Google on Wednesday released research conducted in partnership with teams at UC Berkeley, UC Santa Barbara and other institutions that details the harm ad injections from toolbars create for consumers, publishers and advertisers.
Google and its university partners identified millions of cases of ad injections by tracking the pipeline of users who have foreign software deployed on their browser.
“We can tell when a user comes to one of our properties if there’s an ad injection installed, new elements being added or new scripts from domains that don’t belong to Google,” Kurt Thomas, the Google research scientist who led the study, told Adexchanger. “There are very telltale signs of modification in the page.”
Thomas said that the ad injection browser downloads are particularly insidious. “The majority of ad injectors we see don’t come with user consent. And even when they offer a path to removal, they throw up a lot of blockades,” he said. “If you click uninstall they make you fill out a survey, and they throw you through an infinite loop.”
Beyond the considerable indirect effects of a negative browsing experience, ad injection software opens up users’ information to potentially dangerous middlemen. Thomas notes that, “Because browsers are kind of analogous to the operating system now, they can target network credentials, your banking information … And if those servers are ever to be compromised, that [intermediary] would have access to all of that.”
While user complaints may have prompted Google to tackle the topic, this research will send tremors through many publishers and advertisers. In the report, which will be presented at the IEEE Symposium on Security and Privacy later this month, the team writes that, “Money enters the ad injection ecosystem through a tangled web of advertisers and intermediaries.”
For instance, advertisers are not only unaware of the fact that they are purchasing inventory through a duplicitous market, they’re making purchases for inventory on a publisher (Amazon, Google and Walmart are the three primary sources used for the research) without knowing that their ad is actually being served by a toolbar download.
“The question of just who ultimately controls the information presented to users is of great and increasing importance,” said Vern Paxson, professor at UC Berkeley who co-authored the report. For publishers, the direct impact to revenue (Google has no concrete value, but the report cites Superfish, the most prominent ad injector, which reported earnings of $135,000 in 2010 and $35 million in 2013) is actually less damaging than the intangible effects on their environment, like graffiti bringing down a neighborhood’s real estate value.
Advertisers confront yet another incarnation of a frustratingly non-transparent digital network. Webs of intermediaries in the market disguise the dangers of buying through ad injectors. For example, multiple pornographic sites are listed in the report as outlets where injectors funnel ads.
In terms of the networks involved in ad injection, Thomas found that 38% of the Chrome extensions and 17% of Windows binaries are “explicitly malicious,” and Google considers “the whole ad injection ecosystem [to be] a deceptive practice.” It indicates the explicitly malicious players take further action, such as providing personal user data to third parties.
The report also claims three networks, Superfish, Jollywallet and VisADD, are responsible for serving 77% of all ad injections.
Google is taking what steps they can to tackle the issue internally, but that’s limited to promoting its safe browsing product, denying traffic to ad injectors and purging downloads from the Chrome web store when they break the company’s policy (not all ad injectors do break Google’s terms, at least for now).
Citing the complexity of the chain of players that are involved before a user is affected, Thomas emphasized that, “We really do need an industry-wide effort to address this.”
The study was spurred by over 100,000 user complaints flooding Chrome’s feedback channel, some of which cite specific companies like SmartWeb, Flash Mall and Cloud Scout that engage in ad injection, and which represent the mix of user experience and publisher-side concerns that are at the heart of the issue.
An example includes: “All kinds of ads have started popping up all over my websites in Chrome. My PERSONAL website has pop-ups from some ad service I never signed up for.”
