Hacker News new | comments | show | ask | jobs | submit login
Measuring and Disrupting Anti-Adblockers Using Differential Execution Analysis [pdf] (uiowa.edu)
91 points by dedalus 5 months ago | hide | past | web | favorite | 67 comments



This is probably not an arms race ad companies want to play. Someone who has an adblocker installed is unlikely to be respective to ads, and by installing an adblocker they currently are opting out of from the ad vendors metrics. which is better than adblock vendors trying to feign ads loading or "interest" in the ads, such as addons like https://adnauseam.io

So its debatable even they would win the ad arms race, but they would also lose credibility in their own metrics as the easiest solution will be to start fooling ad companies that their ads are loading.


One of the Penny Arcade guys once related an anecdote about when he worked in a telemarketing call center. In this case, all the phone numbers he had were from people who had signed up for an anti-telemarketing service, which had then sold their list to telemarketers. He said that the people he called, understandably, usually responded with snarling rage unusual even by the standards of people getting telemarketing calls. The moral is, when people specifically take determined action to avoid you, and you go out of your way to circumvent them and reach them anyway, they're not going to be especially receptive or warm.

I think publishers deploying anti-adblock technology are making a similar mistake. When someone takes action not to see ads, do you really think they're going to respond well when you deploy trickery to show them ads anyway? Are they going to be especially well-disposed to your brand, or are they going to be filled with determined hatred for you? This is a losing proposition.


> Someone who has an adblocker installed is unlikely to be respective to ads

Any statistics to believe this is true? I know for a fact it's false for myself because I do sometimes click on ads when I don't block them.


I never said it doesn't happen. You're the odd case and of course there's someone who had adblock installed for them. I just said "unlikely", because they went out of their way to install the adblocker.


I myself will go to any length to avoid advertising. Luckily its pretty easy.


One of the reasons for ads is not clicks, but increased brand recognition/familiarity. Brand familiarity and brand choice are proven to be highly correlated.


Ads appearing when you don't block them isn't really an issue.

When you are blocking ads, do you click on them? I wouldn't: I'd instead be annoyed that I'm seeing ads when I have an adblocker running.


> Ads appearing when you don't block them isn't really an issue. When you are blocking ads, do you click on them? I wouldn't: I'd instead be annoyed that I'm seeing ads when I have an adblocker running.

Yeah I do, that's literally what I'm saying. I've clicked on ads that have slipped through.


Most call centers has a policy to stop if the recipient clearly says no.

Is there statistics to support this as a business decision? How effective is continued pestering a person in order to sell a product. The Sales Pitch by Philip K. Dick comes in mind.


> Someone who has an adblocker installed is unlikely to be respective to ads

This is false.


if it weren't for CDNs, simply blocking all 3rd party domains is the fastest, most reliable and secure way to block ads and greatly reduce bandwidth.

i highly recommend running both uMatrix and uBlock Origin. then whitelist cdns on a per-domain basis.

with the amount of tech and data available these days, google still chooses to show me an ad for chevy on an ice cream site. the fact that the ads are so obviously out of context is truly baffling - does this seriously work for the general consumer? even if i've searched for chevy before, why would i suddenly exit my ice cream experience?

if ads were contextually better, less distracting and less bandwidth/perf impactful, i may actually be convinced to view them. unfortunately none of these things are true.


> with the amount of tech and data available these days, google still chooses to show me an ad for chevy on an ice cream site. the fact that the ads are so obviously out of context is truly baffling - does this seriously work for the general consumer? even if i've searched for chevy before, why would i suddenly exit my ice cream experience?

The point of that particular ad is likely less to get you to click and more to remind you that Chevy exists and is important. So when you go buy that new or used car, Chevy goes through your mind at least once, and you subconsciously have some trust in the brand because you are reminded of its existence through various outlets on a daily basis, which is naturally comforting when done correctly.

