It garbles advertisers’ data as a result, but you must disable uBlock Origin to run it; they can’t work simultaneously. I recently moved to it and, so far, am never looking back!
Couple of issues I’m wondering about…
First, wouldn’t clicking on everything just make you easier to track?
Second, how much bandwidth would all this use?
Also wouldn’t this be directing a ton of money to google? (or I guess any other ad provider)
The advertisers are paying for the opportunity either way. Clicks cost them more money than just displaying the ad. Useless clicks cost them money for nothing.
In the short term, I would think so.
In the long run, it makes it less appealing for companies to advertise, because they would have larger costs while having less sales. That, in return, hurts Google as advertisers don’t want to pay as much anymore. If 80% of all users used this extension, advertisers would have to pay more than ever, while having only 20% of all users can be reached (simplified, of course).
Or in short, it’s designed to hurt the system as a whole, not specific companies.
Yeah, I can’t find an answer whether the “click” is behind some obfuscation, or if the “click every ad” is the obfuscation step itself by attempting to poison the data. The latter may work but yes, may actually increase tracking. Wish that answer wasn’t so hard to find on their site.
Did you look at the FAQ?
https://github.com/dhowe/adnauseam/wiki/FAQ#how-does-adnauseam-click-ads
Thanks, I didn’t see this, there was a different embedded FAQ that didn’t have the specific Q & A below.
But, if anything, it seems to confirm the ad itself is just legitimately clicked from the user’s IP address and hidden from the user, and that there is code execution protection, but not that there is any privacy protection? It’s still very ambiguous.
How does AdNauseam “click Ads”?
AdNauseam ‘clicks’ Ads by issuing an HTTP request to the URL to which they lead. In current versions the is done via an XMLHttpRequest (or AJAX request) issued in a background process. This lightweight request signals a ‘click’ on the server responsible for the Ad, but does so without opening any additional windows or pages on your computer. Further it allows AdNauseam to safely receive and discard the resulting response data, rather than executing it in the browser, thus preventing a range of potential security problems (ransomware, rogue Javascript or Flash code, XSS-attacks, etc.) caused by malfunctioning or malicious Ads. Although it is completely safe, AdNauseam’s clicking behaviour can be de-activated in the settings panel.
- not in this way
- not enough to matter
the way it works is sending an HTTP request that registers as a “click” to the advertiser (thus costing them money), but then doesn’t actually let the browser download any content and fetch the webpage, basically pi-holes the destination site and any attached tracking cookies. Combined with the fact that it does this to every ad, it would basically poison any click tracking.
edit: pedants
and before I get any more of you, this is just what I remember reading about adnauseam, do not take it as gospel, go look at AdNauseam’s FAQ.
none
Ah great
it works [by] sending an HTTP request that registers as a “click” to the advertiser
Uh, wait a minute. 🤔
Sending a request also uses bandwidth, you know.
That HTTP request would also show up in the advertisers web logs with your origin IP address.
A basic GET request, even with a long querystring, will be negligible even on a 1998 dial-up connection.
This would just give money to the advertisers.
This transfers money from the advertiser to the advertising agency, without creating a sale for the advertiser. This devalues the services of the agency.
I still don’t want to give those fuckers money. If I just use uBlock, the ad is never seen, thus no sale is made and the slimy ad company gets money.
Totally, it’s up to you. The idea for fake-clickers is the long game: the marketers think they’re landing clicks over months or possibly even years, but will may slowly realize (gotta account for the stubborn ones) that it’s ineffective and eventually pivot to different approaches, hopefully ones that involve less tracking (I can’t imagine what any worse approach could be, at least).
Interesting, was wondering about this. This would also “help” the websites with more ad income right?
IMO, this is a bit much.
It’s one thing to block ads, it’s another thing to essentially participate in an ad fraud scheme. If this simply hurt Google, I would have no issues (they are corrupt criminals, an American oligarchic institution), but you also risking harming independent sites that have done nothing wrong.
This is an excessive approach that risks collateral damage to 3rd parties who are not involved.
I have no issues with blocking ads (internet is unusable without ublock origin + Pihole), but actually simulating clicks is IMO not the right approach.
I still don’t get why you think it’s not the right approach. Seems perfectly fine to me.
Some ads have used browser exploits to infect visitors in the past. So this is a very, very bad idea, if it actually is implemented in a way that is hard to filter for ad networks.
So the way I understand this to work, it’s 100% safe from the type of attack you’re describing.
You are clicking the link (asking the advertiser for the data) but then never actually fetching it.
So you can never get the malicious payload to be infected.
Im too scared to trust it works out fine in the end to use it, been raised on the idea that interacting with an ad in any way other than task managering the pop up is dangerous. Wheres the part of the code that makes it safe and a write up of how it functions, otherwise im fine just blocking ads with regular ublock.
the part that’s safe is in the browser. it’s a basic fact of how http requests work that you can just request data and then not read it.
also, “task managering the popups”? unless i’ve missed some very weird development that has literally never worked, because popup windows are part of the parent process.
Here you go, from the repo:
const visitAd = function (ad) {
function timeoutError(xhr) {
return onVisitError.call(xhr, {
type: 'timeout'
});
}
const url = ad && ad.targetUrl, now = markActivity();
// tell menu/vault we have a new attempt
broadcast({
what: 'adAttempt',
ad: ad
});
if (xhr) {
if (xhr.delegate.attemptedTs) {
const elapsed = (now - xhr.delegate.attemptedTs);
// TODO: why does this happen... a redirect?
warn('[TRYING] Attempt to reuse xhr from ' + elapsed + " ms ago");
if (elapsed > visitTimeout)
timeoutError();
}
else {
warn('[TRYING] Attempt to reuse xhr with no attemptedTs!!', xhr);
}
}
ad.attempts++;
ad.attemptedTs = now;
if (!validateTarget(ad)) return deleteAd(ad);
return sendXhr(ad);
// return openAdInNewTab(ad);
// return popUnderAd(ad)
};
const sendXhr = function (ad) {
// if we've parsed an obfuscated target, use it
const target = ad.parsedTargetUrl || ad.targetUrl;
log('[TRYING] ' + adinfo(ad), ad.targetUrl);
xhr = new XMLHttpRequest();
try {
xhr.open('get', target, true);
xhr.withCredentials = true;
xhr.delegate = ad;
xhr.timeout = visitTimeout;
xhr.onload = onVisitResponse;
xhr.onerror = onVisitError;
xhr.ontimeout = onVisitError;
xhr.responseType = ''; // 'document'?;
xhr.send();
} catch (e) {
onVisitError.call(xhr, e);
}
}
const onVisitResponse = function () {
this.onload = this.onerror = this.ontimeout = null;
markActivity();
const ad = this.delegate;
if (!ad) {
return err('Request received without Ad: ' + this.responseURL);
}
if (!ad.id) {
return warn("Visit response from deleted ad! ", ad);
}
ad.attemptedTs = 0; // reset as visit no longer in progress
const status = this.status || 200, html = this.responseText;
if (failAllVisits || status < 200 || status >= 300) {
return onVisitError.call(this, {
status: status,
responseText: html
});
}
try {
if (!isFacebookExternal(this, ad)) {
updateAdOnSuccess(this, ad, parseTitle(this));
}
} catch (e) {
warn(e.message);
}
xhr = null; // end the visit
};
That’s pretty much it! Let me know if it doesn’t make sense, I can annotate it
