Adblocking, Definitively Measured

The Problem

The web is a different place now. Advertising on websites was bearable at one stage, but now a simple visit to nearly any mainstream site buries you with an intrusive popover ad, which then reveals a 3/4 page animated banner, side banners and, finally, a tiny part of the article you’re looking for, poking out from below the fold. In the background, nearly 6MB of bandwidth has been used just for this, nearly 400 separate connections opened, the vast majority of them to third-party tracking and advertising sites, which dutifully record your location, where you came from, and any personal details that they can hoover up, before dropping around 70 identifying cookies on your browser in return. Some of the cookies will stay forever, evading your best efforts to clean your browser’s cache, broadcasting your history and identifier to any sites you visit in the future. That’s IF it doesn’t first drop some malware on your machine, from poorly-vetted ads from a greedy network, beyond the control of the site.

All this from simply visiting one webpage, for no more than a few seconds, then closing the window. Welcome to the web today. No wonder ad-blocking is growing exponentially, especially in more technically-literate circles. One analogy I can think of is going for a walk down the street, when you get swarmed by aggressive paparazzi that get in your way and block your view, intent on recording everything you say, do or look at in the tiniest of details, in order to cross-match and sell that information elsewhere. Even the ‘Share’ or ‘Like’ buttons you see on pages are tracking your visits, because they already know your identity, regardless of whether you are currently logged in.

A similar result has been found by many. For example, a single nypost.com webpage was was tested here, resulting in a 10MB download on mobile just for one page, even though no video ads were seen. To quote:

“Over 900 HTTP/HTTPS calls. Total sum of response body sizes = 10.8 million bytes, or about 10.3 megabytes. A great deal of this appears to be large JPG files like which are frame-by-frame images of ads. These include: Pur Water Filters (example), and Crest Toothpaste (example).”

“My full IP address (changed in the file by me to 50.xxx.xxx.xxx) is being passed around like chips at a Super Bowl party: a total of 291 times — there are hundreds of “pixel sync” calls, where ad networks and companies essentially “compare notes” on who you are. Adap.tv (AOL/Verizon) for example matches to a whole bunch of other companies by name like Audience Science, DataXu, Turn, Yashi, TheTradeDesk etc.”

Another test, this time on the tabloid junk site that masquerades as a technology blog, theverge.com. This site opens no less than 263 connections, the vast majority to third-party tracking sites to harvest your information, 22 which could be classified as spyware. It’s no surprise that click bait titles are so popular – as soon as you open the page, it’s too late, they’ve already profited from you.

The problem is that the vast majority don’t want to pay for content. The advertising model is what has worked up to now, but it has become an arms race, with advertisers cramming more and more ads, in increasingly nefarious ways onto viewers. In the meantime, Google is rolling out an experimental way of funding sites, but the click bait is getting more brazen, all for those precious CPMs. Google is also rolling out more GMail ads, some of which look like emails. All while websites are increasing ‘native advertisements’ – paid placements under the guise of a normal review or article, but of course, with a glowing conclusion and usually without disclosure.

The bottom line is this – if the ads were pictures only, no tracking involved, and were vetted and hosted by the sites that I visit, I would have no issue with viewing them at all. It used to be done this way, at least when I first started using the internet more than a decade ago, but it’s too vulnerable to fraud. Since then, advertising has grown into this multi-headed unstoppable hydra which infiltrates every nook and corner of the web. I don’t know what the solution is, but I do know that third-party tracking of visitor behaviour should be avoided. Privacy and security is of the highest importance and cross-site tracking through cookies and Javascript on advertising networks flies in the face of this. But let’s put the ethical quandry aside for a moment and assess, just what effect ad-blocking has on us users.

Mozilla LightbeamMozilla Lightbeam shows how all the 3rd-party ad networks connect on the sites you visit. It all fits together in the end, except for you.

Aim of Testing

A number of questions need to be answered for this test on desktop ad-blocking via a combination of addons, hosts-files and Javascript-blocking. I’ve summarized my results, but if you want to read the methodology, analysis and graphs, read further down.

  • Does ad-blocking make webpages load quicker?