It’s not really any different from seeing a Tide laundry detergeny commercial while watching South Park. What’s tide got to do with a cartoon, and are you going to run out immediately and buy some Tide during the break? No, but next time you go to the store to buy detergent you’ll see Tide and while you might not buy it you’ll at least be familiar with it in a relatively positive manner, which for most will make the chances of them buying it higher.


except that i researched chevy thoroughly and decided that it sucked. now i have to go and purge what google thinks it knows about me. and theoretically repeat this process for every other ad network, but this is neither possible nor practical.


Point is, you researched Chevy heavily.

Not everyone is going to buy Chevy but almost everyone is going to research Chevy. The role of Chevy ads being shown to everyone plays a role in this. So a Chevy ad still is “relevant” even on an ice cream site.


Hum... The GP is almost certainly seeing those Chevy ads because he researched it. Not the other way around.

That's how tracking ads (don't) work. You usually get ads for things you just brought (or decided not to), hoping that you didn't actually buy it yet or will buy more than once, and the medium can intermediate the transaction.


ads can serve as a great discovery mechanism. instead, they're this annoying parrot that continuously yells at you about shit you've already seen and researched or some other unchanging highest bidder. fwiw, facebook, has recently surprised me with its ad relevance on a few occasions.

no thanks.


> except that i researched chevy thoroughly and decided that it sucked

Time for a re-decision. Expect to see those ads for years to come. How does a 2019 cherry-red Corvette sound?


> with the amount of tech a d data

This blows my mind. The ad industry has basically taken three steps backwards in a time with incredible analytics. Google, Facebook etc have drunkenly ruined and inundated their targets to the point people outright mentally adblock


Except all their internal metrics show the exact opposite when it comes to engagement, lower CPAs, higher CTRs, etc. Just because you personally think it's worse doesn't mean it's statistically worse across their entire userbase. FB didn't become a $500bn company in spite of being bad at optimizing their ads business, they became a half-a-trillion dollar company precisely because they are very very good at that.


I completely agree that they are clearly successful, I was mostly stating my opinion of the low quality of advertising. The ads might be engaging but that doesn't mean they are generally useful or relevant.

Hell most ads barely bother to state a purpose. they rely on the "shiny" factor


Nearly half of Facebook's advertisers are buying on a CPA metric tracked back to purchases on their site, so it's hardly just a shiny factor.


Can you please provide a link? I am genuinely curious because the ads I currently see are dubious at best.


I can’t find the FB specific data right now, but here is some old industry trend data: http://www.nanigans.com/wp-content/uploads/2015/04/US-Digita...

You can kind of suss this out of their 10k by looking at their cost of sales which is much stronger than companies like Twitter who rely more heavily on brand ad sales (direct response ads generally have lower sales overhead than brand ads since they are more commonly bought on a self-serve basis, even by advertisers with very high budgets)

One reason your ads may be bad on FB is if you use an ad blocker. FB uses a lot of signal from third party websites for targeting and if your ad blocker is blocking the FB pixel from loading you are blocking some of the most common data (conversion tracking data, product interest data) used to target high-value ads.


You are overthinking it so much. It's all about just shoving that brand name or product reminder in front of you as often as possible, wherever they can. Eventually you might click the ad and give them .002 cents of revenue, or you might even click through and buy that new car for $30,000! Before I installed AdBlock, I myself constantly saw ads for eBay items I've looked at, and I see them on all sorts of websites. I've also found that certain T-shirt websites are particularly persistent. And even when I unblock ads on certain sites, as I've done on about 40, I'll see the eBay ads again.


Blocking 3rd party domains isn't enough. Especially when there is tons of advice to link to Google fonts, and 3rd party libraries instead of your own. Also when a bunch of websites are using AWS/Cloudfront URLs for things like loading images and in some cases ads may hide behind those as well.


> [...] when a bunch of websites are using AWS/Cloudfront URLs for things like loading images [...]

You missed this part:

> if it weren't for CDNs, [...]


There was an article the other day on HN regarding mental burnout of ads.

This morning I decided to count the ads on a news article, there were 14 between sponsored bs and banner ads. Every single one was complete garbage.

