262 comments

[ 3.3 ms ] story [ 138 ms ] thread
Perhaps now that Google has taken steps to block websites that display these ads, Google should take steps to stop accepting these ads onto their network in the first place. Most of the time when I see those DOWNLOAD/PLAY buttons, they're hosted on doubleclick.
Because this way they get to charge for the ad and then also not let their users get suckered. They win both ways.
Google doesn't charge for ads, it charges for impressions. If you user doesn't seem it, google doesn't get paid. Get your facts straight.
I remember a few years ago AdSense was showing a lot of fake Download buttons (and users would complain about it). I haven't seen them recently, though, so I hope that means they've fixed that problem.
I just checked and the download page on getpaint.net still has a deceptive "Start Download" AdSense ad. That site came to mind because, a few months ago, I tried to be charitable and disabled ad blocking for a few days. That was the site where I decided enough was enough and started blocking again.
I just went there and saw a fake start download button, but it was with the 'AdChoices' network, not AdSense.

EDIT: I guess AdSense is involved with AdChoices somehow. My mistake.

Pretty sure it's an AdSense ad: http://imgur.com/OBy1PFR

The AdChoices icon is used by many ad networks, not just Google's, to indicate that there's per-user targeting happening. [1] But if you click on that "AdChoices" button and you get an AdSense help page.

[1] http://www.youradchoices.com/faq.aspx

I'm not too familiar with AdSense vs. DoubleClick vs. AdChoices, but when I hover the ad it shows a link to DoubleClick, the little triangle icon points to an AdSense support page, and the JavaScript to load the ad comes from googlesyndication.com. From what I understand, that all points to it being an AdSense ad.

I suspect the reason that kind of ad is allowed (despite being deceptive IMHO) is that it's not just a download link. It also indicates that it's an ad for a driver update site (which makes it even shadier to my eye, but probably not violating any policies).

You're not being charitable disabling your ad blocking. You're just perpetuating a system where egregious invasion of privacy is 'the deal' for using the internet. I understand that some sites might struggle for income without advertising but if they want me to view their ads they had better find some partners who don't stalk me across the web.
They are still there. Now in green instead of blue.
Nope. We started experimenting with AdX ads a few days ago and immediately saw exactly these ads: https://www.en.advertisercommunity.com/t5/Ad-Approval-Policy...

That post is from 2013. The answer to the question in the title is apparently "not for at least three years".

I'll take Google's concern about deceptive ads seriously when they stop serving those ads themselves.

I was going to say exactly the same thing. Blocking/warning about them at the browser level is a great move, especially as it will also work for ads not served by Google. But they should also be working to stop these ads getting published on their network as well.
But that is a more direct threat to their revenue stream so of course not :).
There should be an easy way to flag an ad for inappropriate behaviour (by the user seeing it)
How long would it take before fake "Flag this ad" buttons start appearing on ads?
The little X button in the top right corner of Google display ads already performs this function, no?
I tried to flag a deceptive "Start Download" ad of this kind by clicking on this button a few days ago (which appeared on a site I run, annoyingly). The form I was required to fill out needed me to say where the link in the ad took me. So I"m supposed to click on the link in an ad which is pretty plainly attempting to install some kind of malware, in order to be able to report it? I'm supposed to either be 100% confident there's no vulnerability in my browser, or set up some kind of VM to test with, just in order to report a single, obviously malicious ad?
I just tried it on the getpaint.net site (mentioned elsewhere itt) and it only had an option box set with three options: inappropriate, repetitive, irrelevant.

But you could just right click and copy the ad link. The link would point to the ad network (e.g. googleads.g.doubleclick.net/aclk), but it would be better than nothing. Also, many ads include a domain, sometimes in a tooltip, and usually just the tld, but again, better than nothing.

I'm not at all against this move from Google - it is good sense. However, to play Devil's advocate, what are the odds this was pushed down by the MPAA/RIAA or similar? This policy more or less directly targets sites that offer free online streaming or torrent downloads of Movies/TV/Music. The sites that wind up with these deceptive ads are typically sites that provide copyrighted content to their users.

Again, this is not a bad move. But I'm curious about the true motivations. If I were the MPAA, and trying to shut down the revenue stream of sites offering free streaming and torrents, this would be one of the ways to do it. That, or Google is simply sick of receiving takedown notices - and this is one method to take these sites out of their listings before even receiving the DMCA.

Download button ads appear on websites providing useful utilities and in particular Minecraft content and add-ons. I'm having to educate my kids on what is and isn't a real download button. Its a pain in the arse.

I would say it hasn't come from the MPAA or RIAA. These deceptive download buttons appear on a myriad of sites which are not related to streaming/torrenting.

Actually when I saw the headline my first thought was sourceforge. You expect these kinds of deep web ads when perusing sites you know damn well are "less than legal" but I've seen them on a number of websites I wouldn't normally expect to, sourceforge being the worst offender in my experience.
In my experience most free online streaming and torrent downloading websites have very small hard-to-find download buttons with a lot of fake "Download Now!" ads. So this would actually make torrenting easier.
By showing a full screen alert ?

