I often have my browser's devtools open since I'm often debugging a snippet. I noticed this message often recently:
Why is Stack Overflow trying to start audio?
Update.
I see it's from an ad(?).
https://static.adsafeprotected.com/sca.17.4.95.js
Update 2
It happens when this ad appears, from Microsoft via Google.
Update 3
2019-08-15: Official company response after investigation and inquiry. It has been decided that such user fingerprinting ads will be permitted, as they do not violate any laws or regulations.
3 Answers
The ad is attempting to use the Audio API as one of literally hundreds of pieces of data it is collecting about your browser in an attempt to "fingerprint" it, to uniquely identify you across sites despite your privacy settings.
This isn't general speculation; I've spent the last half hour going through the source code you linked above, and it goes to considerable lengths to deanonymize viewers. Your browser may be blocking this particular API, but it's not blocking most of the data.
I've included several examples below. To be absolutely clear, this logic is not being used for legitimate feature detection. The results of these checks are not used to enable/disable parts of the ad; they're only used in aggregate to generate a user fingerprint, which the ad includes along with the advertising ID when recording analytics for the publisher.
It detects your system's resolution and accessibility settings.
return "function" == typeof matchMedia && a239.a341.a77("all and (min--moz-device-pixel-ratio:0) and (min-resolution:.001dpcm)")
}, function() {
return "function" == typeof matchMedia && a239.a341.a77("all and (-moz-images-in-menus:0) and (min-resolution:.001dpcm)")
}, function() {
return "function" == typeof matchMedia && a239.a341.a77("screen and (-ms-high-contrast:active) and (-webkit-min-device-pixel-ratio:0), (-ms-high-contrast:none) and (-webkit-min-device-pixel-ratio:0)")
}, function() {
return "function" == typeof matchMedia && a239.a341.a77("screen and (-webkit-min-device-pixel-ratio:0)")
}, function() {
It looks for the presence of vendor-specific cryptography APIs.
return "function" == typeof MSCredentials && a239.a341.a66(MSCredentials)
}, function() {
return "function" == typeof MSFIDOSignature && a239.a341.a66(MSFIDOSignature)
}, function() {
return "function" == typeof MSManipulationEvent && a239.a341.a66(MSManipulationEvent)
}, function() {
It looks at the list of fonts you have installed.
return "object" == typeof document && a239.a341.a68("fonts", document.fonts)
It detects which Audio API capabilities your browser supports.
return "undefined" != typeof window && "undefined" !== window.StereoPatternNode && a239.a341.a66(window.StereoPannerNode)
It detects which mobile-browser-specific APIs you support.
return "function" == typeof AppBannerPromptResult && a239.a341.a66(AppBannerPromptResult)
It checks for platform-specific DRM support.
}, function() {
return !!a239.a341.a72() && a239.a341.a66(a239.a341.a72().webkitGenerateKeyRequest) && a239.a341.a66(a239.a341.a72().webkitCancelKeyRequest) && a239.a341.a66(a239.a341.a72().webkitSetMediaKeys) && a239.a341.a66(a239.a341.a72().webkitAddKey)
}, function() {
It detects a hundred other things but this post is long enough.
Use an ad blocker!
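The answer above separates ordinary feature detection from probes that are only aggregated into a fingerprint; as a heuristic, a defender can triage a third-party script's source for how many of the probe categories listed above it touches. This is an added example, not part of the original answer or of the ad script: `PROBES`, `scanScript`, `isBroadProbe` and the threshold of three categories are assumptions, the patterns use only identifiers quoted in the answer, and both sample inputs are constructed.

```javascript
// Added example (not from the original answer or the ad script).
// Patterns use only identifiers quoted in the answer; PROBES,
// scanScript and isBroadProbe are hypothetical names.
const PROBES = {
  "vendor media queries": /\(\s*(?:min-)?-(?:moz|ms|webkit)-[\w-]+\s*:/g,
  "vendor-specific APIs": /\bMS(?:Credentials|FIDOSignature|ManipulationEvent)\b/g,
  "installed fonts": /\bdocument\.fonts\b/g,
  "audio capabilities": /\b(?:StereoPannerNode|AudioContext)\b/g,
  "mobile-browser APIs": /\bAppBannerPromptResult\b/g,
  "platform DRM": /\bwebkit(?:GenerateKeyRequest|CancelKeyRequest|SetMediaKeys|AddKey)\b/g,
};

// Return, per category, the distinct probe strings found in the source.
function scanScript(source) {
  const hits = {};
  for (const [category, re] of Object.entries(PROBES)) {
    const found = new Set();
    for (const m of source.matchAll(re)) found.add(m[0].replace(/\s+/g, ""));
    if (found.size > 0) hits[category] = [...found].sort();
  }
  return hits;
}

// One probe is ordinary feature detection; probing many unrelated
// categories in one script is the pattern the answer describes.
// The default threshold of 3 is an assumption, not a measured value.
function isBroadProbe(hits, minCategories = 3) {
  return Object.keys(hits).length >= minCategories;
}

// Constructed sample: fragments in the style quoted in the answer.
const SAMPLE_AD = `
return "function" == typeof matchMedia && a239.a341.a77("all and (-moz-images-in-menus:0) and (min-resolution:.001dpcm)")
}, function() {
return "function" == typeof MSCredentials && a239.a341.a66(MSCredentials)
}, function() {
return "object" == typeof document && a239.a341.a68("fonts", document.fonts)
}, function() {
return "function" == typeof AppBannerPromptResult && a239.a341.a66(AppBannerPromptResult)
`;

// Constructed sample: a media player that feature-detects an API it then uses.
const SAMPLE_PLAYER = `
const ctx = new AudioContext();
const pan = typeof StereoPannerNode === "function" ? ctx.createStereoPanner() : null;
`;

for (const [name, src] of [["ad", SAMPLE_AD], ["player", SAMPLE_PLAYER]]) {
  const hits = scanScript(src);
  console.log(name, isBroadProbe(hits) ? "BROAD PROBE" : "ok", JSON.stringify(hits));
}
```

A match count is only a triage signal: the scan reads static source text, so probes assembled at runtime or hidden behind string encoding will not appear in it.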
- (405) Is this ad geographically restricted? Because I can't imagine this not being illegal in Europe. – user281099, Jun 26, 2019 at 16:51
- (15) @gman it says the AudioContext was not able to start, not that audio was not able to start. AudioContext sounds to me like something holding a bunch of characteristics, not a stream. – TheWanderer, Jun 26, 2019 at 17:03
- (47) @NicHartley in Europe (more specifically, the GDPR), the PII concept doesn't exist. "The GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people." – Braiam, Jun 26, 2019 at 18:22
- (316) How can websites possibly ask of users to disable adblock if ads are going to these lengths to create a profile on users? Disgusting. – Hatted Rooster, Jun 26, 2019 at 18:23
- (239) So... this means SO runs creepy ads, right? – jinglesthula, Jun 26, 2019 at 18:46
- (227) "Use an ad blocker!" <-- Best advice ever. – user474678, Jun 26, 2019 at 18:51
- (38) I'm not European and haven't paid much attention to it. But it wouldn't make any sense at all to make every website show a warning about cookies (a feature that users already had the choice to disable) and not do anything about dirty tricks that do the same job as cookies, intentionally evading the user's choice to disable cookies. – user281099, Jun 26, 2019 at 20:18
- (78) This is moderately terrifying. – Defacto, Jun 26, 2019 at 20:54
- (169) Why is this at all acceptable? I would hope that on StackOverflow they have the sense to ban ads that contain Javascript. Evidently not. – shadowtalker, Jun 26, 2019 at 21:21
- (27) @GregoryMagarshak that's far from the truth. Mobile browser, specific version of it, OS, language, screen resolution and so...the combination of it is quite unique. Just go to amiunique.org and check for yourself – Lamak, Jun 26, 2019 at 21:52
- (42) @Gregory Magarsgak: it turns out, most of the time something is unique about your browser or its environment. Have a look here: amiunique.org. And because it is almost always unique, fingerprints like this likely are indeed covered by the GDPR's concept of personal data, which is a lot stronger than the US' PII. – Ralph Meijer, Jun 26, 2019 at 21:55
- (12) @NicHartley the UK data protection regulator the ICO has just released a pretty scathing preliminary report about adtech. They are certainly of the opinion that personal data is being processed, and not in a lawful fashion: techcrunch.com/2019/06/20/… – fractious, Jun 27, 2019 at 0:19
- (33) @ReblochonMasque Welcome to capitalism. – Tom, Jun 27, 2019 at 6:49
- (63) Okay, so there were a bunch of comments here asking about the user deletion. Clearly people are concerned they were deleted for this answer, so to be clear: Their account was removed upon request and due to other moderation issues. They were not deleted for posting a dissemination of the ad's javascript. – ert, Jun 28, 2019 at 6:48
- (11) I was wondering: is it possible to measure how many users (like me) re-enabled their ad blockers after reading this? Sad :( – Berriel, Jun 28, 2019 at 11:57
Update: 2019-06-27
We’ve been working on a lot behind the scenes and wanted to give an update here. On Stack Overflow specifically the ads are delivered directly through us or relayed through specific 3rd party providers. The latter is where the fingerprint issue lies.
We are trying to address this on a few fronts:
- We have contacted Google for assistance in what features they provide to address this. (We use them as our ad server, that’s why we’re in contact with them).
- We are testing deployment of Safe Frame to all ads. It’s on most ads now, but we’re putting control on our rendering side to enforce this safety mechanism.
- We are trying to deploy the Feature-Policy header to block access to most browser features from all components in the page.
While Feature-Policy is the browser feature most meant to address this, we’re hitting issues in practice. I’ve reached out to several experts and the Google Chrome security team and we’ve filed a bug in the Chrome tracker. A minimal test version of the header is deployed on Stack Overflow now to help the browser teams investigate what we’re hitting.
We know the audio/fingerprinting issue is not isolated to Stack Overflow, but external sites as well. Our goal is to fix it at the third party layer if possible and add any protections we can directly to our network/pages.
We are not turning off these ad campaigns as a knee-jerk reaction because we need a repro to confidently fix the issues. We would much rather put in protections for long-term guards than playing whack-a-mole with issues as they arise. We are working on those stronger long-term protections now.
We are open to help fixing this. If you have more information, suggestions, can help with the Chrome bug above, or anything else: we welcome it. We are trying to do the right thing and get this fixed and fixed well ASAP.
I’ll update this post as we have more info.
Original Response: 2019-06-26
Thanks for letting us know about this.
We are aware of it. We are not okay with it.
We're trying to track down what is doing it and get that mess out of here. We've also reached out to Google to enlist their support. I'll be honest: it's late in the day and we're unlikely to get this resolved today. But we've reached out and hope to get it fixed ASAP.
Note: this is not related to ads being tested on the network - it's a distinctly separate issue. Programmatic ads are not being tested on Stack Overflow at all.
I'm also sorry it took a bit to respond. We had a completely unrelated SQL issue earlier causing production issues that stole a lot of our attention.
- (17) Does stack overflow use Google ads? I thought it had its own ad network – Ganesh Krishnan, Jun 26, 2019 at 22:24
- (265) "We've also reached out to Google to enlist their support" - see, that's where you're going wrong in life. – einpoklum, Jun 26, 2019 at 22:27
- (177) What does "that mess" refer to exactly? The correct solution here is simply to ban javascript from ads. Anything else is inviting advertisers to abuse your users' trust and data. – shadowtalker, Jun 26, 2019 at 22:27
- (88) I'm not sure Google would be my "go-to" source when it comes to user privacy. – jmercouris, Jun 26, 2019 at 23:00
- (126) Just to make a lot of passive grumps explicit and directed: why do your ads even allow javascript to run? Is this just The Way Things Are, or was it a conscious decision? Have they always been like this? Is there any intention to prioritize users before revenue and prevent all this from ever happening by promptly switching to passive ads? – Andras Deak -- Слава Україні, Jun 26, 2019 at 23:11
- (58) Short answer there @Andras is that the ad market is kinda messed up; our old ad director Danny went into some detail on this a few years back (over what it occurs to me was probably an earlier revision of this same script). Trying to get the better end of the deal in a devil's bargain is no small feat to attempt, but we have a bunch of good folks on the team working on this & some ideas to follow up on - wish us luck... – Jun 26, 2019 at 23:24
- (17) @Shog9 well, good luck for all our sakes. In the answer you linked "This includes but is not limited to running only static, non-animated banner" sounds to me like "image only", but I'm completely ignorant of web dev, perhaps my expectations are way off. I'd naively think that whatever is "static" will not eavesdrop on users. – Andras Deak -- Слава Україні, Jun 26, 2019 at 23:32
- (22) @GregHewgill but then again wouldn't turning off JS result in a mostly experience-free browsing experience too? :) – Caius Jard, Jun 27, 2019 at 3:38
- (15) 'We are aware of it.' - Do you mean aware of it prior to this post (If so, why was nothing done sooner?) or as a result of this post? – Script47, Jun 27, 2019 at 8:23
- (79) To the people confused why ads need to run their own Javascript (even ones that are just static images): The short answer is that Ad Networks do not and cannot trust website operators. They need to run their own JavaScript served from their own servers in order to verify that a real user saw the ad and for how long, and they can't trust the website operator to tell them. And these pieces of JavaScript tend to be more invasive and privacy-destroying than the website's JS because they care, far more than the actual website does, that the "user" is not a bank of iphones in a sweatshop. – Clueless, Jun 27, 2019 at 8:48
- (35) @Clueless so, in order to detect possible fraud, ad networks try to squeeze personal information about (legitimate) users. You know, this whole racket somehow smells fishy – gnat, Jun 27, 2019 at 9:08
- (21) Most ads are pay per click, not pay per impression. So no, they don't need to verify that the ad was viewed by an actual human. – jmercouris, Jun 27, 2019 at 10:49
- (17) @Clueless not via boundlessly tracking their users, that's for sure. That just means people are even more justifiable in using adblock everywhere. – Magisch, Jun 27, 2019 at 10:52
- (61) Downvoting for one reason only: "We are not turning off these ad campaigns". This is unacceptable. I've re-enabled my ad blocker on Stack until you can get your things together. You are willfully violating my privacy. – jhpratt, Jun 29, 2019 at 4:15
- (25) Nick, is this post correct? Is SE actually OK with fingerprinting users now? – forest distrusts StackExchange, Aug 16, 2019 at 5:27
There's not much to be done about it, sadly
If you use a mobile phone you've probably noticed this a lot more because Adsense hijacking is a very real and serious problem and, for some reason, Google seems to take a "this filtering is good enough" approach.
Many social media posts lamented that even top-tier publishers like The New York Times and The Atlantic were willing to run such intrusive ads on their sites. But experts say the problem isn’t with lack of discernment on the part of site publishers but with an extremely complex online advertising system that makes it hard for publishers involved to detect, let alone weed out, misleading and malware-laden ads.
Malvertising, as it’s sometimes called, isn’t new. The first recorded sighting of a malware-loaded ad, in late 2007 or early 2008, stemmed from a vulnerability in Adobe Flash, and affected a number of platforms including MySpace, Excite, and Rhapsody. In 2012, the Online Trust Alliance, an industry group, estimated nearly 10 billion ad impressions were compromised by malicious ads. But those in the digital ad industry say the problem has been rapidly growing worse.
I notice it a lot because I have a site I frequent (not SO) that runs Adsense, and they used to have a massive problem with their ads hijacking the page (on mobile you can't just easily close the affected tab). I know Nick Craver is going to get farther than most, but I don't think this is a problem he can solve. Yes, you can identify the bad actor and then block and report them, but they're a dime a dozen. Unless SO moves to an entirely in-house ad solution (which means they have to write a system to handle adding, showing and tracking ads, as well as a viable way to sell those ads), or Google comes up with a solution they've not come up with in the last 7 years or so, this is going to be a persistent problem.
The only winning move here is not to play
- (17) I think the "Google comes up with a solution" ship has sailed. – Andras Deak -- Слава Україні, Jun 27, 2019 at 14:29
- (40) FYI: Firefox for Android supports extensions, including uBlock Origin. – Stijn, Jun 27, 2019 at 15:09
- (2) @Stijn I did not know that! Thanks! Hopefully it's less of a battery hog than Chrome. – fbueckert, Jun 27, 2019 at 16:14
- (9) @AndrasDeak The irony that the link you provided was for an article full of extremely obnoxious and intrusive ads.. – Servy, Jun 27, 2019 at 16:19
- (1) @fbueckert: Sadly, mobile Firefox is unusably slow and, even worse than the plain slowness, has serious UI lag problems. Otherwise I love it. The only browser that offers (only partial) adblocking and decent performance on mobile is Brave. I don't like it at all but use it because the other options are worse. – R.. GitHub STOP HELPING ICE, Jun 27, 2019 at 16:37
- @Servy ha, sorry about that. I don't have most of the JS enabled on most sites, so I wouldn't know... – Andras Deak -- Слава Україні, Jun 27, 2019 at 18:33
- Kiwi browser in the Google Play Store is Chromium based with Chrome extensions enabled. Works great for installing your desired adblocker. – GollyJer, Jun 28, 2019 at 7:39
- (2) You can also use Brave browser. It's blocked literally thousands of ads in the short time I've had it and virtually every page loads noticeably faster. – Colin Basnett, Jun 28, 2019 at 18:43
- (1) I can recommend Firefox Focus for Android. Comes with ad and tracker blocking out of the box. It doesn't keep cookies and it deletes your history directly after you press the back button. This comes with obvious drawbacks but so far has been totally worth it to me. – Imre_G, Jun 29, 2019 at 8:44
- (3) "The first recorded sighting of a malware-loaded ad, in late 2007 or early 2008," Huh? I distinctly remember running across my first one while I was in college in 2004. – Mason Wheeler, Jun 29, 2019 at 13:11
- (1) @ColinBasnett Was about to mention Brave. Have had it on all my devices for about 2 months now, very happy with it so far. – Grüse, Aug 7, 2019 at 9:37
- The best approach is probably delete all of the SE accounts and get this "site" out of here. I have found this site useless for all of the ads that it has posted. It is also very distracting because we want to earn reputation. Anyone is very welcome to delete this comment – user754127, Dec 26, 2021 at 22:05
AudioContext
for browser fingerprinting.i
which nobody tells you about yet it's supposed to be the advertisers' "get out of jail free" card for the fact that they are, frankly, creepy with their targeting.