Yes, just ad-blocking alone reduces loading time from an average of 23.8s (on the five sites I tested), to 9.0 seconds, or 2.64x faster.

  • Does ad-blocking save bandwidth?

Yes, page size reduced from 2.9MB to 2.2MB on average, a 1.3x improvement.

  • Does ad-blocking reduce the quantity of tracking that occurs?

Yes, 3rd-party cookies dropped from an average of 30.6 to 1, more than a 30x improvement. Connections to unique sites (including tracking sites), dropped from 33.4 to 5.4, a 6.2x improvement.

  • Is there a difference between ad-blocking with an addon/extension and hosts-based ad-blocking?

Barely. Hosts-based blocking has approximately the same effect on page load speed and bandwidth, but is slightly more effective at blocking cookies. Memory use is also lower. On mobile devices, hosts-based blocking applies system-wide, blocking connections from other apps. However, hosts-based blocking is harder to implement and nearly always requires root access.

  • Does turning off third-party Javascript help?

Yes, average load time is reduced from 9.0s to 3.96s, a 2.2x improvement. Download size is also reduced from 2.2 to 1.16MB, a 1.9x improvement.

  • Does turning off first-party Javascript help?

Yes, average load time is reduced from 3.96s to 2.4s, a 1.6x improvement. Download size is further reduced to 0.94MB, a further 1.23x improvement.

  • I browse around 20 sites per day on average, what will I save in a month?

You will save 148 minutes of time waiting for pages to load. You will also save 420MB of download bandwidth, per month.

  • Is there anything else I can do to protect myself apart from ad-blocking?

Yes, there are still plenty of other ways to track you, apart from cookies and third-party Javascript, do not be lulled into a false sense of security. See my privacy guide for more browser-specific information.

  • How can I support the sites I like?

Many sites have a donate option where you can throw a few dollars to help them along, which I prefer to do on an occasional basis. Otherwise, you can whitelist the site on your ad-blocker to allow ads on that site specifically.

uBlock Rules
uBlock Origin hosts loaded, with everything selected. Many of these can be implemented in system-wide hosts as well. Note the whitelist tab for sites you want to support.

Test Methodology

Site Selection

  • Five mainstream sites, representing popular, common sites (within the top 100 worldwide ranking) which a user might visit in a day.
  • Two news sites [New York Times / Huffington Post], an entertainment/sports site [ESPN], one technology site [CNet] and a shopping site [Amazon].
  • All consist of front page advertisements and are reasonably heavy sites, which makes measuring the impact of ad-blocking easier. The CNet site, for example, opens 351 individual connections and drops 79 cookies, just loading the front page.

Browser and platform selection

  • Firefox 40.0.3 running on Ubuntu 14.04 LTS.
  • Fresh install / profile for everything.
  • Only two addons installed at first – Lightbeam by Mozilla (for monitoring unique third party connections), and Firebug debugging utility.
  • DNSmasq local DNS resolver was used, to cache DNS names for instant lookups to remove any possible delays from remote DNS.
  • Time measured by ‘window.onload’ trigger, when page and assets have completely loaded.
  • Results for other browsers should be relatively similar.

Routine –

  • Entire browser cache/history/cookies cleared after each run.
  • Multiple runs used and results averaged.
  • No VPNs or proxies used.
  • After page loaded, all cookies are dumped to file and counted.
  • Test 1 – Stock / No addons, to establish a baseline.
  • Test 2uBlock Origin ONLY, the best adblocker available for effectiveness and performance, as tested here. All relevant host sources loaded, as pictured below, total 170634 hosts.
  • Test 3 – Hosts-file ONLY in /etc/hosts. Hosts sources are a collection of commonly used hosts which I rolled myself (including some overlap with uBlock) – total 192797 hosts.
  • Test 4uMatrix loaded on top of uBlock, lax setting. All 3rd-party assets (including Javascript) is blocked, except CSS/images [default setting]. Note that uMatrix can effectively serve as a replacement for Noscript (barring XSS/ABE protection), RequestPolicy and Policeman.
  • Test 5 – Same as Test 4, but strict blocking. All 1st-party Javascript/embeds are also blocked. Only 1st and 3rd party CSS/images are allowed. Some sites do not work correctly, shame on them.

