Security Experts:

What's the Real Cost to Us of an Ad-Funded Web?

Much of today’s Web content—news, search, free email and collaboration tools, video sharing and social media—is paid for by advertising. Ads are an effective “micro-payment” system loosely linked to consumption.

Although we benefit from these supposedly “free” services it’s important to understand the real cost and downsides of the ad-funded Web for everyone who uses it. Ostensibly the advertiser foots the bill, but tracking invades user privacy, and advertisements undermine security, degrade performance, and shifts much of the real cost of delivery onto users. There are other problems with online ad delivery as we know it, including billions of dollars that are utterly wasted on malicious and fraudulent ads, according to one recent report. But the toll on the user experience and hidden network-related costs is the true untold story.

Successful ad targeting relies on an intimate knowledge of user behavior and activity. Analytics that allow the search giants to track your every click are baked into most sites, and Google will soon allow advertisers to directly target specific users based on their email addresses. The entire premise of targeted advertising demands an ever more intimate knowledge of the user—an invasion of privacy that leaves users increasingly uncomfortable and raises the specter of a dystopian Internet in which every move people make online is tracked.

The privacy concerns bleed into the security issues. Unfortunately, malware writers are keenly aware of the opportunity afforded by well-targeted advertisements. My colleague Rahul Kashyap has explained how targeted attacks increasingly use compromised news and entertainment sites to deliver malicious ads that can compromise your device even without a click. A precisely targeted ad platform allows malware writers to efficiently reach their targets, and despite the best efforts of the ad networks to detect malvertisements, they face the same limits of detection as traditional anti-virus and are relatively easy to bypass.

A typical ad-populated Web page reaches out to scores of different sites to fetch and render content, making it harder to detect anomalous traffic patterns and malicious content. And since the vast majority of enterprise breaches start with a compromised endpoint—often malware delivered to the browser—the ad-funded Web is a direct contributor to the shocking toll of enterprise breaches.

And then there are the hidden end user costs that no one talks about.

You’re probably fed up with the jarring user experience of video ads that auto-play in the middle of a news story you’re reading, but you may not be aware that in addition to the annoyance, you are paying in other ways for much of the real cost of ad delivery as well.

When you visit a site such as, advertisers bid in real time to deliver targeted content to your browser, which generates tons of network traffic and impacts response times, particularly for video-based ads.

Research by the New York Times estimates the monthly data cost for ad delivery to a mobile subscriber in the U.S. to be as high as $9.60 per month. For the roughly 200 million smartphones in the U.S. alone, that totals $23 billion —about 40 percent of annual U.S. online advertising industry revenues. 

And finally, there are additional negative impacts on the user experience that get ignored. Processing all that traffic and rendering complex content slows the Web to a crawl, consumes CPU and memory, and drains your battery. Research by my colleague Dan Allen using the Project VRC framework confirms that the browser is the most resource-intensive application for most users. Eliminating ads from a Web page slashes memory use up to 60 percent and CPU utilization by as much as 90 percent, dramatically reducing battery drain.

We owe the richness of today’s Web to the micro-payment model of online advertising, and it is difficult to imagine an alternative. But there are consequences for anyone who uses the Internet, although they may not realize it.

A Web without ads would respect user privacy, reduce security breaches and make the experience more zippy and responsive. Fortunately it’s entirely within your power to opt out of the status quo. If you want to experience the joys of an ad-free Web, some options include using ad blockers or a modified hosts file, while some security products also block ads.
view counter
Simon Crosby is Co–founder and CTO at Bromium. He was founder and CTO of XenSource prior to the acquisition of XenSource by Citrix, and then served as CTO of the Virtualization & Management Division at Citrix. Previously, Simon was a Principal Engineer at Intel where he led strategic research in distributed autonomic computing, platform security and trust. He was also the Founder of CPlane Inc., a network optimization software vendor. Prior to CPlane, Simon was a tenured faculty member at the University of Cambridge, UK, where he led research on network performance and control, and multimedia operating systems. In 2007, Simon was awarded a coveted spot as one of InfoWorld’s Top 25 CTOs.