Beyond the considerable indirect effects of a negative browsing experience, ad injection software opens up users’ information to potentially dangerous middlemen. Thomas notes that, “Because browsers are kind of analogous to the operating system now, they can target network credentials, your banking information … And if those servers are ever to be compromised, that [intermediary] would have access to all of that.”
While user complaints may have prompted Google to tackle the topic, this research will send tremors through many publishers and advertisers. In the report, which will be presented at the IEEE Symposium on Security and Privacy later this month, the team writes that, “Money enters the ad injection ecosystem through a tangled web of advertisers and intermediaries.”
For instance, advertisers are not only unaware of the fact that they are purchasing inventory through a duplicitous market, they’re making purchases for inventory on a publisher (Amazon, Google and Walmart are the three primary sources used for the research) without knowing that their ad is actually being served by a toolbar download.
“The question of just who ultimately controls the information presented to users is of great and increasing importance,” said Vern Paxson, professor at UC Berkeley who co-authored the report. For publishers, the direct impact to revenue (Google has no concrete value, but the report cites Superfish, the most prominent ad injector, which reported earnings of $135,000 in 2010 and $35 million in 2013) is actually less damaging than the intangible effects on their environment, like graffiti bringing down a neighborhood’s real estate value.
Advertisers confront yet another incarnation of a frustratingly non-transparent digital network. Webs of intermediaries in the market disguise the dangers of buying through ad injectors. For example, multiple pornographic sites are listed in the report as outlets where injectors funnel ads.
In terms of the networks involved in ad injection, Thomas found that 38% of the Chrome extensions and 17% of Windows binaries are “explicitly malicious,” and Google considers “the whole ad injection ecosystem [to be] a deceptive practice.” It indicates the explicitly malicious players take further action, such as providing personal user data to third parties.
The report also claims three networks, Superfish, Jollywallet and VisADD, are responsible for serving 77% of all ad injections.
Google is taking what steps they can to tackle the issue internally, but that’s limited to promoting its safe browsing product, denying traffic to ad injectors and purging downloads from the Chrome web store when they break the company’s policy (not all ad injectors do break Google’s terms, at least for now).
Citing the complexity of the chain of players that are involved before a user is affected, Thomas emphasized that, “We really do need an industry-wide effort to address this.”
The study was spurred by over 100,000 user complaints flooding Chrome’s feedback channel, some of which cite specific companies like SmartWeb, Flash Mall and Cloud Scout that engage in ad injection, and which represent the mix of user experience and publisher-side concerns that are at the heart of the issue.
An example includes: “All kinds of ads have started popping up all over my websites in Chrome. My PERSONAL website has pop-ups from some ad service I never signed up for.”