Google Squashed a Chrome Extension That Flooded Ad Networks with Disinformation
80 points by Deinos 4 hours ago | 55 comments





Previous discussion: https://news.ycombinator.com/item?id=13327228

The good news is that there might be some Streisand Effect going on here: I'd never heard of AdNauseam. Now I've added it to Firefox: https://addons.mozilla.org/en-US/firefox/addon/adnauseam/.

Disclaimer: I'm a Google employee, though I have no inside knowledge about this case at all.

> Do not create an extension that requires users to accept bundles of unrelated functionality, such as an email notifier and a news headline aggregator

It sounds like they may have just requested oddly broad permissions. Google really cares about privacy. They really care about consent fatigue from unnecessary permissions. Is it possible this is just an effort to rein in unnecessary permissions & the app will be reinstated after the fat is trimmed?

> Google really cares about privacy

Is this a joke? Considering Google is a glorified data mining company I'm going to have to disagree

Marketing to friends of your existing customers is a natural goal, right? And Google has that data for maybe half of humanity, in its gmail archive. A highly saleable commodity. But try to make Google sell you either that gmail contact data or anything equivalent.

Well hey, if your data is private to everyone other than Google, guess who wins?

Depends on what you mean by privacy. If a computer program collects information about you to determine what products you might be interested in, but never reveals that information to anyone but yourself (by showing you ads related to those interests), is that information still private? I would argue that it is.

They care about not sharing your privacy with anyone except themselves and anyone accompanying them.

> Google really cares about privacy

I was laughing so hard after this part that I stopped reading the rest of the comment.

You don't think it's far more likely they were interested in stopping the "click-fraud" that this caused because it would make their ad network less valuable?

> I'm a Google employee

> Google really cares about privacy

Is there any skepticism of Google from within Google? Because from the outside, it seems like the hiring process is designed to accept only the most loyal, desperate Yes-men in CS...

Google has knowingly built and sold tools to global surveillance regimes, for "national security reasons" that, inadvertent or not, have created a mechanism for population-scale control. Maybe Google cares about privacy when it comes to fuzzing what ads you click on. But to say "Google really cares about privacy" is to live with your head in the sand...

What tools is Google selling to global surveillance regimes?

Not to be rude, but does Google care about the privacy of the Chinese, where having the wrong religious or political beliefs can result in forced organ harvesting?

This extension made no sense anyway!

Clicking every single ad is bound to get you so many tracking cookies and give up so much metadata about your browsing that you're working against your own privacy by using it (see also "cookieless fingerprinting": https://news.ycombinator.com/item?id=13644139).

Not to mention that it's actively disruptive to the websites you visit (which presumably you like since you are visiting them) by generating so many extraneous and unnecessary network requests. You will slow down your browsing and get your favorite websites banned from the ad networks they use (see: https://news.ycombinator.com/item?id=13644226).

If you don't like ads, just block them. This plugin is a silly pipedream thought up by lawyers and artists without any relevant consultation from technologists or ad industry experts. It's harmful to everyone that uses it.

Btw, if you're using this plugin on Firefox, enjoy the exploits that your browser downloads and runs in the background by clicking every ad! :-D

You'd be advised to read their book, by Nissenbaum and Brunton, that describes the theory behind privacy through obfuscation. It argues that by clicking all the ads, all useful information is lost in the noise. Simply put, the signal-to-noise ratio is so heavily biased to noise that the signal is lost. https://www.amazon.com/Obfuscation-Users-Guide-Privacy-Prote...

Neither of these people are technologists with any experience in the ad industry or data science. They're lawyers and artists. Why would I trust that they know what they're talking about in this domain?

Why not evaluate their arguments on the merits rather than relying on authority (or lack thereof)? And it's not like this is a particularly technical subject anyway.

How is it not technical?

You have to understand statistics, ad networks, etc. plus all the stuff that can be used to identify you online, cookies, e-tags, browser storage, browser property sniffing, etc. plus how all that works in regard to domains and sub-domains, what's accessible cross-domains, etc.