There are also a lot of free file hosting sites with tons of those fake download buttons. Good luck downloading from them now.

I mean it makes displaying "Download Now!" banners less effective. You can bypass the alert; Chrome puts the alert if I understood.
I'm not sure they need to. Google's approach here tackles the problem of these ads being created from an economic direction: if nobody is seeing these ads, they won't make any CPM money any more, so their creators will stop running them.

That's a much more sensible approach than doing what you're suggesting—trying to catch specific instances of people doing something nefarious that makes them money. That just causes the people posting the ads to get more clever, such that it gets more and more costly to catch each instance. (That was helpful in the ReCAPTCHA case, since spammers were advancing computer vision techniques in the process. It's not a harnessable force in the general case.)

It’s an approach that has many casualties, though.
The point was made elsewhere, but I think you stated it most eloquently. Here's my question though: does it not benefit the user to enforce some minimum of deterrence through automated policing on the ad acceptance side?

Yes, it's whack-a-mole, but so is SEO, and Google's continually tweaking that instead of giving up. Based on the current rudimentary techniques used by the advertisers (e.g. "DOWNLOAD!" buttons), even eliminating only such blatant examples would go a long way towards cleaning up deceptive ad's.

And as you've noted... it's not like Google doesn't have access to advanced CV techniques and the computational infrastructure to run them...

Google is trying quite hard to stop the download ads. The people running those ads are trying even harder.

It has nothing to do with CV, it is not an engineering problem.

> It has nothing to do with CV, it is not an engineering problem.

Not sure what you mean by this, given that there's a human with eyeballs on the other end of the bad ad and a limited number of keywords to trick that human into undesirable actions (virus,error,infected,download,update,install).

CV is exactly the solution you'd want to use for a first-pass categorization, given that's the pathway by which the ads communicate with users.

You're aware that people view websites through browsers which don't run Google's safe browsing software, right? How is leaving them to get tricked into downloading malware (served via Google) "more sensible"?
You're not "leaving them"; making the ROI for an ad 30% lower (given a 30% Chrome install-base) is usually enough to make the advertiser give up on that ad, because they could instead be running an ad that converts ~90% as well and not losing 30% of their impressions in the process.

Now, the advertisers who only run these mal-ads will stick around and continue running them. They're also the ones who would fight tooth-and-nail to make their mal-ads more clever, instead of giving up and switching to regular ads; so they're exactly the ones Google will have a hard time discouraging at the ad-network level.

My hope for those is that other browsers simply copy Google's strategy here. If Chrome, Firefox, and IE all do this, there's pretty much no point in running these ads any more.

It'll be interesting to see if they block people from visiting sites that use doubleclick for ads, or if this is just an excuse for blocking sites that use competing ad providers.
Admob too serves similar Ads: "Your phone is infected, click here to install Clean Master..."
I wonder if those ads that push you to install certain product with half-truths and lies are considered deceptive as well. You know, "Install Chrome for better experience".
Interesting that when I read "these buttons", I thought " which buttons?" because my brain's spam filter initially made them invisible to me!
This is really important. One step closer to killing ad tech companies who only make money off my grandma and little brother.
You mean Google? I see a tonne of deceptive advertising propagated by Google's ad network.
No. I mean the companies whose sole business is to get you to download bundled malware, change your search engine, push ads to every site you browse using extensions etc.

Source: I've worked at one of those.

Surely the companies that advertise via Google to try and deceive you to into clicking their download button or whatever fit the bill? And surely Google, by actively enabling them, is also part of the process. As stated elsewhere on this thread, if they can detect deceptive sites, they can detect deceptive adverts.
So they implement detection, and remove these ads. The scummy advertisers then permutate their ads until they get past the detection and the game continues.

We're getting pretty good at image classification, but I don't think that extends to maliciously crafted inputs.

That or they manually verify each ad submission. If that violates their business model of high-volume low-value automated processes (and it obviously does) then you have to take account of that when decide how you view company. Automation and the inability to verify at the scale that they operate doesn't somehow absolve them.
Yeah, basically Google is looking for any way to avoid actually reviewing the ads they broadcast. Probably because advertising becomes drastically less profitable for them if they do. I feel when this sort of conflict of interest is occurring, where it's profitable for Google to continue shipping malware to users, they should be held legally accountable for their failure to police what they distribute.
This is a joke right ? We run Adsense display ads on our site and have to spend significant time every day reviewing and blocking new ads which try to use these deceptive practices.

Since Google clearly has the tech to detect this they should be implementing it at source on the advertisers (malvertisers). Instead they are pushing this down to the publishers and hitting them with penalties.

It's a clever ploy in some ways - Google gets the revenue from the ads and also the kudos from Joe Public for "being on the side of the consumer".

Google doesn't charge for ads, it charges for impressions. If you user doesn't seem it, google doesn't get paid.

It also seems like a very different tech than trying to determine what an ad script will actually show a user. So it's not easy as if they can do A they can do B. Still doesn't excuse the fact that they should be doing their best to block those kind of ads in their ad network.

FWIW, "impression" means "request". Who knows what the user saw.

