Sketchy ads, like those for miracle weight loss pills and suspicious-looking software, sometimes appear on legitimate and well-regarded websites. It turns out that most websites do not actually decide who gets to show ads to their viewers. Instead, most sites outsource this task to a complex network of advertising tech companies that do the work of figuring out which ads are shown to each particular person.

The online ad ecosystem is largely built around “programmatic advertising”, a system for placing advertisements from millions of advertisers on millions of websites. The system uses computers to automate bidding by advertisers on available ad spaces, often with transactions occurring faster than would be possible manually.

Programmatic advertising is a powerful tool that allows advertisers to target and reach people on a huge range of websites. As a doctoral student in computer science, I study how malicious online advertisers take advantage of this system and use online ads to spread scams or malware to millions of people. This means that online advertising companies have a big responsibility to prevent harmful ads from reaching users, but they sometimes fall short.

Programmatic advertising

The modern online advertising marketplace is meant to solve one problem: match the high volume of advertisements with the large number of ad spaces. The websites want to keep their ad spaces full and at the best prices, and the advertisers want to target their ads to relevant sites and users.

Rather than each website and advertiser pairing up to run ads together, advertisers work with demand-side platforms, tech companies that let advertisers buy ads. Websites work with supply-side platforms, tech companies that pay sites to put ads on their pages. These companies handle the details of figuring out which websites and users should be matched with specific ads.

Most of the time, ad tech companies decide which ads to show through a real-time bidding auction. Whenever a person loads a website, and the website has a space for an ad, the website’s supply-side platform will request bids for ads from demand-side platforms through an auction system called an ad exchange.

The demand-side platform will decide which ad in their inventory best targets the particular user, based on any information they have collected about the user’s interests and web history from tracking users’ browsing, and then submit a bid. The winner of this auction gets to place their ad in front of the user. This all happens in an instant.

When you see an ad on a web page, behind the scenes an ad network has just automatically conducted an auction to decide which advertiser won the right to present their ad to you. Photo credit: Eric Zeng, CC BY-ND

Big players in this marketplace include Google, which runs a supply-side platform, demand-side platform and an exchange. These three components make up an ad network. A variety of smaller companies such as Criteo, Pubmatic, Rubicon and AppNexus also operate in the online advertising market.

This system allows an advertiser to run ads to potentially millions of users, across millions of websites, without needing to know the details of how that happens. And it allows websites to solicit ads from countless potential advertisers without needing to contact or reach an agreement with any of them.

Imperfect system

Malicious advertisers, like any other advertiser, can take advantage of the scale and reach of programmatic advertising to send scams and links to malware to potentially millions of users on any website.

There are some checks against bad ads at multiple levels. Ad networks, supply-side platforms and demand-side platforms typically have content policies restricting harmful ads. For example, Google Ads has an extensive content policy that forbids illegal and dangerous products, inappropriate and offensive content, and a long list of deceptive techniques, such as phishing, clickbait, false advertising and doctored imagery.

However, other ad networks have less stringent policies. For example, MGID, a native advertising network my colleagues and I examined for a study and found to run many lower-quality ads, has a much shorter content policy that prohibits illegal, offensive and malicious ads, and a single line about “misleading, inaccurate or deceitful information”.

Native advertising is designed to imitate the look and feel of the website that it appears on, and is typically responsible for the sketchy looking ads at the bottom of news articles. Another native ad network, content.ad, has no content policy on their website at all.

These political ads from the 2020 election are examples of potentially misleading techniques to get you to click on them. The ad on the left uses Trump’s name and a clickbait headline promising money.

The ad in the centre claims to be a thank you card for Dr Fauci, but in reality, it is intended to collect email addresses for political mailing lists. The ad on the right presents itself as an opinion poll but links to a page selling a product. Photo credit: Screenshots by Eric Zeng

Websites can block specific advertisers and categories of ads. For example, a site could block a particular advertiser that has been running scammy ads on their page, or specific ad networks that have been serving low-quality ads.
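The real-time auction and the publisher block lists described above can be combined in one exchange-side check. This is an added example, not code from the original article or from any ad platform. The field names `badv`, `bcat`, `adomain` and `cat` follow the OpenRTB convention; the first-price rule and all domains, prices and category codes are constructed assumptions.

```python
def normalize(domain):
    return domain.strip().lower().rstrip(".")

def domain_blocked(domain, blocked):
    # Match the domain itself or any parent, so shop.x.example hits x.example.
    labels = normalize(domain).split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels) - 1))

def category_blocked(cat, blocked):
    # A blocked parent category (IAB7) also covers its subcategories (IAB7-39).
    return any(cat == b or cat.startswith(b + "-") for b in blocked)

def screen_bid(bid, request):
    """Return a rejection reason, or None if the bid may enter the auction."""
    adomains = bid.get("adomain") or []
    if not adomains:
        return "missing adomain"  # fail closed: an undeclared advertiser cannot be checked
    badv = {normalize(d) for d in request.get("badv", [])}
    for d in adomains:
        if domain_blocked(d, badv):
            return f"blocked advertiser {normalize(d)}"
    for c in bid.get("cat", []):
        if category_blocked(c, request.get("bcat", [])):
            return f"blocked category {c}"
    return None

def run_auction(request, bids):
    """Screen every bid, then pick the highest-priced survivor (assumed first-price)."""
    eligible, rejected = [], {}
    for bid in bids:
        reason = screen_bid(bid, request)
        if reason:
            rejected[bid["id"]] = reason
        else:
            eligible.append(bid)
    return max(eligible, key=lambda b: b["price"], default=None), rejected

# Constructed sample data: one bid request from a publisher and four bids.
REQUEST = {"id": "req-1", "badv": ["miracle-pills.example"], "bcat": ["IAB7"]}
BIDS = [
    {"id": "b1", "price": 4.10, "adomain": ["shop.miracle-pills.example"], "cat": ["IAB13"]},
    {"id": "b2", "price": 3.75, "adomain": ["supplements.example"], "cat": ["IAB7-39"]},
    {"id": "b3", "price": 3.20, "cat": ["IAB19"]},
    {"id": "b4", "price": 1.90, "adomain": ["Bookstore.example"], "cat": ["IAB1"]},
]

if __name__ == "__main__":
    winner, rejected = run_auction(REQUEST, BIDS)
    print("winner:", winner and winner["id"])
    for bid_id, reason in rejected.items():
        print("rejected", bid_id, "-", reason)
```

Both `adomain` and `cat` are declared by the bidder, so a filter like this only catches ads that are labelled honestly; reviewing the creative and its landing page remains a separate control.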

However, these policies are only as good as the enforcement. Ad networks typically use a combination of manual content moderators and automated tools to check that each ad campaign complies with their policies. How effective these are is unclear, but a report by ad quality firm Confiant suggests that between 0.14% and 1.29% of ads served by various supply-side platforms in the third quarter of 2020 were low quality.

Malicious advertisers adapt to countermeasures and figure out ways to evade automated or manual auditing of their ads, or exploit grey areas in content policies. For example, in a study my colleagues and I conducted on deceptive political ads during the 2020 US elections, we found many examples of fake political polls, which purported to be public opinion polls but asked for an email address to vote.

Voting in the poll signed the user up for political email lists. Despite this deception, ads like these may not have violated Google’s content policies for political content, data collection or misrepresentation, or were simply missed in the review process.

Bad by design

Lastly, some examples of “bad” ads are intentionally designed to be misleading and deceptive, by both the website and ad network. Native ads are a prime example. They apparently are effective because native advertising companies claim higher clickthrough rates and revenue for sites. Studies have shown that this is likely because users have difficulty telling the difference between native ads and the website’s content.

These are examples of native ads found on news websites. They imitate the look and feel of links to news articles and often contain clickbait, scams and questionable products. Photo credit: Screenshot by Eric Zeng

You may have seen native ads on many news and media websites, including on major sites like CNN, USA Today and Vox. If you scroll to the bottom of a news article, there may be a section called “sponsored content” or “around the web”, containing what look like news articles.

However, all of these are paid content. My colleagues and I conducted a study on native advertising on news and misinformation websites and found that these native ads disproportionately contained potentially deceptive and misleading content, such as ads for unregulated health supplements, deceptively written advertorials, investment pitches and content from content farms.

This highlights an unfortunate situation. Even reputable news and media websites are struggling to earn revenue and turn to running deceptive and misleading ads on their sites to earn more income, despite the risks it poses to their users and the cost to their reputations.

Eric Zeng is a PhD Candidate in Computer Science & Engineering at the University of Washington.

This article first appeared on The Conversation.