The parent is alluding to that while all that ad clicking might obfuscate your reception to ads, it might have the downside of making it extremely easy to distinctly recognise your browsing habits and let every ad network uniquely identify you and link it to other data they have on you.

By allowing their ads (and thus their software) on the web page in the first place, you've already provided all of that data to them. The click doesn't really provide any further, useful data.

Absolutely, and I've outlined cases where I have technical disagreements with them in my original post and elsewhere in this thread. I was merely responding to the accusation that I should blindly listen to them because they wrote a book.

AdNauseam's explanation page addresses this question. They're supposed to be triggering sandboxed requests that never return to your browser, and so aren't a threat.

It was my first concern too, and I still wouldn't be comfortable to run it, but it's not as though the security question was unaddressed.

(I do object to the possibility of getting your favorite sites blacklisted by ad networks for low-intent clickthroughs or botting.)

> I do object to the possibility of getting your favorite sites blacklisted by ad networks for low-intent clickthroughs or botting.

Haven't installed the extension for these two reasons.

Also, while I strongly believe that the tech industry re: surveillance, data-mining and data-sharing is completely out of control and deserving of a tool like this... I'm not ready to cross this line and become this kind of activist for change. There's a war going on and our online rights to privacy have been completely stripped away - with things getting so much worse.

As a result, I do understand others using this extension and hope that this tool (among others, especially long-needed legislation which the government opposes) changes things for the better. Whitelisting/Blacklisting could help solve the fav sites issue but it defeats the purpose of this extension when there is so much at stake.

> btw if you're using this plugin on Firefox, enjoy the exploits that your browser downloads and runs in the background by clicking every ad! :-D

It doesn't download or run anything. Just clicks links without even rendering the response, pretty small attack surface there I'd say.

A "click" is a download. In order for the ad network to register your click, you are necessarily sending a request and receiving a response. Whether the browser ends up rendering that response, I don't know, but it's certainly possible, especially because ads generally involve redirects which may also be instrumented and may involve JS instrumentation, making spoofing clicks difficult without following redirects and rendering the resulting page.


This was not the case when I looked at the code years ago. I would not trust any statements to the contrary without reviewing it again for changes.

Also pretty easy to detect/block. Just add a redirect that redirects on page draw after the click. Only record clicks that successfully redirect.

Yeah, it might make for slightly weird flow when clicking ads, but you could totally do it.

So instead of doing that and being respectful and competitive Google decided to ban the extension.

"Respectful" is a really bizarre expectation since this plugin by its nature does not respect Google's or other ad networks. I don't know why Google would demonstrate respect to a plugin designed to damage their ad network.


Because other browser vendors would accept such a plugin as they're not ad networks. This seems to me very much like a case of Google being too big, having their hands in both the ad market and the browser market and abusing that position.

Respect may not have been the right word, but I was going for "not a blatant abuse of power".

I'm not very sympathetic to click fraud. Almost no one would think it acceptable if a site owner were using a click farm to artificially inflate the ad click through rate, but somehow a browser extension doing the same is okay? I have no problem with ad blocking but actively poisoning the network is a different thing entirely.

If Google decided to block users of AdNauseam and similar plugins from using Google web products, you'd probably say it's blatant abuse of power and I'd say it sounds reasonable, exactly as it's reasonable for sites to block users running ad blockers.

> Almost no one would think it acceptable if a site owner were using a click farm to artificially inflate the ad click through rate, but somehow a browser extension doing the same is okay?

Yes. Context and intent matter.

"Almost nobody would think it acceptable to drive recklessly on their commute home, but somehow ambulance drivers get to run red lights and exceed the speed limit?"

I know you're making an analogy but comparing AdNauseam to ambulance drivers is a bit of a stretch. One of these is saving lives. The other has no purpose except to inflict damage on ad networks. Aside from damaging ad networks, it also actively harms site owners by increasing the risk of them getting blocked from the ad networks that fund their work.

