I'm constantly asked by websites to drop my ad blocker but why would I do that? If they want to serve ads than maybe there is a way they can do it themselves, as opposed to a third party serving them.
Indeed there is a way. And if they do it the old-fashioned way, using static ad assets, then the ads aren't typically blocked by ad blockers, anyway (at least not automatically).
Furthermore, these kinds of embedded, static ads lead to more honest, authentic relationships between content providers, advertisers, and viewers.
Sounds like the PR agency is interested in making ads which nobody would see. Great job, PR agency.
In my opinion if a website can't make a profit without ads, then it shouldn't exist. There are a tons of other ways to make money from a website without showing a single ad on the page.
This is 100% acceptable to me for the following reasons: first, these site owners fully control the ad presentation on the site, and there's zero possibility of unvetted JS going through because the advertiser delivers plain text to a knowledgable human publisher who is the one who will run the placement. Likewise, the advertiser gains no knowledge of visitors who didn't elect to click the ad link and visit their site.
This gets to my comments above: the quest for a fully-scalable inventory of both eyeballs and advertisers is a hugely corrupting influence on so many levels. Small companies wanting to build relationships to help each other, without exploiting visitors in the process, is OK in my view.
But I guess these sites would rather just continue to be a conduit for screwing with their viewers.
What we need is some third-party intermediary to screen, not the ads, but the sites hosting the ads---some kind of certification authority that says "this is a list of websites that don't allow people to run untrusted code or scams," and then allows users to block everything else by default.
I'm amazed too. But I'm also fairly certain publishers would love to do that. It's just not as practical as you make it sound. (And frankly, if you do come up with a solution for this, by all means reach out and let's bring it to the ad tech market; we'll rapidly make a fortune.)
For starters, how do you deal with ad fraud? What do you do with fraudulent sites that e.g. stack dozens of ads on top of each other so they all count as views? Or those that have zombie devices replay actual site visits and ad clicks? Or those that have toolbars replace ads with something else? Picture an EasyJet special offer popping up in the middle of your screen as you're pulling out your CC to book a ticket on RyanAir. This type of stuff happens; many times without the offending company even knowing how its ads got served to a zombie device. Companies lose billions per year to ad fraud. It's an enormous problem. Whether it's PPV (ad stacking), PPC (click bots), or PPA (CC fraud), you need some sort of tracking to weed out fraud.
And then there's the logistics of the whole thing. In theory there are more user-friendly ways to market and serve ads than real time bidding platforms. In practice, not so much. Apple tried to sell vetted ads at one point with a direct sales force to interact with relevant brands; it miserably failed. Similarly, there used to be a rather high quality ad network that ran image/text-only ads on Daring Fireball and a bunch of other sites; it eventually shut down. Selling your own ads is a non-starter unless you've a large audience already. So the truth is, and for better or worse, the simpler and cheaper way to buy and sell ads may very well be RTB for the foreseeable future.
Why do you care how many people saw the ad? What you care about is results. If you run an ad and accrue benefits of $50,000, you are happy if the ad campaign cost less than that.
Say you sell lamps. If you spend $5000 next month on digital ads and you are able to attribute new sales of $6000 to that ad campaign, then why do you care what the impression numbers were? All that matters is that sales went up by a big enough amount.
The company selling ads can't tell you how effective the ads were. Only you know that.
In the current JS-based ad world you can go: my ROI on the first is X with reasonable confidence; and on the second I believe it is Y after discounting for [heaps of ad fraud-related reasons] -- which is not great, but still better than no idea.
In a text/image only ad world you'd go: my ROI on the first is X with reasonable confidence; on the second I've absolutely no idea except that the numbers are getting worst by the month because of [heap of ad fraud related reasons].
The main victim here, I should point out in passing, are the websites you're getting your news from.
And yes, you're somewhat correct, the company selling ads can't tell you how effective the ads ultimately are. But only they can tell you if the ad likely got served to an actual human rather than to a bot, among other schemes. And knowing that a bot is likely browsing your site can make a world of difference with your boss when you're reporting on whether you should spend more on content/SEO or online ads, or with your payment provider when someone is testing stolen CCs on your SaaS sign-up form.
The main victim is the user. We are tracked and profiled a million different ways. Shitty ad-tech devours our bandwidth and batteries and makes everything feel worse. I'd wager that end users are often paying more for the bandwidth and power to receive an ad than the publisher is getting paid to show the ad.
Also, PPC and PPA are what SMBs prefer to buy. PPV only holds its ground when used for brand recognition purposes, with the caveat that it's hilariously easy for fraudulent publishers to stack ads on top of each other and get away with it.
How could we tell you that? You know better than anybody what your revenue numbers are. A billion impressions isn't worth anything if it doesn't affect anything you measure.
As you just said: a billion impressions aren't worth anything if it doesn't affect anything you measure. And that's the whole problem in the ad industry. Are you buying ads to:
- Build your brand/awareness/mailing list?
