Revealed: The naughty tricks used by web ads to bypass blockers

Analysis Netizens may choose to block unwanted content – such as intrusive and misbehaving ads – but some advertising companies do not to accept that choice.

Instart Logic describes itself as a content delivery service and much of that content happens to be advertising. The California-based biz is determined to help its clients present online ads despite the technical choices made by internet users to avoid that content – adverts bypassing ad blockers, in other words.

The company's technology disguises third-party network requests so they appear to be first-party network requests. This allows ad services used by website publishers to place cookies and serve ads that would otherwise by blocked by the browser's same-origin security model.

Raymond Hill, who maintains the popular uBlock Origin content blocker, on Wednesday updated his uBO-Extra add-on software to prevent Instart Logic's code from bypassing uBlock Origin.

In an explanatory note on UBO-Extra's GitHub repository, Hill describes UBO-Extra as follows: "To foil hostile anti-user mechanisms used to work around content blockers or even privacy settings in a browser."

It defends against anti-content-blocking code, in other words.

Efforts to push back against content blocking have taken on greater urgency as adoption has increased. Last year, the technology became more of an issue for mobile devices when Apple introduced support for a Content Blocking API in its Safari browser.

According to PageFair, a digital publishing consultancy, content blocking grew 30 per cent last year and is now practiced by 11 per cent of internet users around the globe.

Facebook last year took steps to disable content blocking on its network, and companies like Instart Logic, PageFair, Sourcepoint, and Uponit aim to provide similar anti-blocking capabilities to other online publishers.

Uponit provides publishing clients with JavaScipt code that attempts to bypass content blocking. "Our JavaScript detects all blocked ad calls, fully recreates them (including targeting) and communicates them to our servers through a secure, undetectable channel that bypasses ad blockers," the company explains on its website.

According to Hill, Instart Logic's code attempts to conceal the way it disguises cookie files. "Instart Logic will detect when the developer console opens, and cleanup everything then to hide what it does," he says.

Detecting when a browser developer console is open for the purpose of concealing code from the technically inclined has been flagged as a bug in Chromium.

'Hostile'

"I consider this to be extremely hostile to users, even those not using a content blocker, as it allows third-party servers to read/write cookies even if a user chose to block third-party cookies," Hill explains.

Luke Mulks, a developer who works on the Brave browser, reports Instart's code also detects network analysis tools Wireshark and Charles Proxy.

Attempts to bypass content blocking decisions turn out to be fairly common. Hill sees websites increasingly turning to the WebRTC API to bypass content blockers.

In a phone interview with The Register, Peter Blum, VP product management at Instart Logic, said there's a battle going on between "quality publishers like The Register" and people who block ads.

"The problem has been over the past few years, the amount of people coming in with ad blockers has risen dramatically," he said. "If it keeps up, it's going to put publishers out of business and it's going to cost reporters their jobs."

Blum said other approaches haven't worked. Most people won't pay for content and they ignore polite requests from websites to disable ad blockers. And he said companies like Eyeo that make ad blocking software and sell advertisers access through whitelisting make some publishers uncomfortable.

"What we do is we work with publishers to help them create a better experience," said Blum, who attributes the desire to block ads to companies that market obnoxiously.

There are other reasons people cite, such as security, privacy, bandwidth, page load time, disinterest, a desire not to be manipulated, and fundamental antipathy to an industry does not guarantee the effectiveness of its product.

Asked to address how his company rationalizes overriding the technical decisions of users who have expressed their preference not to see ads by deploying a content blocker, Blum demurred by suggesting that was up to publishers.

"We provide this tool and we let the publishers have a lot of control over how they use it," he said. "I don't really get into it. We give the publishers a bunch of options."

It is perhaps worth noting that Google did something similar several years ago when it ignored content settings in Apple's Safari browser to place tracking cookies. The FTC fined Google $22.5 million – a paltry sum for the company – but the Chocolate Factory's sin was going back on a previous promise to avoid such behavior rather than, say, hacking Safari users.

Asked why Instart Logic attempts to conceal the activity of its software when a browser's developer console is active, Blum cited the open nature of JavaScript code and said, "Like other companies we just want to protect our IP." ®