Tuesday, November 21, 2017

Has Web Advertising Jumped The Shark?

The Web runs on advertising. Has Web advertising jumped the shark? The relevant Wikipedia article says:
The usage of "jump the shark" has subsequently broadened beyond television, indicating the moment when a brand, design, franchise, or creative effort's evolution declines, or when it changes notably in style into something unwelcome.
There are four big problems with Web advertising as it currently exists:
  1. Bad guys love it.
  2. Readers hate it.
  3. Webmasters hate it.
  4. Advertisers find it wastes money.
#4 just might have something to do with #3, #2 and #1. It seems that there's a case to be made. Below the fold I try to make it.

Bad guys love it

There are at least three major, and one so far minor, business opportunities for the bad guys in Web advertising:
  • Fraud
  • Malvertising
  • Domain spoofing
  • Cryptojacking
They're all enabled by the fact that, as blissex wrote in this comment, we are living:
In an age in which every browser gifts a free-to-use, unlimited-usage, fast VM to every visited web site, and these VMs can boot and run quite responsive 3D games or Linux distributions


In 2015 George Slefo at Ad Age reported that:
As digital spend continues to reach landmark highs -- it hit $27.5 billion for the first half of 2015 -- so does ad fraud, which is now estimated to cost the industry about $18.5 billion annually, according to a report released Thursday by Distil Networks.

That means for every $3 spent, $1 is going to ad fraud.
A long 2015 report from a team at Bloomberg took off from this study:
A study done last year in conjunction with the Association of National Advertisers embedded billions of digital ads with code designed to determine who or what was seeing them. Eleven percent of display ads and almost a quarter of video ads were "viewed" by software, not people. According to the ANA study, which was conducted by the security firm White Ops and is titled The Bot Baseline: Fraud In Digital Advertising, fake traffic will cost advertisers $6.3 billion this year.

One ad tracked in the study was a video spot for Chrysler that ran last year on Saveur.tv, a site based on the food and travel lifestyle magazine. Only 2 percent of the ad views registered as human, according to a person who was briefed on data provided to the study's participants.
Note the roughly 3x difference in the 2015 estimates of fraud; from $18.5B to $6.3B in a $55B industry, or between 34% and 11%. This suggests that researchers have only a vague idea of the scale of the problem, but even the low estimate would put ad fraud as a company in the bottom half of the S&P 500. Other estimates are in the same range. For example, at The Register Thomas Claburn writes:
'It's about 60 to 100 per cent fraud, with an average of 90 per cent, but it is not evenly distributed,' said Augustine Fou, an independent ad fraud researcher, in a report published this month.

... Among quality publishers, Fou reckons $1 spent buys $0.68 in ads actually viewed by real people. But on ad networks and open exchanges, fraud is rampant.

With ad networks, after fees and bots – which account for 30 per cent of traffic – are taken into account, $1 buys $0.07 worth of ad impressions viewed by real people. With open ad exchanges – where bots make up 70 per cent of traffic – that figure is more like $0.01. In other words, web adverts displayed via these networks just aren't being seen by actual people, just automated software scamming advertisers.
The ANA report covered the full range of ad fraud but focused on click fraud, which Wikipedia defines thus:
Click fraud is a type of fraud that occurs on the Internet in pay-per-click (PPC) online advertising. In this type of advertising, the owners of websites that post the ads are paid an amount of money determined by how many visitors to the sites click on the ads. Fraud occurs when a person, automated script or computer program imitates a legitimate user of a web browser, clicking on such an ad without having an actual interest in the target of the ad's link.
The study is now annual, the 2017 edition reported that:
The third annual Bot Baseline Report reveals that the economic losses due to bot fraud are estimated to reach $6.5 billion globally in 2017. This is down 10 percent from the $7.2 billion reported in last year's study. The fraud decline is particularly impressive recognizing that this is occurring when digital advertising spending is expected to increase by 10 percent or more.
Nevertheless, at least a gross $6.5B/year is flowing to the bad guys. Not bad for a high-margin business.


