Reading https://thatshubham.com/blog/news-audit ( HT @pluralistic ) and I'm astounded.
I had heard of web ad auctions.
I had heard of edge computing.
I did not realize they were pushing their ad auction calculations onto your device!
Knowing this, I think ad blockers are too polite a response. Are there any browser plugins that send them something like a decompression bomb? Or maybe one that interferes in the ranking so the cheapest bid is returned as the winner? My device is the one deciding, after all!
The 49MB Web Page

A look at modern news websites. How programmatic ad-tech, huge payloads and hostile architecture destroyed the reading experience.

@rndeon @pluralistic Author here, thanks so much for reading! I was just as blown away when I first dug into this and had the same reaction.

What is wild is that the logical fix for this, something called Server-to-Server (S2S) auctions like Prebid Server, already exists. It offloads the compute and saves massive amounts of bandwidth. But because of certain data-matching limitations between servers, ad-tech prefers to hijack our browsers to keep revenue high.

To your point about messing with the bids, it is a brilliant thought! But currently, the client just collects the bids... the final clearing price is validated server-side by the primary ad server AFAIK. Spoofing the bid might just break the iframe or serve you a cheap fallback ad if they've built contingency measures (which I'm sure they have).

Dropping the requests entirely with an ad blocker is an incredibly effective and sane response! But I'm always open to hearing from smart people. Thank you for sharing 🙏✨

@pheonix I'm confused by this response, and I think this is an interesting exercise, so I hope you don't mind this reply.

Either the ad server has enough information to validate the bids, in which case why ask the client to collect them at all? Or it doesn't, and the client could lie, like @rndeon suggested. What am I missing?

In particular, if the client queries several advertisers and forwards all the responses to the ad server, I'd expect a graceful fallback for some of the requests failing. If the ad load fails when any request fails, then every additional bidder multiplies the failure rate. So the client should be able to look at the responses and decide to drop some of them. While signing might help validate bids, encryption might keep the client from making decisions on bid contents, and a signed timestamp might help prevent replaying old bids, even cryptography can't keep the client from pretending it never received a response. And the client could drop responses at random or based on metadata, instead of on actual bid contents, and still screw with the results.

That said, and like you point out, this is much more complicated than just blocking the entire ad loading process, which is safer and more efficient for the client, so I'm not sure it's worth trying to manipulate the auction outcomes. Sending decompression bombs or other invalid data to ad servers to waste their CPU cycles is still tempting though…
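The reasoning in the reply above (signatures and timestamps let the ad server reject forged or replayed bids, but nothing server-side can tell an honest client from one that "never received" a response) can be checked with a small model. The following is an added example written for this thread, not code from the linked article, Prebid, or any real ad server; the HMAC-based bid signing, the shared bidder keys and the validation order are a hypothetical design constructed to illustrate the point.

```python
import hashlib
import hmac
import json

# Constructed shared secrets between the (hypothetical) ad server and each bidder.
BIDDER_KEYS = {
    "bidderA": b"constructed-secret-a",
    "bidderB": b"constructed-secret-b",
    "bidderC": b"constructed-secret-c",
}
MAX_AGE_SECONDS = 30  # freshness window for a signed bid timestamp


def _canonical(bid: dict) -> bytes:
    """Deterministic serialization so signer and verifier hash identical bytes."""
    fields = {k: bid[k] for k in ("bidder", "auction_id", "price_cpm", "timestamp")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_bid(bidder: str, auction_id: str, price_cpm: float, timestamp: float) -> dict:
    """What a bidder would return to the client: a bid plus an HMAC over its fields."""
    bid = {"bidder": bidder, "auction_id": auction_id,
           "price_cpm": price_cpm, "timestamp": timestamp}
    bid["sig"] = hmac.new(BIDDER_KEYS[bidder], _canonical(bid), hashlib.sha256).hexdigest()
    return bid


def validate_bids(bids, auction_id, now, seen_sigs):
    """Ad-server side: return (accepted, rejected) where rejected carries a reason."""
    accepted, rejected = [], []
    for bid in bids:
        key = BIDDER_KEYS.get(bid.get("bidder"))
        if key is None:
            rejected.append((bid, "unknown bidder"))
            continue
        expected = hmac.new(key, _canonical(bid), hashlib.sha256).hexdigest()
        # Any edit to bidder, auction, price or timestamp breaks the signature.
        if not hmac.compare_digest(expected, bid.get("sig", "")):
            rejected.append((bid, "bad signature"))
            continue
        if bid["auction_id"] != auction_id:
            rejected.append((bid, "wrong auction"))
            continue
        # A signed timestamp bounds how old a bid may be.
        if now - bid["timestamp"] > MAX_AGE_SECONDS:
            rejected.append((bid, "stale"))
            continue
        # Remembering signatures that already cleared catches a resubmitted bid.
        if bid["sig"] in seen_sigs:
            rejected.append((bid, "replay"))
            continue
        seen_sigs.add(bid["sig"])
        accepted.append(bid)
    return accepted, rejected


def pick_winner(accepted):
    return max(accepted, key=lambda b: b["price_cpm"]) if accepted else None


def demo():
    """Walk through the cases discussed in the thread and return what the server sees."""
    now = 1_700_000_000.0  # constructed clock value
    auction = "auction-123"
    a = sign_bid("bidderA", auction, 2.50, now)
    b = sign_bid("bidderB", auction, 1.20, now)
    c = sign_bid("bidderC", auction, 3.10, now)
    seen = set()

    # 1. Honest client forwards every response: the highest valid bid wins.
    acc, _ = validate_bids([a, b, c], auction, now, seen)
    honest_winner = pick_winner(acc)["bidder"]

    # 2. A client that rewrites the cheapest bid's price: the HMAC no longer matches.
    tampered = dict(b, price_cpm=9.99)
    _, rej_tamper = validate_bids([a, tampered, c], auction, now, set())

    # 3. A bid whose signed timestamp is outside the freshness window.
    stale = sign_bid("bidderA", auction, 5.00, now - 120)
    _, rej_stale = validate_bids([stale], auction, now, set())

    # 4. Resubmitting a bid that already cleared in step 1.
    _, rej_replay = validate_bids([c], auction, now, seen)

    # 5. A client that simply omits the top bid: every remaining bid verifies,
    #    so the server has nothing to flag and a cheaper bid clears.
    acc_drop, rej_drop = validate_bids([a, b], auction, now, set())

    return {
        "honest_winner": honest_winner,
        "tamper_reason": rej_tamper[0][1],
        "stale_reason": rej_stale[0][1],
        "replay_reason": rej_replay[0][1],
        "drop_winner": pick_winner(acc_drop)["bidder"],
        "drop_rejections": len(rej_drop),
    }


if __name__ == "__main__":
    print(demo())
```

Cases 2 to 4 are where server-side validation earns its keep; case 5 is the gap the reply describes, and it is the reason the only complete fix is to take the auction off the client entirely (the S2S setup mentioned earlier in the thread) or, from the user's side, to not load the requests at all.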