AdNauseam revisited: a discussion with the developer

Unread post by **Moonchild** » 2017-09-01, 11:56

In an attempt to keep as much transparency about what has turned out to be a controversial subject for a group of our users, I'm creating this post here as an announcement to explain the background behind our blocking of the extension, highlighting essential parts of the discussion I had with the extension's developer, Daniel Howe.

We have agreed to disagree -- he will keep his extension as-is (and harmful), and we will keep blocking it by default. Our compromise will be added controls in the browser to more easily allow harmful extensions to run in your browser in the next version. If you really insist on using harmful extensions to your browser, you can with minimal effort (insofar it is less effort than changing one about:config preference).

I've made all the points below as clear as possible to Daniel in my exchange with him; this in part re-iterates what was already stated by me in the original thread on this forum, but was clearly not entirely understood or comprehended by the developer, so was stated again in our discussion.

If you want to read the full exchange with him, there's a link at the end of this post to the entire PM/e-mail discussion (published with permission).
Since he didn't want me to reformat it into something more palatable or allow me to quote sections within context, I'll be summarizing the points discussed in my own words.

The core problems

It doesn't prevent "ad surveillance"

The coined phrase "ad surveillance" being the overarching term for ad networks to be able to follow users around as they browse from site to site and being able to determine "browsing paths" and profiles. The extension is supposed to stop this kind of tracking, but it achieves the opposite. When asking Daniel about the harmful nature of the extension, he stated that the biggest harm in his opinion is caused by the "surveillance advertising system".

The problem is that AdNauseam makes exposure to this surveillance worse (and that is where it completely misses the mark as far as I'm concerned) by generating requests to advertiser's servers and then purposefully generating clicks, instead of preventing the content from being grabbed in the first place. The extension is therefore generating visits to external sites that would otherwise not know of the user's existence, in effect broadcasting the user's presence on the web making it all the easier to be followed around.

It doesn't achieve it core goal (harming advertisers or ad networks)

While lowering the value of ads on websites (Indirect harm, see below) is theoretically a longer-term negative effect for ad networks caused by Daniel's extension (since their catalog of ad positions will have fewer "favored" sites), it does not cause a loss for them because Advertisers will use fixed budgets, and in turn will just end up with their ads shifted to other sites or paying more per impression because of increased competition with a smaller (but higher quality of conversions) market.
This means that it has no influence at all on advertisers or ad networks. The budget will be paid and used; and it just shifts the balance of cost versus value. There is no shortage of publishers for ads, after all.

As a extra remark here: If the extension would, by some twist of fate, be installed on a large enough percentage of browsers to make this effect being felt by the advertising industry, it would give rise to another problem: the Denial of Service factor. Generating clicks and traffic from hundreds of thousands or millions of browsers is no different than what malicious botnets do to take sites down by pure flooding with fake traffic.

It's malware

Daniel and I disagree on the definition of the term, apparently.

In my opinion, "Malware" is a general term for all malicious software, meaning software that causes harm. It does not have to be hidden to be malicious; it does not have to be installed without the user's permission or consent (if it is misrepresenting itself or its functions, it's still malware); it does not have to act like a worm, trojan or other difficult to counter or remove piece of software to be malicious. It does not have to target the user who installs it. Botnet clients are malware; while they do not harm the user installing the software, they cause harm to innocent third parties (either targeted or not) by using the user's resources. AdNauseam is most certainly doing this.

Since DoNotTrack is one of the mechanisms AdNauseam uses to target/avoid sites, it can even be directed into more focused attacks on specific sites or domains, and can be abused by users alike. It will not botclick if a site has a DNT statement published. Since those statements are usually false anyway (you can't guarantee non-tracking if you run third-party ads!), it's being selective in which sites are targeted (with negative impact) by design. This makes it even more akin to traditional malware by being discriminant about its targets.

