45 comments

[ 24.6 ms ] story [ 1374 ms ] thread
Why would you'd want to obfuscate instead of block the ads?
"It’s increasingly hard to “opt out” of online tracking. “Unless you want to go live in a cave away from society,” Nissenbaum notes, you need to be online—often for work or to access government services. Online services claim they’re voluntary, but the cost of being a refusenik grows every day."
(comment deleted)
(comment deleted)
Spending over $100,000 per month on advertising online, we do analyze traffic under the microscope. Blocking ads only means Publisher has to display more of it to even out the good traffic.

Continuesly bringing people that are totally off te chart in re to our vertical (due to someone fooling system of their true interests) would bring down ROI to near-zero and have us stop using said Publisher althogether.

Genius move!

Because there are 14 trackers on wired.com. Because:

>One, AdNauseam, clicks every ad on every page I visit

Wired would like you do install addons that click on every ad on wired.com.

I would bet good money those clicks are never counted. Each exchange should rapidly flag 100% clickers.
Blocking breaks webpages sometimes.

Part time blocking can create even more focused profiles Poisoning the well is better if you aren't willing to or can't commit to 100% blocking.

Obfuscating snoopers' profiles is more satisfying.

I use uBlock Origin and unlike with NoScript which I was using for a while before, haven't had a single problem.
Since most advertising and tracking currently happens by loading third-party Javascript, it's trivial for clients to detect and block. If advertiser-hostile clients proliferate, the industry will shift towards techniques that are more difficult to block.

Proxy ads through software on the actual webserver; make them part of the markup like any other page element. Ingest the Apache access logs. Use website-level cookies and relay them to the ad network on the server side. Etc.

Would not that require the advertiser to trust the publisher ?
Any tips on fighting browser fingerprinting?
on the topic of chaff, I use an extension that rotates randomly between combinations of {Windows,OS X,Linux}, {Firefox,chrome} and various versions of those things.

though sadly this doesn't work alone, because it only solves the stuff sent to server (but is far more pleasing to screw with them than to just send nothing). you still have to use noscript to stop things like the canvas font rendering trick :(

What is this extension?
I have used user agent switcher in the past. It sounds like the extension that rickycook was referring to.
that still leaves over 100 bits if info on the table, resolution, fonts installed, localstorage, indexed storage, cookies etc.
Does it cycle through user-agents? I could see an extension that rotates through those contributing nicely to creating noise.
get a cryptostorm (or cryptofree) account.
The only real bullet proof solution I can think of is to use Qubes (or VMPlayer / VirtualBox on a more common OS) to launch a new VM every browsing session. You loose your browser preferences and bookmarks though. You could organize your bookmarks in a local HTML file so your browser don't "broadcast" them.
Nope. If you're using Qubes you are (as far as an ad network is concerned) a young middle to upper class white male with an interest in technology and computer security who probably lives near the Bay Area or another tech hub (depending on GeoIP). That's exactly what an advertiser would be tracking you to find out, and you just put it in the user agent string.

The only way to defeat browser fingerprinting is for everyone (or a lot of people including you) to use exactly the same version of the same browser on the same platform on the same device configured the same way. Even the, which browser-device-screen resolution-version cohort you are part of probably says a lot about your demographic.

It's easy to hide in 2560x1440 Macs running latest Chrome under Yosemite. Not so much on Ubuntu Phone in middle America.

Couldn't you just use a browser that doesn't send user-agent?
The lack of one itself is a datapoint.
If your browser is in a VM how could they know you're using Qubes ? They're gonna get the Linux version that is used in the VM but that's it.
It's unfortunate that AdNauseam is incompatible with uBlock
That is a shame :(
Somewhere in another comment is a link to the relevant issue in their Github. Might not be a problem for long.
> One, AdNauseam, clicks every ad on every page I visit, baffling ad networks.