Google AdSense is pay-per-click (or some algorithm, based on clicks against and the subject matter's value). In the context of adware rubbish, we are probably talking about AdSense. So no, Google doesn't pay per impression.

DoubleClick (part of Google for some time) may still offer an impression-based product. My experience of them a few years ago was that they'd negotiate on anything if you have enough traffic to make it worth their time.

Are you talking about google paying the website for each click/impression or are you talking about advertisers paying google for each click/impression. Both are termed under impressions (CPM or PPM). And in both cases google loses money in rolling out this feature.
I would expect an ad blocker to block stuff like this.
I would not expect Google to recommend using an ad blocker. They still want you to be able to see the 'good' ads.
They also recommend not do any evil if you do not want it to be posted publicly on the internet (E. Schmidt in particular).
It's a big company, I can imagine the browser guys wanting this but the ad guys saying they "can't" do this and there being a mini-war.

You get the sense that sort of thing happens all the time at microsoft for example, before Ballmer left it felt like the ASP.Net team were pulling in one direction, the Visual Studio team another and the IIS team had gone rabid and were just trying to bite everyone.

It happens when different products have different priorities.

It also happens when one department is perceived as an "expense" like IT or R&D, and starts pushing against "revenue-generating" departments like sales.

Of course, all components of a properly-functioning organization are revenue-generating. An idealized business in some respects would be people giving you money with no money being spent. Everyone knows that's not how the world works, but it's awfully hard to justify on a quarterly statement.

At Google, many departments aren't directly revenue-generating. Sure, Chrome and Android help people browse the Internet, where they view ads, but that's quite removed from actually selling the product, and those are very large projects. Search, maps, and gmail can show ads internally to generate revenue, but that's still a layer removed. Perhaps Google Apps and Drive are loss leaders, and maybe Fiber will make money eventually, but Glass? Calico? Driverless cars? Loon? Seriously, where does the money for these projects come from? I suppose you can answer "AdSense and AdWords", but why do those businesses give them money? And the harder question is how do they generate political and cultural capital to maintain these expenses?

At most of the companies I have been involved with, these projects would have been cut, outsourced, or consumed by the AdWords and AdSense teams. But there's little question that the world is better and the Internet is used more because of projects like Search, Gmail, Android, and Chrome.

How does Google generate this culture? How can other companies replicate this process?

Didn't Oracle reveal recently (maybe I'm totally misremembering this) that Google receives a shitload of revenue via Android?
Yes. To date, Android has generated $31 billion in revenue and $22 billion in net profit.

http://www.bloomberg.com/news/articles/2016-01-21/google-s-a...

Counting web ads served to users as revenue generated by the computer's operating system is ludicrous. Oracle is trying to misrepresent the amount of money made so they can sue for damages. The numbers are BS.
> Counting web ads served to users as revenue generated by the computer's operating system is ludicrous.

Why? Isn't that precisely why Google invested so much in Android?

These are very good questions. I have wondered the same for a long time. Can anybody shed some light on this?
There are a lot of pieces to that puzzle. One of them is a stock program that basically guarantees the investors have a voice, but zero actual steering capacity for the company, coupled with a CEO who wants to take risks, coupled with a company track record of risks paying off in bizarrely outsized ways just often enough to keep investors hungry for the stock in spite of the fact that ownership of the stock grants them no control.

In short, the company's founders have the ability to steer where the company's money goes, nobody has the authority to tell them otherwise, and so far benevolent dictatorship is working. To give a concrete contrasting example, Apple ousted Steve Jobs when his leadership became fiscally risky; because of Alphabet's stock structure, there's no legal way for holders to directly oust Larry Page.

Nope. The ads team at Google has been actively working against these types of ads for years. No one at Google wants to serve bad ads.
Google doesn't control all advertisers. Presumably this applies to sites with non-Google ads too.

Also, if these ads are rejected immediately (or nearly so) by Google, it will provide that much more feedback that malicious advertisers can use to "improve" their ads that much more quickly.

Those download buttons look always the same. Oh wait, they changed their color. After years of blue buttons they are now green. So Goolge can detect your face in a crowd on a photo, but can not detect a download button on small ad?
Firstly, this will work on ad networks other than Google, so it''s more broad reaching than anything they could do just within AdSense. This is good.

Secondly, and arguably more importantly, the way to stop these adverts is for them to cost the advertiser (in either money or time) without giving them the reward of revenue. If the ads stop working then people won't have a reason to make them. By stopping the ads in AdSense rogue advertisers would just change to a different ad network. The problem wouldn't stop.

This is a good move by Google.

> By stopping the ads in AdSense rogue advertisers would just change to a different ad network. The problem wouldn't stop.

It would stop the problem on every Google's partner that decided to trust it by displaying its ads.

This does not make any sense. Advertisers paying per view do not get charged for a view if crome prevents the user from viewing the page.

The good news here is we now have official admission by google that allowing adsense ads without filtering is dangerous. And those of us who do not have sophisticated techniques that can detect deceptive ads have no choice to but to block the entire network serving them, if we want to be secure.

>Advertisers paying per view do not get charged for a view if crome prevents the user from viewing the page.

