This web page consists of three components: an XML page, an XSL page, and some CSS instructions. Without getting too technical1, the purpose of each of these pieces is as follows:
- The XML page holds the actual content of this article, i.e. the words that I'm typing. It also holds an instruction to tell your browser to get an XSL file
- The XSL page holds a set of instructions to transform the XML page into something called HTML, which your browser uses to put the text on the screen by using a series of something called 'tags'. It has an instruction in it to go get something called a CSS stylesheet2
- The CSS Stylesheet contains a list of instructions that tells your browser where I want things to go, like the headers and the footers, and what colors I want to make things. Things like that.
That should give you pause. Would you trust any random person walking down the street with using your computer? Even just for a minute? Yet, that's kind of what you're doing every time you visit a website. You allow someone (or a large team of someones) you may have never met to do whatever it is they want on your computer via your web browser.
I'm just using XML, XSLT, and CSS here, and I've kept things simple so that everything this site does is easy(ish) to understand without too much effort3, but there are lots more technologies that can do a whole lot more things. Something called JavaScript can do lots of interesting things like making interactive forms, or even programming games. But it can also be used for malicious things. And the programs that are written in JavaScript or other programming languages that run in your web browser can be written in such a way that you may not easily be able to divine what they're doing without an advanced degree in computer science. You just have to trust that whoever put the site together that you're visiting isn't making your browser do something that you don't want it to do.
What has that faceless person or company done to earn that trust?
You might argue that it's in the author's best interest to not do something stupid to the computers of the people that might visit their site. All I'm asking is that your browser run some instructions to lay out this page in a way that I thought looked nice, and you don't have to trust me, you can look and verify that it's doing what I say it's doing. But people frequently don't operate in their own best interests, especially when there's money involved, and they almost never act in someone else's best interest when there's money invoved. A huge number of websties are owned and operated by companies, and companies usually view their best interest as: "whatever makes me the most money".
Lots of entities that own and operate websites view the visitors of their site and the computers they browse with as resources to be exploited to make money. They do this in a variety of ways4, mostly involving ads, but how did those ads get there? You can try to look at a website's instructions 5 to find out, but the instructions are almost always hidden deep within layers and layers of computer code that is nearly impossible to figure out what it does. It's so convoluted and complicated that even the owner of the site most likely doesn't know specifically what ads are on their own site6. They know that they left a hole for an ad to go into, and they know that they sold access to that hole to a third party, and they allow that third party to put whatever they want there, sight unseen, in exchange for a few dollars. Worse, when something goes wrong7 and the visitors complain to the site owner, the owner frequently has no easy way to fix it. That's insane to me.
Let's concoct a scenario. Let's say you own a television station, WYRM, because you want to broadcast all of the amazing television shows that you make. Eventually, you decide that you want to sell ad space between or during the shows to generate revenue to do things like cover expenses. Selling ads is hard, though, and would take you away from your passion (making killer television shows), so you would need to hire a sales team, which means salaries and equipment and benefits. That means increased expenses, which means that you need to sell more ads to cover those expenses, too. All of those things result in you having less time doing the thing you started your television station to do, and more time doing boring administrative stuff.
But then you find about about this company, we'll call them 'AdMoolah'. AdMoolah says that they have a solution. They'll provide you with a device that you install into your plant. When the device detects that you are going to a break AdMoolah will semi-randomly pick out a selection of commercials, exactly speficied to fill the size of the hole you left in the programming, and speficically tailored to your audience. They'll even pay you to put it in place, and they pay you more if you show more ads. They also have a database of millions of ads ready to go for every situation. It's a slam-dunk.
So you put it place, and it all works exactly as AdMoolah says it does. You go to a two minute break and AdMoolah plays two minutes of commercials. You get paid and you can go back to doing what you like to do: creating television shows.
Then one day you get a complaint. Sometime during the day AdMoolah played a wildly inappropriate ad8 a few times, which offended the sensibilities of some people. You didn't see it because you were too busy making television shows, and every time you watch an ad break, everything looks fine9, and you don't see whatever it is that people were complaining about.
You try to contact AdMoolah anyway to tell them that they have an inappropriate ad in the mix, and you discover that they don't have massive sales and support teams in place, not really. It's mostly automated, and once an advertiser has an AdMoolah account, they can add almost anything they want with very little to no oversight, it mostly operates on the honor system. In fact, if something untoward does manage to make it through, AdMoolah doesn't really have an incentive to get rid of it. They got paid, after all, and maybe that ad is more appropriate for another kind of channel. They just need to adjust their mix of commercials so that the computer that's selecting the commercials to play doesn't pick that questionable one again for your station.
That wouldn't fly in the television market10, but it's allowed and encouraged this way on nearly every ad-supported site you visit. This is completely insane to me.
Even if I can divine what a website is doing by Viewing its source and I decide that I can trust it enough to run its source code instructions on my computer via my web browser, now I have a third party or several third parties to deal with because the website owner has decided to lend their name and any goodwill that they've devloped to some other outfit of unknown provenance. And that third party has leased out their already questionable name to any number of fourth parties. The webmaster might trust AdMoolah. Ad AdMoolah might trust its advertisers. But why would I trust that AdMoolah's advertisers at all, even if I decide to trust a website for some reason? Trust isn't transitive.
Unfortunately, though, we live in the real world.
In the real world, people seem to have an irrational attachment to money, and it doesn't help that decades of websites emulating the television model11 has conditioned people that information and entertainment should be free(*), *as long as you consume some ads in exchange for the privelege. Ads are everywhere supporting ostensibly free things, and they're not going to go away any time soon.
That's the world we live in, and I'm not railing against ads12. But I am saying that if you run a website, do you really trust the ad networks that you've sold that ad space to? And if you do, why should I? Is it okay if I do a lot of charity work, but I fund it by tricking people into paying me to take care of imaginary computer problems (Oh, your computer's registry is full and it needs to have its hard disk rotated. That will be $400, please)? Do you really trust that the black box of code that you embedded on your site won't ever do something stupid (do you really know what those thousands of lines of outbrain.js are doing?) and tarnish your site's reputation, possibly irreparably? If someone has a bad experience due to an ad on your site, the blowback comes back to you for putting a scummy ad on your site, not the ad network for letting a scummy ad into their network.
But since the prevailing sentiment among websites seems to be that advertising with as many scummy ad networks as they think their visitors will tolerate is the only reliable way to cover expenses13, my default position has to be to not trust any website until they give me a reason to14, and if there's a hole on a website that has some kind of content and nobody knows what that content is until the page is loaded? I can never trust that.