I'm telling y'all, it's adbotage!

I recently stumbled upon a chrome extension called Ads-only Facebook feed that modifies your Facebook feed to only show you sponsored content. I absolutely love an absurd waste of time and found this to be hilarious at first, but then I thought about it more deeply, and realized that this type of an extension reveals the potential for a novel denial-of-service attack on the Internet’s ad-based economy that would be difficult to defend against.

How would you go about handling a very large number of netizens suddenly turning off their ad-blockers, scrolling through social media, and indiscriminately clicking on every single ad that they see with the intention of not buying anything? How would you differentiate between a legitimate user and a user with malicious intent without reducing ad revenue?

Now that agentic browsers are emerging, what is to stop people from bind-mounting their personal browser data directories — cookies and history — into multiple containers running agentic browsers that have been instructed to loop through the social media platforms they hate the most, clicking on every ad that it sees?

I think that the largest concern for the American (world?) economy would be a well-coordinated wave of politically motivated people with time on their hands — fired, furloghed, replaced — deciding to perform this type of attack together, over a period of months, as a form of economic protest.

Every single popular social media platform has been cynically engineered to use data-mined information about its user base to pinpoint their interests and political trigger points, so that they can serve content that keeps everybody scrolling. Adbotage wouldn’t even feel like a task. It would probably feel like a game.

Suddenly all of the platform’s advertising analytics would be in question and the companies paying per click, or some other engagement metric, would see their advertising spend skyrocket, which would force them to either pay it or withdraw their ads from the platform.

I assume it would be the latter because for a protest of this nature to be effective, it would need to be loud and premeditated. It would need a large number of people who are motivated to participate for several hours per day. If it was clear that they had those numbers and that motivation, the companies advertising with these platforms would likely pull their ads before the protest even started.

The infrastructure that serves the ads is also probably also not provisioned or engineered to be resilient for that kind of relentless traffic. They would be forced to over-provision compute to handle the deluge of additional requests, or just eat the DDoS, which would cripple their business(es).

I am wracking my brain trying to think of a way to defend against this, and I can only come up with a couple of possible solutions.

The first is to block users who are clicking on too many ads, which would also reduce their ad engagement to zero, multiplied by potentially millions of users. The second is to, instead of blocking them, just not count their ad-clicks, or rate-limit them. But that also reduces the platform’s ad revenue and has the potential to sweep up users who just click a lot of ads organically. The third would be to place a captcha on every ad click, which is a terrible user experience that would reduce their ad engagement, and make users weary of clicking on ads.

There is just not a solution that doesn’t impact the platform’s bottom line, in my opinion, and it feels like it could be a big problem were it to happen.