Why I won’t whitelist your site

Publishers need to take responsibility for code they run on my systems.

By Mike Loukides
February 5, 2018
Malware (source: Christiaan Colen on Flickr)

Many internet users—perhaps most—use an ad blocker. I’m one of them. All of us are familiar with the sites that won’t let us in without whitelisting them, or (only somewhat better) that repeatedly nag us to whitelist.

I’m not whitelisting anyone. I don’t have any fundamental problem with advertising; I wish ads weren’t as intrusive, and I believe advertisers would be better served by advertisements that had more respect for their viewers. But that’s not really why I use an ad blocker.

The real problem with ads is that they’re a vector for malware. It’s relatively easy to fold malware into otherwise-innocent advertisements, and that malware executes even if you don’t click on the ads. I’ve received malware from sites as otherwise legitimate as the BBC, and there are reports of malware from virtually every major online publisher—including sites like Forbes that won’t let you in if you don’t whitelist them. The New York Times, Reuters, MSN, and many others have all spread malware.

And no one takes responsibility for the advertisements or the damage they cause. The publishers just say “hey, we don’t control the ads; that’s the ad placement company.” The advertisers similarly say “hey, our ads come from a marketing firm, and they use some kind of web contractor to do the coding.” And the ad placement companies and marketing firms? All you get from them is the sound of silence.

Here’s the deal. I’m willing to whitelist any online publisher that will agree to a license in which they take responsibility for any code they run on my systems. Call it a EULA for using my browser on my computer. If you deliver malware, you will pay for the damages: my lost time, my lost data. If the idea catches on, managing all the contracts sounds like a problem, but I think it’s a business opportunity. Something would be needed to track all the licenses in an authoritative ledger. This sounds like an application for a blockchain. Maybe even a blockchain startup.

If I really need to read something on your site, and you won’t let me in because I am running an ad blocker, I might read your site anyway. That’s trivial—I have four or five browsers on all of my machines, and not all of them have ad blockers installed. But I won’t link to you, quote you, or tweet you. You’re dead to me.

I’ve been asked whether I have any proposals for a business model other than advertising. Not really. Though my employer, O’Reilly Media, does a bit of online publishing, and we don’t take advertising. But advising publishers on their business model isn’t my job—and they’ve yet to ask me for advice, anyway. My job is keeping my systems safe, and that requires keeping malware out.

Again, I have nothing against advertising as a business model. However, that model (and the businesses relying on it) deserves to fail if publishers won’t take responsibility for the ads they deliver. While I understand that publishers don’t control the ads, and don’t have the technical expertise to inspect the ads they deliver, they are the ones that deliver the ads. They bear the responsibility for damages.

Could this be a movement? Can we imagine a future with ad blockers that would let ads through if, and only if, the publisher has agreed to a license that allows users to recover damages from advertising-spread malware?

I’m in.
