What Are Bad Ads? Why Do They Matter? And How Can You Block Them?

A bad ad is a troublemaker. It’s the loudmouth in the movie theater that won't stop talking, ruining the experience for everyone else. And if a theater manager doesn't enforce rules during a show, moviegoers will eventually find another venue. In the complex digital ad ecosystem, publishers now unwittingly find themselves in the role of the theater managers, saddled with an unwanted but critical responsibility to their stakeholders and customers to corral bad ads. If they don't, they're just inviting users to browse elsewhere.


But it's not quite as easy as just kicking them out of the theater. Bad ads are both dynamic and malignant, adapting and evolving like a microbe when security measures step in their way. In other words, a potent solution that stops a bad ad today might fail miserably tomorrow. Ultimately, if left alone, bad ads threaten the ROI of the entire industry, beginning with publishers but equally impacting exchanges and every other participant along the digital ad supply chain.

To help you combat the detrimental effects of this not-so-silent killer, we're going to take a closer look at bad ads by answering some key questions:

  • What are bad ads?
  • What types are there? Where do they come from?
  • How do bad ads affect the digital ad ecosystem?
  • How can you stop bad ads?

Know thy enemy and you're much better equipped to fend them off. Take these insights to heart, have a better understanding of the scope and impact of bad ads, and you're well on your way to protecting your top-line performance and gaining a distinct competitive edge.

What Are Bad Ads?

A bad ad disrupts the user experience in some way. And considering that, at any given moment, nearly 30% of internet ads fall under this inauspicious banner, the user experience is under a full-fledged assault. Ad Lightning sorts bad ads into three categories:

  1. Non-compliance: Ads that don't comply with industry standards, brand guidelines, or approved media formats. This also includes inappropriate or irrelevant ads with needless redirects, autoplay with audio, or objectionable content that is ill-suited for the target audience and publisher brand.
  2. Malware: Ads that compromise websites with malware, malicious behavior, or embedded viruses.
  3. Ads leaking user data (data leakage): Typically through embedded trackers or cookies, these are ads that leak unauthorized user information with the intent of selling it to outside parties.

Each of these categories affects the UX, publisher, and exchanges differently. Traditionally, enterprises have tried to defend themselves against these different types of bad ads with a splintered approach rather than a comprehensive, more holistic solution that addresses them all at once.

Perhaps the most foreboding notion of all, though, is the continually evolving nature of bad ads. While redirects, data leakage, and the many other types are certainly daunting, tomorrow's bad ads will be different and more potent.

Considering the size and severity of the collective problem, both today and tomorrow, attacking each type of bad ad individually is inherently inefficient with fleeting success. A closer look at the different kinds of bad ads reveals the scope of the entire issue as well as the need for a more comprehensive solution.


Malware

Now more of a catch-all term than a specific problem, malware encompasses a variety of different bad ad types. In general, malware is malicious and stealthy, often obfuscating the domains it comes from, communicates with, or is otherwise associated with.

Malware usually comes from technically savvy bad actors who have a deep understanding of the programmatic advertising system and can manipulate it for their needs. They exploit holes in a complicated auction system and extremely open platforms filled with intermediaries that provide several easy entry points.

Demand-side platforms (DSPs) are an especially popular front door for malware, where a skilled bad actor can use that single door to proliferate a bad ad across a variety of platforms. No matter how it enters the ecosystem, however, malware prompts the user to take action and install some piece of software.

  • Redirects: A forceful redirect from a page, typically to a phishing scam or a piece of malware disguised with a "You won $1,000"-type message. Oftentimes, the user can’t close the new page or ad. Redirects don’t come from viruses on a device but from the ad platform itself, when an ad with malicious code is delivered directly to the page.
  • Trojan horse: This type of malware is malicious code or software that looks legitimate to the user but can quickly take control of their machine. Unlike a virus, Trojans cannot execute or replicate on their own and, therefore, need to trick the user into installing them. Spyware and ransomware are two of the most notorious types of Trojans that can be delivered via bad ads.
  • Browser extension: A type of Trojan in and of itself, a browser extension injects an unsolicited script or tracking pixel on a user's machine. They usually hijack search queries, inject their own ads, or redirect the user to install other extensions from the same developer. These extensions can often hijack "good" ads to deliver these bad experiences.
  • Phishing: A phishing attack attempts to collect personal information in a devious manner, often as a fake company support page or something similar. Phishing will use a legitimate-looking ad to get the user to divulge personal information like usernames, passwords, phone numbers, Social Security numbers, and many others.

Ad Compliance

This is another term that encompasses several different types and sources of bad ads. Ad compliance issues aren't malicious like malware, but they are every bit as devastating considering how much a non-compliant ad affects critical performance metrics like page load speeds, bounce rates, page views, and more. In a nutshell, ad compliance issues create latency and directly affect the UX and, thus, an enterprise's revenue. Some of the more common non-compliant bad ads include:

  • Inappropriate file size: Simply put, an ad that is too large relative to industry compliance standards. When an ad is large, it takes longer to load, adding to latency issues that, along with other factors like excessive network requests, compel a user to give up and try elsewhere. 41% of banner ads and 26% of all ads are out of compliance with industry file size guidelines.
  • Inappropriate content: Adult, violent, or otherwise inappropriate content for a user and publisher brand found in an ad or landing page. This also includes the introduction of content from a competitor, material regarding brand safety concerns, or content previously blocked or flagged by a user as inappropriate for some reason.
  • Video stuffing: Video stuffing usually entails a display ad that loads a hidden video. Basically, someone figures out how to load a video into a display slot, saving themselves a good amount of money since they're paying for a display ad but delivering an intrusive video ad to the user, which is much more expensive.

Ads Leaking User Data (Data Leakage)

Ads that leak user data often go hand-in-hand with inappropriate file size and network requests. Both give bad ads plenty of opportunities to include something like a tracker or cookie. These can transmit a user's data to an unauthorized third party who, in turn, piggybacks it to other parties, all without consent.

  • Trackers: A small piece of code that tracks activity and leaks that data elsewhere.
  • Cookies: Another piece of code that collects personal information about the user, and then supplies that data to an outside party.

It's important to remember that neither trackers nor cookies are invariably bad, each having a set of very valid and legitimate purposes. When a bad ad embeds an unauthorized tracker or cookie on a user’s device, though, it creates a data privacy issue for both the user and publisher by sharing that information on what is essentially a consumer data black market.

One of the tell-tale signs of an unauthorized tracker or cookie embedded by a bad ad is an abundance of accompanying network requests, sometimes numbering in the hundreds. To demonstrate the scope of the problem with bad ads leaking data, there are, on average, 56 network requests/tracking scripts by the time a user loads any given page, almost 4x above the IAB guideline maximum of 15. It goes without saying that collecting unauthorized data through such unscrupulous techniques is a massive issue for the industry, only seeming to grow by the day.
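The request-count signal described above can be checked mechanically. The following is an added example, not Ad Lightning's code: it groups network requests by ad creative, flags creatives over the IAB guideline maximum of 15 cited in the article, and lists hosts outside a publisher allowlist, including those that set cookies. The record shape, creative names, hostnames and allowlist are constructed assumptions.

```javascript
// Added example: audit the network requests attributed to each ad creative.
// The record shape ({creative, url, setCookie}) and the allowlist are
// hypothetical; real input would come from a HAR export or a sandboxed scan.
const IAB_MAX_REQUESTS = 15; // guideline maximum cited in the article

// Constructed sample data, not captured traffic.
function buildSample() {
  const records = [];
  for (let i = 0; i < 4; i++)
    records.push({ creative: "banner-A", url: `https://cdn.adserver.example/a/${i}.js`, setCookie: false });
  for (let i = 0; i < 20; i++)
    records.push({ creative: "banner-B", url: `https://t${i % 3}.tracker.example/px?i=${i}`, setCookie: i % 5 === 0 });
  records.push({ creative: "banner-B", url: "https://cdn.adserver.example/b/main.js", setCookie: false });
  records.push({ creative: "banner-C", url: "not a url", setCookie: false }); // malformed entry
  return records;
}

// Returns the lowercase hostname, or null when the URL cannot be parsed.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// A host is authorized if it equals an allowlisted domain or is a subdomain of it.
function isAuthorized(host, allowlist) {
  return allowlist.some((d) => host === d || host.endsWith("." + d));
}

function auditCreatives(records, allowlist, maxRequests = IAB_MAX_REQUESTS) {
  const byCreative = new Map();
  for (const r of records) {
    const e = byCreative.get(r.creative) ||
      { creative: r.creative, requests: 0, unparsable: 0, unauthorized: new Set(), cookies: new Set() };
    byCreative.set(r.creative, e);
    e.requests += 1;
    const host = hostOf(r.url);
    if (host === null) { e.unparsable += 1; continue; } // count it, but do not guess a host
    if (!isAuthorized(host, allowlist)) {
      e.unauthorized.add(host);
      if (r.setCookie) e.cookies.add(host); // cookie set by a party the publisher never approved
    }
  }
  return [...byCreative.values()].map((e) => ({
    creative: e.creative, requests: e.requests, unparsable: e.unparsable,
    overLimit: e.requests > maxRequests,
    unauthorizedHosts: [...e.unauthorized].sort(),
    cookieSetters: [...e.cookies].sort(),
  }));
}

console.log(JSON.stringify(auditCreatives(buildSample(), ["adserver.example"]), null, 2));
```

A creative that is both over the limit and talking to unlisted hosts is the one to pull for manual review first; either signal alone can have a legitimate explanation.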

How Do Bad Ads Affect the Digital Ad Ecosystem?

Obviously, bad ads impact every participant in the ecosystem, including users, publishers, and platforms. From a user's perspective, bad ads have several direct consequences:

  • Increased latency that damages the UX
  • Data privacy issues from data leakage
  • Users turning to ad blockers to prevent ads outright, causing a negative economic impact for the entire ecosystem.

Bad Ads and Publishers

When bad ads affect a website visitor, they simultaneously impact publishers as well. Logically, when users have a bad experience, they're less likely to visit that website again or do business with that brand. As statistics from our report, The Cause, Scope and Impact of Data Leakage, demonstrate, publishers are collectively losing billions due to the adverse effects of bad ads on their audience:

  • An additional one second of load speed increases bounce rates by almost 50% on mobile devices and 40% on desktops.
  • Each second of page load latency correlates with an 11% drop in page views and 17% lower customer satisfaction.
  • Mobile sites that load within 5 seconds realize 2x more ad revenue than sites that load at the industry average of 19 seconds.
  • Publishers lose an average of $400,000 per year of ad revenue strictly from page load latency.

Publishers must also keep the legal repercussions of bad ads in mind: something like data leakage could lead to significant GDPR or CCPA issues if an unauthorized outside party gets hold of a user's personal information or browsing habits. Aside from legalities, publishers also stand to lose thousands when those unauthorized parties sell ads based on user behavior culled from things like trackers and cookies. That's ad revenue publishers would otherwise realize if it weren't for unauthorized use.

The Cost of Bad Ads

To provide some context to the situation, our 2020 State of Ad Quality Report found that 30% of the digital ad industry sees GDPR and CCPA compliance as the top ad quality priority in 2020, up from 15% in 2019. These findings represent a broad spectrum of the industry, including publishers, advertisers, and platforms as well.

Naturally, platforms are no different than other industry participants, equally susceptible to damage from bad ads. Publishers are already on the defensive, with malware, non-compliant ads, data leakage, and potent forms of phishing like domain spoofing significantly impacting revenue. Initiatives like ads.txt exemplify a willingness among publishers, especially larger ones, to take the bull by the proverbial horns. To that point, publishers are now more willing and able to drop platforms if a publisher feels that a platform isn't serving its best interests. If the platform is especially reliant on that publisher for revenue, the results can be catastrophic for the organization.

How Can You Stop Bad Ads?

Think of bad ads as an infectious disease, where there are short and long term solutions to implement. You can treat the symptoms as they arise and save some lives but, over time, a disease figures out how to get around those treatments and carries on, even stronger than before. Publishers face similar challenges in their fight against bad ads, where most solutions will typically provide short-term benefits that quickly dissipate. However, that doesn't mean that publishers, platforms, and users are defenseless against such ads.

First, DSPs could strike a significant blow to bad ads by being more stringent at the front gates. While this won’t eradicate the problem, it would certainly make it more difficult for bad ads to find the light of day. Likewise, since cloud servers host much of the malicious content, they could get more involved and better police the files moving to and from their servers. However, again like a disease, the only way to eliminate the total threat is to inoculate the entire population against it. For publishers and SSPs, this equates to blocking the ads before they can do any damage.

To use another metaphor, an ad is like a package delivered through the mail. It goes through many different places and touches many hands before it arrives at its final destination. As sophisticated as screening tools might be in identifying dangerous packages in isolated situations, the sheer vastness and complexity of the ecosystem make it impossible to screen out all but a fraction of the countless bad ads out there. The only way to truly prevent damage from occurring is to open the package and immediately neutralize any harm.

In the advertising ecosystem, that's what makes ad blocking and scanning such powerful tools in the fight against bad ads and their corrosive effects. Ad blocking stops bad ads before they can cause any harm to a publisher, exchange, or user. The combination of tools provides a proactive approach that constantly monitors for malware, IAB compliance issues, and sources of data leakage. This holistic strategy, the basis for Ad Lightning’s own ad blocking technology, addresses the overwhelming threat from bad ads in one fell swoop rather than employing a segmented, disconnected approach.