Ad tags are
|“||hypertext markup language (HTML) code sent between online advertising entities, which will ultimately call up the correct advertisement to be delivered to a user.||”|
That HTML code conveys information about the advertisement space to be filled. The ad tag includes basic details about the size of the space to be filled as well as cookie-based identifiers to facilitate targeting of the ad. The functioning of ad tags explains how online advertising companies can send advertisements to users' browsers without the advertising companies actually directly knowing what that advertisement is.
Ad tags are the messages that tell online advertising companies what ad to deliver without actually having to send the advertisement itself between multiple companies. When a user visits a website, that host website sends an ad tag out to its ad network. That tag will contain some form of cookie identification so that the ad network will recognize the user. The host website does not need to know anything about the user in order to facilitate data collection; all it must do is notify the ad network of the user's cookie identifier. The ad network's server will then rapidly call up all available data on the user and decide which advertisement to deliver (or call upon another outside party to decide which advertisement to deliver). The ad network will then send an ad tag back through the user's browser, telling it to retrieve the proper advertisement at a URL that the advertiser (the customer of the ad network) has specified.
This is where a key vulnerability in the online advertising system lies. The ad network often performs some manner of initial quality control on the advertisement by examining what happens when it calls the particular URL of the advertiser. However, the actual file at that URL can be quietly changed after that initial quality control check so that when a user actually encounters the ad, an innocuous and safe ad may have been transformed into a vehicle for malware.z
- Overview section: Online Advertising and Hidden Hazards to Consumer Security and Data Privacy, at 15.