> For what it's worth, I don't think it's strictly fair to call all plugins that inject ads onto pages "malware."

Quite a bit of malware runs with user "consent", and purports to provide some value to the user. However, "malware" does often has the connotation of something that exploited a security vulnerability to end up on the system, hence terms like "adware" to cover software that introduces advertisements and often gets installed along with some other software package the user actually wanted. And given the extensive tracking associated with most advertising, pretty much any adware will also qualify as spyware, though not to the same degree as software like keyloggers and similar.

Some people have also introduced broader terms like "badware" to encompass many different categories (https://stopbadware.org/), but that term hasn't caught on nearly as much as "malware", "spyware", and "adware".

If a user truly did intentionally install a piece of software that explicitly said it would add advertising to arbitrary websites, and the software installed with the full knowledge and consent of the user, then by all means let the user annoy themselves. But for every user somehow simultaneously knowledgeable enough to figure that out and yet not knowledgeable enough to avoid it, there exist several million users with unwanted adware, spyware, and malware on their systems.

(And in many cases, such a "choice" affects more than just that one user; most spam comes from infected systems, for instance, since that has a lot more "value" than just spamming the user of the infected system.)

> Quite a bit of malware runs with user "consent", and purports to provide some value to the user.

You're right, but merely injecting ads on a page doesn't malware make. Period.

Sure it does. Malware, from wikipedia: "Malware is a general term used to describe any kind of software or code specifically designed to exploit a computer, or the data it contains, without consent."

User consent is typically given to yield some kind of functionality not to inject ads on pages the functionality is just bait.

That's just misdirection, it's not even clever it is simply bad. And whether we're talking about data in transit or stored on the computer is bickering over details.

By that definition, websites that advertise are themselves malware.

If I make a toolbar that, I dunno, provides human-edited translations of Wikipedia articles that's active when you're on Wikipedia.com, and I monetize that by putting ads on the page, and a user downloaded and installed the app (as opposed to me paying to bundle it with another app) that is not malware.

Look, to the generally-non-technical audience that the original Wikipedia article had to write for, I think it's fair to cast a wide net and name all offending apps malware.

But here, amongst professionals in this industry, it's absurd to me to not see the nuance.

> If I make a toolbar that, I dunno, provides human-edited translations of Wikipedia articles that's active when you're on Wikipedia.com, and I monetize that by putting ads on the page, and a user downloaded and installed the app (as opposed to me paying to bundle it with another app) that is not malware.

I agree that in that particular case it wouldn't necessarily qualify as malware, if you've made it clear to the user what you're doing. I would certainly call it adware, though.

And as you suggest, if you snuck it in along with some other application where the user didn't necessarily give clear and well-informed consent to install it, then I would absolutely call that malware.

As long as the plugin explicitly warns you that this is happening, I don't see it as being any worse than running AdBlock.

Publishers might disagree with you. Not only are they denied the income of their work, someone else profits from it.