Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Defeat Perceptual Ad Blockers, Declare 'New Arms Race' (vice.com)

Posted by BeauHD on from the winners-and-losers dept.

dmoberhaus writes: Perceptual ad blockers were supposed to be the "superweapon" that put an end to the arms race between advertisers and users. According to new research, however, perceptual ad blockers will come out on the losing side in the war against internet advertisers and expose users to a host of new attack vectors in the process. Researchers at Stanford tricked six different visual classifiers used in perceptual ad blockers with adversarial ads designed to trick the ad blockers by making nearly imperceptible changes to the ads. "The researchers tried several different adversarial attacks on the perceptual ad blockers' visual classifiers," Motherboard reports. "One attack, for example, slightly altered the AdChoices logo that is commonly used to disclose advertisements to fool the perceptual ad blocker. In another attack, the researchers demonstrated how website publishers could overlay a transparent mask over a website that would allow ads to evade perceptual ad blockers."

"The aim of our work is not to downplay the merits of ad-blocking, nor discredit the perceptual ad blocking philosophy, which is sound when instantiated with a robust visual ad detector," the researchers concluded. "Rather, our overarching goal is to highlight and raise awareness on the vulnerabilities that arise in building ad blockers with current computer vision systems."

18 of 144 comments (clear)

  1. Why visual? by DogDude · · Score: 3, Insightful

    Why would they test a visual ad blocker? Who uses those? All the ad blockers I have ever seen block domains. A visual ad blocker seems doomed to fail.

    --
    I don't respond to AC's.
    1. Re:Why visual? by Anonymous Coward · · Score: 2, Insightful

      Really? What is these ad's your talking about ... Firefox+Ublock Origin.

    2. Re:Why visual? by djinn6 · · Score: 2

      For any site you visit frequently, you can always write a simple Chrome or Firefox extension to do it.

      I have one that makes the comment boxes take up full screen width, but I can easily modify it to hide the ads (if my adblock wasn't doing it already).

  2. Javascript by Anonymous Coward · · Score: 3, Informative

    If ads get too pervasive and hard to block people could just disable JavaScript completely.

    1. Re:Javascript by ChromeAeonuim · · Score: 4, Insightful

      That's how I do it. I use NoScript, and rarely ever see ads. The ads themselves are all being served up from some other site anyway, so even if I allow the scripts coming from the site itself, the ads are still blocked, which is fine by me.

      If advertisers really want me to see ads, the simple solution is to stop being assholes. Stop using tricks like native advertising to deceive users, stop redirecting to God knows which questionable and potentially malicious sites, stop advertising scams, and in general stop being so hostile. They'll piss and moan about how I'm taking away advertising revenue, when really, all I want to do is keep myself and my machine safe. You guys are the ones who started the hostile behavior, not me, so don't be surprised when I react accordingly.

      If they really want me to see ads, it is simple. Have an image, using standard basic Img tag, saying 'Drink Brand X Cola!' or whatever, clearly linking to brandXcola.com. There, simple. No scams, no malware, no tricks, transparent and honest. If they don't want to do that, then it's not my problem if someone's unethical behavior bites them in the ass.

    2. Re:Javascript by markdavis · · Score: 2

      >"If advertisers really want me to see ads, the simple solution is to stop being assholes"

      But the reality is, that will never happen. They will never stop using:

      1) Animation of any type (scroll, change, fade, flip, whatever)
      2) Video of any type
      3) Sound
      4) Pop-overs, pop-unders, mouse-overs, and overlays
      5) HUGE portions of the screen

      The genie is not going back into the bottle. Had they never done the above, I would never have had that much motivation to block them. And that is even before considering the security, cpu, memory, bandwidth, speed, battery, tracking/privacy, and all the many other issues with ads.

    3. Re:Javascript by Opportunist · · Score: 3, Insightful

      This is basically why the ad industry is in the huge pit they're in today. You might notice that the amount of sites that beg and whine to turn off the adblocker has increased in the past 1-2 years. Why? Because now even the computer illiterates block ads.

      Ads have always been part of the internet. Pretty much since the first time the masses entered with AOL there were banners. And ads got more and more invasive because they could. They'd pop up, over, under, blare from speakers and go fullscreen video. Why? Because advertisers were used to getting away with it from TV. What would you do? Change the channel?

      What they didn't take into account was that on a computer, the owner of the computer can easily turn off their obnoxious invasion. But that was ok. The ones that could were few and far between. And the illiterates were plentiful enough to keep the ad industry going.

      But apparently not enough people clicked their ads. Even when they tricked people by disguising them as "close" buttons. So ads got more and more invasive, because apparently the ad industry thought that people somehow missed that full screen flashing and honking ad. And at some point the breaking point was reached: The illiterates installed ad blockers.