Web advertising is a channel by which web sites deliver third-party content to browsers. Sites generally have little control over this third-party content. So bad guys can use the Web advertising channel directly, or by compromising an ad supplier, to deliver malware. This is called malvertising. Malware such as Angler has been disseminated via even the most prominent web sites:
However, out of the blue on the weekend we witnessed a huge spike in malicious activity emanating out of two suspicious domains. Not only were there a lot of events, but they also included some very high profile publishers, which is something we haven’t seen in a while:
Publisher Traffic (monthly)*
msn.com 1.3B
nytimes.com 313.1M
bbc.com 290.6M
aol.com 218.6M
my.xfinity.com 102.8M
nfl.com 60.7M
realtor.com 51.1M
theweathernetwork.com 43M
thehill.com 31.4M
newsweek.com 9.9M

Or more recently, this campaign:
RoughTed is a large malvertising operation that peaked in March 2017 but has been going on for at least well over a year. It is unique for its considerable scope ranging from scams to exploit kits, targeting a wide array of users via their operating system, browser, and geolocation to deliver the appropriate payload.
Which is very sophisticated:
Another interesting aspect is that redirections to RoughTed domains seem to happen even to those running ad-blockers and that was reported by users of Adblock PlusuBlock origin or AdGuard.
Thus readers don't merely use ad-blockers to retain control over their user experience, prevent tracking and economize on bandwidth, but also to reduce their risk of infection by malware.

Domain Spoofing

Most advertisers buy their space on web sites via exchanges, real-time auction systems that connect space sellers (web sites) with space buyers (advertisers). Maciej Cegłowski described the baroque complexity of this system in What Happens Next Will Amaze You. Fraudsters take advantage of this complexity and obscurity to trick advertisers into buying space on web sites that the site isn't selling, and pocket the proceeds on an enormous scale:
Methbot, a domain spoofing scam that's widely regarded as the largest ad fraud attack in history, bilked marketers of $3 million to $5 million a day for over a month. Even Google, which is regarded as having the best defenses when it comes to preventing fraud, is also believed to be a victim of a recent domain spoofing attack.
This problem is endemic and the scale of fraud is astonishing, as revealed by an experiment run by Business Insider. One:
Business Insider advertiser thought they had purchased $40,000 worth of ad inventory through the open exchanges when in reality, the publication only saw $97, indicating the rest of the money went to fraud.

"There was more people saying they were selling Business Insider inventory then we could ever possibly imagine," ... "We believe there were 10 to 30 million impressions of Business Insider, for sale, every 15 minutes."

To put the numbers in perspective, Business Insider says it sees 10 million to 25 million impressions a day.
Any time the bad guys can siphon off 99.7% of the cashflow, the good guys have a problem.


The idea that micro-payments would be the business model for digital services goes back to the early days of the Web, and was later one of the benefits Satoshi Nakamoto initially touted for Bitcoin:
Banks must be trusted to hold our money and transfer it electronically, but they lend it out in waves of credit bubbles with barely a fraction in reserve. We have to trust them with our privacy, trust them not to let identity thieves drain our accounts. Their massive overhead costs make micropayments impossible.
Alas, Bitcoin's "massive overhead costs" (over $10/transaction for the last 6 months) and high probability of dropped transactions (currently about 20%) mean that micro-payments are one of its early promises upon which Bitcoin failed to deliver. Mining Bitcoin is the domain of data centers full of custom ASICs; it is far out of reach of the free VMs in your browser.

Fortunately from the point of view of the bad guys, there are other cryptocurrencies that are easier to mine than Bitcoin, so still within the reach of the free VMs in browsers. Of course, this means they are worth less, but they aren't worthless. A company called CoinHive spotted this opportunity, and released a JavaScript miner for Monero. Their idea was that web sites would, instead of selling space to advertisers, mine Monero in their readers browsers. As usual, The Pirate Bay was in the forefront of business model innovation on the Web. It was one of the sites that experimented with this idea.

The experiments weren't a success. The sites didn't explain to their users why their CPUs were bogged down, or offer them a choice between ads and CPU cycles. But CoinHive's technology quickly found its market niche. Malvertising entrepreneurs realized that mining Monero was more directly profitable than many of the other plagues they visit upon their victims, and thus cryptojacking was born.

