Yes, Google chose to act *after it became public*, but Google was operating a major market segment, where they had dedicated members of the Ads sales team working on fostering a business area that was… outright predatory. At a CPC of $230, big money was moving here. It’s hard for me to credibly believe that this harm happened due to the algorithm, that no humans at Google were clearly aware of what was going on, when Googlers were being sent out to events to pitch to this market.
This business Google was involved in was targeting an incredibly at-risk segment of the population, getting wild profit off of it, and, despite being a party to fraud, gets to keep all of it’s profits from having done so. The problem I see here isn’t just that the Ads team gets paid for participation in criminal activity, but they have no incentive to really stop profitable illegal activity.
When Google got caught, they didn’t lose a cent. So why would they be proactive about preventing harm going forwards?
I mean, I feel like at some point, I have to move into my personal anecdotes: I’ve done computer support for senior citizens for over a decade, and my takeaway from that has been that Google’s primary business model is misleading people into clicking on ads that are indistinguishable from search results. And the reason that people call me after doing so, is because a large portion of those ads masquerading as search results are full of malware.
Apparently, that’s possible because marketers want to redirect URLs through shifty third party services, so Google permits ads to do something real results can’t: Display a completely fake destination URL.
One of my regular examples I have pointed out before is MapQuest. A site which is still heavily used by senior citizens, who Google for it because they don’t know how URLs work. Every ad served for “mapquest” on Google is a malicious scam site. And no matter how many times I report them, Google won’t remove them, because nearly every dang click is a successful scam hit, so it’s a wildly profitable term to sell ads on. But any time Google delivers a user to mapquest.com, they make nothing.
Ultimately, choices companies make often slide between security and profitability. And it feels to me like the Google Ads business has no meaningful commitment to security or protecting users. Scams and malware end up running rampant whenever ads are involved, that’s where the money for the business segment is coming from, and ultimately, some senior citizen’s lost retirement money is making it into your paycheck.
The issue here is that the advertising company’s incentives are not aligned with consumers. It’s in the best interests of Google for the consumer to click on an ad, not a search result. So even if Google has the best search result, it’s goal is to get the consumer to click on the ad. This is a concern Sergey and Larry originally had, and expressed in their original paper. Google would rather a senior get scammed than find the right result.
It sounds like you’re talking about ads on search results? I work on display ads and don’t know very much about the search side of things.
I don’t have any internal information, but some thoughts on the examples you’re listing:
Scammers placing ads is harmful, though not unique to advertising. The article you link describes a similar issue happening in the phonebook era. It’s very hard to tell from this sort of investigation how well a service is doing at avoiding abuse.
“Google Ads are regularly hijacked, such that they present https://youtube.com or https://bestbuy.com as the destination, but lead to a fraudulent website” Is this actually common? Looking at your link, it’s hard to tell what happened in that case but I think it was probably an open redirect on amazon.com?
I’m not able to find any examples of ads against “MapQuest” searching on my laptop or phone in a couple different browsers; you don’t happen to have screenshots?
“It’s in the best interests of Google for the consumer to click on an ad, not a search result. So even if Google has the best search result, it’s goal is to get the consumer to click on the ad.” This misses that there’s enormous value in giving users a good experience long-term, where they keep coming back.
But again, I know very little about this kind of advertising, since I work in a completely separate part of the industry.
Also an IT professional here. Google is among the less unsavory players in the ad space, but it’s a cesspool overall. Malicious ads seem to be one of the easiest ways to get that crap in front of a huge number of users. In practice I don’t see “reputable” providers directly serving malware: rather it’s generally a chain of redirects either implemented by the site they land on (that presumably behaves itself under indexing/due diligence), or by exploiting the ads on the landing site to cause a redirect. Ultimately lands either on an attacker-controlled site or just a site running an ad network that gives zero fucks or outright caters to cybercrime.
That said I made up my mind on this a while ago and I’ve been blocking substantially all ads and analytics for 5+ years. The game of cat and mouse may well have moved on.
