Perceptual Ad Blocking Study paints grim picture
Advertisement blockers address a growing number of issues related to online advertisement: from online tracking to sell higher paying ads over saving bandwidth and improving page load time, to blocking malware that is distributed through advertising channels.
One downside to ad blocking is that some publishers cannot sustain their business any longer; means, they either go out of business or use other means of earning revenue which may be even more problematic than ads. Some publishers implement anti ad blocking mechanics on their sites to block ad blockers from working correctly or running at all.
Princeton researchers created a software last year that used a different approach to detect and block advertisement. Instead of relying on hostnames or code snippets, the solution of the Princeton researchers mimiced how Internet users identify advertisement on websites.
A perceptual ad blocker is not that interested in code that ads use. It uses visual cues to identify advertisement instead; this includes subtle cues that sites are often required to show to users when page elements are sponsored -- e.g. sponsored or advertisement labels -- but also close buttons or icons on ads by ad companies such as Google.
The proof-of-concept extension for Google Chrome highlighted advertisement on Facebook and on the web but did not block it.
Advertisers and publishers can make changes to how advertisement is delivered to bypass conventional ad blocking extensions that rely on hostnames or code snippets to block ads.
While that is a short-lived benefit, as blocking lists get updated frequently with new data, it is one part of an arms race between publishers and advertising companies on the one side, and ad blocking programs and users on the other.
The visual nature of perceptual ad blockers should, in theory, make it difficult for advertisers and publishers to modify advertisement to avoid detection and thus blocking.
The Princeton researchers hoped that perceptual ad blocking would end the arms race as advertisers would have to change the visual nature of the advertisement to avoid detection. Requirements, legal or self-regulatory, limit certain forms of change so that it would become difficult and sometimes impossible to change certain elements of an online ad.
Perceptual ad blockers have weaknesses
Researchers at Stanford University and CISPA Helmholtz Center for Information Security published the research paper Ad-versarial: Defeating Perceptual Ad-Blocking recently in which they refute the claim that perceptual ad blocking could put an end to the arms race between publishers and Internet users.
We show that perceptual ad-blocking engenders a new arms race that likely disfavors ad-blockers. Unexpectedly, perceptual ad-blocking can also introduce new vulnerabilities that let an attacker bypass web security boundaries and mount DDoS attacks.
The researchers devised eight different strategies to attack perceptual ad blockers and grouped these into four categories:
- Attacks against Data Collection and Training -- if the perceptual ad blocking systems use crowd sourcing, most do according to the searchers, then it may be possible to dilute the learning process and thus the effectiveness of the blocking by submitting training data with visual backdoors or through other means.
- Attacks against Page Segmentation -- the attacks targets blockers that "segment webpages based on their DOM" either by overloading through the use of a large number of HTML elements or by using techniques such as image sprites and CSS styles.
- Attacks against Classification -- classification determines whether an element is considered an advertisement or not. Attacks that target classification aim to evade detection or detect the use of ad blockers. The researchers discovered, for example, that "most visual classifiers, the perturbation
necessary to induce mis-classification [was] near-imperceptible to humans".
- Attacks against Ad-Blocker Actions -- sites may exploit the high-privilege context in which ad blockers run, e.g. to block non-ad parts of a site for all users that use an advertisement blocker or by triggering requests.
The researchers evaluated the effectiveness of attacks and concluded that "all visual ad-detection techniques are fundamentally broken in the challenging attack model" that they used.
You can check out the research project's Github page here.Advertisement