Cryptojacking involves breaking into a web site, or an advertiser, and adding JavaScript that invokes CoinHive's miner, or one of the rash of copy-cat miners. When a browser visits the web site, or a site displaying the advertiser's content, the miner is activated and mines as long as the page is open, typically consuming a large fraction of the available CPU cycles. As Iain Thomson reports for The Register:
Mursch found 30,611 sites on the web running Coin Hive's JavaScript to effectively crypto-jack machines
It appears that:
many of these mining operations are being run by one person. Mursch found that one “Mohammad Khezri” of Iran seems to be controlling a vast number of mining operations spread across many domains to maximize his returns.
Ad-blockers have rapidly adapted to this new incursion:
At least two ad blockers have added support for blocking Coinhive's JS library - AdBlock Plus and AdGuard - and developers have also put together Chrome extensions that terminate anything that looks like Coinhive's mining script - AntiMiner, No Coin, and minerBlock.
Is cryptojacking doomed? No! Firstly, ad-blockers haven't killed Web ads, because only some readers block ads. Secondly, there is the advent of Encrypted Media Extensions (EME), the W3C's DRM for the Web. The whole goal of EME is to ensure that the reader and their browser neither know what encrypted content is doing, nor can do anything about it. All that is needed for cryptojacking profitability is for the cryptojacker to use EME to encrypt the payload with the cryptocurrency miner. The reader and their browser may see their CPU cycles vanishing, but they can't know why. Although in the nature of the arms race between advertisers and readers there is a proposal at Google that might prevent even EME-ed cryptomining:
If a site is using more than XX% CPU for more than YY seconds, then we put the page into "battery saver mode" where we aggressively throttle tasks and show a toast [notification popup] allowing the user to opt-out of battery saver mode. When a battery saver mode tab is backgrounded, we stop running tasks entirely."
There is also a problem with the economics of cryptojacking. The use of free CPU cycles to mine Monero will increase the supply of miners, and thus drive down the value in Monero of a CPU cycle. Like Bitcoin, the total supply of Monero is limited, so the more miners the smaller the share of the reward each can expect. If cryptojacking becomes popular, and it can evade the ad-blockers, it will drive miners who have to pay for their CPU cycles out of the Monero blockchain.

The main reason for transactions to use Monero is anonymity:
Monero is now establishing itself as the ‘coin of choice’ for people that want privacy in their transactions or that want to use Dark Markets. Bitcoin lost flavor with Dark Market users who quickly switched loyalty when they realized that Monero took privacy a few steps further than Bitcoin ever could.
The supply of Monero is fixed irrespective of its price. The demand to both buy and sell Monero is currently the demand for anonymous transactions plus speculation. In order to spend their ill-gotten gains, cryptojackers need to sell the Monero they mine for "fiat currency", adding to the sell-side but not the buy-side, and thus driving the price in "fiat currency" down. If cryptojacking became significant in the Monero blockchain it would tend to be a self-limiting phenomenon.

Readers hate it

OK, so fraud and insecurity is rampant in Web advertising. But that's true to some extent of everything on the Internet. People keep using e-mail despite the flood of spam and phishing. But in fact the e-mail ecosystem adapted. Techniques were developed to filter out the spam and phishing, and they were successful enough that they typical e-mail user sees very little of it.

The analogous development has been happening for Web advertising. The competition for eyeballs drove advertisers to develop increasingly obnoxious ads, and economic pressure drove web sites to sell more and more of their space to run them. Reader's experience of the Web degraded, as ads seized control of the page, forced them to search for the tiny X that would kill the pop-over between them and the content, and made the page bounce around like a demented terrier:
This leaves you chasing after buttons and tabs as they slide around, jump up and down, run about in circles and generally act like some demented terrier that has just dug up a stash of cocaine-laced Bonio.

I blame web browser developers for letting this happen. Allowing websites to load into a browser window bit by bit was a mistake. Over the years, this has persuaded application developers into thinking this is acceptable behaviour when IT ISN'T.
And now publishers are inflicting auto-running video on  their readers (my emphasis):
there have been numerous cases over the last six months to a year in which digital publishers have announced either major job cuts or in some cases literally fired their entire editorial teams in order to ‘pivot to video.’ The phrase has almost become a punchline since, as I’ve argued, there is basically no publisher in existence involved in any sort of news or political news coverage who says to themselves, my readers are demanding more of their news on video as opposed to text. Not a single one. The move to video is driven entirely by advertiser demand.
You are not the customer; you are the product.

Users responded by deploying "ad blockers" to regain some control over their browsing experience, and to defeat the trackers that infested the content and consumed much of their bandwidth.

Nushin Rashidian at Columbia Journalism Review reported that:
More than 28 percent of US internet users have installed ad blockers.
Doc Searl's It's People vs. Advertising, not Publishers vs. Adblockers makes a good point:
nearly all press coverage of what's going on here defaults to "(name of publisher or website here) vs. ad blockers."

This misdirects attention away from what is actually going on: people making choices in the open market to protect themselves from intrusions they do not want.

