Even the NSA Agrees: Targeted Ads Are Terrifying

Even the NSA Agrees: Targeted Ads Are Terrifying
Photo: Samuel Corum, Getty Images

Ad blockers. Maybe you love them, maybe you don’t think about them at all, but chances are, you know someone that’s using them. And it turns out a growing number of those people are in the federal ranks.

Motherboard was first to report on a new letter Oregon Sen. Ron Wyden sent to the Office of Management and Budget (OMB) on Wednesday that describes some of the federal agencies deploying ad-blocking tech alongside a pretty reasonable request for those agencies not currently on board: Use a damn ad blocker. Please.

“I have pushed successive administrations to respond more appropriately to surveillance threats, including from foreign governments and criminals exploiting online advertising to hack federal systems,” Wyden wrote the letter. And indeed, thanks to massive scandals like Cambridge Analytica and the smaller privacy scandals that just keep on coming in its wake, it looks like some agencies finally agree that targeted ads are terrifying. In 2018, the National Security Agency (NSA) issued public guidance urging its ranks to block “unnecessary advertising web content.” In January of this year, the Cybersecurity and Infrastructure Security Agency (CISA) put out similar guidance for all federal agencies, urging officials to use ad blockers to protect against malware-laden ads, in particular.

“Adversaries can use carefully crafted and tailored malicious ads as part of a targeted campaign against a specific victim, not just as broad-spectrum attacks,” CISA’s guide reads.

This letter might be new, but the threat certainly isn’t. We’ve seen malvertising campaigns target military bases in 2014, swing-state voters in 2018, and, well, a bunch of the rest of us since then. When ads start to creep into every digital avenue where we spend time online, it’s only natural that ads housing malicious software or other shady stuff will also be on the rise, too.

As Wyden’s letter lays out, this includes “seemingly innocuous online advertisements” that carry software designed to “steal, modify or wipe sensitive government data, or record conversations by remotely enabling a computer’s built-in microphone.”

And then there’s the many, many other privacy issues. Every ad loaded into a browser means more data going back to the companies on the other side, even if that ad is for something ridiculous that you’d never click on in a billion years. There are no hard and fast rules for what’s being sent in the so-called “bidstream” on the other side of that ad, but it generally includes details like your location, IP address, and device type. Ad blockers are far from perfect, and can collect that kind of data on you, too — but at least you know what company is on the other side. The digital ad ecosystem is an opaque and under-regulated mess, which makes it hard to pin down some shady ad company that’s squirrelling away your data. When an ad blocking company does the same (or worse), at least you have a company to be mad at, and a browser extension you can delete.

It’s likely that the NSA’s known all of this, and known it for a while, which is why they were first to hop onto the ad-blocking train. After all, this is the same agency that brought us Edward Snowden, and Snowden’s revelations about the NSA’s entire phone-tracking empire. In the years since, that empire’s continued to grow, even after the passage of the 2015 Freedom Act that gutted the way federal agencies tap into telecom data. But that law applied to telcos, not marketing firms or adtech companies that mine the same data by design — and which made a business out of selling data to federal agencies in the years since Snowden’s revelations, and that business appears to be going gangbusters. Hell, Wyden asked the NSA about this specific loophole less than a year ago, and they responded by… well, not responding.

Will adblockers hamper any of this? Who knows! What we do know is tech privacy legislation in the U.S. is becoming an increasingly fractured, ineffective mess — and the longer we’re stuck with that bleeding wound in tech policy, the more a browser extension feels like a pretty wimpy bandaid.