Headline
YouTube's Ad Blocker Detection Believed to Break EU Privacy Law
A complaint filed with the EU’s independent data regulator accuses YouTube of failing to get explicit user permission for its ad blocker detection system, potentially violating the ePrivacy Directive.
Privacy campaigner Alexander Hanff claims that YouTube’s new ad blocker detection is illegal under European law, and he’s taking the fight to the European Commission.
On November 6, German Pirate Party MEP Patrick Breyer addressed Hanff’s claim to the European Commission, formally requesting a legal position as to whether “protection of information stored on the device (Article 5(3) ePR) also cover information as to whether the user’s device hides or blocks certain page elements, or whether ad-blocking software is used on the device” and—critically—if this kind of detection is “absolutely necessary to provide a service such as YouTube.”
YouTube began rolling out ad block detection to Europe earlier this year and is now preventing some European users from viewing its content if they have an ad blocker enabled. The EU’s ePrivacy Directive requires online service providers to get explicit permission to “gain access to information stored in the terminal equipment of a subscriber or user.” Hanff, an expert advisor to the European Data Protection Board, alleges that YouTube’s use of JavaScript-based detection scripts to look for specific HTML page elements rendered by a user’s browser is subject to that requirement and he believes it is failing to abide by it.
In a complaint lodged with Ireland’s Data Protection Commissioner (DPC), Hanff called on the DPC to “take action against YouTube … for this breach of the law and demand YouTube cease their unlawful deployment of adblocker detection tools.”
Hanff, who helped to draft the forthcoming update to the EU’s ePrivacy regulations, says he believes YouTube’s JavaScript violates EU citizens’ privacy.
“The script that [YouTube] deploys is detecting what software people are running on their machines or what behaviour their browser is exhibiting in relation to their private activities. It’s not okay. It’s illegal,” Hanff claims, echoing his complaint. We have a fundamental right to privacy under Article 7 of the European Charter of Fundamental Rights. We have a fundamental right to data protection under Article 8.”
YouTube reportedly started implementing anti-adblock measures in May 2023, and in June was still describing its ad blocker detection as a “experiment.” European users have reported seeing detection messages since at least mid-October. Not every user is affected, and you’ll only see these anti-adblocker messages if you’re signed into your YouTube account.
When YouTube detects an ad blocker or other privacy tool that blocks ads as part of its functions, you’ll see a warning stating that “Ad blockers violate YouTube’s Terms of Service” or “Ad blockers are not allowed on YouTube.” There are a few different versions of this message, including some that entirely prevent you from playing videos and others that allow you to view a number of videos with your blocker enabled before streaming is blocked.
A pop-up asking you to turn off your ad blocker is hardly an unusual sight on the internet, but could it be against the law?
All versions of YouTube’s ad blocker detection that WIRED is aware of use a JavaScript program that runs in the client browser, although YouTube says that it could use non-invasive server-side methods to identify if a video ad served to a user has not been played.
Hanff’s complaint claims that YouTube’s client-side detection code meets the description, in Article 5(3) of the ePrivacy directive 2002/58/EC, of a process used to “gain access to information stored in the terminal equipment of a subscriber or user." If that’s the case, the user must be provided with “clear and comprehensive information” about what this information will be used for and given the “right to refuse such processing.”
You’ll be familiar with this process from the cookie consent forms that appear whenever a website wishes to capture non-essential information about you and your browser. Right now, neither an explicit notification nor an opt-out are displayed when YouTube obtains data about whether ad blocking tools may be active on your device or network connection.
YouTube representative Christopher Lawton tells WIRED that “ads support a diverse ecosystem of creators globally and allow billions to access their favorite content on YouTube. The use of ad blockers violate[s] YouTube’s Terms of Service.”
YouTube’s current terms, last updated on January 5, 2022, don’t explicitly mention the use of ad blocking tools, nor any detection measures, although a Permissions and Restrictions clause that forbids user activity to “circumvent, disable, fraudulently engage, or otherwise interfere with the Service” could be read as covering this scenario.