      To give you an idea what we're talking about: We're talking about the user that dutifully closes 20 error messages when he starts his computer from programs that didn't quite uninstall properly. The user that doesn't care that his i7 is slow as molasses when browsing because of the 99 tracking plugins littering his browser, or that he has a browser real estate of a stamp on his 28" screen due to all the plugin bars that somehow got installed. The ad industry managed to piss off THIS user enough to get off his ass and install an ad blocker.

      And he's not gonna uninstall it. Can you imagine just HOW much you have to piss off someone like this to block your ads? You could promise him a new car to uninstall that ad blocker and he won't uninstall it. That ship has sailed.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Moving the wrong way. by Gravis+Zero · · Score: 4, Interesting

    If you want to get rid of ads, you shouldn't be looking to completely prevent them from loading because that's an eternal game of cat and mouse. Instead, you should be looking to poison advertisers click-though information. Basically, fooling ads into thinking you have clicked them and loading things in the background (after you have loaded the page excluding the ads) would have a very negative effect on advertisers because it spoils the very thing they keep track of: who clicks-through to a site. If most people provided a completely false click-through and browsing information it would diminish the value of ads entirely.

    Honestly, people are fighting ad networks all wrong.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re: Moving the wrong way. by Anonymous Coward · · Score: 4, Interesting

      Clicking on ads automatically on behalf of users would be very dangerous. I'm an author of the paper discussed in the article, and we looked at one ad-blocker that actually does this (specifically it clicks on ads to check whether they link to an ad statement page). It turns out that you can fool the ad-blocker into thinking something is an ad, which then causes it to click on an arbitrary link of your choice... You could use this for DDoS purposes, cross site request forgery attacks, etc.

    2. Re:Moving the wrong way. by Anonymous Coward · · Score: 3, Interesting

      If you find yourself in a fair fight, your tactics suck. Have a type of proxy set up for the ad servers based on their DNS call, that allows the original content in, but tells the ad networks you're based in, say, Nepal. Poison the stream with false information. Pretty soon the ad networks will realize they are ineffective.

      I already blackhole every ad network at the DNS level using a Pi-hole. I add new subscriptions all the time. I also block referers, CSS history, the ability for sites to see anything about my computer or it's OS, software/hardware. I falsify my fingerprint, as it were. Works a treat. I test myself against test sites to see how I'm faring once or twice a month.

    3. Re:Moving the wrong way. by Rockoon · · Score: 4, Insightful

      Doesnt sound like fraud to me. The user has not given you a promise to do anything in particular with your advertisement, therefore they are not misleading you when they click but dont visit.

      --
      "His name was James Damore."
    4. Re:Moving the wrong way. by Anonymous Coward · · Score: 2, Funny

      LOL. Guys, I think we just found a person whose paycheck depends on advertising dollars. Get a rope.

    5. Re:Moving the wrong way. by epine · · Score: 2

      If most people provided a completely false click-through and browsing information it would diminish the value of ads entirely.

      Your analysis is not even on the right set of train tracks.

      Current compensation formulas might well involve relative conversion rates (I don't follow this closely), but that's merely convention.

      What actually matters is the absolute conversion rate: number of widgets sold, and average selling price. As long as those two quantities are in the black, advertising will remain a going concern.

      (There are a fair number of retail ventures where the price paid depends on your history of arrival. Amazon has tried this in house, but other places astroturf apparently independent outlets and then work to steer customers to the most expensive outlet, at or below willingness to pay. Willingness to pay is measured by having the deepest discount associated with filling out many bullshit forms, poor shipping terms, and generally poor terms in every other respect. Professionals very quickly elect to protect their time and energy by paying more under the general heading of "convenience". Gradually the industry trains consumers to accept their general convenience category, and to only shop within those parameters. This is half the function of advertising, as viewed from the systemic perspective.)

      Bullshitting a lot of click-throughs (with no conversion possible) inflates the cost of delivering electrons (very marginal these days, though enough to make to make Amazon even richer).

      It doesn't fall into hardly anyone's convenience category.

      And it's fundamentally non-verifiable. Because while you fantasize over how this creates difficulties at the other end, all this sophisticated new AI isn't fooled (for long) in the slightest.

    6. Re: Moving the wrong way. by Gravis+Zero · · Score: 2

      I'm not suggesting using a perceptual ad recognition for poisoning ad networks but rather the list based method. The entire concept of the perceptual ad recognition is flawed and is even more of a cat-and-mouse game than list based detection. If anything, the perceptual ad recognition should be used by list maintainers to identify new ad new domains to their lists... just not automatically.

      --
      Anons need not reply. Questions end with a question mark.
  4. Why aren't adblockers implemented like this? by Bryan+Ischo · · Score: 2

    The problem I have seen with ad blockers (and admittedly, I have only tried a few, and haven't put a lot of effort into trying to find the best or most useful one) is that they work by preventing the loading of certain parts of web sites. Like, they refuse to load images from a certain domain, or refuse to load and run javascript from a certain domain, or whatever. The important point is that I believe they work by not loading content that they want to block.