- Get marketing qualified leads that your sales will handle?
- Get sales for your SaaS without going through sales?
- Something else?
Each of these require different type of tracking - views, clicks, actions. More importantly though, each is subjected to ad fraud. And simple text/image ads won't let you detect the latter to weed it out of your stats.
And the event you're thinking "so? as long as your ROI is positive you're fine" the answer is no, it's not good, because it incites more fraud and the budget might have been better spent on content marketing or other efforts.
I don't know what an SMB is btw.
Per the answer I gave to a separate answer, there's more than meets the eye when you're measuring an online ROI. Text/image only ads would prevent adequate ad fraud tracking. Take the naive scenario where you add some utm parameters to your PPC campaign and call it a day. The next thing you know you can have a bunch of bots crawling your site owing to click bots and referral spam, alongside fake user bots building profiles by replaying bits and pieces of actual traffic sessions, the two combining to messing up your traffic stats. And if you're large enough to have sophisticated fraudsters target your site, another cohort of bots might show up registering to your SaaS to test stolen CC numbers, messing up your sign up stats to boot.
And, don't get me wrong here. I'm an engineer too and I've been using ad blockers for longer than I've been neck deep into marketing and sales. I just get where you're coming from. But the sorrier realities on the ground are not as simple as one might think from afar.
Spend 10k advertising one month, measure your revenue increase in the following month.
This is how we were tracking our Facebook adverting.
Why not limit them to just static images?
If you're interested in working to combat the problem outlined in the blog post, we would love to hear from you! Please reach out to me [eliya AT confiant DOT com].
I will be back a little bit later to answer some of the questions that I see here in the comments as well. Thanks!
As others have noted this issue is more about the lax security of ad networks (and their sub networks). Rather than introducing real security, most major ad networks play a cat and mouse game with malware.
Which, come to think of it, is a great way to screen malware---anyone who will run a flash update probably thinks they need it to get their AOL e-mail, and will happily take the forthcoming call from Apple's Tech Support (TM) asking them for their password and SSN.
We really need to stop pretending that ad networks are these neutral entities. They are a backdoor that inserted on every website, and I shouldn't have to justify plugging it up, you should have to explain why you've sold my security.
And people still click on things they shouldn't be clicking on.
It is amazing the brainpower that goes into developing processes like this just to trick a person into doing what they've been told NOT to do.
I understand every new generation of user's needs to be reminded this. Of course, right? Kids grow up, and have to be taught basic online hygiene.
Maybe it is time to do away with the entire paradigm of "click to install" and have authenticated package managers for everything.
Would that solve the problem? If the only way to install software was through an "app/apt-store" where everything is fingerprinted? This reminds me of the article on HN a few days ago about enabling HTTPS and Tor for apt. I learned a lot about how apt verifies untouched packages are installed.
Why isn't that the ONLY method to add software to a computer?
Just seems like we are attacking the wrong problem. People still get STIs because they don't want to use a condom (or don't know how to use one). My analogy sucks, but if we got rid of sex we wouldn't have STIs, by definition. Ok, F for that metaphor, but am I going in the right direction?
> The `veryield-malyst` domain, as a case in point, has been active for months, but only recently are VeryMal starting to smuggle it using steganography. Here’s one of their tags ad tags from early November for comparison:
So we've known since at least November that this site is bad, but it's still serving this stuff up today? WTF?
So, Google, tell me what options do I have? Switch to CPU and memory hog Firefox, to the new Internet Explorer called Safari, or watch while ads that I can't block fuck up my computer?
In addition, I vastly prefer Chrome's devtools. Nothing comes close, and I believe this is a huge part of why developers are so Chrome-loyal.
So do I (I’ve also heard good things about Firefox’s dev tools but never made the switch), which is why I use Chrome for web development and Safari for everyday browsing. It works really well for me and I like that my browsing history isn’t full of with localhost URLs, my form fill history isn’t spammed with entries like “testtest123”, and my dev tools are (nearly) unadulterated by extension scripts.
I am 100% in agreement JS is the problem and should be abandoned. But the web falls apart if you disable it.
source: disabled JS on iOS safari. I leave it disabled but have to open other browser all the time. Even stupid HuffPo "click to read" is JS. So when I click 'news' links from the main news widget they open in Safari and I can't read the article I have to copy and paste into Chrome (which does have JS enabled).
There's no way this is an ok user experience. But JS is not an ok security experience. I'm like F THIS I'M SWITCHING TO LYNX. :-(
The other side is that any advertising re-sellers should have to put up a bond/insurance against serving malware. If you get busted, you're out. It's up to the advertising companies to ensure that they don't deliver malware. If a campaign includes malware, then it's a $10K fine + $1 for every time that campaign was shown.
if publisher had minimal CSP eval protection on Ads it will be safe. but I guess that would break every ad, even Google's.
in the end, same old everything. just a slightly clever way to avoid static analysis, that is also not new at all.