I have definitely caught AdSense serving those super dishonest software download ads that pretend to be the download button on file sharing and software sites…
As far as you core concern, are you actually causing significant harm with your work, I really doubt it. Google has a decent incentive to crush bad actors lest govt. step in and kill their cash cow, and just getting the industry at large to match the mediocere level of ethical standads Google is upholding would still be a huge win. Ads suck as a solution and cause a fair amount of preventable harm, but harm reduction is a legitimate thing to work on. Bonus points when you can pressure competitors to shape up and not be too evil.
It’s hard for me to credibly believe that this harm happened due to the algorithm, that no humans at Google were clearly aware of what was going on, when Googlers were being sent out to events to pitch to this market
Never attribute to malice that which is adequately explained by stupidity. It sounds like the fraud involved was extremely sophisticated, as it was hiding behind state negligence. Google now requires these advertisers to be licenced by a reputable third party.
The problem I see here isn’t just that the Ads team gets paid for participation in criminal activity, but they have no incentive to really stop profitable illegal activity
In 2011 Google settled a negligence case regarding illegal pharmaceutical sales for $500 million.
Scams and malware end up running rampant whenever ads are involved, that’s where the money for the business segment is coming from
I find it hard to imagine this is true within reputable ad networks, though I agree that such content is endemic to online advertising.
IDK how many repeats you get or if you’re looking for tools, but if so, consider setting DNS to one of the public DNS providers (e.g. OpenDNS) that provide some basic web filtering of malicious websites without otherwise breaking the internet too much. The Ghostery plugin for chrome/edge is also worth a look. Even without setting it to block ads or analytics, it shuts down shady behavior like multiple redirects that many of those bad ads rely on. Can be configured to do more but gets progressively higher touch. Both lowish touch free options.
jefftk, you state you’re open to being convinced that you’re causing harm through your work. So let me take a crack:
Have you read about the “rehabs near me” incident that the Verge uncovered? https://www.theverge.com/2017/9/7/16257412/rehabs-near-me-google-search-scam-florida-treatment-centers
Yes, Google chose to act *after it became public*, but Google was operating a major market segment, where they had dedicated members of the Ads sales team working on fostering a business area that was… outright predatory. At a CPC of $230, big money was moving here. It’s hard for me to credibly believe that this harm happened due to the algorithm, that no humans at Google were clearly aware of what was going on, when Googlers were being sent out to events to pitch to this market.
This business Google was involved in was targeting an incredibly at-risk segment of the population, getting wild profit off of it, and, despite being a party to fraud, gets to keep all of it’s profits from having done so. The problem I see here isn’t just that the Ads team gets paid for participation in criminal activity, but they have no incentive to really stop profitable illegal activity.
When Google got caught, they didn’t lose a cent. So why would they be proactive about preventing harm going forwards?
I mean, I feel like at some point, I have to move into my personal anecdotes: I’ve done computer support for senior citizens for over a decade, and my takeaway from that has been that Google’s primary business model is misleading people into clicking on ads that are indistinguishable from search results. And the reason that people call me after doing so, is because a large portion of those ads masquerading as search results are full of malware.
*Every* malware support call I’ve ever gotten from a senior citizen came from a search ad. Every. One. (Not all from Google Search, but every one was a “top of result page search ad” from a major search site.) And it doesn’t even seem like Google’s committed to making sure the ads accurately represent the destination. Google Ads are regularly hijacked, such that they present https://youtube.com or https://bestbuy.com as the destination, but lead to a fraudulent website. Here’s one with a photo that hit a news site: https://www.zdnet.com/article/malicious-google-ad-pointed-millions-to-fake-windows-support-scam/#ftag=RSSbaffb68
Apparently, that’s possible because marketers want to redirect URLs through shifty third party services, so Google permits ads to do something real results can’t: Display a completely fake destination URL.
