JD's Forum

If you haven't muttered this yourself, then you've probably met someone who has. This column offers some tips I've collected on ways to work with such concerns, both with Macromedia Flash and other online advertising.

Ads on websites aren't an unalloyed good, and they're not an unalloyed evil either. Ads pay for much of the web content we enjoy. Your own income may depend on selling ad space. Ads are a vital part of the current business model of many websites.

More to the point, they're an evolving part of business models on the web. We haven't found the perfect equilibrium yet. Parts push and pull at each other, exploring what works for all participants and what isn't acceptable to some participants. Compelling content attracts attention, and figuring a way to skim some of that attention to pay for content creation is something we'll be dealing with for quite some time.

If you wander online much, you certainly see the backlash against bad ads, bad sites, and bad techniques. That's natural, and useful. These techniques need to evolve to become acceptable to all the parties involved.

An ad technique that works for the general public may not work for a power user such as yourself. Most office workers, for instance, report that they don't receive much spam. Browsers with pop-up blockers and security settings are used more by web developers than by the general public. Different people have different needs.

I've been on the net daily for over a decade—from dial-up bulletin boards, through Green Card Lawyers and Atomic Bomb Blueprints, to the death of UseNet and the impairment of e-mail—I make my living visiting websites, listening to web developers, and screening through a few thousand e-mails each day. The following are some techniques I've picked up to make the net more enjoyable. These aren't recommendations for the general public, nor are they official Macromedia techniques. They're just what I've personally found useful. I hope they make web life more enjoyable and sustainable for you too.

Flash Ads

Here's a shockingly simple secret: if a Macromedia Flash ad is visually distracting, just context-click the ad and deselect the Play option to pause it. This won't stop all motion but it's a quick help for most of the ritalin-deprived ads.

(I sure wish I could disable those strobing "You may be a winner!" GIF ads.... ;-)

Ads have definitely helped Macromedia Flash adoption—the day DoubleClick started serving SWF ads marked the day that Macromedia Flash changed from "just another web technology" to a standard part of the web experience. No other cross-browser technology has reached such wide consumer support, and ads have played a big part in this acceptance. At the same time, this has sparked a definite backlash. We're still working towards finding a practical balance here.

Macromedia Flash developers have started talking about the problems that obnoxious ads impose on other developers. A new site, WhatIsFlash.com, offers wiki-based collaboration on best practices, myth-busting, and even a Hall of Shame for bad ads. I'm not sure how this effort will eventually develop, but if you have an interest in this area I urge you to monitor this site and perhaps contribute to it.

The type of ad that may have drawn the most negative comment is the overlay ad. This uses the "wmode" parameter in the markup to drop out the SWF background and allow compositing with other HTML content. Historically this has been restricted to Microsoft Internet Explorer for Windows (IE/Win), but support for such overlays in more browsers is on the horizon. I expect we'll see more discussion about obtrusive overlay ads in the future.

One of the most frequent complaints I see among new users has nothing to do with Macromedia Flash directly. Consumers often write in to Macromedia complaining, "Why do you keep trying to install Flash on my machine?!" What's happening is that they're using IE/Win and are visiting sites that use SWF files. Most basic installations of IE/Win include a Flash player, but if they don't have Macromedia Flash Player installed or have an older player installed, the OBJECT tag will prompt the browser to show a dialog box requesting installation. Using a different browser removes those dialog boxes, but try conveying that idea to consumers one by one by one.

One worrying development I see are system utilities that turn off or disable Macromedia Flash. These machines belong to individuals, and they can adjust them as they wish, but I'm hoping we find a more sustainable way to accommodate the desires of all individuals.

The team of people who create Macromedia Flash Player are currently evaluating ways to reconcile all these conflicting desires. If you've got ideas, comments, or anecdotes, then these could be very useful to deliver to the team directly. Thanks!

GIF Ads

I used to tolerate all ads on all sites... I figured that if I was enjoying the fruits of someone's labor that went into creating the site I was visiting, then the least I could do is visit them on their terms.

