twitter facebook rss

CISO View: on Enforcing Ad Blocking

Posted by on November 2, 2015.

WG_lookingglass_logo_160x160Ad blocking is in the news. On the one hand is the moral argument put forward by publishers and marketeers that advertising fuels the free internet. According to a PageFair/Adobe study $21.8bn has already been lost in advertising revenue during 2015.

On the other hand is the argument that intrusive adverts spoil the internet experience and are fed by covert and sinister web tracking and surveillance.

Now there are additional considerations. Earlier this summer the Simon Fraser University published a study on AdBlock Plus. It concluded that blocking adverts could reduce network traffic by 25%; introducing an economic argument to the ad blocking debate. And in October Malwarebytes reported that poisoned adverts had found their way onto the Mail Online website; introducing a security argument.

Malvertising is serious and worsening. Bev Robb reported in January,

2012 saw 10 billion malicious advertisements with 42 percent of them delivered as drive-by executions that required no user interaction. In 2013, it was estimated that 12.4 billion malicious advertisements was [sic] served.

The question now is, ‘should companies enforce ad blocking, for both company and user devices, for economic and security reasons?’ We put this question to 10 senior CISOs in the Wisegate community, giving six options:

  • No, advertising fuels the free internet
  • No, ad blocking has to be a user choice
  • No, the economic and security arguments are over-hyped
  • Yes, we already block adverts
  • Yes, we will encourage users to use ad blocking technology
  • Maybe, but we need further research

adblockingInterestingly, not a single CISO buys into the free internet argument or considers the warnings to be over-hyped. Just one considers that the user issue should be left entirely to the user’s discretion. Four of them already block adverts, and three will encourage their users to do so.

However, the greatest number, fully 50%, are not averse to the idea but want further research before doing anything. This is typical CISO pragmatic caution – and is probably well-founded.

The world’s leading ad-blocker is Eyeo’s AdBlock Plus. Eyeo has fought and won three separate cases brought against it in Germany this year alone. The most recent was in September. Reuters reported,

A German court said on Tuesday that local software firm Eyeo’s Adblock Plus browser extension does not breach laws on competition, copyright or market dominance, rejecting arguments brought by Axel Springer, the publisher of Bild, Europe’s biggest daily newspaper.

But AdBlock is free software, and Eyeo needs a revenue stream. To gain that stream and possibly ward off some of the court cases it has started an acceptable ads ‘whitelist’ scheme. Provided that publishers can demonstrate advert acceptability (for example, by not being too intrusive), and provided the company pays a fee to Eyeo, then they will be allowed through the Eyeo firewall.

So AdBlock does not block all ads, only the majority. Put another way, you cannot rely on AdBlock Plus to protect yourself or your users from malvertising. The 50% of CISOs are right – blocking adverts may well be a good idea, but further research is required on how best to do so.

But now there is a new argument to consider. Last month Finnish security firm F-Secure published its own research suggesting that blocking third party web tracking reduces the average page load size by 14%, and increases load times by 1.6%. There is possibly an even greater argument for eliminating web tracking, since not only does it fuel targeted advertising, it can also be used to provide the sort of information that is used for social engineering in spear-phishing attacks. Encouraging users to block web tracking may well be a more important security issue than encouraging them to block advertising.

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: Perspectives |