The cost isn't in money, it's in views. By not letting you click a fake DL button, the malicious ad doesn't lead you to the site it wants you to end up on, which is usually plastered with other ads and sometimes has malware lying around on it. The end result is that the malicious party can't make money off their own site's ads and can't redirect you to download god-knows-what onto your system.

Any blockning of "malverts" should arguably just emulate view so it costs the advertiser even more than the lost view. If Google don't want to do that themselves (which would be understandable) they could likely expose it in APIs so plugins like ad blockers can do it.
Google can't do that. It'd be fraud.
I don't think it would be fraud if they did it to ads from non-Google networks. But yeah, they shouldn't fake views on ads that come from their own networks.
Why not block it at the source instead? Prevent these types of ads from being submitted to AdSense in the first place.
"more broad reaching than anything they could do just within AdSense"

... as long as you don't care about browsers which don't run Google's Safe Browsing service.

You know another way to stop these ads? Make available an advertising network which doesn't serve them. Website owners who don't want to install malware on their users' computers - which is probably most of us - would prefer that network to the others. As-is, with even Google's network serving up malicious ads, the choice for a website that wants to run display ads appears to be either build out a sales team & manage inventory itself, or accept that some percentage of its users will get scammed.

I wonder if Mozila will attempt to create a list of scam advertisements and automatically block those...
Surely it would make the most sense to build it into both AdSense and Chrome. That way Google know they're not running a network facilitating this, and they are also able to block malicious ads from other networks in the browser.
I've actually built an advertising network[1] that is not focused on serving display ads, but linking to content directly in images. Video demo: https://www.youtube.com/watch?v=8GfKBvs53Ss

The thought is that if "advertising" is actually a feature of a website, then it solves the problem of users trying to avoid being shown ads. If you could hover your mouse over an object on any image on the internet and be taken directly to where you can buy that without all the hassle, I'd see that as a big win.

Note: Just onboarded our first customer yesterday. He's using it to promote iPhone cases based on his instagram feed[2]. Hover over the cases on a desktop, and you'll see what the case is. Click on it, and it takes you directly to the product page.

[1] http://pleenq.com

[2] http://www.obeythekorean.net/pages/instagram-feed

That's pretty good. The issue I have with it is that without this prior knowledge, I can't tell what will happen when I click - the URL isn't informative, and there's no alt-text.
What would you like to see it do? I've been thinking of tons of different ways of displaying that to a user, but I figured I'd just put it out there and see what people suggested.
This is the first ad platform I've seen that is innovative in a good way, instead of the usual remarketing/tracking/native/data whatever bullshit. Seriously, awesome idea and execution. Have you gotten any press for this?
In my experience as a consumer, project wonderful ad system thingy ads seem to be unobjectionable.

They are paid per length of time, not by click or view, and they are determined by a continuous auction.

It's a necessary but not sufficient step. They should also block all such ads within AdSense.
> By stopping the ads in AdSense rogue advertisers would just change to a different ad network

The sites that "everyday folk" browse are much more likely to be running ads from the AdSense network. Forcing the rogue advertisers to place ads on a smaller network serves to cost them (money or time) without the reward of the revenue they'd otherwise get from AdSense-enabled drive-bys.

It's a good move, but it seems unlikely that they going to block a site that's only using AdSense to serve up deceptive ads. Where is the announcement that adsense/adwords will detect those ads as well?
Spot On.

I run an online media streaming site for public safety communications, and we've noticed that Adsense advertisers often use these exact social engineering techniques to display download/play links that end up having customers install crappy spyware infested "media players" and other software.

My jaw dropped when I saw this blog post.

I'm semi-serious here, but if you noticed that you are serving ads that are harming your users, why would you continue to use ad-sense? Why not switch to a different ad network and let Google know why you switched?
Based on other comments in this thread: does such an ad network exist?

If all your options are terrible, you might as well use the terrible option with the largest ROI, right?

> might as well use the terrible option with the highest ROI, right?

No, thanks. Does The Deck serve spammy, malicious ads? I know they're tightly targeted at the techy/designy crowd, but they're also a great example of high ROI ads that aren't terrible.

You can't just use The Deck, you have to be invited.
Valid point. But I still reject the notion of "that sucks but might as well get mine". Sounds like there's a lot of space for ad networks that don't suck. Or monetization models that don't rely on spammy, useless ads.
> Or monetization models that don't rely on spammy, useless ads.

I'm struggling to find one, any idea?

Build something so good, people will pay for it? It seems to work for companies like Netflix and Toyota.
But not companies like Google, or Facebook, or Twitter...
Nobody suggested there's one solution for everybody. I was just responding to the comment that advertising is the only monetization strategy and that's ridiculous.
> If all your options are terrible, you might as well use the terrible option with the largest ROI, right?

One of the options is "stop running ads". Why is a "site for public safety communications" running ads at all?

Public safety announcement: block all ads to make your browsing much safer. Use Adblock Plus (with so-called "acceptable ads" turned off) or uBlock Origin.

He's not running a public safety institution, he runs a site that has live audio streams from police / emergency scanners.