Click here to find out how the tech and ad industry are lowering the bar at a "shocking" rate


What would be an example of a non-garbage ad that could've been there?


This is a very cool approach for detecting anti-adblocking.

However, I don't quite get the point for disruption. That is, it seems necessary to load pages at least twice, and then do some computation. How does that help users who are concerned about privacy, throughput or CPU load?


This is a technique for automatically generating anti-anti-adblocking rules. They'll be added to the block lists, so you won't have to generate them each time, only when the anti-adblocking script changes enough to break them.


Doh. Thanks.


According to the paper, they seem to have modified Chromium's JavaScript engine in order to record execution paths of JavaScript code. Does anyone know exactly how they modified Chromium (or preferably the exact patch they applied to Chromium)?


Cross-browser support for WebAssembly was the death knell for ad blockers.


Worst case scenario, we can sandbox the whole browser and detect ads visually.


Let me know how that works when the website "requires" DRM to function.


Probably about as well as most forms of DRM...


Or optimise usage for less annoying, privacy invasive services. Which was always the solution.


If we visually detect and remove ads, we take away the incentive for big companies to create ads and track us in the first place.


If Apple ever builds hardware for that, they could destroy Google.


No, stopping ad blockers would be trivial today if the ad distributors let their JavaScript and ads be distributed from the same domain as page content. As long as the ads come from clearly identifiable domains, there is a good chance at stopping them.


If WebAssembly is primarily used for ad tech, it may be the death knell for WebAssembly.


Why? What special about JavaScript that makes this kind of analysis possible? Or what is it about WebAssembly in particular that prevents it?


How? Ads will still be served from 3rd-party domains which will be blocked, WebAssembly does not change anything to that.


Assembly never stopped anti-virus suites. Where there's a will, there will always be a way.

Without adblock, the majority of web users would be FURIOUS with websites and they'd demand legislative action. Advertisers should shut up and pray they don't poke the hornets nest.


The majority of web users don’t use ad block.


This is pretty immoral. Companies that create or provide content should at the very least be able to decide if they want to serve you content if you don't agree to see ads with it (or pay for it). How is it moral to effectively force someone to allow you to see the content you want to see without compensating them for it.


This is like saying that it's immoral to change the channel whenever ads come on the TV or radio, or to use the mute button on your TV. It is in no way immoral. The way HTML works is your browser sends a request for resources it wants, then renders them for you. IF you don't send the request for resources you don't want, that's not immoral. If it affects the web sites' businesses, then the onus is on them to come up with a model that works. There are other reasonable free models, such as those used by public TV and public radio.


You are sending the request for the resources though, e.g. if you load facebook.com there isn't a separate request for ads, they are just loaded as part of the feed. It's very much within their right (contractually) to encumber your usage of the site to rendering the full page as it's served to you. Attempting to fool them into thinking you're rendering the content as presented while you do not actually do that (as a result, imposing on them a net revenue loss) is clearly immoral.

You don't agree to a TOS by watching TV and listening to the radio, the internet is fundamentally different from those media.


That isn't how the internet works. It's a series of requests and at any point some requests can be rejected. Whether that request was critical for site functionality depends on what request that was.

Consenting to requests from google.com does not guarantee or imply consent from adservices.google.com, so if google.com tells my browser to please fetch resources from adservices.google.com I'll tell them to go away.

Personally, I use a giant blocklist [0] of domains I do not wish to request resources from.

As a comparison, if you invite a friend to your house do you expect them to show up with 50 other people? Would you be upset with your friend for assuming it would be okay to invite other people to your house without your consent? Is it morally wrong to tell your friend they may not bring other friends to your house without your approval? If you agreed to letting them bring friends over, are you okay with any friends or is their neo-nazi friend not allowed?

[0] http://someonewhocares.org/hosts/

>You don't agree to a TOS by watching TV and listening to the radio, the internet is fundamentally different from those media.

You don't agree to a TOS by visiting a website either. Agreement is usually done when registering an account and even those are limited in any legal ability to enforce it.