    It is my experience that sites can detect this behavior - they can tell when you have loaded all of a page but not the ads, because they can see that your browser only fetched part of the page. They probably also embed javascript in ways that require that it be run and show an ad or else some other javascript notices that this did not happen, and then knows that you did not load the ad. And then they run other javascript that blocks out the content of the site itself because they have detected that you are running an ad blocker.

    I don't know why ad blockers don't then just implement the obvious:

    Load the ad. Load the javascript. Just turn all the pixels that you display for those ads to white, and all the sound to zero volume. The javascript won't know that behind the scenes the APIs that would display images have instead decided to show white pixels. The remote server will still see you fetching all the content and "presenting" it to the user.

    I'm talking about switching ad blocking from a detectable and defeatable "don't show ads" to an undetectable (by the ad displayer) "do everything you would have done up to the last possible moment which is the presentation of the ad image/sound, instead showing nothing".

    This seems so much more foolproof to me. It doesn't have the nice property of reducing your bandwidth usage by not even loading ads but ... I personally don't care much about that. I just don't want to see the ads.

    The only recourse of the advertisers at that point would be to make the content of the ads intrinsic to the content of the site; like the site text renders in javascript that also renders ads, or something. At that point, I don't know what we do to stop ads ... maybe stop allowing javascript?

    In terms of how to detect what is an ad, just let users clock on anything that shows up as an ad image, choose a pop-up "this is an ad", when they select that, white out the image, and add the URL of the ad image to a voting database. Then when fetching images, if enough votes have been cast saying that it's an ad ... treat it as such.

    What are the obvious flaws to this design that I am missing?

    1. Re:Why aren't adblockers implemented like this? by markdavis · · Score: 5, Insightful

      >" don't know why ad blockers don't then just implement the obvious: Load the ad. Load the javascript. Just turn all the pixels that you display for those ads to white, and all the sound to zero volume. [...]What are the obvious flaws to this design that I am missing?"

      1) Because that still causes the page to load very, very slowly. Try it- the speed difference is almost unbelievable on many sites. Many sites that load and render in 3 seconds suddenly take 6, 10 or even more seconds.

      2) Because it doesn't help prevent tracking and spying.

      3) Because it doesn't reduce bandwidth/date usage.

      4) Because it doesn't reduce memory, CPU, and power/battery usage.

    2. Re:Why aren't adblockers implemented like this? by UnknownSoldier · · Score: 2

      > And then they run other Javascript that blocks out the content of the site itself because they have detected that you are running an ad blocker.

      If you are blocking content because someone blocked ads then users will just go elsewhere to get that content.

      Forbes does this bullshit. Guess what, I don't care about Forbes anymore.

      Your broken business model isn't my problem.

  5. Why this is silly. by cshark · · Score: 2

    You know, I've given internet marketers a chance to explain themselves. An opportunity to prove they're not complete morons who not only don't understand their product, but their customer. I've been patient with them as they introduce new and ever more obnoxious and invasive advertising techniques that are heavily lauded, but that don't actually work. I've read their blogs. I've commented on their forums. I've tried to speak reason to power. And now... I'm done.

    As I've explained to these intrepid idiots in the marketing industry for the last decade, people block ads because they're a blight. They're implemented poorly. They often contain malware which largely goes unpoliced, and they diminish the reading experience on pretty much any site they're on. If you're on a website, and the ads don't completely destroy both the credibility and quality of the host site, you're probably on buzzfeed. Nearly everywhere else, you're going to notice this nonsense.

    The war on adblockers is a lost cause. Breaking adblockers is not going to result in higher clickthrough rates. It never has, in the entire time it's been around. If a user LOVES your website, they might whitelist you. Short of that, they'll bounce and get your content from somewhere else. Calling attention to and requesting a modification in the software a user runs is a violation of user rights. Period. Plain and simple. And it raises suspicions about the host site, bringing to the user's mind the other invasive practices a site might be engaged in, and the handling of their personal data in general. If you wouldn't demand to look in someone's underwear drawer when selling them a newspaper, you shouldn't engage in the ongoing harassment of your users in this way. There is no moral difference.

    Asking users who are taking aggressive steps not to see ads will only result in lower documented clickthrough rates. It'll result in more bounce traffic. It'll result in fewer people showing an interest in your site, and less exposure over social media. Mind you, a lot of people that have never clicked on an ad in their lives think nothing of sharing your article with their network of followers. If you track the engagement numbers on sites that behave in this way, you'll see a downward trend overall in their engagement numbers -- resulting, ironically, in fewer ad impressions, and fewer clicks.

    I don't know if there's anything to do about it. If the industry wants to sit there and gnaw off its own leg, they're welcome to do it. And I'm sure they will. Like I said in the beginning of this rant, they're not exactly the brightest bulbs to begin with.

    --

    This signature has Super Cow Powers