CNetAs one example of many, CNet drops 79 cookies on a single visit. The majority are to tracking and advertising domains, and some are set only to expire in 17 years. Thanks CNet.

Test Results

Total Connections & Unique Connections

connections uniqueThe number of total connections drops dramatically even with just uBlock Origin installed. Hosts-blocking is slightly less effective at reducing the number of connections. The number of unique connections is important if the site is not using SPDY or HTTP/2. A reduction from an average of 233 connections to just 66.

Download Size and Time

loading sizeData usage and loading time are usually correlated, especially if the unfiltered downloads included 1st and 3rd party Javascript which needs to execute. A reduction of 2.9MB average page size to less than 1MB. Time reduces from an average of 23.8 seconds to just 2.4 seconds, or 3.9 seconds with 1st-party JS. Web developers could tirelessly work to optimize the site for a better experience, only to have tracking and advertising scripts/images blow out loading time by a factor of 6-8.

3rd Party Cookies

cookiesEven the ad-blocker alone is quite effective at reducing cookies being dropped. Most browsers nowadays have an option to prevent third-party cookies, this is definitely a good option to set.

All data

all

Conclusion

  • Reducing the number of scripts and assets to load reduces the loading time, CPU load, download size and memory usage dramatically, as expected. Sometimes by a massive margin.
  • Some 3rd-party resources, such as Facebook assets, are hosted on Akamai, rendering hosts-based blocking ineffective. But uBlock Origin can perform div element and more advanced blocking.
  • There is no benefit to the user to having 3rd-party cookies and tracking, but immense cost to loading time, size and privacy. Nearly all mainstream sites utilize these services to allow data brokers and advertising companies to track users between websites and properties without their knowledge.
  • The absence of third-party cookies does not indicate you are not being tracked, there are plenty of other ways to track you, as outlined in my privacy guide. LSO cookies, hyperlink auditing, ETag tracking, canvas and browser fingerprinting are all commonly used.
  • You might be able to lock your browser down, but if your OS itself is tracking you, then it’s a lost cause, since it knows everything and cannot be audited.

Suggestions:

  • For beginners, install uBlock Origin only, enable all the hosts files and then leave it. You will load pages 2.6x quicker, use 25% less download quota. There should be little to no effect on the functionality of sites.
  • For intermediate users, do the above, but also install uMatrix on top with default settings. Pages will load 6.0x quicker than stock, and use 60% less bandwidth. Some sites might have errors, which will require selectively enabling elements.
  • For advanced users, do the above, and enable blocking of all 1st party Javascript as well (whitelist method). Pages will load 9.8x faster than stock, and use 68% less bandwidth. There will be issues with most sites, which require manual intervention.
  • For additional security, run Noscript as well for the XSS/ABE protection, but allow all script through – uMatrix will intercept instead. Also use a Cookie Manager, like Cookie Controller. As we’ve seen, sites love to drop tracking cookies.
  • Be sure to lock down your OS if you’re using Windows or Android as well, more details in my guides.
  • The use of uBlock Origin and uMatrix dissolves the need for other add-ons, like Disconnect, Ghostery (which is run by an advertising company), and Privacy Badger. Be sure to enable the Social Blocking hosts list in uBlock.
  • For Mobile, Mobile apps are sandboxed individually, however, they nearly all also have access to more private information (such as your e-mail addresses, IMEI, unique IDs, network MAC address, sensors, location), which a browser would not otherwise have.
  • For iOS, if you’re on a mobile browser, Apple is soon bringing content blocking to iOS 9, as demand rises for it, though third-party apps which load webpages will need to update to make use of it. If you’re jailbroken, you can use something like FirewallIP to block outgoing connections, but there is no way to spoof your advertising ID, unique IDs and other information to apps, that I know of.
  • For Android, If you’re on Android, Firefox supports addons, like uBlock Origin. Alternatively, there have been many alternative browsers with ad-blocking available for years.  See my Android guide for more information on spoofing personal information for apps. Loading a system-wide hosts file will prevent apps from sending information back to third-party tracking and analytics companies. Alternatively, an application-specific firewall, like AFWall+ can be used to completely disallow network connections.

 

 

Advertisements