> If you invite a friend to your house do you expect them to show up with 50 other people?

But if you say no, your friend has the choice of whether to come alone.

Anti-anti-adblocking systems prevent your friend from making that choice.


In theory, content would not be delivered until the ads have been fetched and reported that they've been delivered. In practice, that isn't a realistic option. Not because it isn't technically possible - but because people are impatient and expect near instant load times and this would slow things down a tiny bit.

The anti-adblocking systems are the equivalent of coming over anyway but complaining about not being able to bring 50 friends the entire time. Anti-anti-adblocking systems are telling them to shut up or don't come over.

There's something to be said about people who repeatedly invite the friend over who constantly complains about not being able to bring 50 friends. I tend to respect sites who ask me to disable my ad blocker: I just won't visit their website.

A low traffic site doesn't make enough to sustain from ads. The proper response isn't to push traffic away - it's to find a business model that works. Ad based models are increasingly not working.


That’s a shitty analogy. It’s more like if you invite your friend over to your house and they are wearing a wristwatch and you have an irrational fear of wristwatches (illuminati might be listening, so huge privacy risk obviously). Should you a) rip the watch off their wrist and throw it out the window, or b) not invite people over who wear wristwatches.

To use your analogy though in the context of this paper... It would be more like if your friend only wanted to hang out at your house if everyone could join, and you told your friend everyone was allowed to come in, but then you secretly kicked out one person and managed to trick your friend into thinking the person you kicked out was still there because you knew everyone would leave if they found out. Sounds pretty selfish to me.


What is immoral is for companies to try to manipulate my computer into doing something that I don't want it to do. If they want to keep total control of their content then they should keep it exclusively on their computers, by sending it to my computer they are surrendering control of it.


You're requesting that you load their site by the act of visiting it. It's very reasonable that they should have the right to decide to serve what you are requesting or not depending on if your request is going to make them money or cost them money. If you don't want what they're serving then don't visit the site, it's pretty simple.

Do you go into stores and demand they take down the displays that you don't like while you're shopping?


> Do you go into stores and demand they take down the displays that you don't like while you're shopping?

No, but stores are usually happy for me to not look at the displays if I don't want to. Staff don't follow me around putting up displays in front of the shelves I'm looking at, sneaking things I don't want into my basket, or following me after I leave the store to keep showing me displays. Nor do they outsource these things to unvetted lowest bidders, and swear off responsibility when the people they've contracted steal my car whilst I'm in the shop.


If store ads fingerprinted you for storage and tracking, flashed annoying lights in your face, displayed obscene content or infected your body with viruses, absolutely yes


That’s pretty weird. Why wouldn’t you just not visit the store.


It has a few potentially legit applications:

* Avoiding the privacy implications of ads without restricting access to content

* Avoiding browser fingerprinting through checking which ad-blocking lists are enabled

* (More arguable) Enforcing 'Acceptable ads' policies

* (More arguable) Enabling ad replacement programs such as Brave.


> * Avoiding the privacy implications of ads without restricting access to content

Guaranteed that something like this would also block ads that are "site served" (e.g. Facebook's ads) though. Pretty difficult to make a privacy argument there since you're tracked exactly the same way there by nature of using the site.


I think that even for site served scripts, there's potential for ad-blockers to do good for your privacy, for example, if Facebook had a script that tracked the movements of your mouse through the page exclusively for advertising purposes and which was independent of the rest of the scripts of the page, then it could be blocked for a privacy gain.

But then, for site served scripts, the provider could sufficiently "tangle" it with the rest of the scripts as to be inseparable, so it's a lost war in the end and your point still stands, I believe.


So paywall your site? See if it lasts.

I can't comment on.morality because it is inherently subjective but there is no legal problem here.


Did you read the article? It’s proposing a way to prevent websites from detecting that an adblocker is in use, effectively breaking their ability to selectively paywall.


Did you read their post? They didn't say selectively paywall.


Won't be very useful. The internet is turning to subscription model very quickly.


And most subscription sites still show ads.



. Edit: failed at reading comprehension




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: