Consumers Consumers Consumers

Posted by on Sep 29, 2011 in Uncategorized

Why is it that consumers are not as protected online as they are offline?

When one goes shopping at a reputable grocery store, isn’t the barrier to entry for products in these stores incredibly high? If I were Target, Fred Meyers, Safeway, Pick’n Pay, Spar, any one of these; wouldn’t I want to know exactly what it is that I am selling or referring to my customers? After all, if I endorse a product (let’s say I put it on my shelves or up on one of the walls as a poster) then isn’t my reputation also at stake if it turns out to be a really bad product? You already know the answer to this. Of course my reputation is at stake.

So why are things different in the online advertising world? Perhaps this is simply the nature of online advertising, i.e., sometimes there are risks involved. Fortunately these risks, these threats to the consumer, can be mitigated even though online advertising is a little trickier than selling goods offline. Consider that the contents of a milk carton don’t change after one buys the milk carton and takes it home. Online, what an ad points to can change after it has been approved. This is referred to as a bait and switch on the security side of the advertising ecosystem.

Basically, an advertiser sets up a landing page (let’s call it, registers with an ad network, creates creative and launches a campaign. This is called the bait. Before the ad network lets the campaign go live, they have automation in place (although sometimes it is a manual process) that checks out the advertiser’s page for bad things. Bad things could be inappropriate content such as illegal pharmaceuticals, hate speech, gambling, malware et cetera. Since we’re still in the bait phase though, our advertiser has lots of happy care bears on his page, so the content is good and the campaign goes live.

When traffic starts rolling in, the nefarious advertiser changes the content (enter the switch!). Suddenly, a landing page filled with happy care bears is now also filled with a hidden little payload of JavaScript on the side that is trying to exploit and gain control of your computer. The tricks of the trade when it comes to malware in this domain are astounding. The bad guys that know what they are doing really do know what they are doing.

So whilst the contents of a milk carton don’t change once you’ve bought it and taken it home, the advertiser on an ad network has the ability to change the content of his Web site a little while after the ad network starts referring consumers to him. This is the nature of the Web, not just online advertising. A link to a site that you thought was good can go bad at any point in time. This is why good ad networks mitigate this risk by regularly monitoring the landing pages that they send their consumers to.

Are consumers aware of the risks involved? Should they be? Perhaps consumers can make the assumption that proper steps are in place within the ad networks and that the safety of the consumer is one of the ad network’s highest priorities? I argue that most consumers are not aware of the risks involved at all, nor do they understand the advertising ecosystem enough to be making any assumptions about who has their best interests at heart.

If I buy milk at the grocery store, and let’s say that on the way home it does turn into cheese, well I have a few options:

1. I’ll just take it back to the store

2. I could contact the folks originally responsible for packaging the milk

When an online ad goes bad, option (2) isn’t really an option since the folks behind the ad are usually the folks trying to do bad things. You could complain to them, but it’s probably not going to help much.

Option (1) is tricky. What do you know about the ad? You know the landing page, and you know where it came from (the original publisher’s site), so perhaps this is what you could report to the network that served you the ad. I argue that a fairly significant number of people don’t know the difference between an ad and an organic link on a site. Referring to Ben Edelman’s work on Labels and Disclosures in Search Advertising:

First, we evaluate a widely-used disclosure and two plausible alternatives, assessing their relative merits and showing their distinctive effects on particular subsets of users. Second, we isolate the mechanism of their effects—showing that alternate disclosures reduce advertisement clicks not through user fear or confusion but through a genuine increase in understanding.

So what does one do when the ad network is not the same entity responsible for the content of the page that you visited?

Using the last MAD Monday as an example, who should I have reported the malicious ad to? And how? If I was mom or pop, I suppose I could have sent an email to The New York Times.

Dear NYT,

One of your ads resulted in my computer being infected. It was the one that pointed to


Mom and Pop

This is a great effort from mom and pop but, truth be told, NYT can’t do much with this. Well, NYT could forward the email to the ad network (assuming they know which one was rotated in when mom and pop visited), but the ad network can’t do much with this either. Ad networks serve hundreds of millions of impressions every single day. When was the ad served, and which country was it served in (they need to know which data center to query)? Even looking up an ad when you know everything about it can be tricky. Even more complexity enters the scene when third-party ads are involved.

To keep things nice and simple though, I’m not going to touch on third parties, just yet. The best solution for mom and pop is simply to enable them to report an ad without much effort at all on their part. It’s not fair to expect mom and pop to know the intricacies involved with online advertising.

This brings me back to my point that most consumers are simply not aware of the risks involved with online advertising. I am willing to wager that most people don’t know they are the victim of malware or deceptive practices from an ad. Of those that do, most of them don’t know how to report the ad responsible. Furthermore, the ad networks don’t do very much to enable one to report an ad.

Since the ad network from this week’s MAD Monday has still not taken down the malicious ad identified on The New York Times (as of 11PM PST, 9/28/2011), let’s stick with them in the following example:

As always, the red scribble has been added by me. Yes folks, the bad ad is still there. You know it’s bad now, but how are you going to report it? Have you tried emailing a premium publisher before? How about emailing a large ad network? I tried to email the VP of Advertising on NYT but the email listed in their contacts section ( bounced. I didn’t even know where to start when it came to emailing the ad network.

Why isn’t there a little button or small link next to each ad that with just a click or two results in everything the ad network needs in order to take the ad in question down? I am going to leave it to you to make your own assumptions here. Ah yes, I want to emphasize one last point. I discussed the bait and switch up above because this is something that the good ad networks prepare for. It’s very difficult to eliminate this threat. It will always be there, but the good networks do their best to protect the consumer regardless.

That said, the bad ad highlighted above is not a bait and switch. It is what it is and it has been doing what it does for a while now. There’s no bait, there’s no switch.

There’s just an ad network sending consumers to a landing page with deceptive practices and distributing binaries that we know infect one’s computer.


1 Comment

  1. Eric
    September 29, 2011

    Great post!