(incidentally, Lindsay, I've used http://www.radioreference.com to learn a great deal about Software Defined Radio, and I occasionally listen to various Illinois streams on http://www.broadcastify.com - thanks for running these sites!)

> He's not running a public safety institution, he runs a site that has live audio streams from police / emergency scanners.

Thanks for the clarification; that makes more sense.

I'd still echo the comments from elsewhere in the thread about not doing business with a vendor with shady practices just because other vendors do no better.

I don't think I'd be comfortable doing that.
> We run Adsense display ads on our site and have to spend significant time every day reviewing and blocking new ads which try to use these deceptive practices.

This may be a very stupid question, but are there no ad networks that are more trustworthy?

You could look at something like Project Wonderful, but I think they're a little more geared towards small-scale niche advertising (gaming, comics, blogs).

Actually, never mind. I just looked and their top 5 sites are all well under 1,000,000 page views - and 4 of the 5 are webcomics plus Omegle which I think is one of those random chat sites that popped up a few years ago.

tl;dr no. AdSense sucks, but all other networks are actually worse. (There are tiny ad networks that are actually trustworthy, e.g. Project Wonderful, but they won't make you a living.)
I agree, I have a personal blog and wanted to experiment with ads, so I put AdSense up there. I reported the "Download" ones but just kept getting more, so i finally removed the ads.
Exactly this. Ads served through Adsense are flooded with these. We have spent countless hours trying to block all of them but they just pop up again under a different domain. So is Google going to punish publishers who are using Adsense if these ads come through Adsense?
I could only wish that Google will punish their own sites the same too. There are countless ads on YouTube claiming to provide free Minecraft downloads, commonly shown to very young viewers of YouTube. You might even be able to see these right now by turning on Private Browsing and disabling your ad-blocker.
Yep! This is a big issue on pretty much most Minecraft specific content sites & videos. I think these spammers specifically target Minecraft keywords and Minecraft sites through Adwords display ads knowing that kids will click the ads. If your site has Minecraft content and is serving Adsense within that content, you are almost certain to have these types of ads display. Not the fault of the actual content site but an issue with the spammers targeting through Adwords.

It is really common actually on most game content or videos that are geared towards the youth. These Adwords spammers target this category specifically.

Most websites seem not to care about the content they deliver to their visitors. When I visit xyz.com, it is xyz.com's job to ensure that it doesn't deliver to me malicious content. I have zero sympathy for xyz.com telling me that it's not their problem, they serve 3rd party ads and if these ads are malicious it's the fault of these advertisers not their.
Sure, this is fine, but Google seems to plan to block sites which show malicious ads served by Google's AdSense. That's idiotic.

This is the second case in a month of Google punishing web publishers for using Google products. (The previous case was Google punishing non-https search results, when in fact many of Google's own web publishing tools don't support https.)

And I'm willing to bet Google will make a special exception for itself. I actually posted a screenshot on my G+ page yesterday of the most recent fake download button I saw online... On a YouTube banner ad, served by Google AdSense.
Do they have a history of making exceptions for themselves? If not, then you winning this bet will be quite a big deal - it'll show them as anti-competitive. They'd be forcing customers to use their AdSense product instead of just-as-good competitors.

Maybe they'll just give this "malvertising" detection software to AdSense who can then filter their own content before it hits websites. I'd be more willing to bet this will be the beginning of Adsense cleaning itself up than what you suggest.

Yes. On last week's story, a commenter mentioned how they decreed that web pages which showed a full-page ad on landing would be penalized in search, yet they themselves continued to show a full-page ad in mobile GMail for the GMail app, and it remained the first hit for "e-mail".
(comment deleted)
Says someone who has never managed webs on a website.
Well, it's a way for Google to throw their weight around to multiple effects.

First, it's positively perceived and accepted by end users, which is good for Google and end-users.

Second, it punishes ad networks that don't spend the time to vet what types of adds are allowed. As an end-user, I'm in favor of this.

Third, it boosts ad networks that do spend time vetting ads to prevent malicious ones. Presumably Google, and other networks, that spend time and resources doing this will see a return on that effort. This is good for responsible ad networks, and as an end-user, I'm in favor of this idea to the extent that it should hopefully reduce these malicious ads overall.

It's easy to see this as a way for Google to boost their own ad network, but I think that's too cynical of a take. They aren't boosting themselves specifically, they are punishing bad-actors and boosting good actors overall.

(comment deleted)
>>Second, it punishes ad networks that don't spend the time to vet what types of adds are allowed. As an end-user, I'm in favor of this.

It punishes the sites using those ad networks directly, the networks themselves are indirectly punished.

Well, it punished them both. An ad network that can't display it's ads in places it could before is a form of direct punishment. Forcing sites for choosing ad networks that don't vet their ads well is an additional indirect punishment as well, as it may encourage those sites to choose a more discerning ad network.

On one hand it's unfortunate that the site is being punished, on the other hand maybe they deserve some responsibility for not being more selective. I'm not sure.

I used to have a Firefox add-on which rated the sites linked to in Google ads.[1] I could have deleted the ads, but didn't. Should I bring that back?