Then I started noticing that some pages would stall because they couldn't connect to an ad server. I also noticed these problems more acutely when loading multiple pages at once on my dial-up connection. The adoption of GIF ads that strobed quickly between two contrasting background colors, or which otherwise made reading the site difficult, finally made me take action.

The simplest technique I've seen for news sites that take a long time to load their ads is to just stop loading once the main article has appeared. I press Escape on a PC and Command-period on a Mac to stop loading after I've gotten the information I actually want, to free up more bandwidth to retrieve other articles in other windows. (If a site's ads load quickly, then they wouldn't be a problem here in any case.) But even this is an extra cost to the audience.

These days I use Mozilla for most browsing. Whenever a site's ads are particularly obnoxious I context-click and choose "Block images from this server." I rationalize the social contract by assuming that the site creator doesn't want to lose the audience completely, even if they have accepted an objectionable ad. When I change browsers or computers the slate will be wiped clean and those particular ad servers will get another chance.

(There's another angle to this debate, and that's the increasing move to syndication and web services for web content. The HTML presentation of content is now only one way in which this content is used... a blog or syndicated news service can now be read in a browser-based or stand-alone aggregator without any of the presentation layer we find in HTML. As a community, we haven't really worked through this issue of an actual separation between data and presentation but I expect this will receive much more debate over the next two years.)

Other people take different approaches to blocking GIF ads: Some use proxy servers and filter out blacklisted source domains, others rewrite their incoming markup to avoid images in standard ad dimensions. The most ethical tack may be to write the webmaster, the ad server, and the product company when an ad has a negative impact, but that's a very expensive approach for most of us to take. Ads are necessary to support many websites but certain ad techniques are compelling some individuals to block out ads altogether. The entire web community will be finding ways to achieve a sustainable balance between these conflicting concerns.

E-mail Ads

This is a clear breach of the social contract: If I choose to visit a site then I enter into an implicit contract with the site's creator but when I expose an e-mail address to the world I do not give permission for someone to sell my name to others. Spam is in an entirely different category than browser ads.

Some governments are trying to find ways to prevent e-mail from certain sources. This worries me. If we grant governments power to prevent some e-mail, then it's easy for them to incrementally increase their control over other types of e-mail content. Some days I fantasize about how nice it would be if governments simply removed other legal protections from people who abuse others—"But, your honor, the defendent punched me in the jaw for no reason!" "You mailed unrequested commercial e-mail to nonconsenting people, didn't you? Get out of here before I take a swing at you myself"—but somehow I don't think the world is quite ready for this yet.... ;-)

Most mail servers have been forced to invest in some type of filtering program... one day recently I saw that the Macromedia mail servers had rejected 147 messages sent to me offering to help enlarge a certain part of my anatomy. But lots of spam still gets through.

For the last few years I've been using a local whitelist approach. I have a filter for each mailing list and a filter at the bottom to catch offlist mail from other Macromedians or personal friends. Everything else falls into my general inbox, which I rarely get the chance to read. Spam has made it harder for me even to see private e-mail from people I'm not expecting.

Besides spam, there are also well-known problems with attachments, markup, and scripts coming through e-mail. It's one thing to choose whose site you visit but another thing entirely when strangers can push JavaScript instructions at you. Even a scriptless HTML reader exposes you to people tracking your reading, as described below. Pushed messages like e-mail are good for short, quick notifications... other techniques are good for a destination you explicitly visit. It may take a bit of work to find one these days, but a straight ASCII e-mailer removes many of the security and privacy concerns that others see in e-mail.

E-mail has been phenomenally useful for it all. But it also shows that we can't leave our own lives open to the poor judgment of others. Future web technologies will have to make a better match between those who pay for a cost and those who choose whether the cost is incurred.

Cookies and Stored Data

HTML and HTTP are stateless, which means each page is disconnected from the next; the server doesn't remember who requested what files and once you move to another page the previous actions are removed from memory. These document browsers don't normally remember the state of user activity like a true application would.

One of the earliest ways to provide some memory to document browsing was through cookies. When the server delivers a file, it can request that the browser store some data locally. Each server can have its own little local file, which only it reads. This is how a site can remember your passwords or other data from session to session, for instance.

