First of all, important note: my opinion isn’t the usual one, and it’s a lot more nuanced. I relate a lot more to Brave than uBlock’s philosophy.
Second, in response to this:
But the point is that our app has only 1 banner.
That’s not going to be very effective in grabbing people’s attention, trust me. Just a forewarning on that one nit.
Would you be fine if a non-profit data protection organization served ads? We have a problem with the ecosystem.
My concern isn’t who, but the safety and efficiency of the ads themselves. If ads were like newspaper ads, I have zero issue with them. Even a little CSS animation isn’t a major issue, as long as they remain isolated to their frame. The tracking, however, tends to get computationally intensive across various providers (even non-malicious ones, sometimes), and malicious actors love to take advantage of the economy of scale in hiding their slipping of malware into their ads.
I don’t have an issue with tracking clicked links (Twitter itself does this, as do most URL shorteners), but I’d rather tracking page views restricted to things like pixels, CSS media queries, and such, which are easily blocked by privacy-conscious users, but not always by the general user base. You can still gather data based on the content that’s being viewed, as well as screen resolution (via CSS media queries +
background-image on a pixel), but you don’t get the vast amount of invasive data JS can provide.
If everyone is happy with tracking locally on your computer, but your data not going to third parties, I have a solution to this problem. Will discuss it in a few minutes.
What normally gets users concerned is the fact most advertisers either send lots of data to third parties or they keep the vast data for targeted advertising that’s accurate enough to spook them. For the first reason, most major ad servers (like Google) don’t give advertisers much data on who can target what, but most of the industry has been reluctant to accept the second, despite losing human traffic to that independently of the ad blocking issue.
If an ad provider uses a script to place and monitor ads, that’s okay, too, as long as they’re open and explicit in what it does, and they limit the ads themselves to keep them HTML/CSS only. (My main issue with trackers is that the ad agencies themselves tend to install more tracker scripts than they need, when a few pixels with media queries is all they need.)
But the issue as it stands IMHO fall in the hands of two groups: ad agencies (those who develop the ads) and ad servers (those who serve the ads, like Google). The former is the one doing all the questionable behavior, and the latter is who’s enabling it. If the latter would start placing much greater restrictions on the format of various ads, many of the bad actors in the former would be instantly crippled (those creating all the malvertisements and ad-driven miners), while most everyone else would just need to adjust. And even on native mobile ads, they could do similar and prevent most of the ad-driven infections overnight.
As for why I recommend specifically disallowing JS in ads (short of the ad server itself), it’s mostly for security and performance reasons:
- The data some trackers and session replay scripts collect is not merely highly invasive and unethical, but blatantly illegal.
- Several trackers attempt to obscure their origin from both web masters and users, while collecting as much data from the page as they possibly can.
- Some trackers even attempt to collect passwords on other sites, whether due to unwitting site operator mistakes (who rarely bother to read the fine print until it bites them) or due to complete and utter disregard for the security of a site’s security.
- Many adult sites, online marketplaces, social sites, and other sites where data is critical for user retention tend to be so flooded with third-party trackers (when they allow them) that they begin to bog down and take a crap ton of memory and CPU time just to compute everything and manage their frequent ping-backs. This isn’t really an issue with Google (who starkly limits third-party ad serving and more recently, third-party tracking), but it’s a mild issue with Facebook and Amazon, and a major issue on most free/freemium porn sites.