Perhaps now that Google has taken steps to block websites that display these ads, Google should take steps to stop accepting these ads onto their network in the first place.
Most of the time when I see those DOWNLOAD/PLAY buttons, they're hosted on doubleclick.
I remember a few years ago AdSense was showing a lot of fake Download buttons (and users would complain about it). I haven't seen them recently, though, so I hope that means they've fixed that problem.
I just checked and the download page on getpaint.net still has a deceptive "Start Download" AdSense ad. That site came to mind because, a few months ago, I tried to be charitable and disabled ad blocking for a few days. That was the site where I decided enough was enough and started blocking again.
The AdChoices icon is used by many ad networks, not just Google's, to indicate that there's per-user targeting happening. [1] But if you click on that "AdChoices" button, you get an AdSense help page.
I'm not too familiar with AdSense vs. DoubleClick vs. AdChoices, but when I hover the ad it shows a link to DoubleClick, the little triangle icon points to an AdSense support page, and the JavaScript to load the ad comes from googlesyndication.com. From what I understand, that all points to it being an AdSense ad.
I suspect the reason that kind of ad is allowed (despite being deceptive IMHO) is that it's not just a download link. It also indicates that it's an ad for a driver update site (which makes it even shadier to my eye, but probably not violating any policies).
You're not being charitable disabling your ad blocking. You're just perpetuating a system where egregious invasion of privacy is 'the deal' for using the internet. I understand that some sites might struggle for income without advertising but if they want me to view their ads they had better find some partners who don't stalk me across the web.
I was going to say exactly the same thing. Blocking/warning about them at the browser level is a great move, especially as it will also work for ads not served by Google. But they should also be working to stop these ads getting published on their network as well.
I tried to flag a deceptive "Start Download" ad of this kind by clicking on this button a few days ago (which appeared on a site I run, annoyingly). The form I was required to fill out needed me to say where the link in the ad took me. So I'm supposed to click on the link in an ad which is pretty plainly attempting to install some kind of malware, in order to be able to report it? I'm supposed to either be 100% confident there's no vulnerability in my browser, or set up some kind of VM to test with, just in order to report a single, obviously malicious ad?
I just tried it on the getpaint.net site (mentioned elsewhere itt) and it only had an option box set with three options: inappropriate, repetitive, irrelevant.
But you could just right click and copy the ad link. The link would point to the ad network (e.g. googleads.g.doubleclick.net/aclk), but it would be better than nothing. Also, many ads include a domain, sometimes in a tooltip, and usually just the tld, but again, better than nothing.
I'm not at all against this move from Google - it is good sense. However, to play Devil's advocate, what are the odds this was pushed down by the MPAA/RIAA or similar? This policy more or less directly targets sites that offer free online streaming or torrent downloads of Movies/TV/Music. The sites that wind up with these deceptive ads are typically sites that provide copyrighted content to their users.
Again, this is not a bad move. But I'm curious about the true motivations. If I were the MPAA, and trying to shut down the revenue stream of sites offering free streaming and torrents, this would be one of the ways to do it. That, or Google is simply sick of receiving takedown notices - and this is one method to take these sites out of their listings before even receiving the DMCA.
Download button ads appear on websites providing useful utilities and in particular Minecraft content and add-ons. I'm having to educate my kids on what is and isn't a real download button. It's a pain in the arse.
I would say it hasn't come from the MPAA or RIAA. These deceptive download buttons appear on a myriad of sites which are not related to streaming/torrenting.
Actually when I saw the headline my first thought was sourceforge. You expect these kinds of deep web ads when perusing sites you know damn well are "less than legal" but I've seen them on a number of websites I wouldn't normally expect to, sourceforge being the worst offender in my experience.
In my experience most free online streaming and torrent downloading websites have very small hard-to-find download buttons with a lot of fake "Download Now!" ads. So this would actually make torrenting easier.
I'm not sure they need to. Google's approach here tackles the problem of these ads being created from an economic direction: if nobody is seeing these ads, they won't make any CPM money any more, so their creators will stop running them.
That's a much more sensible approach than doing what you're suggesting—trying to catch specific instances of people doing something nefarious that makes them money. That just causes the people posting the ads to get more clever, such that it gets more and more costly to catch each instance. (That was helpful in the ReCAPTCHA case, since spammers were advancing computer vision techniques in the process. It's not a harnessable force in the general case.)
The point was made elsewhere, but I think you stated it most eloquently. Here's my question though: does it not benefit the user to enforce some minimum of deterrence through automated policing on the ad acceptance side?
Yes, it's whack-a-mole, but so is SEO, and Google's continually tweaking that instead of giving up. Based on the current rudimentary techniques used by the advertisers (e.g. "DOWNLOAD!" buttons), even eliminating only such blatant examples would go a long way towards cleaning up deceptive ads.
And as you've noted... it's not like Google doesn't have access to advanced CV techniques and the computational infrastructure to run them...
> It has nothing to do with CV, it is not an engineering problem.
Not sure what you mean by this, given that there's a human with eyeballs on the other end of the bad ad and a limited number of keywords to trick that human into undesirable actions (virus,error,infected,download,update,install).
CV is exactly the solution you'd want to use for a first-pass categorization, given that's the pathway by which the ads communicate with users.
You're aware that people view websites through browsers which don't run Google's safe browsing software, right? How is leaving them to get tricked into downloading malware (served via Google) "more sensible"?
You're not "leaving them"; making the ROI for an ad 30% lower (given a 30% Chrome install-base) is usually enough to make the advertiser give up on that ad, because they could instead be running an ad that converts ~90% as well and not losing 30% of their impressions in the process.
Now, the advertisers who only run these mal-ads will stick around and continue running them. They're also the ones who would fight tooth-and-nail to make their mal-ads more clever, instead of giving up and switching to regular ads; so they're exactly the ones Google will have a hard time discouraging at the ad-network level.
My hope for those is that other browsers simply copy Google's strategy here. If Chrome, Firefox, and IE all do this, there's pretty much no point in running these ads any more.
It'll be interesting to see if they block people from visiting sites that use doubleclick for ads, or if this is just an excuse for blocking sites that use competing ad providers.
I wonder if those ads that push you to install certain product with half-truths and lies are considered deceptive as well. You know, "Install Chrome for better experience".
No. I mean the companies whose sole business is to get you to download bundled malware, change your search engine, push ads to every site you browse using extensions etc.
Surely the companies that advertise via Google to try and deceive you into clicking their download button or whatever fit the bill? And surely Google, by actively enabling them, is also part of the process. As stated elsewhere on this thread, if they can detect deceptive sites, they can detect deceptive adverts.
So they implement detection, and remove these ads. The scummy advertisers then permutate their ads until they get past the detection and the game continues.
We're getting pretty good at image classification, but I don't think that extends to maliciously crafted inputs.
That or they manually verify each ad submission. If that violates their business model of high-volume low-value automated processes (and it obviously does) then you have to take account of that when you decide how you view the company. Automation and the inability to verify at the scale that they operate doesn't somehow absolve them.
Yeah, basically Google is looking for any way to avoid actually reviewing the ads they broadcast. Probably because advertising becomes drastically less profitable for them if they do. I feel when this sort of conflict of interest is occurring, where it's profitable for Google to continue shipping malware to users, they should be held legally accountable for their failure to police what they distribute.
This is a joke, right? We run AdSense display ads on our site and have to spend significant time every day reviewing and blocking new ads which try to use these deceptive practices.
Since Google clearly has the tech to detect this they should be implementing it at source on the advertisers (malvertisers). Instead they are pushing this down to the publishers and hitting them with penalties.
It's a clever ploy in some ways - Google gets the revenue from the ads and also the kudos from Joe Public for "being on the side of the consumer".
Google doesn't charge for ads, it charges for impressions. If your user doesn't see it, Google doesn't get paid.
It also seems like a very different tech than trying to determine what an ad script will actually show a user. So it's not as easy as "if they can do A they can do B". Still doesn't excuse the fact that they should be doing their best to block those kind of ads in their ad network.
FWIW, "impression" means "request". Who knows what the user saw.
Google AdSense is pay-per-click (or some algorithm, based on clicks against and the subject matter's value). In the context of adware rubbish, we are probably talking about AdSense. So no, Google doesn't pay per impression.
DoubleClick (part of Google for some time) may still offer an impression-based product. My experience of them a few years ago was that they'd negotiate on anything if you have enough traffic to make it worth their time.
Are you talking about Google paying the website for each click/impression or are you talking about advertisers paying Google for each click/impression? Both are termed under impressions (CPM or PPM). And in both cases Google loses money in rolling out this feature.
It's a big company, I can imagine the browser guys wanting this but the ad guys saying they "can't" do this and there being a mini-war.
You get the sense that sort of thing happens all the time at Microsoft for example, before Ballmer left it felt like the ASP.Net team were pulling in one direction, the Visual Studio team another and the IIS team had gone rabid and were just trying to bite everyone.
It happens when different products have different priorities.
It also happens when one department is perceived as an "expense" like IT or R&D, and starts pushing against "revenue-generating" departments like sales.
Of course, all components of a properly-functioning organization are revenue-generating. An idealized business in some respects would be people giving you money with no money being spent. Everyone knows that's not how the world works, but it's awfully hard to justify on a quarterly statement.
At Google, many departments aren't directly revenue-generating. Sure, Chrome and Android help people browse the Internet, where they view ads, but that's quite removed from actually selling the product, and those are very large projects. Search, maps, and gmail can show ads internally to generate revenue, but that's still a layer removed. Perhaps Google Apps and Drive are loss leaders, and maybe Fiber will make money eventually, but Glass? Calico? Driverless cars? Loon? Seriously, where does the money for these projects come from? I suppose you can answer "AdSense and AdWords", but why do those businesses give them money? And the harder question is how do they generate political and cultural capital to maintain these expenses?
At most of the companies I have been involved with, these projects would have been cut, outsourced, or consumed by the AdWords and AdSense teams. But there's little question that the world is better and the Internet is used more because of projects like Search, Gmail, Android, and Chrome.
How does Google generate this culture? How can other companies replicate this process?
Counting web ads served to users as revenue generated by the computer's operating system is ludicrous. Oracle is trying to misrepresent the amount of money made so they can sue for damages. The numbers are BS.
There are a lot of pieces to that puzzle. One of them is a stock program that basically guarantees the investors have a voice, but zero actual steering capacity for the company, coupled with a CEO who wants to take risks, coupled with a company track record of risks paying off in bizarrely outsized ways just often enough to keep investors hungry for the stock in spite of the fact that ownership of the stock grants them no control.
In short, the company's founders have the ability to steer where the company's money goes, nobody has the authority to tell them otherwise, and so far benevolent dictatorship is working. To give a concrete contrasting example, Apple ousted Steve Jobs when his leadership became fiscally risky; because of Alphabet's stock structure, there's no legal way for holders to directly oust Larry Page.
Google doesn't control all advertisers. Presumably this applies to sites with non-Google ads too.
Also, if these ads are rejected immediately (or nearly so) by Google, it will provide that much more feedback that malicious advertisers can use to "improve" their ads that much more quickly.
Those download buttons look always the same. Oh wait, they changed their color. After years of blue buttons they are now green. So Google can detect your face in a crowd on a photo, but can not detect a download button on a small ad?
Firstly, this will work on ad networks other than Google, so it's more broad reaching than anything they could do just within AdSense. This is good.
Secondly, and arguably more importantly, the way to stop these adverts is for them to cost the advertiser (in either money or time) without giving them the reward of revenue. If the ads stop working then people won't have a reason to make them. By stopping the ads in AdSense rogue advertisers would just change to a different ad network. The problem wouldn't stop.
This does not make any sense. Advertisers paying per view do not get charged for a view if Chrome prevents the user from viewing the page.
The good news here is we now have official admission by Google that allowing AdSense ads without filtering is dangerous. And those of us who do not have sophisticated techniques that can detect deceptive ads have no choice but to block the entire network serving them, if we want to be secure.
> Advertisers paying per view do not get charged for a view if Chrome prevents the user from viewing the page.
The cost isn't in money, it's in views. By not letting you click a fake DL button, the malicious ad doesn't lead you to the site it wants you to end up on, which is usually plastered with other ads and sometimes has malware lying around on it. The end result is that the malicious party can't make money off their own site's ads and can't redirect you to download god-knows-what onto your system.
Any blocking of "malverts" should arguably just emulate a view so it costs the advertiser even more than the lost view. If Google don't want to do that themselves (which would be understandable) they could likely expose it in APIs so plugins like ad blockers can do it.
I don't think it would be fraud if they did it to ads from non-Google networks. But yeah, they shouldn't fake views on ads that come from their own networks.
"more broad reaching than anything they could do just within AdSense"
... as long as you don't care about browsers which don't run Google's Safe Browsing service.
You know another way to stop these ads? Make available an advertising network which doesn't serve them. Website owners who don't want to install malware on their users' computers - which is probably most of us - would prefer that network to the others. As-is, with even Google's network serving up malicious ads, the choice for a website that wants to run display ads appears to be either build out a sales team & manage inventory itself, or accept that some percentage of its users will get scammed.
Surely it would make the most sense to build it into both AdSense and Chrome. That way Google know they're not running a network facilitating this, and they are also able to block malicious ads from other networks in the browser.
I've actually built an advertising network[1] that is not focused on serving display ads, but linking to content directly in images. Video demo: https://www.youtube.com/watch?v=8GfKBvs53Ss
The thought is that if "advertising" is actually a feature of a website, then it solves the problem of users trying to avoid being shown ads. If you could hover your mouse over an object on any image on the internet and be taken directly to where you can buy that without all the hassle, I'd see that as a big win.
Note: Just onboarded our first customer yesterday. He's using it to promote iPhone cases based on his instagram feed[2]. Hover over the cases on a desktop, and you'll see what the case is. Click on it, and it takes you directly to the product page.
That's pretty good. The issue I have with it is that without this prior knowledge, I can't tell what will happen when I click - the URL isn't informative, and there's no alt-text.
What would you like to see it do? I've been thinking of tons of different ways of displaying that to a user, but I figured I'd just put it out there and see what people suggested.
This is the first ad platform I've seen that is innovative in a good way, instead of the usual remarketing/tracking/native/data whatever bullshit. Seriously, awesome idea and execution. Have you gotten any press for this?
> By stopping the ads in AdSense rogue advertisers would just change to a different ad network
The sites that "everyday folk" browse are much more likely to be running ads from the AdSense network. Forcing the rogue advertisers to place ads on a smaller network serves to cost them (money or time) without the reward of the revenue they'd otherwise get from AdSense-enabled drive-bys.
It's a good move, but it seems unlikely that they are going to block a site that's only using AdSense to serve up deceptive ads. Where is the announcement that AdSense/AdWords will detect those ads as well?
I run an online media streaming site for public safety communications, and we've noticed that Adsense advertisers often use these exact social engineering techniques to display download/play links that end up having customers install crappy spyware infested "media players" and other software.
I'm semi-serious here, but if you noticed that you are serving ads that are harming your users, why would you continue to use ad-sense? Why not switch to a different ad network and let Google know why you switched?
> might as well use the terrible option with the highest ROI, right?
No, thanks. Does The Deck serve spammy, malicious ads? I know they're tightly targeted at the techy/designy crowd, but they're also a great example of high ROI ads that aren't terrible.
Valid point. But I still reject the notion of "that sucks but might as well get mine". Sounds like there's a lot of space for ad networks that don't suck. Or monetization models that don't rely on spammy, useless ads.
Nobody suggested there's one solution for everybody. I was just responding to the comment that advertising is the only monetization strategy and that's ridiculous.
> If all your options are terrible, you might as well use the terrible option with the largest ROI, right?
One of the options is "stop running ads". Why is a "site for public safety communications" running ads at all?
Public safety announcement: block all ads to make your browsing much safer. Use Adblock Plus (with so-called "acceptable ads" turned off) or uBlock Origin.
He's not running a public safety institution, he runs a site that has live audio streams from police / emergency scanners.
(incidentally, Lindsay, I've used http://www.radioreference.com to learn a great deal about Software Defined Radio, and I occasionally listen to various Illinois streams on http://www.broadcastify.com - thanks for running these sites!)
> He's not running a public safety institution, he runs a site that has live audio streams from police / emergency scanners.
Thanks for the clarification; that makes more sense.
I'd still echo the comments from elsewhere in the thread about not doing business with a vendor with shady practices just because other vendors do no better.
> We run Adsense display ads on our site and have to spend significant time every day reviewing and blocking new ads which try to use these deceptive practices.
This may be a very stupid question, but are there no ad networks that are more trustworthy?
You could look at something like Project Wonderful, but I think they're a little more geared towards small-scale niche advertising (gaming, comics, blogs).
Actually, never mind. I just looked and their top 5 sites are all well under 1,000,000 page views - and 4 of the 5 are webcomics plus Omegle which I think is one of those random chat sites that popped up a few years ago.
tl;dr no. AdSense sucks, but all other networks are actually worse. (There are tiny ad networks that are actually trustworthy, e.g. Project Wonderful, but they won't make you a living.)
I agree, I have a personal blog and wanted to experiment with ads, so I put AdSense up there. I reported the "Download" ones but just kept getting more, so I finally removed the ads.
Exactly this. Ads served through Adsense are flooded with these. We have spent countless hours trying to block all of them but they just pop up again under a different domain. So is Google going to punish publishers who are using Adsense if these ads come through Adsense?
I could only wish that Google will punish their own sites the same too. There are countless ads on YouTube claiming to provide free Minecraft downloads, commonly shown to very young viewers of YouTube. You might even be able to see these right now by turning on Private Browsing and disabling your ad-blocker.
Yep! This is a big issue on pretty much most Minecraft specific content sites & videos. I think these spammers specifically target Minecraft keywords and Minecraft sites through Adwords display ads knowing that kids will click the ads. If your site has Minecraft content and is serving Adsense within that content, you are almost certain to have these types of ads display. Not the fault of the actual content site but an issue with the spammers targeting through Adwords.
It is really common actually on most game content or videos that are geared towards the youth. These Adwords spammers target this category specifically.
Most websites seem not to care about the content they deliver to their visitors. When I visit xyz.com, it is xyz.com's job to ensure that it doesn't deliver to me malicious content. I have zero sympathy for xyz.com telling me that it's not their problem, they serve 3rd party ads and if these ads are malicious it's the fault of these advertisers, not theirs.
Sure, this is fine, but Google seems to plan to block sites which show malicious ads served by Google's AdSense. That's idiotic.
This is the second case in a month of Google punishing web publishers for using Google products. (The previous case was Google punishing non-https search results, when in fact many of Google's own web publishing tools don't support https.)
And I'm willing to bet Google will make a special exception for itself. I actually posted a screenshot on my G+ page yesterday of the most recent fake download button I saw online... On a YouTube banner ad, served by Google AdSense.
Do they have a history of making exceptions for themselves? If not, then you winning this bet will be quite a big deal - it'll show them as anti-competitive. They'd be forcing customers to use their AdSense product instead of just-as-good competitors.
Maybe they'll just give this "malvertising" detection software to AdSense who can then filter their own content before it hits websites. I'd be more willing to bet this will be the beginning of Adsense cleaning itself up than what you suggest.
Yes. On last week's story, a commenter mentioned how they decreed that web pages which showed a full-page ad on landing would be penalized in search, yet they themselves continued to show a full-page ad in mobile GMail for the GMail app, and it remained the first hit for "e-mail".
Well, it's a way for Google to throw their weight around to multiple effects.
First, it's positively perceived and accepted by end users, which is good for Google and end-users.
Second, it punishes ad networks that don't spend the time to vet what types of ads are allowed. As an end-user, I'm in favor of this.
Third, it boosts ad networks that do spend time vetting ads to prevent malicious ones. Presumably Google, and other networks, that spend time and resources doing this will see a return on that effort. This is good for responsible ad networks, and as an end-user, I'm in favor of this idea to the extent that it should hopefully reduce these malicious ads overall.
It's easy to see this as a way for Google to boost their own ad network, but I think that's too cynical of a take. They aren't boosting themselves specifically, they are punishing bad-actors and boosting good actors overall.
Well, it punished them both. An ad network that can't display its ads in places it could before is a form of direct punishment. Forcing sites for choosing ad networks that don't vet their ads well is an additional indirect punishment as well, as it may encourage those sites to choose a more discerning ad network.
On one hand it's unfortunate that the site is being punished, on the other hand maybe they deserve some responsibility for not being more selective. I'm not sure.
I used to have a Firefox add-on which rated the sites linked to in Google ads.[1] I could have deleted the ads, but didn't. Should I bring that back?
It was amusing to run that. Ad quality was much better on some sites than others. Ads on Business Week pages were generally legitimate. Ads on entertainment sites were awful.
Totally deleting ads seems to have won out over merely thinning them out.
No, it's not a "ploy", it's the only realistic action google could take. It would be a huge business mistake to ban malvertisers from adsense, because those would move to other networks, which would then in turn be preferred by publishers because that's where the money moves. Adsense would lose, and the consumer wouldn't have won anything.
The publishers aren't innocent at all. They decide to place ads right above, below, and all around the real download button. Because they know that a good percentage of their consumers will be tricked, and so they get paid.
I too have seriously struggled with this. I recently discovered that you can ban this entire category of ads (mostly). Go to "Allow & block ads", then "sensitive categories" and select "Ringtones & Downloadables." This will remove most of these types of ads.
You'd think that Google could use a Bayesian classifier to detect malicious AdSense display ads at setup time. Add an appeal process to take care of ongoing training.
This would negatively affect Google's revenue... which is probably why they haven't done so.
Fits with Google: free consumer services (paid for by advertisers); and Google gets the highest price possible by letting advertisers fight it out in real time (the other advertisers are the bad guys... but Google gets the money).
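The Bayesian-classifier suggestion in the comment above, with the appeal process feeding training, sketched as an added example that is not part of the thread and not anything Google is known to run. The ad copy, labels and class names are constructed for illustration, and it scores ad text only (an image-only button would need its text extracted first).

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9']+")

# Constructed training data: ad copy as an ad network might receive it at setup time.
DECEPTIVE_ADS = [
    "Start Download now",
    "Download now free player update required",
    "Your system is out of date install update",
    "Warning virus detected click to scan",
    "Play now install media player",
]
OK_ADS = [
    "Handmade leather iPhone cases free shipping",
    "Compare car insurance quotes online",
    "Book cheap flights to Lisbon this summer",
    "Learn Python with our online course",
    "Fresh coffee beans delivered monthly",
]


def tokenize(text):
    return TOKEN_RE.findall(text.lower())


class AdTextClassifier:
    """Multinomial naive Bayes over ad copy, with Laplace smoothing."""

    LABELS = ("deceptive", "ok")

    def __init__(self):
        self.word_counts = {label: Counter() for label in self.LABELS}
        self.doc_counts = Counter()

    def train(self, text, label):
        if label not in self.LABELS:
            raise ValueError(f"unknown label: {label}")
        self.word_counts[label].update(tokenize(text))
        self.doc_counts[label] += 1

    def log_odds(self, text):
        """log P(deceptive | text) - log P(ok | text); positive means deceptive."""
        vocab = set()
        for counts in self.word_counts.values():
            vocab.update(counts)
        total_docs = sum(self.doc_counts.values())
        scores = {}
        for label in self.LABELS:
            # Smoothed class prior, then smoothed per-token likelihoods.
            score = math.log((self.doc_counts[label] + 1) / (total_docs + 2))
            total_tokens = sum(self.word_counts[label].values())
            for tok in tokenize(text):
                count = self.word_counts[label][tok]
                score += math.log((count + 1) / (total_tokens + len(vocab)))
            scores[label] = score
        return scores["deceptive"] - scores["ok"]

    def classify(self, text):
        return "deceptive" if self.log_odds(text) > 0 else "ok"

    def appeal(self, text, reviewer_label):
        """A human reviewer's ruling on an appealed ad becomes training data.

        Returns the verdict the classifier gives the same text afterwards.
        """
        self.train(text, reviewer_label)
        return self.classify(text)


def build_classifier():
    clf = AdTextClassifier()
    for ad in DECEPTIVE_ADS:
        clf.train(ad, "deceptive")
    for ad in OK_ADS:
        clf.train(ad, "ok")
    return clf


if __name__ == "__main__":
    clf = build_classifier()
    for ad in ("Download update now", "Cheap flights and car insurance quotes"):
        print(f"{ad!r}: {clf.classify(ad)} (log-odds {clf.log_odds(ad):+.2f})")

    # A legitimate advertiser hit by a false positive appeals; the reviewer sides with them.
    rejected = "Download our free budgeting app"
    print(f"{rejected!r} before appeal: {clf.classify(rejected)}")
    print(f"{rejected!r} after appeal:  {clf.appeal(rejected, 'ok')}")
    print(f"'Download update now' after appeal: {clf.classify('Download update now')}")
```

The false positive on the budgeting-app ad shows why the appeal step matters: "download" alone carries most of the weight until reviewed examples teach the model otherwise.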
Not really all that clever. Same old story. They take users for fools. Maybe users will stay dumb re: ads, but then maybe not. It's amusing to watch the companies that must jam the ads into your pages to make money claiming they can "make the internet faster" (a previous ploy) or "safer" for users. These companies are part of the problem, not the solution. Unless they find a new "business model". But why bother when this one - being a middleman to people's use of the internet, selling ads and jamming them into every page they can - works so well?
"You may have encountered social engineering in a deceptive download button, or an image ad that falsely claims your system is out of date."
Weeeellll...I see 99% of these in Android in-app ads. So - a) this should be the end of it, or b) someone is being a bit hypocritical here. I sure hope for the former.
I did not install flash in FF, and I do not miss a thing. Sometimes there is this warning that not all content could be displayed, but I would not have a clue what functionality is missing.
A deceptive button does not equal phishing. It just might (and most often does) open a non-malicious popup with some ad. (non-malicious in a sense it won't install ransomware to your PC)
And of course Google can easily integrate its own ad blocker in Chrome if it chooses so.
I hope they'll include a "Stop the nanny" flag in chrome://flags as well.
I mean you can't even change the new tab page to a custom .html, without Chrome nagging you at every launch if the settings are correct. If you make a manifest.json and load as an unpacked extension, it will moan about that.
FFS, I know what you're trying to do with Joe/Jane Noob, but at least give me something to skip that if I know what I'm doing.
[edit] This wouldn't be even needed if new tab page was customizable. Now it's just a Google billboard.
The hard part here is that, wherever you'd decide to persist a "don't bug me any more about this" flag, malware could also potentially write that same flag to that same place. For example, Windows UAC is frequently set to the "don't bug me about this, just auto-elevate" setting by malware.
> The hard part here is that, wherever you'd decide to persist a "don't bug me any more about this" flag,
Build a new binary - offer users to install a "developer" build of Chrome which is exactly the same as the mainstream "release" build, except it allows disabling the protections.
You don't actually have to go that far; there are plenty of Chrome settings controlled by command-line options, and that's usually safe enough—it's actually really hard for malware to "sneak in" command-line options (if the user is a regular user, while the Chrome shortcuts in the Start Menu et al were installed under elevation, which is the usual case.) There's a command-line option to Chrome that entirely disables the sandboxing protections, for instance.
My distinction was just that there's absolutely no way to have a UI-based mechanism for disabling nags, since behind any UI is a persisted flag. If you're up for editing your shortcuts to add command-line options, that's fine.
You mean shortcuts placed in the All Users Desktop/QuickLaunch/StartMenu folders? (I'm guessing it's just "hiding" them with a Desktop.ini entry, rather than truly deleting them?)
That's probably fine, actually, as long as the user (i.e. malware) isn't allowed to create their own shortcuts to replace the deleted ones. I assume there's a GPO to disable the per-user Desktop/QuickLaunch/StartMenu folders, so that only the results from the All Users ones show up?
At least theoretically, it should be possible to build Chromium with such customizations; you'll lose the benefits of the Google walled garden, but you'll gain a bit of user freedom as well (probably won't be point-and-click, alas).
I know these fake ads all suck and everyone hates them but somehow getting rid of them feels like cutting off a little piece of what makes the web the web.
I kinda like this darker, more free-for-all, wild wild west side of the Internet.
Me too man, I remember the internet back then where everything was unique and not a cookie-cutter bootstrap boilerplate. Want a nostalgia trip? Download Opera (one of the early versions) - it'll pluck at your heart strings and make you yearn for times when you had more personal responsibility and Google wasn't there to infect everything with its nanny browser. Hell, even Firefox the last bastion of Freedom on the web, is following Chrome.
This. More specifically, the Wild West got wild for a few years - during a massive population influx - while the entire system was unstable (which also means interesting, in most senses of the word). The metaphor leaks, but is close enough.
I agree, but it still sucks that it seems you're being sold something at every turn. Websites are no longer there, just to be there. It's always about the upsell or agenda.
That's one reason why I'm a little annoyed personal websites went mostly the way of the Dodo and you can only expect friends to check things out if you give them direct links to some trusted site from a site they use all the time, like a link to a Youtube video from Facebook, or your Medium or Tumblr entry from Twitter.
I still like designing personal websites, but it seems like a waste of time now.
As I write this, the ranking of the comments here is... strange. Those who see this as being yet another way of Google using their power to manipulate what people see on the Internet are being heavily downvoted, while those agreeing with the practice are not? That doesn't feel like HN to me.
I'm in the former group. This mollycoddling is just going to lead to more users who can't decide for themselves whether something is suspicious or not and are thus easier to deceive, which might be exactly what Google wants, but I certainly do not think it is good for the Web as a whole (or even society in general.) Being able to make these sorts of decisions of trust is an important part of growing up in general, and I'd even say "finding the right download button" could be considered a sort of rite of passage to being an effective user of the Web, and not just a consumer.
You can't seriously be saying that people potentially running into malware because they couldn't figure out which download button was the real one is reasonable?
You can't seriously be saying that not being able to figure out which download button is the right one is reasonable? With experience, it's extremely easy to find the real one.
- It's usually smaller and less prominent than the fake ones.
- Mousing over it doesn't show a huge long URL to some external domain that sounds ad-like.
Using adblock probably gets rid of a lot of the fake ones too, but the general principle here is if it looks too good/easy to be true, it probably is. The buttons that seem really enticing are the ones you don't want to click, and it's that odd, not-very-attractive one that you want.
As an experienced user, when I'm looking for some semi-obscure Windows program, I still do have problems distinguishing legit download links from this. Perhaps I'm too used to the radical method "just select what you want from the repository, and it will be installed automagically;" in other words, one of the issues here is nonexistent install management in Windows (party like it's 1998!), forcing users to run this gauntlet (MSI? Puh-leeze).
Nice try, but no, that's a broken old trick. window.status is gone for exactly this reason, but things like onclick="this.href='http://evilsite.example/'" (or even onclick="window.location='http://somewhereelse.evil.example/';return false") still work (link shows a benign location, but it's changed to a malicious one when you click).
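The click-time link swap described in the comment above can be spotted statically in a page's markup. The following is an added example, not part of the original thread: it flags anchors whose inline event handler assigns a destination on a different host than the href shown on hover. The function names, sample markup and page URL are constructed for illustration.

```javascript
// Added example: find <a> tags whose inline handler rewrites the link target
// to a host other than the one in the visible href.

// Constructed sample markup (not taken from any real page).
const PAGE_URL = 'https://www.example.org/download';
const SAMPLE_HTML = `
<a href="https://downloads.example.org/tool.zip"
   onclick="this.href='http://evilsite.example/'">Download</a>
<a href="https://downloads.example.org/tool.zip"
   onclick="window.location='http://somewhereelse.evil.example/';return false">Mirror</a>
<a href="/docs" onclick="this.href='https://www.example.org/docs?ref=nav'">Docs</a>
<a href="https://www.example.org/">Home</a>
`;

// Opening <a ...> tag; quoted attribute values may contain '>' or the other quote.
const TAG_RE = /<a\b((?:"[^"]*"|'[^']*'|[^'">])*)>/gi;
// name="value", name='value' or name=value
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
// Assignment of an absolute URL to this.href or (window.|document.)location(.href)
const ASSIGN_RE =
  /(?:this\.href|\b(?:(?:window|document)\.)?location(?:\.href)?)\s*=\s*(['"]?)(https?:\/\/[^'";\s]+)\1/gi;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Hostname of a URL, resolving relative hrefs against the page; null if unparsable.
function hostOf(url, base) {
  try {
    return new URL(url, base).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Returns one finding per handler assignment that points off the shown host.
function findHrefSwaps(html, pageUrl) {
  const findings = [];
  for (const tag of html.matchAll(TAG_RE)) {
    const attrs = parseAttrs(tag[1]);
    if (!attrs.href) continue;
    const shownHost = hostOf(attrs.href, pageUrl);
    for (const [name, code] of Object.entries(attrs)) {
      if (!name.startsWith('on')) continue; // inline event handlers only
      for (const a of code.matchAll(ASSIGN_RE)) {
        const targetHost = hostOf(a[2]);
        if (targetHost && targetHost !== shownHost) {
          findings.push({ shown: attrs.href, event: name, target: a[2] });
        }
      }
    }
  }
  return findings;
}

for (const f of findHrefSwaps(SAMPLE_HTML, PAGE_URL)) {
  console.log(`${f.event}: shows ${f.shown} but navigates to ${f.target}`);
}
```

A static scan like this only sees inline handlers; listeners attached from script files need a check in a real browser, for example comparing the hovered href with the URL actually requested after the click.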
It's a laudable initiative to protect average Joe from himself, but I don't feel like Google (or any other company) deciding for me what is dangerous. They should at least provide this feature as an opt-out option. Still, better option would be to educate more people of ad and script blockers.
Came here to say this. Most of their above-the-fold "results" are either ads or SEO-ed junk probably full of Google ads.
More broadly, pretending to protect against social engineering is a joke. They won't catch anything other than the most obvious stuff, and they will also block some stuff that many people won't want blocked. Does this feature block Java downloads containing the Ask toolbar? Should it?
Are you saying the bright "ad" lozenge next to the paid results isn't explicit enough?
And anyways, users don't go out of their way to avoid clicking on ads unless the ads are utter crap. Google's whole business is to make the ads relevant to the search and the user, so who's to say the ad isn't actually a relevant result?
>the bright "ad" lozenge next to the paid results isn't explicit enough
Yes, it is not explicit enough. The tiny yellow box is just a noise present on every search page. As any noise it will be ignored. Especially when everything else in these ads tries to look exactly as a valid search result.
Google has more options than just the size of the box: for one thing they could make the box surround the ad (that is a common UX design to show related elements) and put the word "ad" around the entire border or the box, like police tape. That would make it a lot clearer that it was an ad.
Or simply put ads only in the right-hand column that is now entirely populated by ads. "Do you want the results our software comes up with? Then read left. Or do you want the results people pay us to show you? Then read right." This would be an honest business model, and if advertisers had to provide more value to searchers than Google's algorithm with their keyword bids, they might actually do something smart and useful.
No, it's not good enough. It's a bizarre colour that is too similar to the white that they use to write 'Ad' in it. A website with white-on-yellow text would be painful to read.
Also, they don't even bother putting it next to each ad. On the right hand side, there's just one 'Ads' at the top and then everything underneath is an unlabelled paid ad. Why?
Google ads started out quite distinct, but they have gradually made them blend in. They used to have a stand-out background colour, then they had a very pale background, and now there is no obvious 'advert box' at all. Google know that many people are misled into clicking on the adverts, but they don't care because of the $$
The lozenge is not enough. I had a user last week who googled "<ispname> email" wanting to get to her email. Instead of clicking the official link a few results down she clicked one of the ad links at the top. This took her to a page which started beeping, playing a virus alert message, and creating JS popups telling her that her computer was infected and she needed to call the phone number on the screen.
It's absolutely not enough. After watching tons of seniors use computers (and having to degunk them), it seems Google's ads in search are the primary malware distribution method on the Internet. Phishing sites are always atop searches for banks, malware links are always atop searches for drivers and software, and normal users see that top ad as the 'first result'.
Users placed their trust in Google, and Google betrayed them.
Somewhat off topic... but also, it states 1,010,000,000 results on the first page of this query but if I go to the last page, it comes down to 412 results... I can't believe that there is only 412 insurance related pages on the whole Internet... https://www.google.com/search?q=insurance&num=100&safe=off&s...
It works as expected according to them if they don't expect you to look at all the results, I guess.
Please tell me what link you have at result #500, because I can't see it even if I remove the URL parameters and use the standard 10 results per page...
I cannot go past page 53 when using the URL that you are referring to (they added some results that can be seen, it currently is 532 but it changes pretty often).
But the behavior changed since yesterday... yesterday it would have said "Page 53 of 532 results" and now it says "Page 53 of about 1,010,000,000 results" but most of them still can't be seen...
There's an unexpectedly large number of commenters who seem to think that this falls under free speech. Do I need to explain that the crap these ads usually download when clicked is responsible for a ton of support calls, many of which go to innocent kids on weekends just trying to unwind from school? :)
I'm kidding of course but seriously comparing blocking these buttons and deceptive elements is not censorship, it's Google saying to these publishers that if they don't get their shit together, that they will dissuade traffic from visiting their sites. The only way to get the attention of bigger publishing companies is to grab them by the revenue stream, you all know this.
Also, ideally Google should implement this within their search algorithm itself, by punishing the sites which indulge in such practices by pushing their search results much further away.
"Pretend to act, or look and feel, like a trusted entity — like your own device or browser, or the website itself."
This is a broad statement. Taken at face value, this covers all native advertising - with articles/images/videos/thumbnails/etc intended to fit in with the content of the site/app.
Too late Google. I already installed ad blocker on every computer in the house years ago because my parents would accidentally click "play" or "download" in deceptive ads.
So if a site is using Adsense and doesn't require all ads are reviewed then as site owners appears we run the risk of another part of Google telling visitors that the site is malicious. Hope that the site owner tooling referred to is good enough that it can identify the advert, at worst the network otherwise only option would be to remove Adsense code.
I'm surprised of the negativity towards this action, but I guess I shouldn't be. A lot of you are in a very different situation than me and this will affect you directly. However, warning people away from being potentially tricked by these deceptive ads is a very good thing.
Tons of sites out there that turn a blind eye to such ads and that's bad. Yes, there will be some unfortunate pain for sites that responsibly attempt to block these ads as they come up. Assuming the blog post is correct and Google has implemented this correctly, it should be minimal for those sorts of folks since they claim the penalty will only occur if users are consistently getting social engineering ads. (I suspect Google will ratchet up the rate over time though, assuming these ads become less common as a result of this and similar efforts).
EDIT: See below. I'm convinced and with y'all now. Google--this is a step in the right direction and I support this action, but you do need to get your own house in order too!
> I'm surprised of the negativity towards this action
It's pretty basic. A lot of people are not happy that Google is serving these ads that they are telling you they will stop at the browser-level with a warning that makes the site owner look guilty. They want Google's Ad network to stop serving the ads in the first place.
So can anyone point me to an ad served by Google that is as bad as the examples in the blog post? I thought Google had previously cracked down on such ads from the serving side too, although less deceptive ones were still allowed, no? I'm happy to be better informed!
Gotcha. Yeah, I see one there. Big green button with a down arrow saying "GET IT NOW" lots of whitespace below and then a smallish rewaterpressure logo. Because of the whitespace, the button very much looked associated with the paint.net download text above, not with the rewaterpressure logo below.
I also received the less bad (but still bad) text-based "start download now" one the same page. You convinced me. Editing my parent post above.
EDIT: for those curious, here's what the page looked like on the page load mentioned above: http://imgur.com/SisOXNT
I feel like something needs to be done about these sort of ads, I'm happy the Chrome/SafeBrowsing teams are taking these steps. But it's so hypocritical, because most of the times I see these ads, it's from Google's network!
I'm not happy that they punish the publisher/webmaster with no accountability for the advertiser or ad network. I can use Google's AdSense on my website, and unless I continually make an effort to manually review ads, it's very likely it will begin displaying these sorts of ads. And then because AdSense doesn't care, Chrome will begin flagging my website as malicious to users?!?
I'm surprised they're not doing this as well as making an effort to purge these sorts of ads from AdSense. That way, I could feel comfortable that my users aren't being shown scummy ads, which would be a huge advantage over other ad networks. Now instead, running ads on a website will either become a liability, or an extra added effort to make sure I don't get screwed over by Google.
Also, while a noble goal, there's no details of how they detect and classify these ads. I've had an entire Domain flagged and blocked off by SafeBrowsing because a single page on a subdomain was displaying an ad (via DoubleClick) which linked to malware.
> I'm surprised of the negativity towards this action
I'm not. This site is filled with grey-hat folks who would do anything to make a buck on the web. I mean, it's a forum hosted by/affiliated with a VC firm, and look at the comments here. A bunch of people angry that google would dare do this, because they might/will be targeted. People were also pissed when Google stopped using meta keywords, and when they stopped reading text that was made invisible in CSS, and really any grey- or black-hat way to get more visitors/ad impressions.
Despite all the legal attacks in the UK and elsewhere, this is probably the biggest blow to piracy sites so far. When one gets taken down another spins up, but if you turn your adblocker off they all have these awful adverts.
For organic traffic pirate sites, the biggest blow was Google's algorithm change. For websites which used a freemium model, the biggest blow was PayPal, Visa and Mastercard banning file sharing websites from using them. Today's announcement was merely a nail in the coffin for those sites.
So who decides what to flag? Is google analyzing the behavior of chrome users and then automatically flags websites? Or can users flag websites? I disabled "Automatically report details of possible security incidents to Google" and "Protect you and your device from dangerous sites" in the settings, will my chrome browser still report these websites (in case it ever did)?
It's about time google crack down on these ads. The download button is just one of the many tactics. Any ads that show a guy with biceps three times the size of his head should also be banned. Yahoo is infested with these "sponsored" ads, and pretty much any other site that lives on ads revenue only.
Pretend to act, or look and feel, like a trusted entity — like your own device or browser, or the website itself.
These are deceptive tactics, intended to confuse and trick.
What you describe is annoying and perhaps exploitative of human desires, but in the end no different from normal advertising and far less evil than the ads described in the quote above. You want a full ad-blocker. Perhaps you're already using one and want to justify it.
This "Google Safe Browsing" initiative seriously worries me. It's effectively some unknown, mysterious, un-contactable set of AI algorithms/people/who knows what controlling the internet because Google owns everyone's browser.
One of my websites got tagged as "Dangerous" and having "harmful programs" despite having nothing of the sort. My guess is a silly hiccup of their neural network algorithms. And I have absolutely nobody I can contact about the issue to get an explanation. They just effectively killed the site in one fell swoop.
Yeah, I've experienced the same and it's really a pain in the ass. Apparently there's tons of orgs that can automatically add sites to that blacklist, I got abuse from some company saying there was a phishing page on my IP because it featured a login page and the text "Amazon" and suddenly chrome started showing alerts when I visited the IP.
As with most of similar systems (spamhaus etc) the people running them are just as bad as the people they're trying to stop.
De-indexed in search is a bit different from effectively blocked in the browser. If Chrome says your site is dangerous and actually your site is harmless, are they defaming your website? If Google choose not to include you in their search engine, that could still be an issue, but it's probably a lot more nuanced.
Probably not, but Google EU is in Ireland and their libel laws are likely to be a lot like those of England, which is to say super pro the person who feels wronged.
If the claim that your site is dangerous is demonstrably false and there are demonstrable damages you can indeed be liable for damages or face injunction.
I'm not sure if you know what the "first amendment" is. I'll tell you what it isn't, it's not a magical trump card that lets you say whatever you want.
That's a VERY different situation. Google is claiming there that (essentially) they have the right to put sites in whatever order they want, and US courts are extremely sympathetic to that argument.
Here the issue is that Google is making direct, verbal claims about other sites. That's not to say Google couldn't come up with a strategy to win in court, but the strategy would have to differ markedly.
google is not a government agency. you can't claim first amendment when dealing with private parties. that's like me suing the NFL for not letting me post racist rants on their homepage because of the first amendment.
edit: i dun read gud. leaving comment as an homage to lack of literacy
According to the FAQ[0] of the safe browsing program, they attempt to contact you first, but there is a way to contact them.
> What if you can’t get in touch with the webmaster because they’re not registered with Google Webmaster Tools?
> Every time we add an unsafe site to the list, we make a reasonable effort attempt to inform the webmaster by sending a notification to a standard set of email addresses (e.g., webmaster@[sitename].com; info@[sitename].com; admin@[sitename].com).
> If my website has been compromised and is now unsafe, what can I do?
> We offer advice for webmasters whose sites have been hacked here. It’s best to register your site at Google Webmaster Tools in advance of any problems so that we can notify you promptly and provide more information about the problems we find.
> If you don’t want to use Google Webmaster Tools, you can file appeals with StopBadware.org once you have removed the infection from your site. StopBadware.org also offers great resources for webmasters who want to learn more about what they can do to make their sites safer.
A while ago I submitted my site for review and provided a contact. I got no response. I also got no such e-mail. In addition it seems they only send you a "notification", i.e. an automatic "We've blocked you" and not a human attempt to resolve the issue. If a human had been viewing my site it would have been 100% clear that there is no malware issue. However, since I do make use of certain HTML5 features after prompting the user, I could see why it causes a trigger if they have some half-baked neural network algorithm trying to identify potential malware based on JavaScript source.
If anyone is wondering, the site is a location-based file sharing app. It makes use of geolocation and file uploading capabilities. Largely a quick experiment, throwing an idea out there just to see if there's any need for such an app. It was running fine for a few months before Google decided to block it.
Yes, there's good reason why I'm posting this from https://www.palemoon.org/ which is Firefox without the politics - Chrome is too intrusive and non-transparent about its intrusion to boot.
Saw this late: I believe they have a running policy of porting all security stuff from main rep FF and adding additional hardening on top (by disabling semi baked features and removing legacy stuff, like XP support, at a much quicker rate than regular FF releases). But how this is managed in terms of man-hours/pay/etc. - haven't got the faintest: organisational transparency is expensive but would be ever so great to get right for software vendors on the whole!
I always thought it was something like visiting the site with a somewhat unprotected (but virtualized) computer and seeing if anything bad (registry keys changed) happened.
Here are some more proactive approaches that would support their desired perception of caring about the browsing safety of their users:
* How about updating the radio buttons that appear when you "report this ad" to include "deceptive" as the reason for the report
* DoubleClick (by Google) serves the majority of these "Download now" ads that I've seen on sites that cater to the general public. Don't let advertisers run these ads. Do. Not. Allow. Many of them have "start download" in the plain text of the ad unit, and others are easily found by a bit of OCR on an image ad unit.
Please do not give me a Google-branded poncho (telling me how amazing it is with an infomercial about its revolutionary Dry Living Experience™) when you could patch the leaky roof to truly create a Dry Living Experience.
A popup in AdWords says I've violated "Unsupported content free desktop software". RackForms Express is a free version of my flagship product, that one actually being advertised.
Your feelings may very well differ, but if I've clicked on a link, organic or ad, and I get offered a solution to the problem I was seeking an answer for, that seems like a pretty good deal. If nothing else, this differentiation may well be the difference between getting a sale or not.
The appeal process is to fill out this form: https://support.google.com/adwordspolicy/contact/advertise_s..., but from my reading in Google's product forms this doesn't always work. If this fails, the end result will be to remove free software from the net.
We're all for blocking those horrible "Download Firefox" ads, but this change, and the resulting aftermath, feels...I don't know, dangerous. If the end result is small companies like mine pulling valuable resources from the web, I think we all lose.
I hate using free hosted download services that some people use, especially on forums, because there are ads with download buttons and real download buttons and it's nearly impossible to tell which button needs to be clicked to initiate a download.
Hmmm, I just went to google.com and typed "Chrome for Windows" Of the 10 links that appeared, at least 4 or 5 were for malware infected versions of Chrome. I followed the links, the download buttons on those pages are still shown. Maybe I misunderstood
Advertising providers, and advertising _publishers_, who forward "bad ads" are given a time-out.
Perhaps 10 minutes for the first instance, but increasing durations for repeat occurrences. Days, weeks, and months for repeated gratuitous violations.
Ad providers and publishers who find they're being timed out for violating standards are, likely, going to clean up their acts, and find ways to ensure that mistakes _don't_ happen. Including direct vetting of content.
If Google don't block ads, I will.
Oh, wait, I already do that. But the rest of the Net is still catching up.
I tend to enjoy these type of announcements and discussions regarding Google, because it seems to remind the general population that while yes, Alphabet is a diversified technology powerhouse, at its core, its most primal competency is that of an advertising firm. A very successful advertising firm. Sort of like how Jerry Jones was a very successful oil business tycoon before diversifying his interests by way of purchasing the Dallas Cowboys and 'business-ing' it up to a multi-billion dollar brand. No oil, no Cowboys for Jerry. No ads, no self-driving cars for Google.