Mobile adblocking is overhyped & mostly unworkable

There's been a lot of fuss in recent weeks about the possibility of mobile operators blocking ads transiting cellular networks - or perhaps even charging advertisers for their delivery. I've written before that I think the idea is a non-starter (link), and I still believe that to to be the case

Three has announced a deal (link) with Shine that will (at a future date) implement network-level ad-blocking. The PR talks a good game about privacy and control, but is unfortunately divorced from reality in several important ways.

(Incidentally - I apologise. Mea culpa. I was the one who originally suggested that mobile ads' data-traffic could be charged to the advertisers - see this link. But that was 5 years ago, and the mobile world has moved on rather far since then)

Now to be fair, some mobile ads are very annoying and intrusive. I hate the ones that pop-up while scrolling through a website (or in-app) and take you straight to the appstore download page, as you swipe on the wrong bit of the screen. And yes, if I was limited to a very small data allowance, I'd be annoyed by the big chunks of data from the ads themselves, cookies and assorted other background marketing eating up my quota. There's a bunch of dodgy privacy-invading practices too, which I despise.

But.

There are multiple reasons why trying to fix these issues in the cellular network is the wrong answer:

• 50-90% of smartphone use, and probably 90-95% of tablet use, is over WiFi - and almost exclusively WiFi not provided by cellular operators, or transiting their core networks. Therefore people will still get ads on their phones most of the time. (And no, they won't "onload" to cellular just for the ad-free experience).
• The most fast-growing part of mobile advertising is in-app. And while some in-app traffic (eg rendered in browser-style webview pages) might be blockable, the "native" ads such as Facebook's in-timeline ads won't be. Facebook blends them in at the server, and encrypts it all. That's not going to change, apart from becoming ever more-sophisticated.
• Encryption is also being more widely used elsewhere. HTTPS, encrypted video streams, full-VPN clients and so forth. Some of this might be block-able, eg if it comes from easily-identified servers or IP addresses, but it's naive to think that isn't subject to a million workarounds
• People who really want ad-blocking are likely to do it themselves, either with an app or browser-capability, or perhaps even in the OS. That way they can block ads on WiFi too
• Any network-level solution is held hostage to future modifications in Android and iOS which offer work-around options for advertisers. That might not be a bad thing, in that it could cut down on some of the worse pop-up offenders or most-egregious "cookie monsters", but it won't reduce the overall amount of ads.
• Advertising and B2C engagement is changing anyway. Some is moving to apps, some is moving to ads/interactions in messaging (conversational commerce - see link here from my friends at STL Partners)
• It risks all manner of embarassing or legally-questionable side-effects. There will be false positives (eg blocking things that aren't ads) and false negatives (failing to blocks ads). What happens when Operator A blocks an ad from Operator B, and the competition authorities take a dim view? Or blocks a government ad for submitting tax returns on time, or a charity's disaster appeal? Put your PR and legal teams on danger-money....

The bottom line is that screaming headlines in stories like those from ZeroHedge (link) about "the risk to Internet companies' business models" are nonsense. Ironically, it's Google and Facebook's approach to advertising that is safe. Small online publications using other advertising channels may not be so lucky. I noticed this tweet referencing mobile advertising growth forecasts from Goldman Sachs (link) which seems to suggest that Wall St is sanguine about the adblocking "threat" and that rapid growth in revenues will continue.

Yes, there are some possible upsides here. Network-level cookie blocking is a possibility, and could help preserve privacy. (I already use a VPN service from F-Secure that anonymises my traffic, on mobile and WiFi). We could also see a proportion of the nastiest pop-up ads being squashed, which is also a good thing in most users' eyes. But that will just shift mobile advertising to other inventory types or channels. And maybe for some very low-end users, in markets with low-end data plans and a preponderance of web vs. app traffic, it could make a worthwhile difference.

But for everyone else, I think it's hugely overhyped. It's unlikely to stop more than single-digit % of overall data traffic per user. There's a huge set of "gotchas" for the idea that mobile network operators can make a meaningful difference, given WiFI and in-app ads. And the idea of actually charging advertisers for some sort of curated "personal advertising preference" system isn't going to come through this route either. (There's a whole separate post's worth of problems about that side of things, but it won't even get to that stage).

Yes, it makes for fun controversial headlines and might allow telcos to stick another metaphorical finger up at net-neutrality rules ("See? We're protecting consumers by fiddling with traffic non-consensually!"). But it's a sideshow, not something that will give Google sleepless nights.

Incidentally if you're reading this on a phone, here's a mobile advert: I do workshops, consulting projects and speaking engagements for operators, vendors and investors, on a variety of topics such as mobile networks, voice/video/UCaaS, and broader telecom futurism (link). I think of concepts like this, 5 years ahead, when they're stilll plausible. Drop me a line via information AT disruptive-analysis dot com, or via Twitter or LinkedIn. And good luck blocking this paragraph in the network without some really good AI and contextual analysis (I cover those technologies too).

Welcome to the "Age of Obfuscation" - with Apple as a major catalyst

Something I've expected to happen for a long time is starting to come true. Driven largely by growing global interest in privacy and security, we should expect an ever-greater number of technologies to try to hide or disguise ("obfuscate" - "render obscure, unclear, or unintelligible") both what they are, and what they're doing.