One of my regular examples I have pointed out before is MapQuest. A site which is still heavily used by senior citizens, who Google for it because they don’t know how URLs work. Every ad served for “mapquest” on Google is a malicious scam site. And no matter how many times I report them, Google won’t remove them, because nearly every dang click is a successful scam hit, so it’s a wildly profitable term to sell ads on. But any time Google delivers a user to mapquest.com, they make nothing.
Ultimately, choices companies make often slide between security and profitability. And it feels to me like the Google Ads business has no meaningful commitment to security or protecting users. Scams and malware end up running rampant whenever ads are involved, that’s where the money for the business segment is coming from, and ultimately, some senior citizen’s lost retirement money is making it into your paycheck.
The issue here is that the advertising company’s incentives are not aligned with consumers. It’s in the best interests of Google for the consumer to click on an ad, not a search result. So even if Google has the best search result, it’s goal is to get the consumer to click on the ad. This is a concern Sergey and Larry originally had, and expressed in their original paper. Google would rather a senior get scammed than find the right result.
It sounds like you’re talking about ads on search results? I work on display ads and don’t know very much about the search side of things.
I don’t have any internal information, but some thoughts on the examples you’re listing:
Scammers placing ads is harmful, though not unique to advertising. The article you link describes a similar issue happening in the phonebook era. It’s very hard to tell from this sort of investigation how well a service is doing at avoiding abuse.
“Google Ads are regularly hijacked, such that they present https://youtube.com or https://bestbuy.com as the destination, but lead to a fraudulent website” Is this actually common? Looking at your link, it’s hard to tell what happened in that case but I think it was probably an open redirect on amazon.com?
I’m not able to find any examples of ads against “MapQuest” searching on my laptop or phone in a couple different browsers; you don’t happen to have screenshots?
“It’s in the best interests of Google for the consumer to click on an ad, not a search result. So even if Google has the best search result, it’s goal is to get the consumer to click on the ad.” This misses that there’s enormous value in giving users a good experience long-term, where they keep coming back.
But again, I know very little about this kind of advertising, since I work in a completely separate part of the industry.
Also an IT professional here. Google is among the less unsavory players in the ad space, but it’s a cesspool overall. Malicious ads seem to be one of the easiest ways to get that crap in front of a huge number of users. In practice I don’t see “reputable” providers directly serving malware: rather it’s generally a chain of redirects either implemented by the site they land on (that presumably behaves itself under indexing/due diligence), or by exploiting the ads on the landing site to cause a redirect. Ultimately lands either on an attacker-controlled site or just a site running an ad network that gives zero fucks or outright caters to cybercrime.
That said I made up my mind on this a while ago and I’ve been blocking substantially all ads and analytics for 5+ years. The game of cat and mouse may well have moved on.
I have definitely caught AdSense serving those super dishonest software download ads that pretend to be the download button on file sharing and software sites…
As far as you core concern, are you actually causing significant harm with your work, I really doubt it. Google has a decent incentive to crush bad actors lest govt. step in and kill their cash cow, and just getting the industry at large to match the mediocere level of ethical standads Google is upholding would still be a huge win. Ads suck as a solution and cause a fair amount of preventable harm, but harm reduction is a legitimate thing to work on. Bonus points when you can pressure competitors to shape up and not be too evil.
Never attribute to malice that which is adequately explained by stupidity. It sounds like the fraud involved was extremely sophisticated, as it was hiding behind state negligence. Google now requires these advertisers to be licenced by a reputable third party.
In 2011 Google settled a negligence case regarding illegal pharmaceutical sales for $500 million.
I find it hard to imagine this is true within reputable ad networks, though I agree that such content is endemic to online advertising.
IDK how many repeats you get or if you’re looking for tools, but if so, consider setting DNS to one of the public DNS providers (e.g. OpenDNS) that provide some basic web filtering of malicious websites without otherwise breaking the internet too much. The Ghostery plugin for chrome/edge is also worth a look. Even without setting it to block ads or analytics, it shuts down shady behavior like multiple redirects that many of those bad ads rely on. Can be configured to do more but gets progressively higher touch. Both lowish touch free options.