Whether there is intent to harm or not is, however, not a criterion for what ends up on our blocklist; that is purely a matter of objective observation and evaluation of observed behavior and result from said behavior. Extensions that are harmful or malicious "by accident" are still undesirable to have installed.

Ad networks will respond

Ad networks will respond (severely) to invalid traffic. They have to, unless they want to allow click-fraud undermining them and advertisers alike. It is a required precaution they must take to protect their business and their clients (advertisers). From an ad provider's point of view, the extension's behavior looks like an attempt at click-fraud, because it artificially inflates clicks on ads, and damages conversion rates (because there will be no sales from something that has its response discarded-as-received).

Initial increase of pay for publishers because of extra clicks

While on the (very) short term the revenue for a site owner may increase when their site gets visited by people employing AdNauseam, this will only last as long as the ad network does not detect the nature of the traffic (and make no mistake, their algorithms for detecting fake clicks are pretty damn accurate because of so many attempts at click-fraud that occur all the time).

Once the ad network notices the invalid traffic, it's a steep slide down for the publisher:

Direct harm: Culling of pay

When invalid traffic is detected, ad providers will generally put a strict filter on the publisher's account (not just the one detected website) to dock any and all pay that looks even remotely like invalid traffic (which will also include traffic from browsers set up to be more privacy-focused by their users). Because of delayed payment by ad networks, this is usually done on anything that has not been paid out yet, retroactively. This kind of pay reduction to publishers is often also not reflected in what advertisers pay (since they generally pay the moment ads are placed, not a month or 2 after) and as a result it will be a net win for the ad network until the delay catches up with the catalog price of the ad positions. Even if this is fully compensated to advertisers by the ad network, there is a net-0 result for "attacking the system" by way of bot clicks, and not any sort of loss.

Direct harm: Closing of accounts (take-down)

In the worst case, publishers may see their account closed for perceived click-fraud with no opportunity for appeal, effectively cutting their income off completely, overnight, by no action of their own -- that's a financial take-down caused directly by the extension, and another reason why the extension's behavior is considered malicious. It's usually up to the publishers to try (note: try) and provide evidence that "it wasn't them" when they are accused of click-fraud. In most cases this is a battle that is already lost before it is started.

Indirect harm: Devaluation of ad positions

The ad value of published ads on websites will drop like a brick. Ad networks will no longer adopt the affected websites as "preferred" placements when the account is marked as "generates invalid traffic above the threshold", and advertisers aren't willing to pay top dollar for positions known to attract fake traffic, since it's not a good investment of advertising budget, plain and simple.

Discussion dismissed

Unfortunately, the entire discussion at this point was dismissed by Daniel, after I made all these arguments and spent a good amount of time clarifying our position, on the simple excuse that Pale Moon's website uses AdSense, and as such we are assumed to be comfortable with the fact that tracking and profiling of visitors can happen as a result (or somehow backing Google's mission -- if anything, we've already been severely hurt by them, and there is no love for Google in this corner, BUT it is the only reasonable option in the end for display ads because of its size and stability; call it a necessary evil because nobody is actually paying for the use of a full-time development product otherwise, at least until such time as voluntary donations or other revenue make it possible to become ad-free), and him tripping over the fact that AdSense is called a responsible ad network by me in the anti-adblock notification on our sites.
It's "responsible" in the way that ad content is strictly vetted and pretty much guaranteed to be safe to visitors on modern browsers. On top, AdSense gives publishers a pretty large measure of control over what ads and categories are displayed on their websites, and the option to block individual advertisers or ads as well, to prevent the obvious bad apples that might slip through the cracks.

I'm really disappointed that apart from Daniel wanting to have his say to try and get de-listed by referring to some EFF statements, he wasn't willing to listen to the points made here, or discussing this any further, or working on a way to make his extension be less harmful to publishers.

Here's the entire conversation in its raw format, if you want to read it: https://pastebin.com/cJAvkvRt