YouTube’s Ad Blocker Detection Believed to Break EU Privacy Law

Most ad-blocking browser extensions look for specific file paths and filenames (such as those in the ad blocking Easylist) being called from within a page, and remove them from the version of the page that is rendered in your browser.

For example, a JavaScript program called “clever_ads.js” (the name of a script produced by the Clever Ads advertising automation service, which embeds ads in your page) would be identified by the ad blocker and removed, along with any content it would normally load. In the case of YouTube, the ad API returned JSON files, which the ad blockers would replace.

There are a few methods of detecting whether a user is blocking ads, most of which involve another JavaScript program that checks the rendered page for evidence that ad content has been removed. A frequent approach is to have your ad-loading script also insert a JavaScript variable or an HTML element that can be checked for.

Of course, ad blockers can look for and remove the anti-adblocker scripts as well, and that’s what’s happening in the case of blocking tools, such as Adblock Plus and uBlock Origin, that regularly provide extra filters to download and add to the blocker so that it can remove the latest scripts.

But as its anti-adblocker scripts are added to the filter lists, YouTube releases updated versions of those scripts. So now there’s an adblock detection arms race going on, embodied by the “Is YouTube Anti-Adblock Fixed” website, which monitors whether the uBlock Origin browser plugin is successfully circumventing YouTube’s adblock detection or not by comparing a list of YouTube anti-adblocker script IDs with the list of script IDs that are blocked by the plugin.

Fundamentally, the EU says that random websites aren’t allowed to rummage around in your stuff without permission. That’s something most people agree on. Google itself forbids Android app developers from using the QUERY_ALL_PACKAGES permission, describing a user’s installed apps as “personal and sensitive information.”

The question facing the DPC is whether YouTube’s adblock detection scripts are invasive enough to qualify: Is downloading and running a JavaScript routine equivalent to downloading and storing a cookie?

It looks like YouTube intends to argue that it isn’t, and is emphatic that it only seeks to identify whether ads have been served but not played. When WIRED asked the company if it was using or testing server-side ad blocker detection, YouTube’s Lawton said that it was currently carrying out ad blocker detection within YouTube and not on users’ devices. That doesn’t line up with our observations or those of the ad blocker developers, as a JavaScript detection routine on a website has to be run by the browser to function.

Lawton says that YouTube “will of course cooperate fully with any questions or queries from the DPC.”

The Irish Data Protection Commissioner’s office did not provide a comment for this feature, but Hanff says that the DPC has confirmed to him that it’s investigating the case.

Most ad-blocking browser extensions look for specific file paths and filenames (such as those in the ad blocking Easylist) being called from within a page, and remove them from the version of the page that is rendered in your browser.

For example, a JavaScript program called “clever_ads.js” (the name of a script produced by the Clever Ads advertising automation service, which embeds ads in your page) would be identified by the ad blocker and removed, along with any content it would normally load. In the case of YouTube, the ad API returned JSON files, which the ad blockers would replace.

There are a few methods of detecting whether a user is blocking ads, most of which involve another JavaScript program that checks the rendered page for evidence that ad content has been removed. A frequent approach is to have your ad-loading script also insert a JavaScript variable or an HTML element that can be checked for.

Of course, ad blockers can look for and remove the anti-adblocker scripts as well, and that’s what’s happening in the case of blocking tools, such as Adblock Plus and uBlock Origin, that regularly provide extra filters to download and add to the blocker so that it can remove the latest scripts.

But as its anti-adblocker scripts are added to the filter lists, YouTube releases updated versions of those scripts. So now there’s an adblock detection arms race going on, embodied by the “Is YouTube Anti-Adblock Fixed” website, which monitors whether the uBlock Origin browser plugin is successfully circumventing YouTube’s adblock detection or not by comparing a list of YouTube anti-adblocker script IDs with the list of script IDs that are blocked by the plugin.

Fundamentally, the EU says that random websites aren’t allowed to rummage around in your stuff without permission. That’s something most people agree on. Google itself forbids Android app developers from using the QUERY_ALL_PACKAGES permission, describing a user’s installed apps as “personal and sensitive information.”

The question facing the DPC is whether YouTube’s adblock detection scripts are invasive enough to qualify: Is downloading and running a JavaScript routine equivalent to downloading and storing a cookie?

It looks like YouTube intends to argue that it isn’t, and is emphatic that it only seeks to identify whether ads have been served but not played. When WIRED asked the company if it was using or testing server-side ad blocker detection, YouTube’s Lawton said that it was currently carrying out ad blocker detection within YouTube and not on users’ devices. That doesn’t line up with our observations or those of the ad blocker developers, as a JavaScript detection routine on a website has to be run by the browser to function.

Lawton says that YouTube “will of course cooperate fully with any questions or queries from the DPC.”

The Irish Data Protection Commissioner’s office did not provide a comment for this feature, but Hanff says that the DPC has confirmed to him that it’s investigating the case.