the ad, only serving malvertising every
10th or 20th time, and not serving malvertising to certain IP addresses.
large and reputable websites have been
known to accidentally serve malvertising, making malvertising a potential
problem for every Internet user.
Is Ad Blocking
a Breach of Contract?
It would take a long law review article,
and one written by another set of authors, to properly address the legality of
ad blocking. We do, however, wish to address the oft-cited argument that the provision of free content that contains ads
is done under an “implicit contract.”
Under this contract, the consumer is
provided with free content in return for
the user’s agreement to view advertisements. This is not a new argument, as it
has been applied by network executives
to broadcast television for many years,
sometimes in a very extreme form. In
2002, Jamie Kellner, then CEO of Turner
Broadcasting, suggested that any systematic practice of using the bathroom
during commercials was stealing.
In the U.S., the legal concept underlying this argument is the “
implied-in-fact” contract.b The law is summarized
To establish the existence of an implied
in fact contract, it is necessary to show: an
unambiguous offer, unambiguous acceptance, mutual intent to be bound,
and consideration. However, these elements may be established by the conduct
of the parties rather than through express
written or oral agreements.
As an example, suppose you agree to
wash your neighbor’s car once a week.
You receive payment for each of the
first six weeks, but upon washing his
car the seventh time, your neighbor
refuses to pay because there was no
written agreement. Most courts would
agree that there was an implied-in-fact
contract as evidenced by the conduct of
the parties for the first six weeks. Your
neighbor has to pay.
Now consider a real example in
which it was found that there was no
b U.S. contract law allows for two other types of
contracts: express contract (written) and im-plied-in-law contracts (also called “quasi contracts,” they are more legal obligations than true
contracts). We only address U.S. contract law
here; other jurisdictions may be substantially
different, and are well beyond our expertise.
Publishers will sometimes try to circumvent attempts at ad blocking. Anti-ad blocking usually works by serving a
fake ad in some way and verifying that
it has been loaded or displayed. If it fails
to load, the site stops displaying the primary content or refuses to load it in the
first place. For example, a site can contain an iframe ostentatiously marked as
to see if it was displayed.a If the iframe
is not displayed, the site does not provide the primary content. Similarly, the
can be found in common ad blocker
filter rules and check to see if it is run.
Aside from trying to explicitly detect ad
blockers, ad networks can obfuscate the
URLs of their ads, such as by using IP
addresses instead of domain names.
Ad blockers can often adapt, circumventing new anti-ad blocking mechanisms. Facebook recently announced it
would prevent ad blocking,
38 only to have
Adblock Plus announce a few days later
that it found a way to defeat Facebook’s
39 This is but one
example of the evolving arms race between publishers and ad blockers.
Though the initial motivation for ad
blocking may be annoying ads or tracking, increased computer security is a
major side benefit. Online ads are usually pieces of code as opposed to static
images or text. The end result of the
ad auction process described earlier
is that the user’s browser is redirected
to a URL of the advertiser’s choosing.
The retrieved object may take the form
Vulnerabilities in these frameworks
can be used to execute malicious code
on the client machine without the user
noticing anything out of the ordinary.
Even though browser support for Java
and Adobe Flash is being phased out,
vulnerabilities in these frameworks are
still being exploited. Java exploits are
on the decline, but Flash vulnerabilities are still some of the most common
vehicles for malvertising.
4 While ad networks have measures in place to detect
malvertising, there are ways to circumvent and avoid detection, at least temporarily, such as serving a legitimate
ad until the ad network has approved
a See, for example, http://adblockingdetector.
attempts at ad
works by serving
a fake ad in some
way and verifying
it has been loaded