of ads are allowed. As an end-user, I'm in favor of this.

It punishes the sites using those ad networks directly, the networks themselves are indirectly punished.

Well, it punished them both. An ad network that can't display its ads in places it could before is a form of direct punishment. Forcing sites for choosing ad networks that don't vet their ads well is an additional indirect punishment as well, as it may encourage those sites to choose a more discerning ad network.

On one hand it's unfortunate that the site is being punished, on the other hand maybe they deserve some responsibility for not being more selective. I'm not sure.

No, it's not a "ploy", it's the only realistic action google could take. It would be a huge business mistake to ban malvertisers from adsense, because those would move to other networks, which would then in turn be preferred by publishers because that's where the money moves. Adsense would lose, and the consumer wouldn't have won anything.

The publishers aren't innocent at all. They decide to place ads right above, below, and all around the real download button. Because they know that a good percentage of their consumers will be tricked, and so they get paid.

"It's a clever ploy..."

Not really all that clever. Same old story. They take users for fools. Maybe users will stay dumb re: ads, but then maybe not. It's amusing to watch the companies that must jam the ads into your pages to make money claiming they can "make the internet faster" (a previous ploy) or "safer" for users. These companies are part of the problem, not the solution. Unless they find a new "business model". But why bother when this one - being a middleman to people's use of the internet, selling ads and jamming them into every page they can - works so well?

What you are describing is already against Google's policies for advertisers, and they do implement it in a very thorough review process for all ads: https://support.google.com/adwordspolicy/answer/6020955

Do you report the deceptive ads to Google? https://support.google.com/adsense/troubleshooter/1190500?hl...

Google doesn't charge for ads, it charges for impressions. If your user doesn't see it, google doesn't get paid.

It also seems like a very different tech than trying to determine what an ad script will actually show a user. So it's not easy as if they can do A they can do B. Still doesn't excuse the fact that they should be doing their best to block those kind of ads in their ad network.

FWIW, "impression" means "request". Who knows what the user saw.

Google AdSense is pay-per-click (or some algorithm, based on clicks against and the subject matter's value). In the context of adware rubbish, we are probably talking about AdSense. So no, Google doesn't pay per impression.

DoubleClick (part of Google for some time) may still offer an impression-based product. My experience of them a few years ago was that they'd negotiate on anything if you have enough traffic to make it worth their time.

Are you talking about google paying the website for each click/impression or are you talking about advertisers paying google for each click/impression? Both are termed under impressions (CPM or PPM). And in both cases google loses money in rolling out this feature.

You'd think that Google could use a Bayesian classifier to detect malicious AdSense display ads at setup time. Add an appeal process to take care of ongoing training.

This would negatively affect Google's revenue... which is probably why they haven't done so.
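The Bayesian-classifier suggestion in this sub-thread, with its appeal step feeding back into training, can be sketched as follows. This is an added example, not part of the original thread and not Google's method; the training creatives are constructed (two borrow wording quoted elsewhere in the thread), and `AdTextClassifier`, `build_classifier` and `uphold_appeal` are hypothetical names.

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z]+")

# Constructed training creatives, not real ad data.
DECEPTIVE = [
    "Start download now",
    "Click here to update your Windows drivers",
    "Download free player required to play this video",
    "Your system is out of date install update",
]
BENIGN = [
    "Shop running shoes free shipping on all orders",
    "Compare car insurance quotes online",
    "Learn Python with online courses",
    "Book cheap flights and hotels today",
]


def tokens(text):
    """Lower-case the ad copy and split it into alphabetic words."""
    return TOKEN.findall(text.lower())


class AdTextClassifier:
    """Multinomial naive Bayes with Laplace smoothing over ad copy."""

    LABELS = ("deceptive", "benign")

    def __init__(self):
        self.word_counts = {label: Counter() for label in self.LABELS}
        self.doc_counts = Counter()

    def train(self, text, label):
        self.word_counts[label].update(tokens(text))
        self.doc_counts[label] += 1

    def log_odds(self, text):
        """log P(deceptive | text) - log P(benign | text); positive means deceptive."""
        if any(self.doc_counts[label] == 0 for label in self.LABELS):
            raise ValueError("need at least one training sample per class")
        vocab = set(self.word_counts["deceptive"]) | set(self.word_counts["benign"])
        total_docs = sum(self.doc_counts.values())
        scores = {}
        for label in self.LABELS:
            counts = self.word_counts[label]
            denom = sum(counts.values()) + len(vocab)  # Laplace smoothing
            score = math.log(self.doc_counts[label] / total_docs)  # class prior
            for word in tokens(text):
                if word in vocab:  # words never seen in training carry no evidence
                    score += math.log((counts[word] + 1) / denom)
            scores[label] = score
        return scores["deceptive"] - scores["benign"]

    def is_deceptive(self, text, threshold=0.0):
        return self.log_odds(text) > threshold


def build_classifier():
    clf = AdTextClassifier()
    for text in DECEPTIVE:
        clf.train(text, "deceptive")
    for text in BENIGN:
        clf.train(text, "benign")
    return clf


def uphold_appeal(clf, text):
    """A human reviewer cleared this creative: feed it back as a benign sample."""
    clf.train(text, "benign")


if __name__ == "__main__":
    clf = build_classifier()
    fake_button = "Get it now, start download"
    legit = "Download our free form builder for WordPress"  # constructed false positive
    for ad in (fake_button, "Car insurance quotes", legit):
        print(f"{clf.log_odds(ad):+.2f}  {ad}")
    uphold_appeal(clf, legit)
    print("after appeal:")
    for ad in (fake_button, legit):
        print(f"{clf.log_odds(ad):+.2f}  {ad}")
```

Text features only cover creatives with machine-readable copy; an image-only ad would need OCR first, as a later comment in the thread notes.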

Fits with Google: free consumer services (paid for by advertisers); and Google gets the highest price possible by letting advertisers fight it out in real time (the other advertisers are the bad guys... but Google gets the money).

yes, yes and yes ...

I would expect an ad blocker to block stuff like this.

I would not expect Google to recommend using an ad blocker. They still want you to be able to see the 'good' ads.

They also recommend not doing any evil if you do not want it to be posted publicly on the internet (E. Schmidt in particular).

So safe browsing is now blocking pages where the adverts are "often not distinguishable from the rest of the page"?

IMO that covers all of Google's search result pages. Most users don't seem to realise that the top results are paid advertising...

Came here to say this. Most of their above-the-fold "results" are either ads or SEO-ed junk probably full of Google ads.

More broadly, pretending to protect against social engineering is a joke. They won't catch anything other than the most obvious stuff, and they will also block some stuff that many people won't want blocked. Does this feature block Java downloads containing the Ask toolbar? Should it?

Here's a google SERP for "insurance": http://imgur.com/VUqwyPq

Are you saying the bright "ad" lozenge next to the paid results isn't explicit enough?

And anyways, users don't go out of their way to avoid clicking on ads unless the ads are utter crap. Google's whole business is to make the ads relevant to the search and the user, so who's to say the ad isn't actually a relevant result?

Somewhat off topic... but also, it states 1,010,000,000 results on the first page of this query but if I go to the last page, it comes down to 412 results... I can't believe that there is only 412 insurance related pages on the whole Internet... https://www.google.com/search?q=insurance&num=100&safe=off&s...

I think there's some weird pagination happening in your URL. If I take the "num=100&safe=off&start=400" off, it works as expected.

It works as expected according to them if they don't expect you to look at all the results, I guess.

Please tell me what link you have at result #500, because I can't see it even if I remove the URL parameters and use the standard 10 results per page...

That gets me "Portal: Health insurance - University of Bern", on page 52. The url looks like:


I cannot go past page 53 when using the URL that you are referring to (they added some results that can be seen, it currently is 532 but it changes pretty often).

But the behavior changed since yesterday... yesterday it would have said "Page 53 of 532 results" and now it says "Page 53 of about 1,010,000,000 results" but most of them still can't be seen...

The lozenge is not enough. I had a user last week who googled "<ispname> email" wanting to get to her email. Instead of clicking the official link a few results down she clicked one of the ad links at the top. This took her to a page which started beeping, playing a virus alert message, and creating JS popups telling her that her computer was infected and she needed to call the phone number on the screen.

When there isn't a single result on that whole screenshot that isn't an ad? No that's not enough!

>the bright "ad" lozenge next to the paid results isn't explicit enough

Yes, it is not explicit enough. The tiny yellow box is just a noise present on every search page. As any noise it will be ignored. Especially when everything else in these ads tries to look exactly as a valid search result.

So what should Google do then? If a "tiny yellow box" is just noise, isn't a larger yellow box just more noise?

Go back to a different background for ads, for instance.

Or simply put ads only in the right-hand column that is now entirely populated by ads. "Do you want the results our software comes up with? Then read left. Or do you want the results people pay us to show you? Then read right." This would be an honest business model, and if advertisers had to provide more value to searchers than Google's algorithm with their keyword bids, they might actually do something smart and useful.

Google has more options than just the size of the box: for one thing they could make the box surround the ad (that is a common UX design to show related elements) and put the word "ad" around the entire border or the box, like police tape. That would make it a lot clearer that it was an ad.

No, it's not good enough. It's a bizarre colour that is too similar to the white that they use to write 'Ad' in it. A website with white-on-yellow text would be painful to read.

Also, they don't even bother putting it next to each ad. On the right hand side, there's just one 'Ads' at the top and then everything underneath is an unlabelled paid ad. Why?

Google ads started out quite distinct, but they have gradually made them blend in. They used to have a stand-out background colour, then they had a very pale background, and now there is no obvious 'advert box' at all. Google know that many people are misled into clicking on the adverts, but they don't care because of the $$

This is what it should look like (and used to): http://i.imgur.com/jdOGdTI.png

It's absolutely not enough. After watching tons of seniors use computers (and having to degunk them), it seems Google's ads in search are the primary malware distribution method on the Internet. Phishing sites are always atop searches for banks, malware links are always atop searches for drivers and software, and normal users see that top ad as the 'first result'.

Users placed their trust in Google, and Google betrayed them.

I'm surprised of the negativity towards this action, but I guess I shouldn't be. A lot of you are in a very different situation than me and this will affect you directly. However, warning people away from being potentially tricked by these deceptive ads is a very good thing.

Tons of sites out there that turn a blind eye to such ads and that's bad. Yes, there will be some unfortunate pain for sites that responsibly attempt to block these ads as they come up. Assuming the blog post is correct and Google has implemented this correctly, it should be minimal for those sorts of folks since they claim the penalty will only occur if users are consistently getting social engineering ads. (I suspect Google will ratchet up the rate over time though, assuming these ads become less common as a result of this and similar efforts).

EDIT: See below. I'm convinced and with y'all now. Google--this is a step in the right direction and I support this action, but you do need to get your own house in order too!

> I'm surprised of the negativity towards this action

It's pretty basic. A lot of people are not happy that Google is serving these ads that they are telling you they will stop at the browser-level with a warning that makes the site owner look guilty. They want Google's Ad network to stop serving the ads in the first place.

Thanks for that.

So can anyone point me to an ad served by Google that is as bad as the examples in the blog post? I thought Google had previously cracked down on such ads from the serving side too, although less deceptive ones were still allowed, no? I'm happy to be better informed!

I got served a "Click here to update your Windows drivers" ad on Youtube.

I clicked around for a while but couldn't find a way to report it.

getpaint.net is mentioned elsewhere itt. Perhaps not quite as bad, but still at least mildly deceptive.

Gotcha. Yeah, I see one there. Big green button with a down arrow saying "GET IT NOW" lots of whitespace below and then a smallish rewaterpressure logo. Because of the whitespace, the button very much looked associated with the paint.net download text above, not with the rewaterpressure logo below.

I also received the less bad (but still bad) text-based "start download now" one on the same page. You convinced me. Editing my parent post above.

EDIT: for those curious, here's what the page looked like on the page load mentioned above: http://imgur.com/SisOXNT

They were all Google served ads.

I feel like something needs to be done about these sort of ads, I'm happy the Chrome/SafeBrowsing teams are taking these steps. But it's so hypocritical, because most of the times I see these ads, it's from Google's network!

I'm not happy that they punish the publisher/webmaster with no accountability for the advertiser or ad network. I can use Google's AdSense on my website, and unless I continually make an effort to manually review ads, it's very likely it will begin displaying these sorts of ads. And then because AdSense doesn't care, Chrome will begin flagging my website as malicious to users?!?

I'm surprised they're not doing this as well as making an effort to purge these sorts of ads from AdSense. That way, I could feel comfortable that my users aren't being shown scummy ads, which would be a huge advantage over other ad networks. Now instead, running ads on a website will either become a liability, or an extra added effort to make sure I don't get screwed over by Google.

Also, while a noble goal, there's no details of how they detect and classify these ads. I've had an entire Domain flagged and blocked off by SafeBrowsing because a single page on a subdomain was displaying an ad (via DoubleClick) which linked to malware.

> I'm surprised of the negativity towards this action

I'm not. This site is filled with grey-hat folks who would do anything to make a buck on the web. I mean, it's a forum hosted by/affiliated with a VC firm, and look at the comments here. A bunch of people angry that google would dare do this, because they might/will be targeted. People were also pissed when Google stopped using meta keywords, and when they stopped reading text that was made invisible in CSS, and really any grey- or black-hat way to get more visitors/ad impressions.

"You may have encountered social engineering in a deceptive download button, or an image ad that falsely claims your system is out of date."

Weeeellll...I see 99% of these in Android in-app ads. So - a) this should be the end of it, or b) someone is being a bit hypocritical here. I sure hope for the former.

This is really important. One step closer to killing ad tech companies who only make money off my grandma and little brother.

You mean Google? I see a tonne of deceptive advertising propagated by Google's ad network.

No. I mean the companies whose sole business is to get you to download bundled malware, change your search engine, push ads to every site you browse using extensions etc.

Source: I've worked at one of those.

Surely the companies that advertise via Google to try and deceive you into clicking their download button or whatever fit the bill? And surely Google, by actively enabling them, is also part of the process. As stated elsewhere on this thread, if they can detect deceptive sites, they can detect deceptive adverts.

So they implement detection, and remove these ads. The scummy advertisers then permutate their ads until they get past the detection and the game continues.

We're getting pretty good at image classification, but I don't think that extends to maliciously crafted inputs.

That or they manually verify each ad submission. If that violates their business model of high-volume low-value automated processes (and it obviously does) then you have to take account of that when you decide how you view the company. Automation and the inability to verify at the scale that they operate doesn't somehow absolve them.

Yeah, basically Google is looking for any way to avoid actually reviewing the ads they broadcast. Probably because advertising becomes drastically less profitable for them if they do. I feel when this sort of conflict of interest is occurring, where it's profitable for Google to continue shipping malware to users, they should be held legally accountable for their failure to police what they distribute.

Interesting that when I read "these buttons", I thought " which buttons?" because my brain's spam filter initially made them invisible to me!

I hope they'll include a "Stop the nanny" flag in chrome://flags as well.

I mean you can't even change the new tab page to a custom .html, without Chrome nagging you at every launch if the settings are correct. If you make a manifest.json and load as an unpacked extension, it will moan about that.

FFS, I know what you're trying to do with Joe/Jane Noob, but at least give me something to skip that if I know what I'm doing.

[edit] This wouldn't be even needed if new tab page was customizable. Now it's just a Google billboard.

The hard part here is that, wherever you'd decide to persist a "don't bug me any more about this" flag, malware could also potentially write that same flag to that same place. For example, Windows UAC is frequently set to the "don't bug me about this, just auto-elevate" setting by malware.

> The hard part here is that, wherever you'd decide to persist a "don't bug me any more about this" flag,

Build a new binary - offer users to install a "developer" build of Chrome which is exactly the same as the mainstream "release" build, except it allows disabling the protections.

You don't actually have to go that far; there are plenty of Chrome settings controlled by command-line options, and that's usually safe enough—it's actually really hard for malware to "sneak in" command-line options (if the user is a regular user, while the Chrome shortcuts in the Start Menu et al were installed under elevation, which is the usual case.) There's a command-line option to Chrome that entirely disables the sandboxing protections, for instance.

My distinction was just that there's absolutely no way to have a UI-based mechanism for disabling nags, since behind any UI is a persisted flag. If you're up for editing your shortcuts to add command-line options, that's fine.

> (if the user is a regular user, while the Chrome shortcuts in the Start Menu et al were installed under elevation, which is the usual case.)

Nope. Windows allows deletion of "protected" shortcuts e.g. from your desktop and launch bar.

You mean shortcuts placed in the All Users Desktop/QuickLaunch/StartMenu folders? (I'm guessing it's just "hiding" them with a Desktop.ini entry, rather than truly deleting them?)

That's probably fine, actually, as long as the user (i.e. malware) isn't allowed to create their own shortcuts to replace the deleted ones. I assume there's a GPO to disable the per-user Desktop/QuickLaunch/StartMenu folders, so that only the results from the All Users ones show up?

Adding a command line option that allows disabling the nags via a UI would be a solution.

So you're saying we should just obey Big Brother Google and not try to do anything it doesn't approve of?

As the old saying goes, "Those who give up freedom for security deserve neither."

At least theoretically, it should be possible to build Chromium with such customizations; you'll lose the benefits of the Google walled garden, but you'll gain a bit of user freedom as well (probably won't be point-and-click, alas).

Sadly Chrome sync is one of the major things that keeps me on Chrome, it just works and syncs everything.

I wonder if it would be possible to build an open-source Chromium sync plugin? (Self-hosted, ideally). Is anyone already working on this?

Chromium syncs with your Google account, but in my experience is a bit buggier, at least on Linux.

Sourceforge, download.cnet.com and friends won't like this... also many of the streaming/OCH sites will be affected.

Imagine the fit the various torrent sites will throw about it.

This is really awesome. I was so excited I actually clicked the fake download buttons to try to install it. So when does this roll out?

I'm so glad that I'm not the only one! haha

This blog post is not talking about those Adsense Download buttons, is it?

I wonder if those ads that push you to install certain product with half-truths and lies are considered deceptive as well. You know, "Install Chrome for better experience".

Sounds good to me.

I'd like to see Google take this one step further: author and publisher (as in advertising network) accountability.


Advertising providers, and advertising _publishers_, who forward "bad ads" are given a time-out.

Perhaps 10 minutes for the first instance, but increasing durations for repeat occurrences. Days, weeks, and months for repeated gratuitous violations.

Ad providers and publishers who find they're being timed out for violating standards are, likely, going to clean up their acts, and find ways to ensure that mistakes _don't_ happen. Including direct vetting of content.

If Google don't block ads, I will.

Oh, wait, I already do that. But the rest of the Net is still catching up.

Hmmm, I just went to google.com and typed "Chrome for Windows". Of the 10 links that appeared, at least 4 or 5 were for malware infected versions of Chrome. I followed the links, the download buttons on those pages are still shown. Maybe I misunderstood.

Does that mean they're taking down SourceForge?

It just got sold to BIZX, which I think promised to stop some of the practices.

Let's put Google's Youtube behind a deceptive site screen immediately! http://i.imgur.com/cXf5dwJ.png

My AdWords account was suspended a few days ago because of, I presume at least, this: https://www.rackforms.com/rackforms-express-for-wordpress.ph...

A popup in AdWords says I've violated "Unsupported content free desktop software". RackForms Express is a free version of my flagship product, that one actually being advertised.

Your feelings may very well differ, but if I've clicked on a link, organic or ad, and I get offered a solution to the problem I was seeking an answer for, that seems like a pretty good deal. If nothing else, this differentiation may well be the difference between getting a sale or not.

The appeal process is to fill out this form: https://support.google.com/adwordspolicy/contact/advertise_s..., but from my reading in Google's product forms this doesn't always work. If this fails, the end result will be to remove free software from the net.

We're all for blocking those horrible "Download Firefox" ads, but this change, and the resulting aftermath, feels...I don't know, dangerous. If the end result is small companies like mine pulling valuable resources from the web, I think we all lose.

Fingers crossed my appeal goes through.

Also, ideally Google should implement this within their search algorithm itself, by punishing the sites which indulge in such practices by pushing their search results much further away.

So if a site is using Adsense and doesn't require all ads are reviewed then, as site owners, it appears we run the risk of another part of Google telling visitors that the site is malicious. Hope that the site owner tooling referred to is good enough that it can identify the advert, at worst the network, otherwise the only option would be to remove Adsense code.

I tried to manually review all ads. But my experience was that this is not possible with the given tools. It would take hours per day.

I will take programs like this seriously when Google stops bundling Chrome installer with unrelated software like Adobe Flash.

Flash is unrelated to a web browser? I mean I hate flash as much as the next guy... but how can Flash not be related to a browser?

You want to install Flash for Firefox, it will install Chrome by default.

I did not install flash in FF, and I do not miss a thing. Sometimes there is this warning that not all content could be displayed, but I would not have a clue what functionality is missing.

Chrome has Flash built-in. Shipping Chrome with Flash is inane, because if you install Chrome, you don't need Flash. o_o

Adobe Flash is a browser plugin. Chrome is a browser. How are they unrelated?

If you install Adobe Flash plugin for a different browser, Chrome gets bundled with it. Even if you don't want Chrome.

Chrome doesn't use/work with the Flash browser plugin.

Here are some more proactive approaches that would support their desired perception of caring about the browsing safety of their users:

* How about updating the radio buttons that appear when you "report this ad" to include "deceptive" as the reason for the report

* DoubleClick (by Google) serves the majority of these "Download now" ads that I've seen on sites that cater to the general public. Don't let advertisers run these ads. Do. Not. Allow. Many of them have "start download" in the plain text of the ad unit, and others are easily found by a bit of OCR on an image ad unit.

Please do not give me a Google-branded poncho (telling me how amazing it is with an infomercial about its revolutionary Dry Living Experience™) when you could patch the leaky roof to truly create a Dry Living Experience.

The first thing they should do is harshly penalize websites with a lot of ads in their search results.

I hope they block Sourceforge and their deceptive "Download" buttons as well.

I tend to enjoy these type of announcements and discussions regarding Google, because it seems to remind the general population that while yes, Alphabet is a diversified technology powerhouse, at its core, its most primal competency is that of an advertising firm. A very successful advertising firm. Sort of like how Jerry Jones was a very successful oil business tycoon before diversifying his interests by way of purchasing the Dallas Cowboys and 'business-ing' it up to a multi-billion dollar brand. No oil, no Cowboys for Jerry. No ads, no self-driving cars for Google.

Awe man guess I can't use chrome to browse The Pirate Bay anymore...

> Awe man guess I can't use chrome to browse The Pirate Bay anymore...

More likely, TPB stops running these particular shady ads, because chrome is such a popular browser.

Too late google. I already installed ad blocker on every computer in the house years ago because my parents would accidentally click "play" or "download" in deceptive ads.

So who decides what to flag? Is google analyzing the behavior of chrome users and then automatically flags websites? Or can users flag websites? I disabled "Automatically report details of possible security incidents to Google" and "Protect you and your device from dangerous sites" in the settings, will my chrome browser still report these websites (in case it ever did)?

I don't see the difference between "Buy this Pill to lose weight" and "Download this codec".

"Pretend to act, or look and feel, like a trusted entity — like your own device or browser, or the website itself."

This is a broad statement. Taken at face value, this covers all native advertising - with articles/images/videos/thumbnails/etc intended to fit in with the content of the site/app.

If we can get rid of native advertising too, I'm all for it. Native advertising is a special kind of evil.

It's a laudable initiative to protect average Joe from himself, but I don't feel like Google (or any other company) deciding for me what is dangerous. They should at least provide this feature as an opt-out option. Still, better option would be to educate more people of ad and script blockers.


There's been a setting for this stuff forever.


First of all, it's only through their browser. There are alternative browsers you can use. And they already filter search results, quite extensively.

I hate using free hosted download services that some people use, especially on forums, because there are ads with download buttons and real download buttons and it's nearly impossible to tell which button needs to be clicked to initiate a download.

Despite all the legal attacks in the UK and elsewhere, this is probably the biggest blow to piracy sites so far. When one gets taken down another spins up, but if you turn your adblocker off they all have these awful adverts.

For organic traffic pirate sites, the biggest blow was Google's algorithm change. For websites which used a freemium model, the biggest blow was PayPal, Visa and Mastercard banning file sharing websites from using them. Today's announcement was merely a nail in the coffin for those sites.

Welp, hopefully they will make it optional and we can turn it off.

Amazing idea. It will save so many people from mal-links but even sophisticated users from trying to figure out which is the real "download" button.

I know these fake ads all suck and everyone hates them but somehow getting rid of them feels like cutting off a little piece of what makes the web the web.

I kinda like this darker, more free-for-all, wild wild west side of the Internet.

Me too man, I remember the internet back then where everything was unique and not a cookie-cutter bootstrap boilerplate. Want a nostalgia trip? Download Opera (one of the early versions) - it'll pluck at your heart strings and make you yearn for times when you had more personal responsibility and Google wasn't there to infect everything with its nanny browser. Hell, even Firefox, the last bastion of Freedom on the web, is following Chrome.

Mostly because there's more benefit to be gained in making the web usable by non-experts than in preserving the current status quo.

There's a reason the Wild West didn't stay wild.

This. More specifically, the Wild West got wild for a few years - during a massive population influx - while the entire system was unstable (which also means interesting, in most senses of the word). The metaphor leaks, but is close enough.

I agree, but it still sucks that it seems you're being sold something at every turn. Websites are no longer there, just to be there. It's always about the upsell or agenda.

That's one reason why I'm a little annoyed personal websites went mostly the way of the Dodo and you can only expect friends to check things out if you give them direct links to some trusted site from a site they use all the time, like a link to a Youtube video from Facebook, or your Medium or Tumblr entry from Twitter.

I still like designing personal websites, but it seems like a waste of time now.

Google should detect and block the buttons, not display full-screen warnings.

What next? "This site contains controversial views"? Or "Politically incorrect website ahead"?

Google can't block elements on sites it does not control.

Warning users of phishing and warning users of speech that it finds objectionable are 2 different things entirely.

A deceptive button does not equal phishing. It just might (and most often does) open a non-malicious popup with some ad. (non-malicious in a sense it won't install ransomware to your PC)

And of course Google can easily integrate its own ad blocker in Chrome if it chooses so.

It can in the browser they control...

They've already said they'll start shaming non-https sites.

More censorship... no thanks.

This is a great move. Computers are extremely difficult and deceptive for those who can't remember the myriad of rules and gotchas.

What we really need is an open pledge of non-deceptiveness, give it a catchy name, and then advertise sites as conforming to it.

It's about time Google cracked down on these ads. The download button is just one of the many tactics. Any ads that show a guy with biceps three times the size of his head should also be banned. Yahoo is infested with these "sponsored" ads, and pretty much any other site that lives on ad revenue only.

    Pretend to act, or look and feel, like a trusted entity — like your own device or browser, or the website itself.
These are deceptive tactics, intended to confuse and trick.

What you describe is annoying and perhaps exploitative of human desires, but in the end no different from normal advertising and far less evil than the ads described in the quote above. You want a full ad-blocker. Perhaps you're already using one and want to justify it.

There's an unexpectedly large number of commenters who seem to think that this falls under free speech. Do I need to explain that the crap these ads usually download when clicked is responsible for a ton of support calls, many of which go to innocent kids on weekends just trying to unwind from school? :)

I'm kidding of course but seriously comparing blocking these buttons and deceptive elements is not censorship, it's Google saying to these publishers that if they don't get their shit together, that they will dissuade traffic from visiting their sites. The only way to get the attention of bigger publishing companies is to grab them by the revenue stream, you all know this.

As I write this, the ranking of the comments here is... strange. Those who see this as being yet another way of Google using their power to manipulate what people see on the Internet are being heavily downvoted, while those agreeing with the practice are not? That doesn't feel like HN to me.

I'm in the former group. This mollycoddling is just going to lead to more users who can't decide for themselves whether something is suspicious or not and are thus easier to deceive, which might be exactly what Google wants, but I certainly do not think it is good for the Web as a whole (or even society in general.) Being able to make these sorts of decisions of trust is an important part of growing up in general, and I'd even say "finding the right download button" could be considered a sort of rite of passage to being an effective user of the Web, and not just a consumer.

You can't seriously be saying that people potentially running into malware because they couldn't figure out which download button was the real one is reasonable?

You can't seriously be saying that not being able to figure out which download button is the right one is reasonable? With experience, it's extremely easy to find the real one.

- It's usually smaller and less prominent than the fake ones.

- Mousing over it doesn't show a huge long URL to some external domain that sounds ad-like.

Using adblock probably gets rid of a lot of the fake ones too, but the general principle here is if it looks too good/easy to be true, it probably is. The buttons that seem really enticing are the ones you don't want to click, and it's that odd, not-very-attractive one that you want.

As an experienced user, when I'm looking for some semi-obscure Windows program, I still do have problems distinguishing legit download links from this. Perhaps I'm too used to the radical method "just select what you want from the repository, and it will be installed automagically;" in other words, one of the issues here is nonexistent install management in Windows (party like it's 1998!), forcing users to run this gauntlet (MSI? Puh-leeze).

Hovering the link to check the URL is a good old trick. Well, until browsers start to hide that as well.

Nice try, but no, that's a broken old trick. window.status is gone for exactly this reason, but things like onclick="this.href='http://evilsite.example/'" (or even onclick="window.location='http://somewhereelse.evil.example/';return false") still work (link shows a benign location, but it's changed to a malicious one when you click).
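
The hover-check bypass described in the comment above can be audited for in page markup. The following is an added example, not part of the original thread: a static check that flags links whose inline onclick handler sends the click to a different host than the href shown on hover. The function names, the sample markup and the files.example page URL are all constructed for illustration.

```javascript
// Added example: audit markup for links whose inline onclick handler swaps
// the destination that a hover preview would show. All names are hypothetical.

// Constructed sample markup (not taken from any real site).
const SAMPLE_HTML = `
<a href="https://files.example/tool.zip">Download</a>
<a href="https://files.example/tool.zip"
   onclick="this.href='http://evilsite.example/'">DOWNLOAD NOW</a>
<a href="https://files.example/readme.txt"
   onclick="window.location='http://somewhereelse.evil.example/';return false">Mirror</a>
<a href="https://files.example/docs" onclick="track('docs')">Docs</a>
<a href="/local" onclick="location.href='/local?src=btn'">Same-site</a>
`;

// Matches assignments to this.href, location, window.location, location.href.
const ASSIGN_RE =
  /(?:this\.href|(?:window\.|document\.)?location(?:\.href)?)\s*=\s*(['"])(.*?)\1/g;

function attr(tag, name) {
  // Read a double-quoted attribute value from a raw tag string.
  const m = new RegExp(`\\s${name}\\s*=\\s*"([^"]*)"`, "i").exec(tag);
  return m ? m[1] : null;
}

function findLinkSwaps(html, pageUrl) {
  const findings = [];
  for (const [tag] of html.matchAll(/<a\b[^>]*>/gi)) {
    const href = attr(tag, "href");
    const onclick = attr(tag, "onclick");
    if (!href || !onclick) continue;
    const shownHost = new URL(href, pageUrl).host;
    for (const m of onclick.matchAll(ASSIGN_RE)) {
      const actualHost = new URL(m[2], pageUrl).host;
      // Flag only when the click lands on a different host than hover shows.
      if (actualHost !== shownHost) {
        findings.push({ shown: href, actual: m[2] });
      }
    }
  }
  return findings;
}

console.log(findLinkSwaps(SAMPLE_HTML, "https://files.example/"));
```

This only sees inline handlers with literal URLs; handlers attached from script with addEventListener, or destinations built at runtime, need a check in a rendered DOM instead.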