Ad blocking and tracking protection are effects, not causes. Blame for them should not go to the people protecting themselves, or to those providing them with means for protection, but to the sources and agents of harm.
The arms race between advertisers and readers continues, with Google enhancing their Chrome browser:
With Chrome 64, Google plans to tackle auto-redirects. We've all been there: you open a new tab or web page and just as it starts to load you get whisked away to a different page, often filled with nonsense or surveys or any other thing you didn't ask for an[d] never wanted to see. It's frustrating, especially when you can't go back or you get prompted to download random suspicious stuff. All you can do in those situations is close the page or tab and try to find your way back to where you wanted to be before the foolery happened.
Alas, as I described in The Amnesiac Civilization: Part 4:
DRM-ing a site's content will prevent ads being blocked. Thus ad space on DRM-ed sites will be more profitable, and sell for higher prices, than space on sites where ads can be blocked. The pressure on advertising-supported sites, which include both free and subscription news sites, to DRM their content will be intense.
Having accepted that valuable video and audio content deserves DRM protection, the W3C will find it hard to argue that valuable advertising content doesn't deserve similar protection. The readers who will bear the impact of obnoxious and malware-infested ads will have no voice in the decision; the W3C ignored unprecedented opposition to approve EME.

Webmasters hate it

Advertising pays for most of the content on the Web, but about 2/3 of the revenue from advertising, and almost all of the growth in revenue, goes to Google and Facebook, neither of whom produces any content. Not merely does Web advertising not bring in as much money as site owners think they deserve and need to produce quality content, but worse, it leaves the webmaster's business at the mercy of Google and Facebook. Josh Marshall runs Talking Points Memo, a fairly successful independent news publisher. He wrote A Serf on Google's Farm, a deep dive into the details of the relationship between his site and Google:
It all starts with "DFP", a flavor of Doubleclick called DoubleClick for Publishers (DFP). DoubleClick was one of the early "ad-serving companies" that Google purchased years ago. ... DFP is the application (or software, or system - you could define it in different ways) that serves ads on TPM. I don't know the exact market penetration. But it's the hugely dominant player in ad serving across the web. So on TPM, Google software manages the serving of ads. Our ads all drive on Google's roads.

Then there's AdExchange. That's the part of Google that buys ad inventory. A huge amount of our ads come through ad networks. AdExchange is far and away the largest of those for us - often accounting for around 15% of total revenues every month - sometimes higher. So our largest single source of ad revenue is usually Google. To be clear that's not Google advertising itself but advertisers purchasing our ad space through Google. But every other ad we ever run runs over Google's ad serving system too. So Google software/service (DFP) runs the ad ecosystem on TPM. And the main buyer within that ecosystem is another Google service (Adexchange).
Advertisers are the customers for an ad-supported site's business, readers are the product. Google controls the channel by which the site sells its product to its customers. Not a comfortable place for a business to be. Marshall certainly isn't comfortable:
The publishers use DoubleClick. The big advertisers use DoubleClick. The big global advertising holding companies use Doubleclick. Everybody at every point in the industry is wired into DoubleClick. Here's how they all play together. The adserving (Doubleclick) is like the road. (Adexchange) is the biggest car on the road. But only AdExchange gets full visibility into what's available. (There's lot of details here and argument about just what Google does and doesn't know. But trust me on this. They keep the key information to themselves. This isn't a suspicion. It's the model.) So Google owns the road and gets first look at what's on the road. Not only does Google own the road and makes the rules for the road, it has special privileges on the road. One of the ways it has special privileges is that it has all the data it gets from search, Google Analytics and Gmail. It also gets to make the first bid on every bit of inventory. Of course that's critical. First dibs with more information than anyone else has access to. (Some exceptions to this. But that's the big picture.) It's good to be the king. It's good to be a Google.
Marshall's response is to reduce his dependency on advertising:
We could see this coming a few years ago. And we made a decisive and longterm push to restructure our business around subscriptions. So I'm confident we will be fine. But journalism is not fine right now. And journalism is only one industry the platform monopolies affect. Monopolies are bad for all the reasons people used to think they were bad. They raise costs. They stifle innovation. They lower wages. And they have perverse political effects too. Huge and entrenched concentrations of wealth create entrenched and dangerous locuses of political power.
[Full disclosure - I subscribe to Talking Points Memo and access subscriber-only content in return.]. Marshall's choice of the "freemium" model supported by both advertising and subscription is common, as Ariel Stulberg writes in Columbia Journalism Review:
Even as they’ve added paying Web subscribers by the hundreds of thousands, daily newspapers have decisively rejected an all-in approach featuring “hard” website paywalls that mimic their print business models. Instead, most are employing either “leaky” paywalls with unlimited “side doors” for non-subscribers or no paywalls at all, according to a CJR analysis of the nation’s 25 most-visited daily newspaper sites.