But Hanff, who holds an advanced master of laws in privacy, cybersecurity and data management from Maastricht University, maintains that, “under EU Consumer Protection Law, you’re not legally allowed to enforce any terms in the contract which infringe on the fundamental rights and freedoms of an EU resident.” The reason cookie consent forms are so intrusive is because consent for device access can’t be bundled up with other terms and conditions.
Breyer, the German MEP, echoes Hanff’s beliefs, telling WIRED that “ad blockers protect us from illegal tracking of our online life and online harms. YouTube’s terms and conditions likely violate EU law. YouTube should offer surveillance-free advertising and stop its anti-adblock campaign now.”
YouTube obviously wants to make money—that server bandwidth isn’t going to pay for itself. In 2022, ad-free YouTube Music and Premium had 80 million subscribers, while YouTube reported ad revenue of $7.95 billion in the third quarter of 2023 alone.
Priced at $13.99 (or €12.99 in Europe), YouTube Premium’s primary benefit is ad-free video and music streaming. But if you can use an ad blocker to obtain most of the benefits of a subscription, there’s little incentive to pay.
YouTube also needs its content creators to make enough money to justify their efforts. If you don’t watch the ads on a video, and aren’t paying for YouTube Premium, the video you’re watching doesn’t make any money for its uploader. That includes if you have ads enabled but press the “skip ad” button as soon as it appears on a skippable ad.
YouTube also reserves the right to serve ads on videos by creators who are not in the YouTube Partner Program or under a monetizing agreement, without sharing any revenue from those ads with said creators.
The arguments in favor of ad blocking range from reducing bandwidth consumption to avoiding psychologically harmful ads. (YouTube, for example, runs ads for alcohol, diets, and online casinos.) But the most compelling argument in favor of ad blocking is online security. Security researchers regard online ad networks as a key threat vector when it comes to cybersecurity, and ads on YouTube have previously been cited as serving crypto-mining malware and links to scams and pornographic content.
Most ad-blocking browser extensions look for specific file paths and filenames (such as those in the ad blocking Easylist) being called from within a page, and remove them from the version of the page that is rendered in your browser.
For example, a JavaScript program called “clever_ads.js” (the name of a script produced by the Clever Ads advertising automation service, which embeds ads in your page) would be identified by the ad blocker and removed, along with any content it would normally load. In the case of YouTube, the ad API returned JSON files, which the ad blockers would replace.
There are a few methods of detecting whether a user is blocking ads, most of which involve another JavaScript program that checks the rendered page for evidence that ad content has been removed. A frequent approach is to have your ad-loading script also insert a JavaScript variable or an HTML element that can be checked for.
Of course, ad blockers can look for and remove the anti-adblocker scripts as well, and that’s what’s happening in the case of blocking tools, such as Adblock Plus and uBlock Origin, that regularly provide extra filters to download and add to the blocker so that it can remove the latest scripts.
But as its anti-adblocker scripts are added to the filter lists, YouTube releases updated versions of those scripts. So now there’s an adblock detection arms race going on, embodied by the “Is YouTube Anti-Adblock Fixed” website, which monitors whether the uBlock Origin browser plugin is successfully circumventing YouTube’s adblock detection or not by comparing a list of YouTube anti-adblocker script IDs with the list of script IDs that are blocked by the plugin.
Fundamentally, the EU says that random websites aren’t allowed to rummage around in your stuff without permission. That’s something most people agree on. Google itself forbids Android app developers from using the QUERY_ALL_PACKAGES permission, describing a user’s installed apps as “personal and sensitive information.”
The question facing the DPC is whether YouTube’s adblock detection scripts are invasive enough to qualify: Is downloading and running a JavaScript routine equivalent to downloading and storing a cookie?
It looks like YouTube intends to argue that it isn’t, and is emphatic that it only seeks to identify whether ads have been served but not played. When WIRED asked the company if it was using or testing server-side ad blocker detection, YouTube’s Lawton said that it was currently carrying out ad blocker detection within YouTube and not on users’ devices. That doesn’t line up with our observations or those of the ad blocker developers, as a JavaScript detection routine on a website has to be run by the browser to function.
Lawton says that YouTube “will of course cooperate fully with any questions or queries from the DPC.”
The Irish Data Protection Commissioner’s office did not provide a comment for this feature, but Hanff says that the DPC has confirmed to him that it’s investigating the case.