Plausible Deniability and Gaslighting in Fighting Ad Blockers
Google is planning changes in Chrome impacting ad blocker extensions and people are wondering whether those changes are motivated by self-interest or whether there are plausible, benign explanations. In this post I’ll attempt to summarize the background and lay out arguments for what I think is happening.
What is changing
Setting out the technical details of these Chrome changes is fairly relevant, but if you’re not interested in the details feel free to skip this section. The main takeaway is: Google is limiting ad blocker capabilities.
As part of a wider revamp of Chrome extensions, called Manifest v3, Google is planning to change an important API extensions are relying on. That API is called webRequest and it allows extensions to evaluate web requests made by Chrome by running extension code to implement various pieces of functionality, such as blocking certain requests, redirecting them or simply monitoring that they occur. In Chrome, this API is blocking (Firefox has an async implementation). The Manifest v3 change, as it stands now, deprecates the blocking capabilities of the webRequest API, turning it into monitoring-only. The stated reasons for the Manifest v3 changes are to improve security, privacy and performance. The change to webRequest by itself would completely break ad blockers, privacy-focused extensions and so on, so Google is adding a new API, called declarativeNetRequest.
The new declarativeNetRequest API, as its name implies, is a declarative API. With this new API, extensions do not make blocking decisions on-the-fly anymore: the algorithm for making the blocking decision moves from extensions to Chrome itself and extensions have to provide a list of things to block at extension installation time. In other words, extensions now have to bundle blocklists with the extension itself and any update of those blocklists requires a new extension version. The API also doesn’t allow for user customization in picking and choosing filter lists. There are also new limits on the number of blocking rules extensions can make: 30,000. Popular ad blocking extensions have many times as many filter rules. (There is a possibility in more recent proposals for Manifest v3 for dynamically added blocking rules, but the limit on those makes it unusable: as it stands now only 5,000 rules would be allowed.)
Taken together, these changes have the effect of limiting ad blockers and making their development harder.
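An added illustration, not code from this post or from Chrome: a simplified JavaScript model contrasting a webRequest-style per-request callback with a packaged declarative ruleset under the limits quoted above. The rule fields, hostnames and function names are constructed for the example.

```javascript
// Simplified model of the two designs; not Chrome's implementation.
// Rule fields (id, action, hostSuffix) are illustrative assumptions, and the
// limits are the figures quoted in the post.
const STATIC_RULE_LIMIT = 30000;
const DYNAMIC_RULE_LIMIT = 5000;

// Constructed filter list: made-up hosts under the reserved .example TLD.
function buildFilterList(n) {
  return Array.from({ length: n }, (_, i) => `ads${i}.tracker.example`);
}

// Imperative (webRequest-style): extension code sees each request and decides.
// Its state can change at any time, e.g. when the user edits their lists.
function makeImperativeBlocker(state) {
  return function onBeforeRequest(details) {
    const host = new URL(details.url).hostname;
    if (state.userAllowlist.has(host)) return { cancel: false };
    return { cancel: state.blockedHosts.has(host) };
  };
}

// Declarative: the extension ships rules; anything over the cap is not loaded.
function packageRuleset(hosts, limit) {
  const rules = hosts.slice(0, limit)
    .map((h, i) => ({ id: i + 1, action: "block", hostSuffix: h }));
  return { rules, dropped: Math.max(0, hosts.length - limit) };
}

// Browser-side matcher: fixed logic, no extension code runs per request.
function matchDeclarative(ruleset, details) {
  const host = new URL(details.url).hostname;
  const hit = ruleset.rules.find(
    r => host === r.hostSuffix || host.endsWith("." + r.hostSuffix));
  return { cancel: Boolean(hit && hit.action === "block") };
}

function compare() {
  const hosts = buildFilterList(75000);
  const state = { blockedHosts: new Set(hosts), userAllowlist: new Set() };
  const imperative = makeImperativeBlocker(state);
  const ruleset = packageRuleset(hosts, STATIC_RULE_LIMIT);
  const inCap = { url: "https://ads10.tracker.example/banner.js" };
  const pastCap = { url: "https://ads40000.tracker.example/banner.js" };
  const result = {
    loaded: ruleset.rules.length,
    dropped: ruleset.dropped,
    dynamicCoversRest: DYNAMIC_RULE_LIMIT >= ruleset.dropped,
    imperativePastCap: imperative(pastCap).cancel,
    declarativePastCap: matchDeclarative(ruleset, pastCap).cancel,
    declarativeInCap: matchDeclarative(ruleset, inCap).cancel,
  };
  // A user allowlist edit applies to the next request in the imperative model;
  // the packaged ruleset stays as shipped until a new extension version.
  state.userAllowlist.add("ads10.tracker.example");
  result.imperativeAfterAllow = imperative(inCap).cancel;
  result.declarativeAfterAllow = matchDeclarative(ruleset, inCap).cancel;
  return result;
}

console.log(compare());
```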
And now, for something completely different:
Financial incentives of a public company
After the technical context I think it makes sense to discuss the financial context as well. Zooming out to the big picture, when the phrase large tech company gets mentioned, I think it’s underappreciated how different the companies that get included in this category are. Some, financially speaking, make their money from manufacturing, some from retail, some from services, and in the case of Facebook or Google: predominantly from advertising. Around 85% of all Google revenues come from its ad business, which has been growing below expectations in recent quarters.
Google as a publicly traded company is required to file periodic reports to the SEC in the US. Those filings are one of the few places in which a company is legally required to be truthful. Quoting from their most recent 10-K filing:
New and existing technologies could affect our ability to customize ads and/or could block ads online, which would harm our business.
Technologies have been developed to make customizable ads more difficult or to block the display of ads altogether and some providers of online services have integrated technologies that could potentially impair the core functionality of third-party digital advertising. Most of our Google revenues are derived from fees paid to us in connection with the display of ads online. As a result, such technologies and tools could adversely affect our operating results.
Every corporation of this size has business planning that includes planning for business risks: quantifying them (the summary of which is described in the quoted SEC filing) and mitigating them. Ad blocking, aimed at the primary source of Google revenues, is such a business risk to be addressed.
As one of the foremost companies in data-gathering and analysis, it’s safe to assume that Google has collected as much data on ad blocking as possible. KPIs on dashboards for ad performance, detailed metrics on who is blocking ads and how. User studies on why people block ads, different user segments, behavioural studies, you name it. Every company with billions of dollars on the line would have done the same.
Mitigating business risk is primarily about strategy: it requires careful analysis, long(er)-term planning and constant reevaluation of assumptions. Google has been a major company for a long time now, and I don’t think measures to protect the company’s main business started recently.
In fact, I think Chrome as a browser was and is primarily intended as risk mitigation for Google’s ad business. Developing a browser is incredibly expensive. It literally costs billions of dollars to do so for any of the major browsers and no company would[1] foot such a bill without a good business reason. Controlling the channel through which ads are displayed and mitigating business risk to Google’s ad revenues is that primary reason.
Internally at Google there is most definitely a strategy for dealing with ad blockers. They have probably decided that banning ad blockers from Chrome outright is not possible, as it would bring antitrust issues and the user outcry would be too large. However, there are ways to limit the damage potential to Google’s bottom line: in other words, by containing ad blocking and by raising barriers to adoption. Google is known to be paying several ad blocker makers hundreds of millions of dollars for Google to be whitelisted (“Acceptable Ads Program” and such). There are dozens of ad blocking extensions and it’s quite difficult for users to guess which are the few (like uBlock Origin) that do not make backroom deals with large ad companies.
Plausible deniability or genuine change?
Given this technical and financial background, the question then becomes: are the upcoming Chrome changes done in good faith or are the public reasons given for them merely plausible deniability, excuses in order to make changes that are in Google’s financial self-interest? How would we go on deciding which version is more likely, anyway?
I think it’s fairly safe to say at this point that Google is institutionally incapable of imagining a world without ads, so they’re not capable of entertaining solutions that would seriously interfere with the ad ecosystem. I think we can treat that as a baseline: any proposal/suggestion to change the web ecosystem that disrupts ads is as if it didn’t exist from Google’s perspective. This sort of institutional attitude, which tolerates ad blockers as long as they don’t threaten Google’s revenues too much, is the best-case baseline scenario to which we should compare other theories for explaining these proposed changes.
In context of the proposed extension changes, the most benign assumption I can come up with is that of distant indifference by Google towards ad blockers: they do not see the value in them, but they are aware that lots of users like them, so some minimal efforts are made to let them exist in some form.
To evaluate then whether Google is acting here in a benign way, I propose four criteria:
- How necessary is the change?
- Has there been a history of too convenient explanations?
- Assuming that change is necessary, what else could have been done?
- What do we know about the decision making process?
Purported security/privacy reasons
It is precisely the value of these extensions that’s important here. Google is allegedly proposing the Manifest v3 changes to extensions for security, privacy and performance reasons. Those should always be subject to cost/benefit analysis. While some users might be using ad blockers to reduce annoyance, the widespread view in the infosec community that ads are a source of security and privacy issues and thus blocking them vastly improves security and privacy, is starting to trickle down into general awareness. Google has one of the best security teams in the world, so I have no doubt that they also know.
It is against this that potential security and privacy issues in extensions have to be compared. (Let me skip the performance topic here for reasons of brevity, with the addendum that uBlock Origin adds ~14 microseconds on average to each request it inspects - not exactly a burning performance problem).
Considering this cost/benefit calculation, it seems to me then that the security, privacy rationale for limiting extensions from continuing to block requests via the webRequest API isn’t that strong, given that lots of extensions do highly useful things with that API.
Has Security been used as an excuse before?
Google always had a reputation for taking security seriously, including not using security as a justification for a change that really was made for business reasons. That is, until last year, when Google made a lot of people uncomfortable (including me) with their unified Chrome and Google Services login change. The official reasoning was security / UX for that change but it was on the borderline of believability, where it felt wrong but Google had some cover in claiming innocence.
To be clear, Google is not yet Facebook (Facebook asked for phone numbers and stated they would use them for security reasons only and then went ahead and used those phone numbers for ad targeting), however what used to be unthinkable - using security as an excuse - isn’t quite so unthinkable anymore.
Paths not taken
Let’s assume for a second that Google’s stated security, privacy and performance rationales are entirely justified.
What could Google do to solve them?
Tackling performance first, Google could have adopted Firefox’s async approach to turn the webRequest API into something that blocks less. Collecting metrics is something Google is fond of doing, so why not collect performance data of extensions and surface that to users? There are fast extensions and slow extensions, so why not help the users to tell which is which and let them make the decision if the tradeoff is worth it for them?
On security and privacy, extensions are operating from a position of trust. For some, that’s required to perform their functionality, for others it’s something they acquire. Why not require clear consent from a user if an extension wants high-level request monitoring/altering capabilities? Deprecating the webRequest API doesn’t do anything for privacy anyway, given that it’ll continue to be available in read-only form. At some point it really comes down to trust and usability, so why not help users make informed choices? Instead of leaning heavily on automated auditing, why not build ways so that extensions can earn reputation?
It has to be said that the declarative API itself would not be a bad idea, if it were voluntary to use, with more advanced decision making logic, and with way higher limits. Why not encourage its adoption by extensions that can use it, instead of mandating it from the get-go?
Looking at other browser vendors, regardless of technical details Google at least could commit to some clear promises, to which then later they could be held accountable. Mozilla for example stated this:
Regardless of what happens with Chrome’s manifest v3 proposals, we want to ensure that ad-blockers and other similarly powerful extensions that contribute to user safety and privacy remain part of Mozilla’s add-ons ecosystem while also making sure that users are not being exposed to extreme risks via malicious use of powerful APIs.
That’s a clear commitment for cost/benefit analysis from Mozilla’s side.
Coincidentally, a new study was just published that deals with web feature deprecations in Chrome. Based on this paper web feature deprecation seems highly metric driven, carefully balanced, rigorous. Where is all that when it comes to extensions?
Decision making
Is the Google Chrome planning and decision making process transparent?
Generally, I find that when people see not just the outcome of a decision, but also how that decision was arrived at and by whom, then people tend to respect that decision more.
Last year when Google introduced the unified Chrome/Google Services login, I attempted to trace how those changes came to be. The code is open source, so transparency is a given, right? It turned out that that feature was under development through multiple iterations for four YEARS, and yes, I could see the commits themselves. Those kept referring to internal roadmaps, to internal milestones, to internal tasks and tickets, to internal decisions. All of those are inaccessible to non-Googlers.
The situation today is roughly the same. There is that design draft for the Manifest v3 changes, but when it comes to data or explanations on the why, Googlers just keep referring to the what and linking to the document, which doesn’t explain on the basis of what data and how the decision was taken to make these changes. I don’t think that’s anywhere near transparent enough for a browser that has a monopoly marketshare.
Talking points
Before you jump to (the) conclusions, I’d like to address the title of this post a bit, specifically the word gaslighting.
Gaslighting: A form of psychological manipulation that seeks to sow seeds of doubt in a targeted individual or in members of a targeted group, making them question their own memory, perception, and sanity. Using persistent denial, misdirection, contradiction, and lying, it attempts to destabilize the victim and delegitimize the victim’s belief.
Over the last few weeks, a bunch of googlers and ex-googlers quite forcefully attempted a defense of the Manifest v3 ad blocking related changes, calling people doubting Google’s motive hysterical, conspiracy theorists and such niceties. I didn’t participate in those discussions so I wasn’t personally affected, but the tone for me felt incredibly close to gaslighting critics to bully them into giving up the subject.
There were a few arguments that were repeated. I’ll call them talking points as I believe the people making them should really know better.
“Apple is doing the same”
It is true that Safari has a similar declarative API as the proposed Chrome one. That’s where the similarities end.
Looking at the context of how the API was created on Apple’s side, it’s clear they primarily had to make it work like this because of iOS. On iOS only Safari’s browser engine is allowed and therefore the ad blockers had to be able to be packaged up as an App Store app, with all the isolation and communication barriers that this entails. As far as I know Apple’s declarative API doesn’t have the same low rules limits as Chrome’s planned one either.
Chrome on Android doesn’t have extensions, so the planned change regarding extensions applies to desktop-class environments. The declarative API doesn’t provide an increase in privacy as the previous webRequest API is still available in read-only form, and the isolation requirements are different.
It has to be said that Safari is way ahead on privacy compared to Chrome. Many features that have to be added by extensions on Chrome are included by default in Safari, reducing the need for powerful extensions.
“Google ads can be trivially blocked even after this change”
Yes, Google’s ads are blocked today by ad blockers that do not whitelist them and they will be the day after those planned Chrome changes are rolled out. However, ad blocking is an arms race. The changes will severely limit the ability of ad blockers to adapt, improve and react.
Six months later, when ad networks decide that they will now put ads on complex URIs that ad blockers can’t block reliably due to the lack of complex blocking logic, or ad networks just decide to use short-lived URIs that the ad blockers can’t keep up with anymore as it takes a week to get a new version of an extension approved, then we’ll have another plausible deniability argument. Did Google really intend to decrease the ad blocker’s efficiency or was it just the usual institutional carelessness?
“Chrome has a built-in adblocker that filters all ads”
This is probably the most dishonest talking point that I’ve heard. Chrome has a filter that filters ads which do not meet something called the Better Ads Standards, so some people made the argument that this means Chrome filters all ads, including Google’s.
This is where I should point out that Facebook and Google have been cannibalizing the advertising market in the last 5-10 years or so (with the exception of Amazon’s late entrance to the party). Getting rid of the most annoying ads helps Google maintain that duopoly by pushing out competitors, and probably reduces ad blocker usage. It doesn’t mean you’ll see fewer ads, especially not fewer ads from Google. It definitely doesn’t mean that Chrome has a general purpose ad blocker.
“Changes are not final/It’s a draft!”
I think having a draft out there and discussion around that is by itself good, certainly much better than to face fait accompli. It’s possible that the planned changes as they affect ad blockers will be substantially changed or even dropped. However, to hear googlers say “it’s a draft” without also committing to at least making it right for ad blockers, it sounds to my ears more like “shhhh, not so loudly!”. When would be the right time to protest changes if not now?
If changes are dropped due to mounting pressure, is that evidence that there was nothing to worry about?
Conclusions
To be able to arrive at a conclusion I’ve provided some technical and financial context, set four criteria to evaluate Google’s stance and discussed some talking points / common claims.
So what do I think? Where do Google’s actions regarding ad blocking fall on the “institutional timidity” to “deliberate strategy” scale?
I think Google has an overwhelming financial interest, I’m not convinced by the purported security/privacy/performance reasons, I think Google is not above using security as an excuse for something they consider important, I think Google could have done a lot of things to solve issues without disadvantaging ad blockers and I do think the decision making process around Chrome is pretty much completely opaque to people outside Google.
Overall, I tend to believe that it’s a deliberate strategy at Google to go beyond containment and increase friction, and limit ad blockers now that Chrome’s market share is pretty high, that people are getting more security and privacy conscious, and Google’s quarterly ad revenue results are slipping.
To be clear, my conclusions are emphatically not “Chrome engineers are out to get ad blockers”. Plausible deniability is useful internally too though, and Google senior management knows how to play politics[2]. It is like the joke that what marketing calls AI is machine learning to developers and applied statistics to those implementing it. It probably doesn’t take much to devote outsize resources to extension security, to grow concerned about all those malicious extensions and demand a solution.
(To put my personal views on the table, I have a complicated view of Google. I’m not too keen on the whole attitude towards data collection, privacy and the ad side of the business. I do think the company has great technical depths and made some amazing contributions. I respect the security side of Google a lot. I’ve evaluated GCP in a professional capacity and found it to be one of the best cloud environments. A long time ago, I’ve even done a GSoC - still have the t-shirt.)
I’d also like to lay out what it would take to change my mind WRT Google and ad blockers, it’s basically two things:
- actual transparency in decision making (~Mozilla-style), data, data, data
- seeing the internal memos from Google (that might surface due to lawsuits) laying out their thinking (something along the lines of Mark Zuckerberg’s unfiltered thoughts on Cambridge Analytica etc)
[1] Microsoft recently shelved their own independent browser codebase, bringing the number of independent browser families down to two: Firefox and Chromium (+1 if you consider Safari a different family at this point).
[2] Google’s management hid and serially misrepresented Project Dragonfly to most employees, presumably for financial reasons and not because of their innate desire for censorship.