There was little agreement on a paywall strategy and certainly no consensus solution to the problem of the “ideal” newspaper paywall. The paywalled news sites, 15 in total, diverged widely in the cost of their subscriptions, the number of free articles dispensed, the specific combination of “side door” exceptions employed, and whether they operated via one flagship website or two—one free and one for subscribers.

Despite what seems like widespread optimism about the prospect of digital subscriptions buttressing the industry, a full 10 sites, 40 percent of the outlets we looked at, focused on ad revenue exclusively, eschewing paywalls.
Marshall isn't alone in his discomfort, either. Melody Kramer writes for the Poynter Institute:
And despite our (perhaps) growing unease with these platforms, we still rely on the them for distribution. In their excellent report on the convergence between publishers and platforms, Emily Bell and Taylor Owen write that “A growing number of news organizations see investing in social platforms as the only prospect for a sustainable future, whether for traffic or for reach,” echoing what Franklin Foer recently wrote in The Atlantic about The New Republic’s increasing dependency on these platforms — and what their algorithms might surface: “Dependence generates desperation — a mad, shameless chase to gain clicks through Facebook, a relentless effort to game Google’s algorithms. It leads media outlets to sign terrible deals that look like self-preserving necessities: granting Facebook the right to sell their advertising, or giving Google permission to publish articles directly on its fast-loading server. In the end, such arrangements simply allow Facebook and Google to hold these companies ever tighter.”
Marshall continues his insider analysis of the economics of Web publishing by predicting a crash:
You have three different factors coming together at once: two primary ones and one secondary but critical one.

First, digital publishing has always been ruled by a basic structural reality: there are too many publications. ... Well, it’s like this: There are too many publications relative to the funding available to support them, given that it has been almost universally assumed that the funding comes from advertising. That creates the furious competition for clicks and the ever growing intrusiveness of ads. The advertisers have all the power. So rates are always going down.
Then came the platform monopolies: Google, Facebook and a few others. Over the last five years or so but accelerating rapidly in the last 24 months, they’ve gobbled up almost all of the growth in advertising revenue and begun to engross a substantial amount of the existing advertising revenue as well.
Now, here’s the too little discussed part of the equation. A huge, huge, huge amount of digital media is funded by venture capital. That’s not just to say they had investors at the start but in effect a key revenue stream of many digital publications has been on-going infusions of new investment.

Much of that investment has been premised on the assumption that scale – being huge – would allow publications to create stable and defensible business models. ... But that hasn’t happened. Just as one fact point, The Wall Street Journal reported today that Buzzfeed is going to miss its revenue target this year by as much as 20%. That’s a lot.
Another way of putting that is that the future that VCs and other investors were investing hundreds of millions of dollars in probably doesn’t exist. And that means that they’re much less likely to invest more money at anything like the valuations these companies have been claiming.

The big picture is that Problem #1 (too many publications) and Problem #2 (platform monopolies) have catalyzed together to create Problem #3 (investors realize they were investing in a mirage and don’t want to invest any more). Each is compounding each other and leading to something like the crash effect you see in other bubbles
After the shark comes the crash.

Advertisers find it wastes money

Procter and Gamble, the world's biggest advertiser, cut spending on digital ads:
by an amount equating to $140mm. For context, P&G spent $7.2bn on advertising during its fiscal 2015, and likely around $1.5bn in digital advertising, or ~$400mm per quarter. An advertiser like P&G might allocate around 70% of digital advertising budgets to Google and Facebook ($300mm?). P&G's prior rhetoric regarding Facebook and Google (and crude math, given the scale of the cuts) strongly suggest that these media owners would have experienced cuts.
And nothing bad happened to P&G:
Most critically, because P&G indicated its view that reductions did not impact revenue growth, the statement will undoubtedly add fuel to the fire of large brands more carefully scrutinizing their digital advertising choices. Large advertisers represent around 30% of Facebook revenues, on our estimates.
Tyler Durden reports that:
Previously P&G's CFO had said that “the reduction in marketing that occurred was almost all in the digital space. And what it reflected was a choice to cut spending from a digital standpoint where it was ineffective: where either we were serving bots as opposed to human beings, or where the placement of ads was not facilitating the equity of our brands."

Moeller also touched on the two most common complaints about digital advertising scams: advertisers are paying for ads that are viewed and clicked on by bots, not humans; and ads are placed by thousands of automated “ad exchanges” that are out of control of the advertiser on sites and pages that don’t match the advertiser’s products.
Tyler Durden also reports that it isn't just P&G:
Restoration Hardware delightfully colorful CEO, Gary Friedman, divulged the following striking anecdote about the company's online marketing strategy, and the state of online ad spending in general ... What Friedman revealed - in brief - was the following: "we've found out that 98% of our business was coming from 22 words. So, wait, we're buying 3,200 words and 98% of the business is coming from 22 words. What are the 22 words? And they said, well, it's the word Restoration Hardware and the 21 ways to spell it wrong, okay?"

Stated simply, the vast, vast majority of online ad spending is wasted, chasing clicks that simply are not there.
Friedman concluded:
I mean, I can't believe how many companies buy their own name and they're paying Google millions of dollars a year for their own name, like maybe if this is webcast, right, a lot of people are going to go, holy crap. They're going to look at their investments. They'd go, maybe we don't need to buy our own name. Google's market cap might go down...
Nushin Rashidian at Columbia Journalism Review reported that:
This has been the worst year since 2000 for WPP, the world’s largest ad agency, after, earlier this year, two of the biggest ad spenders in the world, Procter & Gamble and Unilever, decided to slash ad spending in part because of concerns around the transparency and performance of hyper-targeted ads served by algorithms.

So What?

Wolf Richter writes:
There’s a larger issue: Retail spending (not adjusted for inflation) has grown on average 2.4% per year in the US over the past five years. Over the same period, digital advertising nearly doubled to $72.5 billion in 2016. Clearly, even digital advertising – despite the lure of Facebook and the like – cannot induce consumers overall to spend more and increase the size of the overall pie for advertisers. It can only, at best, divide up the pie differently.

And when one of the most sophisticated high-tech advertisers in the world decides it is overspending on digital advertising and is able to very carefully remove the rot, thus bringing down its costs without hurting its revenues, other companies will follow, with some consequences for the relentless but often ineffective surge of digital advertising dollars.
Tyler Durdern again:
Of course, the implications to this admission that online advertising was either being gamed by bots, or generally underperforming were significant, as it jeopardized the future revenue streams of two of the biggest companies in the world, Alphabet (aka Google) and Facebook, both almost entirely reliant on online advertising. How long before other anchor names decided to similarly cut back on their online ad spending?  In short: slowly but surely, chronic buyers online advertising space, are slowly waking up to the fact that "adtech" may be one of the biggest hype (and hope) bubbles in history. Not all of it, but a material, substantial portion: one that may be responsible for a significant chunk of Google's or Facebook's cash flow and market cap.
Wolf Richter again:
When P&G speaks about cutting digital advertising, people listen, other companies follow, and the advertising industry quakes in its boots.

In April, P&G announced some details of its $12 billion or so cost-cutting binge over five years. This includes slashing $2 billion in advertising expenditures – among them $1 billion in media and $500 million in agency fees.

A year ago P&G announced that it would move away from ads on Facebook that micro-target specific consumers. Facebook is trying to leverage its enormous trove of consumer data to enhance its income. This has been its big promise. But P&G found that this micro-targeting of specific consumers based on the data Facebook has collected on them reduced reach and wasn’t working.
Tyler Durden again:
A separate, if just as concerning problem emerged last month, when the WSJ reported that online ad giant, Google, would issue refunds to advertisers for ads bought through its platform that ran on sites with fake traffic, and generated no actionable advertising "clicks." Just how much of Google's ad revenue (and thus profits and market cap) had been inflated over the years by said "fake ads"?
Tyler Durden concludes:
One wonders how long before all retailers - most of whom are notoriously strapped for revenues and profits courtesy of Amazon - and other "power users" of online advertising, do a similar back of the envelope analysis, and find that they, like RH, are getting a bang for only 2% of their buck? What will happen to online ad spending then? And what will happen to the online ad giants, if the vast majority of ad spending that justified their hundreds of bilions in market cap is exposed as "bloat"? As Friedman politely, yet sarcastically put it, "Googles market cap might go down"...
Clearly, the price of GOOGL and FB is what financial journalists like Durden and Richter care about. But, given the winner-take-all nature of technology markets, my guess is that a reduction in overall spending on online advertising is going to be a much bigger problem for smaller web sites than for Google and Facebook. Its going to accelerate the centralization of the Web.

The more the Web is dominated by Google, Facebook and Twitter the more their algorithms drive journalists in their search for clicks. Examples abound, such as:
If you searched Google immediately after the recent mass shooting in Texas for information on the gunman, you would have seen what Justin Hendrix, the head of the NYC Media Lab, called a “misinformation gutter.”
The "misinformation gutter" came from Google's ranking algorithm prioritizing random tweets above actual reporting. Melody Kramer writes:
This reliance on algorithmic click-chasing was the basis for a recent essay by Maciej Ceglowski, who runs a bookmarking site called Pinboard and frequently writes about socio-technological issues. He traces one story that burgeoned out of Amazon’s “frequently bought together” algorithm, and then spread very quickly to other media outlets, despite little evidence that it was true. Justification for republishing, he wrote, was often because other news outlets had already reported on it.
She goes on to interview Cegłowski. It is a must-read piece, and so is Cegłowski's essay Anatomy of a Moral Panic:
The real story in this mess is not the threat that algorithms pose to Amazon shoppers, but the threat that algorithms pose to journalism. By forcing reporters to optimize every story for clicks, not giving them time to check or contextualize their reporting, and requiring them to race to publish follow-on articles on every topic, the clickbait economics of online media encourage carelessness and drama. This is particularly true for technical topics outside the reporter’s area of expertise.
The combination of winner-take-all markets and the dependence of the Web on advertising is rapidly degrading the signal to noise ratio. So it isn't just the fact the everyone involved (except the bad guys, Google and Facebook) hates the system, but it is causing actual harm to society.


David. said...

Look under the clock in your Windows toolbar, says Jerome Segura. You may well find a persistent cryptominer.

Hat tip to Shaun Nichols at The Register.

David. said...

"Security experts claim four extremely popular video-streaming websites have been secretly loaded with crypto-currency-crafting code." Shaun Nichols at The Register's report is based on Andrey Meshkov's blog post:

"we came across several VERY popular websites that secretly use the resources of users' devices for cryptocurrency mining and were avoiding ad blockers so far. According to SimilarWeb, these four sites register 992 million visits monthly. And the total monthly earnings from crypto-jacking, taking into account the current Monero rate, can reach $326,000."

David. said...

Currency-mining Android malware is so aggressive it can physically harm phones by Dan Goodin at Ars Technica starts:

"A newly discovered piece of Android malware carries out a litany of malicious activities, including showing an almost unending series of ads, participating in distributed denial-of-service attacks, sending text messages to any number, and silently subscribing to paid services. Its biggest offense: a surreptitious cryptocurrency miner that's so aggressive it can physically damage an infected phone."

David. said...

The arms race between advertisers and ad-blockers continues with Measuring and Disrupting Anti-Adblockers Using Differential Execution Analysis by Shitong Zhu et al:

"We want to develop a comprehensive understanding of anti-adblockers, with the ultimate aim of enabling adblockers to be resistant against anti-adblockers. To this end, we propose a system based on differential execution analysis to automatically detect anti-adblockers. Our key idea is that when a website is visited with and without adblocker, the difference between the two JavaScript execution traces can be safely attributed to anti-adblockers."

Hat tip to Cory Doctorow.

David. said...

"Myspace — the iconic social network of the early 2000s — seemed to be experiencing a resurgence this summer when millions of visitors flocked to its new video page, potentially generating a wave of ad revenue for the site’s troubled parent company, Time Inc.

But Myspace shut the page down this week after a BuzzFeed News investigation revealed that the surge in traffic came primarily from suspect sources that racked up fraudulent ad impressions." reports Craig Silverman at BuzzFeed in Myspace Looked Like It Was Back. Actually, It Was A Pawn In An Ad Fraud Scheme:

"The growing awareness of ad fraud among brands and agencies is causing major advertisers to pull back budgets and demand more accountability from their partners. Industry leaders expect more than $16 billion to be stolen by fraudsters this year alone."

Its a must-read, as is his earlier Attack of the Zombie Websites:

"the advertising world is in the midst of its own crisis brought on by a multibillion-dollar form of digital deception: ad fraud. This investigation also reveals how seemingly credible players in the ad supply chain can play an active role in — and profit from — fraud."

David. said...

Why you shouldn't let your browser remember your username and password:

"Princeton privacy experts are warning that advertising and analytics firms can secretly extract site usernames from browsers using hidden login fields and tie non-authenticated users visiting a site with their profiles or emails on that domain.

This type of abusive behavior is possible because of a design flaw in the login managers included with all browsers, login managers that allow browsers to remember a user's username and password for specific sites and auto-insert it in login fields when the user visits that site again.

Experts say that web trackers can embed hidden login forms on sites where the tracking scripts are loaded. Because of the way the login managers work, the browser will fill these fields with the user's login information, such as username and passwords."

Yet another good post from Catalin Cimpanu.

David. said...

