Eli Grey

Unverified vanity URLs & interest tracking catalyze fraud online

Link fraud is increasingly undermining trust in major online platforms, including ad-supported websites such as Google, Bing, and Twitter.com. These platforms allow advertisers to spoof links with unverified ‘vanity URLs’, laundering the trust users place in those platforms, while simultaneously deflecting blame onto advertisers when this mechanism is exploited for fraudulent purposes.

I believe that this status quo must be abolished. Commercial entities that maintain advertising systems that systemically enable link fraud must contend with their net-negative impact on society.

What are vanity URLs and link fraud?

URL spoofing is the act of presenting an internet address that appears to lead to one destination but actually leads to a different, unexpected location. When offered as a first-class feature on adtech platforms, URL spoofing is commonly referred to by the adtech industry as “vanity URLs”.

Link fraud is the use of URL spoofing to achieve financial gain or other illicit objectives. It is a staple practice in spam emails and scam websites, where links may appear legitimate but lead to harmful content.

Implicit regulatory capture

Adtech companies play the victim by claiming that fraudsters and scammers are ‘abusing’ their unverified vanity URL systems. These companies should not be able to get away with creating systems that enable link fraud and then claiming that their hands are tied when asked to combat the issue. They have created systems for trust-laundered URL spoofing, and then disclaimed ethical or legal responsibility for the fundamental technical failures of those systems.

It is not possible to automatically prevent link fraud in systems that allow for unverified URL spoofing to occur. If adtech providers do not perform domain ownership verification on vanity URLs, advertisers are technically free to commit fraud as they please.

Interest-targeted advertising

Interest-targeted advertising is another area where adtech is negatively affecting society. Interest tracking is often used in combination with link fraud in order to make scams seem more enticing to consumers.

Websites have commonly tracked user interests through means such as third-party cookies. Other, more privacy-preserving solutions such as Google’s Protected Audience API also exist, but these solutions still run unconsensual tracking adtech on user hardware. I consider this tracking unconsensual because it is enabled by default in Google Chrome and intentionally does not respect browser-level privacy signals, even though respect for these signals will soon be required by law in California.

Companies are starting to adopt Privacy Sandbox APIs such as Protected Audience for their advertising use-cases, and these companies are now individually tasked with mapping and staying compliant with the matrix of potential user rights, user agent privacy signals, and user privacy choices across the world. This requires companies to install consent management solutions on their websites in order to use these APIs in a compliant manner. (Full disclosure: I work on a consent management SDK for my current employer.)
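As an added example (not code from this post or from any consent management product), the Python below shows the kind of server-side policy check a consent management layer performs before a page is allowed to use Protected Audience's interest-group APIs: it honors the Global Privacy Control request header (`Sec-GPC: 1`) as an opt-out, then applies a per-region consent regime to the user's recorded choice. The region table, the `ConsentRecord` shape, the decision to let GPC override a stored consent, and the default of treating unknown regions as opt-in are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Mapping, Optional, Tuple

# Assumed, illustrative consent regimes keyed by region code. A real deployment
# derives this table from its own legal mapping. "opt-in": no interest-group
# use without prior affirmative consent; "opt-out": allowed until the user objects.
REGION_REGIME: Dict[str, str] = {
    "EU": "opt-in",
    "UK": "opt-in",
    "US-CA": "opt-out",
    "US-*": "opt-out",  # wildcard for other US states
}
DEFAULT_REGIME = "opt-in"  # unknown regions get the stricter regime


@dataclass
class ConsentRecord:
    """Constructed consent state; None means the user has made no choice yet."""
    targeted_ads: Optional[bool] = None


def gpc_enabled(headers: Mapping[str, str]) -> bool:
    """Global Privacy Control is sent as the request header `Sec-GPC: 1`.

    Header names are case-insensitive; any value other than "1" is not an opt-out.
    """
    normalized = {name.lower(): value for name, value in headers.items()}
    return normalized.get("sec-gpc", "").strip() == "1"


def regime_for(region: str) -> str:
    """Resolve a region code to a regime, falling back to a country wildcard."""
    if region in REGION_REGIME:
        return REGION_REGIME[region]
    country = region.split("-", 1)[0]
    return REGION_REGIME.get(f"{country}-*", DEFAULT_REGIME)


def may_use_protected_audience(headers: Mapping[str, str], consent: ConsentRecord,
                               region: str) -> Tuple[bool, str]:
    """Decide whether this request may run interest-group (Protected Audience) code.

    Design choice (assumed): a GPC signal set in the browser is the user's most
    current expression of preference, so it overrides any stored consent.
    """
    if gpc_enabled(headers):
        return False, "Sec-GPC: 1 received; treated as an opt-out of targeted advertising"
    regime = regime_for(region)
    if regime == "opt-in":
        if consent.targeted_ads is True:
            return True, f"{region}: affirmative consent recorded"
        return False, f"{region}: opt-in regime and no affirmative consent"
    # opt-out regime: permitted unless the user has objected
    if consent.targeted_ads is False:
        return False, f"{region}: user opted out"
    return True, f"{region}: opt-out regime and no opt-out recorded"


if __name__ == "__main__":
    # Constructed requests: (headers, stored consent, region)
    samples = [
        ({"Sec-GPC": "1"}, ConsentRecord(True), "US-CA"),
        ({}, ConsentRecord(None), "EU"),
        ({}, ConsentRecord(True), "EU"),
        ({}, ConsentRecord(None), "US-TX"),
        ({}, ConsentRecord(False), "US-CA"),
        ({}, ConsentRecord(None), "ZZ"),
    ]
    for headers, consent, region in samples:
        print(may_use_protected_audience(headers, consent, region))
```

The check runs where the page is served, so the outcome does not depend on whether the browser itself respects the signal: a page that never emits interest-group code on a `Sec-GPC: 1` request cannot enroll that user in an interest group.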

Interest-targeted advertising enables advertisers to tailor advertising based on socioeconomic status. The potential ability to afford a holiday outing or purchase a car can be inferred through basic interests. Being able to differentiate on interests such as ‘holidays’ and ‘cars’ as compared to ‘fast food’ enables advertisers to weaponize link fraud and provide a similar product or service at different prices to different socioeconomic groups. Unconsensual tracking of personal interests defrauds people of their personal autonomy.

Google is already off to a shaky start with its new adtech experiments. Privacy Sandbox became generally available in Google Chrome in September 2023, and the rollout initially gaslit users by telling them that Privacy Sandbox “enhanced ad privacy” when it does not, in order to mislead users into staying opted in to the Privacy Sandbox experiments. Google misleadingly conflates the removal of third-party cookies with Privacy Sandbox to justify these statements. Additionally, opting out of these new adtech experiments currently takes many clicks, involving a long and winding trip through three separate Privacy Sandbox sub-menus in Google Chrome’s browser settings.

How did we get here?

The adtech industry may excuse these practices as an unavoidable consequence of the complexity of online advertising. However, this overlooks the responsibility that these companies bear for prioritizing profit over user safety and the integrity of their platforms.

Corporate greed has gotten so out of control that companies such as Google, Microsoft, and Brave now all deeply integrate advertising technologies at the browser level, with effects ranging from battery drain to personal interest tracking, and even taking a cut of the value of your attention.

National security risks

The risk of malvertising and fraud through adtech platforms has become so concerning and prevalent that the FBI now recommends all citizens install ad blockers. Interestingly, some of the FBI’s advice for checking ad authenticity is inadequate in practice. The FBI suggests “Before clicking on an advertisement, check the URL to make sure the site is authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.” — this is useless advice in the face of unverified vanity URLs. Instead of asking private citizens to block an entire ‘legal’ industry, the FBI should be investigating adtech platforms for systemically enabling link fraud.

Intelligence agencies such as the NSA and CIA also use adblockers in order to keep their personnel safe from malware threats. I anticipate that the US federal government may start requiring adblockers on all federal employee devices at some point in the future.

What can be done? Verification & enforcement

Companies are often mandated by law to provide true statements to consumers where technically possible. Offering unverified vanity URLs as a first-class feature flies in the face of these requirements.

Adtech providers should validate ownership of the domain names used within vanity URLs, or alternatively vanity URLs should be banned entirely. Validating domain ownership can easily be done through automated or manual processes in which domain name owners place unique verification keys in their domain name’s DNS records.

A common, yet fundamentally flawed verification mechanism that adtech platforms such as Google Ads employ is the use of sampled URL resolution, which involves visiting a website at given points in time from one or more given computers. This technique can easily be bypassed with dynamic redirection software that can hide fraud and malware from URL scanning servers.
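As an added illustration of the verification the two preceding paragraphs call for (not code from this post or from any adtech platform), the Python below reviews a submitted ad by comparing the registrable domain of its display URL with that of its destination; where they differ, it requires the advertiser account to have published a platform-issued token in a DNS TXT record under a hypothetical `_advertiser-verify` label. The platform secret, the account IDs, the sample DNS zone, and the simplified `registrable_domain` helper are all constructed for the example. Because the check never fetches the landing page, it is unaffected by the dynamic redirection that defeats sampled URL resolution.

```python
import hashlib
import hmac
from typing import Callable, Dict, List
from urllib.parse import urlsplit

# Hypothetical DNS label under which an advertiser publishes its proof of control.
VERIFY_LABEL = "_advertiser-verify"
TOKEN_PREFIX = "adverify="

# Constructed platform secret; a real platform keeps this in an HSM or KMS.
PLATFORM_SECRET = b"constructed-example-secret-not-for-reuse"

# Simplification: a few two-label public suffixes. Production code should
# consult the Public Suffix List instead of this table.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1), e.g. shop.example.com -> example.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def issue_token(advertiser_id: str, domain: str, secret: bytes = PLATFORM_SECRET) -> str:
    """Derive the token an advertiser account must publish for a domain.

    An HMAC over (account, domain) binds the token to both, so a token published
    for one account cannot be reused by another account claiming the same domain.
    """
    message = f"{advertiser_id}\x00{registrable_domain(domain)}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def domain_is_verified(advertiser_id: str, domain: str,
                       lookup_txt: Callable[[str], List[str]],
                       secret: bytes = PLATFORM_SECRET) -> bool:
    """True if the expected token appears in the TXT records at <label>.<domain>."""
    expected = TOKEN_PREFIX + issue_token(advertiser_id, domain, secret)
    name = f"{VERIFY_LABEL}.{registrable_domain(domain)}"
    # Constant-time comparison so record contents cannot be probed byte by byte.
    return any(hmac.compare_digest(record.strip(), expected) for record in lookup_txt(name))


def review_vanity_url(advertiser_id: str, display_url: str, destination_url: str,
                      lookup_txt: Callable[[str], List[str]],
                      secret: bytes = PLATFORM_SECRET) -> Dict[str, object]:
    """Decide whether an ad may show display_url while linking to destination_url."""
    # urlsplit().hostname ignores any userinfo, so "https://bank.example@evil.example/"
    # is judged by the host that would actually be contacted.
    display_host = urlsplit(display_url).hostname or ""
    destination_host = urlsplit(destination_url).hostname or ""
    if not display_host or not destination_host:
        return {"approved": False, "reason": "unparseable display or destination URL"}
    display_domain = registrable_domain(display_host)
    destination_domain = registrable_domain(destination_host)
    result: Dict[str, object] = {
        "display_domain": display_domain,
        "destination_domain": destination_domain,
        "cross_domain": display_domain != destination_domain,
    }
    if display_domain == destination_domain:
        result.update(approved=True, reason="display domain matches destination")
    elif domain_is_verified(advertiser_id, display_domain, lookup_txt, secret):
        result.update(approved=True, reason="advertiser proved control of the display domain via DNS")
    else:
        result.update(approved=False, reason="unverified vanity URL: no DNS proof of control for display domain")
    return result


# Constructed sample zone standing in for a live resolver (e.g. a dnspython TXT query).
SAMPLE_ZONE: Dict[str, List[str]] = {
    f"{VERIFY_LABEL}.example.com": [TOKEN_PREFIX + issue_token("acct-42", "example.com")],
}


def sample_lookup(name: str) -> List[str]:
    return SAMPLE_ZONE.get(name.lower(), [])


if __name__ == "__main__":
    for acct, shown, real in [
        ("acct-42", "https://example.com/deals", "https://shop.example.com/landing"),
        ("acct-42", "https://example.com/deals", "https://clicks.example.net/r?id=1"),
        ("acct-99", "https://example.com/deals", "https://clicks.example.net/r?id=1"),
        ("acct-42", "https://bank.example.org/login", "https://evil.example.net/"),
    ]:
        print(acct, shown, "->", real, review_vanity_url(acct, shown, real, sample_lookup))
```

The `cross_domain` flag is returned even when the ad is approved, so a platform can route verified cross-domain creatives to a higher level of review while still rejecting outright anything whose display domain the account has not proven it controls.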

Petition your elected government officials to let them know that big tech is willingly ignoring its role in the rise of effective link fraud, spurred by its support of unverified vanity URLs and of unconsensual and pervasive interest tracking across the web. The United States Federal Trade Commission should open an investigation and seek to prosecute companies that knowingly enable link fraud through unverified vanity URL systems that are fundamentally impossible to audit.

On a personal level, you can install an adblocker such as uBlock Origin to block advertising, which has a nice added side effect of increasing web browsing privacy and performance.

Can advertising stay profitable without interest tracking?

There are some forms of advertising that don’t require user behavior or interests to be tracked. One of these is contextual advertising, where an ad network uses available context information, such as the category and related topic information from the webpage that the ad is being placed on.

Google’s tech lead on Privacy Sandbox, Michael Kleber, says that “[…] limiting the web to contextual advertising solutions dramatically decreases the ability of web sites to fund themselves — for example, 52% less revenue for sites on average, and 62% less for news sites, according to one source, with similar numbers widely replicated by others.”

A 52% reduction in ad revenue still leaves plenty to spare for most site owners. Advertisers don’t have an intrinsic right to optimally profit off your device hardware, and they should be thankful for whatever profit they do end up getting. Contextual advertising is more fair to the web ecosystem as a whole, as it better serves to respect user privacy first.