This seems like a bad idea for everyone involved:

* You leak more information to the ad network (or at least make your datapoint it more prominent in the database)

* You get worst ads (if the ad network uses a smart algorithm to serve personalized ads)

* The ad network gets info with worse information, so it will probably serve worst ads to everyone else (if a lot of people use this)

* The site you visited might end up receiving less money, as it can be accused of click fraud (if a lot of people use this)

Using an ad blocker seems like a much better option (I believe they actually block most of the tracking javascript from even being loaded, so you are probably not tracked anyway).

Am I missing something here?

I think that's sort of the point - to drive ad networks and those who support them into the ground. It's certainly taking the offensive side: "they track which ads we click to find out our interests? Let's click everything so they can't figure out a single thing."

Ad networks do have protections against click fraud already, and just block/ignore users who click much more than usual - which to someone who doesn't want ads could be seen as a good thing.

1) I don't care if my datapoint is prominent, if it's bogus.

2) I've never once thought about the quality of the ads I see. I can't imagine being disappointed that the ads "are worse". They're ads, they're bad to begin with.

3) Again, not concerned with the quality of ads others get.

4) If lots of people use this, then it will be impossible for advertisers to distinguish between click fraud by the site and click fraud by the end-users. The goal is to make click-tracking futile.

The point of AdNauseam is to make tracking useless. So your points are all endorsements of its effectiveness.

I think you're simply completely missing the goals at play here.

To your points about getting worse ads and creating an environment were worse ads are served ... that's the point. "Serving good ads" and "Having a reasonably accurate and reasonably complete profile of me" are different ways of saying the same thing in this context. The fact that you feel "I get good ads" is a good thing for users is the core disagreement you are looking for, this what you are missing.

To the last point: Yes, those who benefit from the collection of their users personal data may be penalized by the system they benefit from when their users act against the interests of the ad networks. Again though, given the implied goals at play here, this likely isn't seen as a bad outcome but as incentive to stop funnelling your users information to a 3rd party for money.

As an aside, your first point is wrong: You leak less personal information by this kind of fuzzing, they already have your browser fingerprint and so on, getting more copies of them isn't useful.

Using an ad blocker is defensive, this is offensive. Which is better depends on your goals.

I prefer to compartmentalize and hide. Each area of interest and associated communities has its own persona, or set of more-or-less linked personas. Each persona has its own VM, and setup for Internet connectivity (various nested chains of VPN services and Tor). I also take basic steps to reduce tracking. I use Disconnect for search, block ads, and allow only scripts essential for rendering pages.
Another thing to do is to run bogus Google searches to obfuscate your own and have plausible deniability about what you were actually doing. Bogus searches could even be selected from topics related to your interests so as not to be easily identified by Google.

Another protection would be to automatically screen what information goes out and stop all leaks of sensitive data, like your name, email, card, ad-related cookies etc on untrusted sites. Dangerous searches could be routed to a different search engine automatically (say, for example, searches related to political activism). Making it easier for people to protect their information goes a long way to achieving privacy.

Related to this, there was (some time ago) an initiative to build out a "haystack" proxy, which went a step further than this. For every link on the page, it would randomly follow 3-4 of them. On every page on those linked page, another random 3-4 links were followed, up to a random depth. The idea being that you ended up generating so much noise (the haystack) that the signal (the needle) was lost.

Of course, this wouldn't prevent a dedicated snooper from watching you, using statistical analysis to find your real trail, but it would certainly hinder your average tracking network.

from AdNauseum's website (adnauseam.io):

>Working in coordination with your ad blocker, AdNauseam quietly clicks every blocked ad, registering a visit on the ad networks databases.

Are they sure the visit is registered? This seems like a trick that would work strictly off clicks in circa ~2009-2012, where now, adnetworks tend to check if you've downloaded some snippet of content (like a pixel tag) before it registers a hit.

In order to "click everything" you'd essentially have to download a ton of pages, content, and 3rd party scripts that are never rendered on your screen.

I think the idea is wonderful, but ad trackers have grown more sophisticated now. I'll have to check out the source later!