I don't see a lot of merit in AdNauseam. It feels to me like a petty "fuck you" response from people who don't like ads.

I'd say it's perfectly acceptable for site owners to perform "click fraud" too.

It's their computer after all, they can use it however they want. If click fraud is what they want to do, go for it. It's up to the ad networks to counter that on their end - on their own computers - in a fair and reasonable way.

Just as browser extension runners have every right to have their computer do what they want it to - if that's click ads, so be it.

Ultimately, I own my computer, it should do what I tell it to.

As others have pointed out, Google could have easily detected this extension and ignored its clicks, just as they do with regular click fraud in most cases. Instead they chose a path which makes Chrome violate user choice. That I have a problem with.

I think the idea is that the ad networks then don't have any idea what you are actually interested in. The problem from Google's side is that it is pay per click for the advertiser so advertisers are paying for these fake clicks.

It can also cause Google to ban sites from Adsense.

Google will ban a site from hosting Adsense ads if Google believes that the site's operators are generating fake clicks. The way they detect this is a trade secret, but many sites have gotten arbitrarily banned after users seemingly clicked ads artificially in a misguided attempt to help the site.

This extension will no doubt be used by a certain subset of users. Those same users may use some sites in a disproportionate number, that could result in people's favorite sites getting banned and losing the ad revenue that keeps the lights on.

I don't actually think this extension is "bad" or "wrong"; it just might have unintended side effects.

"It can also cause Google to ban sites from Adsense."

If you object to ads, is that a bad thing?

Yes. I'm happy using the site with Adblock. I would be unhappy if they shut down because all of their revenue was lost. I'm aware of the implied hypocrisy but I'm content because I'm unwilling to continue using the product with ads. Under the current system I am able to have my cake and eat it too.

Google harms website operators based on the actions of third-parties. Third-parties are to blame.

Is re-stating what I said above really constructive? Yes, that's what might happen. You may not like it, but that's the reality of the situation.

> is bound to get you so many tracking cookies

I just installed the extension on Chrome and it seems to block the cookies on those requests. There's also a setting in their settings panel that mentions blocking cookies (checked by default).

Even without explicit cookies, many ad networks use cookieless fingerprinting (e.g., https://amiunique.org/) to uniquely identify you or, at minimum, your IP address. You give up a considerable amount of your own privacy and browsing habits by using this plugin.

And why would this plugin help cookieless fingerprinting? This is just another baseless statement.

The explicit purpose of this plugin is to make the signal disappear within the noise. Explain what "considerable amount of one's own privacy and browsing habits" this plugin exposes, or stop spreading FUD because you are ideologically opposed to it.

> enjoy the exploits that your browser downloads and runs in the background by clicking every ad! :-D

This just comes off as FUD. Do you have a code example of this?

Ad networks are well known to be common targets for malware-distributing shit bags.

Absolutely, but that doesn't automatically mean the Firefox plugin is vulnerable to such malware.

The plugin makes your browser "click" the links, no?

It's running in your browser, it's as vulnerable as if you clicked on every single ad you see, no?

Not if the plugin is able to run the request in some sort of sandboxed environment.

Doesn't AdNauseam provide extra revenue for the websites you browse? (at least temporarily, with fixed PPC rates)

There's a real disconnect in behavior and branding here.

Consider if this extension did exactly the same thing, but was called "Ad Click Faker" and was used by those defrauding companies and sites. That doesn't seem like a positive thing, so I'm not sure why AdNauseam should be either.

Is that actually defrauding or just not what the ad companies had in mind? Do the ToS of websites ban such a thing?

If I don't care about ad networks wasting money (I don't), why should I care?

Relevant - Someone posted a Show HN for [1] but it was never released or updated.

https://hello-kill.github.io/

Is there any interest level in a Frida script or similar that would fully bypass Google's extension signing so you could load this without the nag into official Chrome?

Seems like it might be an interesting little reverse engineering project.

Now I'll be testing this out in Firefox. Thanks, lol

So "Don't be evil" must apply only to paying customers.

Google is too big to have customers.

