It's ridiculous. It's a text-based ad. At worst, it's a clickable image. At what point did it become okay in your minds to let advertisers run arbitrary code?
I've left ads turned on specifically on StackOverflow because 1) I want to support StackOverflow, and 2) I trust them not to run malicious ads.
I don't even care that they're running ads network-wide. But if they're going to be running these kinds of ads anywhere on the site, they're going right on the ad block list along with everyone else.
It’s completely insane. Can you imagine a TV station receiving ads on tapes and playing them to their audience without looking at them first? Can you imagine TV stations occasionally showing ads containing porn, urging people to kill, showing extreme violence during cartoons, or containing specially crafted audio that blows out your speakers, and the TV station just shrugs and says they try their best to stop these things but they can’t stop everything?
Imagine a TV ad that tries to make your phone call a 1-900 number so they can rip you off, and the station says they don’t know where it came from but they’re trying real hard to put a stop to it. And somehow watching the ads themselves before broadcasting them never crosses their mind.
It’s worse than that. Imagine a TV ad which sends malicious code that gets executed to your television, which profiles the hardware in your TV and sends information about your viewing habits (tied to a unique ID) back to the advertiser.
In any other context we would call this a security vulnerability. I think that label also applies here.
I bought a new wifi router and never told the Vizio the new credentials. If it manages to somehow figure out how to log onto the new router, and transmit the data about how I don't own cable service and mostly use it to play retro games? I'm going to be kindof impressed really; at that point, Vizio can have the data.
The state of web ads is closer to the public pinboard only instead of having ads for grandmas couch its Mr CEO trying every trick to drain your money and track you.
The only reason it’s not the same situation is because they’re willing to throw their users under the bus for a little extra cash. If they wanted to exert more control, they absolutely could. Ads would cost more and we’d see fewer distinct ads as a result.
Digital ads could work where every single one is vetted by people before it’s served to any users. There is no reason it can’t work this way, other than it being a lot cheaper to skip that step.
Yet adverts on porn sites do operate as per our wish list:
* adverts are vetted by a human
* adverts are not allowed to inject JavaScript.
There have been a few interesting blog posts from businesses outside of the adult entertainment industry where they discuss just how work is involved in getting an advert approved on adult sites.
It’s a sad state of affairs when an adblocker is less required on porn sites than it is on Stack Overflow.
That sounds nice but is neither realistic or even sensible. There are other solutions like sandboxing to prevent access to features, it's not an unsolvable problem.
Billions? No single creative is seen by that many. In fact, with dynamic creative optimization (DCO) and all the optimization that happens, you can easily get creatives that are custom generated and only see by a few individuals or even a single person.
I think this comment[1] on the linked Meta question explains it pretty well:
> To the people confused why ads need to run their own Javascript (even ones that are just static images): The short answer is that Ad Networks do not and cannot trust website operators. They need to run their own JavaScript served from their own servers in order to verify that a real user saw the ad and for how long, and they can't trust the website operator to tell them. And these pieces of JavaScript tend to be more invasive and privacy-destroying than the website's JS because they care, far more than the actual website does, that the "user" is not a bank of iphones in a sweatshop in China.
Not just arbitrary JavaScript, arbitrary JavaScript where they can’t easily even see where it came from! Sheesh.
Could we require advertisers to sign their ad code to have a trail of where it came from, prevent tampering, and make it easier to pull the plug on bad actors?
The people bearing the costs of the internet ad economy aren’t the people in any position to do anything about it. So there’s very little pressure to fix anything.
Maybe if the US government started threatening to enact something like GDPR unless the a democratic industry gets its shit together.
Large adtech demand/sell side platforms do not want to remove these bad actors because they make money on percentage of spend. They are incentivized to increase volume and ad spend at all costs, and there is no regulation to stop them from doing otherwise by continuing to deal with shady companies and known malware techniques.
This is not a solution. JS still runs, it just has limited access to certain features.
You also need to somehow <iframe> the ad content (and serve it from somewhere else with the feature policy header set/attribute on the iframe set) or else sacrifice use of these features on your own site.
The solution is to make the ads inert. They do not need to run code.
Sites like StackOverflow require JavaScript to work (or at least, to work in a manner approaching interactivity). So, even someone who disables JavaScript normally, would presumably enable it in order to use this popular and useful site. Furthermore – and importantly – they place trust in StackOverflow not to abuse the privilege of executing arbitrary JavaScript. That is an entirely reasonable thing for a technically savvy modern web user to do.
By serving this ad with JavaScript not vetted to StackOverflow's presumed standard, StackOverflow has violated that trust. Thus the onus is on them, not the user, to remove the offending ad or risk damaging their brand.
Honestly, what you said is like saying "why would you ever not keep a hand on your wallet" after someone got pickpocketed in a nice restaurant. Reasonable people have reasonable expectations of safety in certain places which they trust to provide it for them. No-one should go around being constantly paranoid of pickpockets everywhere, no more than anyone on the web should be constantly paranoid of malicious JavaScript even on sites with established records of safety.
> So, even someone who disables JavaScript normally, would presumably enable it in order to use this popular and useful site.
I agree that StackOverflow is at fault here, but enabling JS is not a binary choice — "allow all JS on this site" vs "block all JS on this site" are not your only options.
Tools like uMatrix allow me to control JS coming from different domains on different domains independently. For example, on SO I have enabled JS from Stack Exchange and related domains, but not from Google or other snoopers.
It's ridiculous. It's a text-based ad. At worst, it's a clickable image. At what point did it become okay in your minds to let advertisers run arbitrary code?
I've left ads turned on specifically on StackOverflow because 1) I want to support StackOverflow, and 2) I trust them not to run malicious ads.
I don't even care that they're running ads network-wide. But if they're going to be running these kinds of ads anywhere on the site, they're going right on the ad block list along with everyone else.