It was amusing to run that. Ad quality was much better on some sites than others. Ads on Business Week pages were generally legitimate. Ads on entertainment sites were awful.

Totally deleting ads seems to have won out over merely thinning them out.

[1] https://addons.mozilla.org/en-US/firefox/addon/adrater/

No, it's not a "ploy", it's the only realistic action google could take. It would be a huge business mistake to ban malvertisers from adsense, because those would move to other networks, which would then in turn be preferred by publishers because that's where the money moves. Adsense would lose, and the consumer wouldn't have won anything.

The publishers aren't innocent at all. They decide to place ads right above, below, and all around the real download button. Because they know that a good percentage of their consumers will be tricked, and so they get payed.

I too have seriously struggled with this. I recently discovered that you can ban this entire category of ads (mostly). Go to "Allow & block ads", then "sensitive categories" and select "Ringtones & Downloadables." This will remove most of these types of ads.
You'd think that Google could use a Bayesian classifier to detect malicious AdSense display ads at setup time. Add an appeal process to take care of ongoing training.

This would negatively affect Google's revenue... which is probably why they haven't done so.

(comment deleted)
Fits with Google: free consumer services (paid for by advertisers); and Google gets the highest price possible by letting advertisers fight it out in real time (the other advertisers are the bad guys... but Google gets the money).
"It's a clever ploy..."

Not really all that clever. Same old story. They take users for fools. Maybe users will stay dumb re: ads, but then maybe not. It's amusing to watch the companies that must jam the ads into your pages to make money claiming they can "make the internet faster" (a previous ploy) or "safer" for users. These companies are part of the problem, not the solution. Unless they find a new "business model". But why bother when this one - being a middleman to people's use of the internet, selling ads and jamming them into every page they can - works so well?

Sourceforge, download.cnet.com and friends won't like this... also many of the streaming/OCH sites will be affected.
Imagine the fit the various torrent sites will throw about it.
"You may have encountered social engineering in a deceptive download button, or an image ad that falsely claims your system is out of date."

Weeeellll...I see 99% of these in Android in-app ads. So - a) this should be the end of it, or b) someone is being a bit hypocritical here. I sure hope for the former.

I will take programs like this seriously when Google stops bundling Chrome installer with unrelated software like Adobe Flash.
Adobe Flash is a browser plugin. Chrome is a browser. How are they unrelated?
If you install Adobe Flash plugin for a different browser, Chrome gets bundled with it. Even if you don't want Chrome.
(comment deleted)
Chrome doesn't use/work with the Flash browser plugin.
Flash is unrelated to a web browser? I mean I hate flash as much as the next guy... but how can Flash not be related to a browser?
You want to install Flash for Firefox, it will install Chrome by default.
I did not install flash in FF, and I do not miss a thing. Sometimes there is this warning that not all content could be displayed, but I would not have a clue what functionality is missing.
Chrome has Flash built-in. Shipping Chrome with Flash is inane, because if you install Chrome, you don't need Flash. o_o
(comment deleted)
This is really awesome. I was so excited I actually clicked the fake download buttons to try to install it. So when does this role out?
I'm so glad that I'm not the only one! haha
Google should detect and block the buttons, not display full-screen warnings.

What next? "This site contains controversial views"? Or "Politically incorrect website ahead"?

Google can't block elements on sites it does not control.

Warning users of phishing and warning users of speech that it finds objectionable are 2 different things entirely.

A deceptive button does not equal phishing. It just might (and most often does) open a non-malicious popup with some ad. (non-malicious in a sense it won't install ransomware to your PC)

And of course Google can easily integrate it's own ad blocker in Chrome if it chooses so.

It can in the browser they control...
They've already said they'll start shaming non-https sites.
I hope they'll include a "Stop the nanny" flag in chrome://flags as well.

I mean you can't even change the new tab page to a custom .html, without Chrome nagging you at every launch if the settings are correct. If you make a manifest.json and load as an unpacked extension, it will moan about that.

FFS, I know what you're trying to do with Joe/Jane Noob, but at least give me something to skip that if I know what I'm doing.

[edit] This wouldn't be even needed if new tab page was customizable. Now it it's just a Google billboard.

The hard part here is that, wherever you'd decide to persist a "don't bug me any more about this" flag, malware could also potentially write that same flag to that same place. For example, Windows UAC is frequently set to the "don't bug me about this, just auto-elevate" setting by malware.
> The hard part here is that, wherever you'd decide to persist a "don't bug me any more about this" flag,

Build a new binary - offer users to install a "developer" build of Chrome which is exactly the same as the mainstream "release" build, except it allows disabling the protections.

You don't actually have to go that far; there are plenty of Chrome settings controlled by command-line options, and that's usually safe enough—it's actually really hard for malware to "sneak in" command-line options (if the user is a regular user, while the the Chrome shortcuts in the Start Menu et al were installed under elevation, which is the usual case.) There's a command-line option to Chrome that entirely disables the sandboxing protections, for instance.

My distinction was just that there's absolutely no way to have a UI-based mechanism for disabling nags, since behind any UI is a persisted flag. If you're up for editing your shortcuts to add command-line options, that's fine.

