Mobile network operators in Europe are reportedly planning to strip out ads in order to coerce ad networks into giving the network operators a cut of the revenue. Here's how to protect your website.
A report in the Financial Times (paywalled) indicates that multiple mobile network operators in Europe are planning to strip advertisements out of web pages, unless ad networks — such as Google — provide a cut of the revenues to the network operators. The extent to which the operators in question will apply pressure to Google is still undetermined, as the report indicates that the first rollout will be on an opt-in only basis.
While this action would likely run afoul of net neutrality legislation in the US, there are no such protections in the European Union (EU). According to the European Commission, "There are no clear rules on net neutrality today at EU level, leaving 96% of Europeans without legal protection for their right to access the full open internet." Notably, it appears that action is being taken in the European Council to kill net neutrality, according to the French digital rights group La Quadrature du Net, who have released a copy of a leaked document from the office of the presidency of the European Council. This document removes reference to net neutrality, and references requirements for traffic management that "shall be based on objectively different technical quality of service requirements of specific classes of traffic."
How this block is achieved
The blocking of advertisements is handled by a company called Shine. Representatives from Shine declined to discuss the technology developed by the company, though it is not particularly difficult to guess how the advertisement blocking is implemented.
The brute-force approach
The easiest means to approach is for the ISP to include a DNS or IP filter that blocks systems positively identified as being ad servers. Theoretically, the ad servers have no public facing function other than serving ads — there is no website content being served from the same IP, for example — making it easy to simply refuse to establish a connection to an ad server. For larger ad networks, this is generally true.
This method would be easier for targeting specific high-profile advertising networks — as opposed to blocking anything that looks like an ad — for the express purpose of pressuring those organizations into a revenue-sharing program. This amounts to a firewall service with a pre-populated ruleset, which is probably too simplistic to really sell as a distinct product.
The deep packet inspection approach
Deep packet inspection is a rather tricky discipline, and there are multiple ways to go about achieving these ends. Deep packet inspection is used by various governments to suppress information as part of a national censorship program. Some vendors such as Nokia Networks sell deep packet inspection appliances, though the capabilities of these solutions are generally not publicly documented. As such, the method outlined below uses open-source software to achieve the same means, and is likely somewhat labyrinthine and expensive to implement, though it in effect achieves the same end result.
Assuming that it would not be generally safe to perform DNS or IP level blocking, as outlined above, the next possible option would be DPI. It's possible to implement this at the ISP level using nginx (the same technology used by CDNs such as CloudFlare), using a custom script to implement blocking of URLs based on a predefined ruleset — the EasyList rules, used in browser add-ons such as Adblock Plus come to mind — and serve web pages from the nginx systems controlled by the ISP.
How to avoid interference with your website
The most pain-free way to avoid the interference of ISPs with your website is quite simple: encrypt them. Paying for an encryption certificate might be out of reach for some users, though, if you can receive ad revenue for a domain, it is recommended to earmark some funds for a certificate.
The Let's Encrypt project, which is scheduled to launch this summer, will provide and manage encryption certificates freely to any website. Additionally, the free tier at CloudFlare offers a valid SSL certificate for your site when enabled and cached with CloudFlare. When using CloudFlare, it is recommendable to have a self-signed certificate for the transit between your production server and CloudFlare, while CloudFlare offers security between the CloudFlare nodes and the end user.
What's your view?
Does this plan by European mobile carriers go too far? Do you have HTTPS support enabled for websites you manage? Let us know in the comments.
- FCC's Open Internet rules won't end the net neutrality debate in the US
- Zero rating poses a conundrum for net neutrality advocates around the world
- Let's Encrypt initiative to provide free encryption certificates
- Speed up smaller websites by migrating them to CloudFlare Free
- The undercover war on your internet secrets: How online surveillance cracked our trust in the web
- Enterprise encryption: Trends, strategic needs, and best practices (Tech Pro Research)
Note: TechRepublic and Tech Pro Research are CBS Interactive properties.