But when an image file is served, it can request a cookie too. This includes banner ads. Content sites rarely serve ads themselves, but instead link out to centralized ad servers. Through cookies attached to GIF ads, you can leave a trail of which sites you visit that are supported by a particular ad server.

This is normally an anonymous trail—an ad server would only know the visiting history of that one browser, without necessarily knowing the name of the person using the browser. But you can indeed be traced across sites by ads that use cookies.

(Although it is "normally" an anonymous trail, a number of techniques have been devised to associate a real-world name and address with the cookies in your browser. Many of these require that you first give your name to a nonadvertising site which then passes it to an ad server for cookie tracing. But if your e-mailer uses the system-level HTML renderer, then it's easy to send you an e-mail that contains a web-bug which references your name, firmly and covertly associating your name with your viewing history. Considering that GIF cookies in e-mail can also "eavesdrop" on a subsequent e-mail thread, the widespread use of HTML-rendering e-mail software in business seems a definite liability. I firmly believe that it's safer to keep pushed e-mail simple and reserve the fancy stuff for specific opt-in visits.)

Why do ads use cookies? The best reason I've heard is so that they can check whether you click on an ad, to give you more related items in the future. I don't click on ads and I still get tons of ad cookies, so I'm a little unclear on the reason they're there.

I do know that I haven't seen an ad that asked me if I'd like a cookie. When I visit a site, I'm assuming that the site's creators might want to track how frequently people visit and I'm willing to give them a little data in order to get a little service in return. But I don't enter similar implicit contracts with the advertisers on a site. There's no reciprocal value, not even informed consent. I feel no compulsion to accept such hidden cookies. If you want something from me, ask for it.

That said, I haven't actually seen ads used for such covert identity-tracking purposes—the capability is there but I haven't seen evidence of its use. The major advertisers have a built-in incentive to do the right thing (see Doubleclick's privacy section, for example) because a security or privacy vulnerability could damage their entire business. But there are many smaller advertisers out there who may not have similar incentives to do good. I think it might be better to take care of your own privacy than leave it to the good intentions of everyone else.

Early browsers let you bar cookies entirely, or ask at each request whether a cookie should be accepted. I tried both techniques but found they made surfing difficult.

For awhile I would periodically open my cookies.txt file to see who was storing data on my hard drive. Sometimes I would change the numbers stored in particular cookies, trying to monkey-wrench a database that was tracking me without my informed consent. But that also was too much work.

These days I use Mozilla's Cookie Manager to track who's tracking me. You can easily set the browser to not accept cookies from certain domains. Other browsers may have similar features, and there are probably utility programs out there that provide similar services for additional browsers, but Mozilla's Cookie Manager works for me.

Some sites require you to have cookies enabled, such as The Washington Post or sites using "anti-leech" techniques. That's fine because they're upfront about their requirements for viewing their content and I can accept or reject their proposed contract. If you use some type of cookie-management tool then you can make more-informed decisions about what data is stored about you as you surf the web.

Macromedia Flash can store data locally now, too. This hasn't gotten much attention, and I haven't seen any exploits, but I don't see that many major structural differences between Macromedia Flash's shared objects and GIF cookies.

Instead of storing data in the browser's cookie file, Macromedia Flash stores data in its own file. You can access the controls by context-clicking on any Macromedia Flash content, choosing Settings, and clicking the Local Storage tab. The default size for how much data a domain can store is 100K—large for ads but moderate (some have said "too small!") for most non-ad uses. You can set your player to never accept data from a particular domain but, so far, I've found it easier to set my global data settings low so that any request for local storage will display a permissions dialog box.

I haven't come across any ads yet that want to remember me but I haven't hit all sites either, and technology changes rapidly. If you're keeping an eye on this issue as well, then I'd appreciate a heads-up if you find anything interesting. Thanks!

Summary: Advertising makes many websites possible—it's a necessary part of today's web. An experienced web developer may have different needs and priorities than the large number of people who spend less time on the web. It seems sounder to take control of your own privacy than to leave it up to the good intentions of others: Trust, but verify.