ITsecurity
twitter facebook rss

Blocking the Ad-blockers: Europe’s Next Legal Storm?

Posted by on May 4, 2016.

I talked about the growing distaste for intrusive in-game advertising here, but it’s an even bigger problem in the browser world. Users are increasingly adopting the use of ad-blockers to prevent the intrusion of dynamic targeted adverts, and all the risks to security and privacy that entails, as well as the unbearable, desperate attention-grabbing aesthetic of the ads themselves. Marketeers, of course, say this practice will destroy the free internet. Ad-blocking certainly does decrease revenue to publishers who get paid by the number of ‘impressions’ – that is, how many people see the advert. With impressions having underpinned the economy of the online world for so long, it’s easy to see where this claim comes from.

UK Culture Secretary John Whittingdale seems on board with this attitude, calling the practice of ad-blocking a “modern day protection racket” in March, saying that ad-blocking poses a threat on a similar level to how the music and film industries were threatened by file sharing and piracy. This may indeed be an accurate assessment, given that they are both still multi-billion-dollar industries which are alive, well and extremely profitable.

It’s just a pity that some developers of ad-blocking software are playing into this perception with the self-defeating ‘whitelists’ such as those in use by AdBlock Plus. Sometimes a financial arrangement and sometimes simply a question of meeting certain criteria, it’s nonetheless true that Eyeo, the company behind AdBlock Plus, has taken certain adservers off their blocklists for a fee, thus giving rise to the ‘protection money’ analogy.

The comparison is a specious one, though. These Whitelists are not altogether the ad-block immunity they’re played up to be; AdBlock Plus’ Acceptable Ads feature is only enabled by default, and can be turned off in the extension’s settings. On top of this, there are purely user-defined blocklists available, and companies like Amazon and Taboola are only buying their way out of what amounts to AdBlock Plus’ factory settings.

Whatever the conclusion on the rights and wrongs of ad-blocking in itself, suffice it to say that on a security level, ad-blockers are good and targeted advertising is bad. Rather than put pressure on advertising companies to fix the security holes, crack down on malvertizing or have more stringent requirements for their adverts, publishers have always done their best to discourage users from blocking adverts. Any ad-block users are sure to have encountered messages requesting, with varying degrees of politeness, that they switch off their ad-blocker just for this or that site. In recent months, publishers have been fighting back in earnest. They’ve started blocking ad-blocker users. You’ve probably seen this if you use an ad-blocker. Here’s an example from Forbes:

image1

There is huge irony in Forbes blocking ad-blockers, since Forbes has already been caught delivering malvertizing to its readers (http://www.networkworld.com/article/3021113/security/forbes-malware-ad-blocker-advertisements.html). In theory, the responsibility for malvertizing does not lie with publishers like Forbes, but with the ad networks. However, the fact that websites like Forbes are more intent on forcing their users to be exposed to advertisements than they are on forcing their ad servers to reduce the risk of serving up infections shows exactly the kind of publisher culture that is driving more and more people to use Adblock.

In America, the Adblock Arms Race is mostly a moot issue. Users will continue to try to reduce their exposure to advertising, and publishers will either accept that or fight back. The real storm is brewing in Europe. Alex Hanff is a privacy activist, among other things. He was concerned about the legality of publishers scanning users’ browsers for the presence of an ad-blocker – and this is the reply he got from the European Commission:

image2

Use of ad-blockers can only be detected via JavaScript code, and any script which gathers data about a user’s browser or computer configuration is required, under EU law, to ask for the user’s permission before running. Most ad-block detection scripts work in this exact way, by scanning for the installed extensions and then running the script if they are detected, such as the anti-adblock code here. However, this alternative code works in a different way; by attaching a script to an invisible element, the code detects whether that element undergoes any client-side changes.

This creates something of a grey area, at least legally. If even so much as gleaning the knowledge of ad-blockers can be said to be ‘gathering information’, then this method is subject to the same laws and no less illegal to do without permission. Given their past – and indeed present – behaviour, it seems sure that publishers would contest this, if it came down to it.

Nonetheless, the writing on the wall must be faced sooner or later. Economically, the noose is tightening for internet advertising very slowly, but surely. The legal side is only just beginning to pick up steam, and it has the potential to hit much harder and faster. The European Commission has made it pretty clear that blocking visitors from viewing content based on a scan of the client’s browser is illegal in Europe. Forbes can and will carry on because it’s not an EU-based publisher. But European publishers should beware:

image3

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: Expert Views, Josh Townsend |