Adding a command line option that allows disabling the nags via a UI would be solution.
> (if the user is a regular user, while the the Chrome shortcuts in the Start Menu et al were installed under elevation, which is the usual case.)

Nope. Windows allows deletion of "protected" shortcuts e.g. from your desktop and launch bar.

You mean shortcuts placed in the All Users Desktop/QuickLaunch/StartMenu folders? (I'm guessing it's just "hiding" them with a Desktop.ini entry, rather than truly deleting them?)

That's probably fine, actually, as long as the user (i.e. malware) isn't allowed to create their own shortcuts to replace the deleted ones. I assume there's a GPO to disable the per-user Desktop/QuickLaunch/StartMenu folders, so that only the results from the All Users ones show up?

So you're saying we should just obey Big Brother Google and not try to do anything it doesn't approve of?

As the old saying goes, "Those who give up freedom for security deserve neither."

At least theoretically, it should be possible to build Chromium with such customizations; you'll lose the benefits of the Google walled garden, but you'll gain a bit of user freedom as well (probably won't be point-and-click, alas).
Sadly Chrome sync is one of the major thing that keeps me on Chrome, it just works and syncs everything.
I wonder if it would be possible to build an open-source Chromium sync plugin? (Self-hosted, ideally). Is anyone already working on this?
Chromium syncs with your Google account, but in my experience is a bit buggier, at least on Linux.
I know these fake ads all suck and everyone hates them but somehow getting rid of them feels like cutting off a little piece of what makes the web the web.

I kinda like this darker, more free-for-all, wild wild west side of the Internet.

Me too man, I remember the internet back then where everything was unique and not a cookie-cutter bootstrap boilterplate. Want a nostalgia trip? Download Opera (one of the early versions) - it'll pluck at your heart strings and make you yearn for times when you had more personal responsibility and Google wasn't there to infect everything with it's nanny browser. Hell, even Firefox the last bastion of Freedom on the web, is following Chrome.
Mostly because there's more benefit to be gained in making the web usable by non-experts than in preserving the current status quo.

There's a reason the Wild West didn't stay wild.

This. More specifically, the Wild West got wild for a few years - during a massive population influx - while the entire system was unstable (which also means interesting, in most senses of the word). The metaphor leaks, but is close enough.
I agree, but it still sucks that it seems you're being sold something at every turn. Websites are no longer there, just to be there. It's always about the upsell or agenda.
That's one reason why I'm a little annoyed personal websites went mostly the way of the Dodo and you can only expect friends to check things out if you give them direct links to some trusted site from a site they use all the time, like a link to a Youtube video from Facebook, or your Medium or Tumblr entry from Twitter.

I still like designing personal websites, but it seems like a waste of time now.

As I write this, the ranking of the comments here is... strange. Those who see this as being yet another way of Google using their power to manipulate what people see on the Internet are being heavily downvoted, while those agreeing with the practice are not? That doesn't feel like HN to me.

I'm in the former group. This mollycoddling is just going to lead to more users who can't decide for themselves whether something is suspicious or not and are thus easier to deceive, which might be exactly what Google wants, but I certainly do not think it is good for the Web as a whole (or even society in general.) Being able to make these sorts of decisions of trust is an important part of growing up in general, and I'd even say "finding the right download button" could be considered a sort of right of passage to being an effective user of the Web, and not just a consumer.

You can't seriously be saying that people potentially running into malware because they couldn't figure out with download button was the real one is reasonable?
You can't seriously be saying that not being able to figure out which download button is the right one is reasonable? With experience, it's extremely easy to find the real one.

- It's usually smaller and less prominent than the fake ones.

- Mousing over it doesn't show a huge long URL to some external domain that sounds ad-like.

Using adblock probably gets rid of a lot of the fake ones too, but the general principle here is if it looks too good/easy to be true, it probably is. The buttons that seem really enticing are the ones you don't want to click, and it's that odd, not-very-attractive one that you want.

As an experienced user, when I'm looking for some semi-obscure Windows program, I still do have problems distinguishing legit download links from this. Perhaps I'm too used to the radical method "just select what you want from the repository, and it will be installed automagically;" in other words, one of the issues here is nonexistent install management in Windows (party like it's 1998!), forcing users to run this gauntlet (MSI? Puh-leeze).
Hovering the link to check the URL is a good old trick. Well until browsers start to hide that as well.
(comment deleted)
The first thing they should do is harshly penalize websites with a lot of ads in their search results.
This blog post is not talking about those Adsense Download buttons, is it?
Awe man guess I can't use chrome to browse The Pirate Bay anymore...
> Awe man guess I can't use chrome to browse The Pirate Bay anymore...

More likely, TPB stops running these particular shady ads, because chrome is such a popular browser.

It's a laudable initiative to protect average Joe from himself, but I don't feel like Google (or any other company) deciding for me what is dangerous. They should at least provide this feature as an opt-out option. Still, better option would be to educate more people of ad and script blockers.
So safe browsing is now blocking pages where the adverts are "often not distinguishable from the rest of the page"?

IMO that covers all of Google's search result pages. Most users don't seem to realise that the top results are paid advertising...

