The Battles for the Internet

The InternetIt’s always interesting to think about how the Internet might change in the future and what it might become. It’s likely that the outcome of several current industry battles will determine the Internet we have five and ten years from now. Each of these conflicts is important in its own right; taken together they add a lot of uncertainty about where we are headed.

Ad Blocking vs Advertisers: One fairly recent battle is between ad blocking technology and those who make a living through web advertising. Today much of what we think of as the free internet is paid for through advertising placed on web pages. Very few people like the ads on the Internet, particularly as they get more customized and individualized and are aimed at each of us personally.

But a really large portion of the things that most us like on the web are paid for by ads. That includes things like social media sites and news services. Right now the ad blockers are gaining the upper hand. I saw a recent report that over 200 million users worldwide are now using ad blocking software, and it’s growing fast. And companies like Apple are building ad blocking into their OS, probably in an attempt to poke a stick in the eye of some of their other large rivals.

If advertisers don’t figure out a way to fight back, then the revenues that can be made on the web will be on a fast and downward spiral, and that is going to effect a lot of web businesses. But advertisers are already working on ways to punch through ad blockers and so this is likely to morph into a continuous cat and mouse game as the two sides each get the upper hand at times.

Hackers vs Web Security: For the last several years large companies have sat nervously in the crosshairs of the hackers who are working hard to take them down. But to a large degree a lot of the tactics used by hackers in the past have been defeated by web security companies and it’s no longer easy to breach firewalls by brute force. But hackers are probably more successful than ever today because they have shifted tactics and now concentrate on tricking insiders to let them into a network.

This is a critical battle, and big companies look at what happened to Sony and they now understand how devastating it can be to lose control of their network. The companies that fight hacking are getting better all of the time and they will find ways to beat the current tactics deployed by the hackers. But unless we someday migrate to a web run by a superintelligent AI, it’s likely that this battle is going to go on for a long time.

Surveillance vs Encryption: The NSA revelations opened a lot of eyes about how vulnerable we all are to surveillance. We now know that governments can gather huge amounts of information about us, and many people are worried about how access to our data is going to lead to a government abuse of power. But perhaps even worse is that large corporations are gathering data about us, too, and unlike the government they are more likely to immediately put that knowledge to use.

But there is a counter-movement working to make us safer against surveillance. This involves encryption but also in developing safer ways to communicate such as through bit-chains. Surveillance relies on being able to capture data at central nodes, and so perhaps having an Internet that no longer uses centralization will reduce the amount of knowledge that can be gained from us. Ideally, the outside world would only learn what we choose to give out about ourselves, but for now the surveillance forces are winning this battle.

Open Internet vs State-specific Control. Sparked by those same NSA revelations we now see governments looking at ways to protect their citizens and themselves from outside surveillance. China has already done this in an extreme way and it looks like Russia might be headed down the same path as China. But half of the countries in Europe are looking at ways to keep the data generated in their country safe within their country. If we end up with an Internet that is different in each country, with pockets behind different firewalls, we will have killed much of what is great about the current Internet.

I don’t think anybody can predict where each of these trends are going with any certainty, and it’s hard to say how the various battles affect each other.  There is a big chance that the Internet of ten years from now will be a very different place than today. There will be some ugliness along the way and we are going to keep seeing major hacker success bringing down companies. But none of these issues is insoluble and there is also the chance that over time we will end up with an Internet far safer than today’s.

The Dark Side of Web Advertising

virusYesterday I talked about the general way that Internet ads function. But today I want to look at one of the darker aspects of web advertising by looking at how ads spread malware.

Cisco’s Annual Security Report for 2013 provided some pretty amazing statistics about Internet advertising:

  • They said that the highest concentration of online security threats are not found on pornography, pharmaceutical or gambling sites, but rather that the most danger today comes from major search engines, retail web pages and social media outlets,
  • They said that online shopping sites are 21 times more likely, and search engines are 27 times more like to deliver a malicious piece of software than a counterfeit software site.
  • But no threat compares to online advertising, and Internet ads are 182 times more likely to give you a virus as searching the web for porn. (Of course, they didn’t say how the intrepid Cisco researchers made the comparison to porn).

Probably the major culprit of malware in advertising comes from a practice called real-time bidding. When you go to load a web page that has real-time bidding, an ad company like AppNexus (or many others) asks for bids for placing ads on your page. The solicitation gives a quick profile of who you are in terms of age, demographics, geography, etc. The highest bidder then gets the ad space, and this all happens in a flash. The problem with this kind of system is that nobody has time to monitor the ads that are placed and so malicious advertisers gain access to you by bidding the highest. And they don’t have to bid much. It takes only a very tiny fraction of a penny to get an ad placed at one specific user.

The malicious ads don’t look malicious and are usually disguised to look like an ad for some normal company. But the purpose of the malicious ad is to put a piece of code on your computer. The bad news these days is that you don’t have to click on the ad to get the bad software – the act of opening the web page is often enough to activate it.

I run a malware checker regularly and I am amazed at how many pieces of malicious software I get regularly. It is not unusual for my computer to have picked up a hundred pieces of malware within three days after having scrubbed it. I don’t shop much on-line, but I read a lot of articles and I assume that is the source of most of my malware.

According to my malware software, most of the bad things that I pick up are adware, which they define as a piece of code that is gathering and transmitting data about me to the world. These days adware is generally something a little more complex than a cookie. Cookies are somewhat passive files that sit on your machine to tell somebody later that you have already been to a certain web site or something similar. Think of adware as cookies+ in that they gather specific data and either store it for later retrieval or, in the worst cases send it out to the world.

I’d say 99% of what I get is adware with only the occasional more malicious malware, which could be a virus or some other nasty piece of code. But think about what I am getting. I am inadvertently downloading 100 pieces of adware within just a few days, each of which is looking for specific facts about me and reporting back to whoever placed the malware. I am sure that mostly they are tracking the web sites I’ve visited in order to build up a more detailed profile about me. But these little pieces of malware can pick up almost anything else from bank account numbers to passwords.

I think we all understand that half of what is on the web these days is designed to build a profile for each of us. But I don’t think most people realize how intrusive this effort has become. They are not building a profile by slowly studying your web usage. They are spying on your directly to know everything you do. It’s a bit scary when the most dangerous place on the web is a search engine or a major news site that has ads.

Yesterday I talked about ad blocking and perhaps this is what is going to save us from this rash of malicious malware and adware. Certainly if somebody will block all ads to my computer then I can’t be receiving ads with malware. But I would be just as happy if somebody could deliver ads to my machine that are certifiably safe. It doesn’t take a lot of effort for an ad company to test an ad first to make sure it doesn’t leave bad code behind. But that can’t be done in a process where an ad space is advertised and subscribed in milliseconds. This gives the bad guys a really cheap way to get their ads to anybody they want.

So I think Google is onto something with their product that can block all ads. But as I described yesterday, Google is not the last company in the chain between a web site and a user, so I am guessing that even with Google ad blocking that some ads and malware are still introduced after Google has wiped out the first ads. Your ISP is the last entity to touch the data stream coming to your house and thus has the final chance to get rid of malware. I think ISPs might be missing the opportunity to offer better security to their customers by either blocking ads or by making sure that ads are safe.