This goes beyond encryption of data, although that is an important part. Obfuscation does not just scramble the content of something, but either tries to hide its existence entirely, inserts random noise to make analytics unreliable, or pretends to be something else.

Obfuscation can be a deliberate action, or a side-effect of something else, such as a security technology, which then has collateral effects elsewhere. A lot of companies and services depend on monitoring and observing data - and are very "fragile" to their main data-source being switched-off or hidden.

Two things that Apple has done recently stand out:

• iOS8 uses false WiFi IDs when looking for WiFi hotspots ("spoofing MAC addresses"). This means that your device's unique identity is not exposed when your phone/tablet does a scan for available hotspots. It reverts to the real MAC address only when you actually attempt to log onto one of them. This means that various businesses that use "broadcast" MACs will suffer from the obfuscation, for example tracking people walking through retail stores, or other less-salubrious forms of monitoring.
• Also in iOS8 is something called App Extensions. This essentially allows one app to embed another mini-app. For example, a communications app might include a 3rd-party photo-editing capability, and the option to upload a snapshot from a video-call to another 3rd-party social network. This partly overcomes a longstanding Apple limitation on allowing apps to talk to each other - normally they run in closed silos. Android has something roughly similar too. This then also has some interesting obfuscation effects on the network - it makes defining data traffic "belonging to an app" even harder than it is already. Operator's DPI systems might be able to spot the 3rd-party app-in-app doing something with data, but it will become very hard to correctly allocate it, from the user's perspective. If you sell "$5/month Facebook access", then you have to expect Facebook to use all manner of mashups and integrations either on server or the device. 

 (The latter example is something I discuss in the context of "app-based charging" practical limitations, in my new report on mobile broadband business models).

Other examples of obfuscation are also appearing.

Google seems to be succeeding in getting its SPDY web-acceleration framework adopted as the basis of the forthcoming HTTP2, and in any case it is being used not just in Chrome but also IE and Safari as well. Although its main purpose is to improve web-page loading times, it will have some interesting side-effects. Often, web pages create multiple connections to multiple servers, slowing down as each one's URL gets decoded by DNS servers, as well as scrutinised by other boxes in the network. SPDY combines (multiplexes) the various HTTP requests into ore efficient form. In doing so, it also effectively encrypts them and thus hides them from - you guessed it - DPIs, proxies, caches and the like.

In other words, web traffic accelerated with SPDY will "go dark" to ISPs and telcos in the network path, making it much harder to do fine-grained policy management, or perhaps differential charging. As a result, US-based telecoms industry group ATIS has belatedly woken up and started the "Open Web Alliance" and is vainly hoping for telcos to be allowed to implement "SPDY proxies" to re-intermediate themselves. Given everything that's going on with Net Neutrality at the moment, I'd rate their chances of success as very low.

In general, all forms of encryption are on the rise - partly driven by revelations about national security agencies, but also because processor speeds are getting fast enough to routinely encrypt everything anyway. It's hard to argue against it.

But beyond that, I think we're about to see a pushback against data being collected for marketing and advertising purposes. Consumers - and their "advocates" who create devices or other products - are looking at ways to help improve privacy. It seems that often, legislation doesn't work well - or certainly not fast. So I suspect we'll see moves to hide or disguise meta-data, or "pollute" it to near-uselessness.

Maybe we'll have software that automatically clicks random locations on the web, makes unexpected searches, spoofs locations, or does false "likes". Maybe we'll see more app-in-app usage, or "steganography", hiding data encrypted inside other data. We will get more mixing of data flows - as seen in WebRTC, where voice and video streams can be bundled together. And we will see various methods of anonymisation - again, Apple is a major player leading the way with its use of DuckDuckGo as a search engine.

Looking ahead, I also expect to see a lot of data being sent/received through multiple independent paths - perhaps half of your content (or signalling) via WiFi and the rest through cellular - maybe even to different servers or services. Imagine storing half of a document's words on DropBox, and half on Google Drive, blending them only when necessary, on the device.

Various outcomes are likely:

• Marketing and advertising, dependent on tracking various data sources, are going to become less reliable, as they will be working with dirty/hidden/partial/fake/unreliable data. Google and Facebook are also exposed here.
• Governments are going to find interception and interpretation of communications much harder again. 
• Telcos are going to lose a lot of visibility of user data traffic. A growing amount is already encrypted, but further layers of obfuscation are going to increase the problems faced by DPI boxes. False-positives and false-negatives will likely increase, and the practicalities of application/traffic detection or policy-enforcement will get much worse. App-based charging will introduce plenty of arbitrage opportunities. On the other hand it is also possible that some telcos could offer "obfuscation as a service" to improve privacy to customers - perhaps modifying web cookies, for example, or creating "noise" for search etc.
• Developers will be able to create apps that are more private and secure - and perhaps cheaper for end-users in terms of data charges. There will be lots of interesting middleware providers or opportunities for "obfuscation enablers"

Welcome to the Age of Obfuscation, where everything online is not necessarily what it seems. And where data might well be Big, but it may also be polluted.