Charlie Stross' keynote for the 34th Chaos Communications Congress describes corporations as "slow AIs" and traces the current state of the Web back to 1995, when the Internet started using advertising as a business model. Because these "slow AIs" are profit maximizing, Stross argues that their goal is to harvest as much of the available attention as possible, and that regulatory mechanisms have failed to push back on this.

Cory Doctorow's commentary on this talk is interesting:

"Stross says we should be especially worried about machines designed to command ever-larger slices of our attention, without regard to whether we're made happier through this process (after all, you can make someone pay attention to you by driving them nuts, something that's often easier than pleasing them.

He traces the original sin of attention-optimizing autonomous artificial life-forms to the advertising-driven web, which grew up in the dotcom bubble, and suggests that perhaps paid media built on something like microtransactions would have had a better outcome.

I think that this is a causality error, though. The dotcom boom was also an economic bubble because the dotcoms came of age at a tipping point in financial deregulation, ... That meant that the tech industry's heady pace of development was the first testbed for treating corporate growth as the greatest virtue, built on the lie of the fiduciary duty to increase profit above all other considerations.


All this to say that if the web had been built on direct transactions through micropayments, the slow AIs of the corporate world would have still figured out how to toxify the web and the discourse that ran over it. If clicks were worth direct money (as opposed to indirect money, paid through ad brokers), the same forces that optimized for attention-grabbing to attract eyeballs would have just optimized for microtransaction grabbing."

I agree with Doctorow. We don't know how to build infrastructures that push back against the forces of economics, and in particular the force of increasing returns to scale. And because these forces create huge, market-dominating "slow AIs", the regulatory mechanisms no longer work becasue they are captured by the oligopolists (see Ajit Pai).

David. said...

The advertising industry's solution to Bay Area traffic:

"Here’s what you do in your spanking new, internet-connected car when you approach a red or yellow light: slow down way ahead, creep forward slowly — and make sure you never come to a stop.

Here’s why you do it: If you stop moving, your car will start serving you ads on the dashboard, maybe for anti-itch cream because it knows you’re going shopping after a hike in poison oak country." reports Ethan Baron at Silicon Beat.

David. said...

"Many advertisers suspect that the bidding is rigged and they’re paying more for that ad than they should.

They may be right. In a new paper, Mohammad Akbarpour at Stanford Graduate School of Business and Shengwu Li at Harvard University confirm that the most common format of auctions for online ads do indeed give auctioneers ample opportunity to cheat. That can undermine the auctions themselves, if bidders become so skeptical that they stay away." from Rigged Auctions? Why Top Bidders Don’t Always Feel Like Winners by Edmund L. Andrews:

"The controversy turns on what are called “second-price” auctions, which have been hailed as a great way to make the bidding simpler and less risky. In contrast to an old-fashioned “first-price” auction, where the top bidder pays exactly what he or she offered, the winner in a second-price auction only pays as much as the runner-up bidder had offered. ... only the auctioneers know for certain what the second-highest bid was. If the top bid for placing an insurance ad was $60 per click, and the second-highest was $45, the auctioneer could plausibly claim that the second-highest bid was $55 and pocket the difference. If the bids are all sealed, who would know?"

David. said...

Craig Silverman's Apps Installed On Millions Of Android Phones Tracked User Behavior To Execute A Multimillion-Dollar Ad Fraud Scheme is a must-read account of:

"a massive, sophisticated digital advertising fraud scheme involving more than 125 Android apps and websites connected to a network of front and shell companies in Cyprus, Malta, British Virgin Islands, Croatia, Bulgaria, and elsewhere. More than a dozen of the affected apps are targeted at kids or teens, and a person involved in the scheme estimates it has stolen hundreds of millions of dollars from brands whose ads were shown to bots instead of actual humans."

Google's response estimates that:

"the dollar value of impacted Google advertiser spend across the apps and websites involved in the operation is under $10 million. The majority of impacted advertiser spend was from invalid traffic on inventory from non-Google, third-party ad networks."

David. said...

Dan Goodin's How 3ve’s BGP hijackers eluded the Internet—and made $29M describes a highly sophisticated click-fraud scheme:

"In one of the most sophisticated uses of BGP hijacking yet, criminals used the technique to generate $29 million in fraudulent ad revenue, in part by taking control of IP addresses belonging to the US Air Force and other reputable organizations.

In all, "3ve," as researchers dubbed the ad fraud gang, used BGP attacks to hijack more than 1.5 million IP addresses over a 12-month span beginning in April 2017. The hijacking was notable for the precision and sophistication of the attackers, who clearly had experience with BGP—and a huge amount of patience."