Came here to say this. Most of their above-the-fold "results" are either ads or SEO-ed junk probably full of Google ads.

More broadly, pretending to protect against social engineering is a joke. They won't catch anything other than the most obvious stuff, and they will also block some stuff that many people won't want blocked. Does this feature block Java downloads containing the Ask toolbar? Should it?

Here's a google SERP for "insurance": http://imgur.com/VUqwyPq

Are you saying the bright "ad" lozenge next to the paid results isn't explicit enough?

And anyways, users don't go out of their way to avoid clicking on ads unless the ads are utter crap. Google's whole business is to make the ads relevant to the search and the user, so who's to say the ad isn't actually a relevant result?

>the bright "ad" lozenge next to the paid results isn't explicit enough

Yes, it is not explicit enough. The tiny yellow box is just a noise present on every search page. As any noise it will be ignored. Especially when everything else in these ads tries to look exactly as a valid search result.

So what should Google do then? If a "tiny yellow box" is just noise, isn't a larger yellow box just more noise?
Google has more options than just the size of the box: for one thing they could make the box surround the ad (that is a common UX design to show related elements) and put the word "ad" around the entire border or the box, like police tape. That would make it a lot clearer that it was an ad.
Go back to a different background for ads, for instance.
Or simply put ads only in the right-hand column that is now entirely populated by ads. "Do you want the results our software comes up with? Then read left. Or do you want the results people pay us to show you? Then read right." This would be an honest business model, and if advertisers had to provide more value to searchers than Google's algorithm with their keyword bids, they might actually do something smart and useful.
No, it's not good enough. It's a bizarre colour that is too similar to the white that they use to write 'Ad' in it. A website with white-on-yellow text would be painful to read.

Also, they don't even bother putting it next to each ad. On the right hand side, there's just one 'Ads' at the top and then everything underneath is an unlabelled paid ad. Why?

Google ads started out quite distinct, but they have gradually made them blend in. They used to have a stand-out background colour, then they had a very pale background, and now there is no obvious 'advert box' at all. Google know that many people are misled into clicking on the adverts, but they don't care because of the $$

The lozenge is not enough. I had a user last week who googled "<ispname> email" wanting to get to her email. Instead of clicking the official link a few results down she clicked on of the ad links at the top. This took her to a page which started beeping, playing a virus alert message, and creating JS popups telling her that her computer was infected and she needed to call the phone number on the screen.
When there isn't a single result on that whole screenshot that isn't an ad? No that's not enough!
It's absolutely not enough. After watching tons of seniors use computers (and having to degunk them), it seems Google's ads in search are the primary malware distribution method on the Internet. Phishing sites are always atop searches for banks, malware links are always atop searches for drivers and software, and normal users see that top ad as the 'first result'.

Users placed their trust in Google, and Google betrayed them.

Somewhat off topic... but also, it states 1,010,000,000 results on the first page of this query but if I go to the last page, it comes down to 412 results... I can't believe that there is only 412 insurance related pages on the whole Internet... https://www.google.com/search?q=insurance&num=100&safe=off&s...
I think there's some weird pagination happening in your URL. If I take the "num=100&safe=off&start=400" off, it works as expected.
It works as expected according to them if they don't expect you to look at all the results, I guess.

Please tell me what link you have at result #500, because I can't see it even if I remove the URL parameters and use the standard 10 results per page...

That gets me "Portal: Health insurance - University of Bern", on page 52. The url looks like:

https://www.google.com/search?q=insurance&biw=1440&bih=830&e...

I cannot go past page 53 when using the URL that you are referring to (they added some results that can be seen, it currently is 532 but it changes pretty often).

But the behavior changed since yesterday... yesterday it would have said "Page 53 of 532 results" and now it says "Page 53 of about 1,010,000,000 results" but most of them still can't be seen...

There's an unexpectedly large number of commenters who seem to think that this falls under free speech. Do I need to explain that the crap these ads usually download when clicked is responsible for a ton of support calls, many of which go to innocent kids on weekends just trying to unwind from school? :)

I'm kidding of course but seriously comparing blocking these buttons and deceptive elements is not censorship, it's Google saying to these publishers that if they don't get their shit together, that they will dissuade traffic from visiting their sites. The only way to get the attention of bigger publishing companies is to grab them by the revenue stream, you all know this.

Does that mean they're taking down SourceForge?
It just got sold to BIZX, which I think promised to stop some of the practices.
Also, ideally Google should implement this within their search algorithm itself, by punishing the sites which indulge in such practices by pushing their search results much further away.
(comment deleted)
First of all, it's only through their browser. There are alternative browsers you can use. And they already filter search results, quite extensively.
"Pretend to act, or look and feel, like a trusted entity — like your own device or browser, or the website itself."

This is a broad statement. Taken at face value, this covers all native advertising - with articles/images/videos/thumbnails/etc intended to fit in with the content of the site/app.

If we can get rid of native advertising too, I'm all for it. Native advertising is a special kind of evil.
Too late google. I already intsalled ad blocker on every computer in the house years ago because my parents would accidentally click "play" or "download" in deceptive ads.