168 comments

[ 4.8 ms ] story [ 201 ms ] thread
Seems awesome. Hope Firefox does something similar.
Firefox's private browsing mode has been doing this for a while now, so they've got the tech in place and tested; I get the impression that they're waiting for other browsers to start the ball rolling on turning this on by default so that ad-supported websites don't just start outright blacklisting Firefox in retaliation. Safari doesn't have to worry about that, because of Apple's platform effect. Makes one wish that FirefoxOS worked out...
This is coming. Chrome is implementing a built in ad blocker.

Advertisers and content providers can either start getting used to the idea now and get ahead of the trend. Or they can watch their business model suffer and scramble to catch up later.

When their main revenue is ads? Will there be "acceptable ads"?
Yes, of course. Even ad block plus has 'acceptable' ads. Especially in the case of Google, their ads are def 'acceptable' :)
That seems like it will lead to some monopoly-style legal trouble
Which is exactly why most friends and colleagues have switched to uBlock Origin or similar plugins.

Whitelisting is not the solution. Letting the entire industry die in the pit they've dug for themselves is the solution.

What happens to the freemium game industry?

I think opt-in, rewarded advertising is the path forward for the minority of publishers wise enough to learn to align with the end-user's goals. App monetization platform providers like Tapjoy -- who have customers on both supply side (publishers) and demand side (advertisers) might view end-user UX as the 3rd leg of a stool.

They stop taking good games and hitting them with the micro-transaction stick until they're awful?

Bring back the OLD PopCap. Let me BUY good games. I pay. I'll be happy to buy more.

Instead people are trying to make Candy Crush look downright saintly.

If I remember correctly, the idea is to block ads that don't conform to the standards set by the Coalition for Better Ads [0]. Google is (as you can expect) a member of this coalition (just like Facebook and many other companies [1]).

[0]: https://www.betterads.org/standards/ [1]: https://www.betterads.org/members/

Gotcha. That makes sense
I get Google ads on mobile that flash and mislead. Virus Scan! Battery Scan! Clean Your Phone! With yellow and red. So at least on Android, Google serves tons of shit deserving blocking.
(comment deleted)
Of course Google's ads will be deemed as "acceptable" with their own ad blocker. What are the chances that Google will add the capability to allow for third party "content blockers" that block ads in Chrome for Android?

Apple has allowed third party content blockers for iOS for years.

Well I see this playing out similar to the Adblocker scandal (i.e. pay Google to get on a special "Google Approved" list, and then you'll bypass the blocker.)
Do you really think that advertising company will block advertising?

If you do, I have a slightly used bridge in NY City to sell you for cheap.

I think they'd happily block other providers' ads.
At that point between their dominance in ads and their dominance in browsers I could see other ad providers getting very upset and asking the government to intervene. And I think they may be right.

Will the government do anything? I doubt it.

hahaha - they're only just now getting upset?
I wonder if advertising companies will end up fighting for decades to protect their parasitic ways like big tobacco, oil companies etc.
The Law of Unintended Consequences may yet have the next laugh.
I fear you're right. There are already techniques like canvas fingerprinting (https://en.wikipedia.org/wiki/Canvas_fingerprinting) on top of what the browser already shares (https://en.wikipedia.org/wiki/Device_fingerprint).

You aren't safe from tracking unless you disable javascript entirely. The only winning move is not to play.

Expand?
I'm posing the question: Will the cure be worse than the disease?

They won't just roll over and say "oh well".

Fair enough. Though Google seem to be trying to specify a minimum standards floor.
What's especially infuriating about the advertisers' spin here is that Apple appears to have gone to a lot of effort to not destroy their business model. They're not simply blocking third-party tracking cookies, they're expiring or partitioning them more rapidly based on how infrequently the user interacts with a given website.

https://webkit.org/blog/7675/intelligent-tracking-prevention...

Conveniently, some parties like mostly Google but also Facebook and Twitter have both a big presence in the tracker space and also a site users often visit directly. Their information is going to get much more valuable.
Do Google ad tracking cookies actually live on the google.com domain? Seems like an ethical violation of some kind if so.
None of these changes really affect Google, since users typically use their services every day. It's almost like Apple is helping Google get more powerful. It's the smaller ad networks and exchanges that will suffer a lot.
So.. I'm assuming Apple is not full on ignoring the `Set-Cookie` http response header, or persistent sessions as we know it are gone. ..Right?
They are giving the cookies a lifespan, which is more aggressive if the user never interacts with the domain in question. This mainly affects tracking cookies as the user never interacts with anything on the tracking domain.
I'm guessing they aren't messing with first-party cookies, just third party ones.
Isn't disabling third-party cookies common already? Are advertising companies alarmed because this "Intelligent Tracking Prevention" is on by default?
Common for tech people maybe, doubt it for the vast majority of "normal" users.
> They argue it'll hurt user experience and campaign targeting

Uh, it's the ads that are hurting the user experience. And I don't particularly care if your targeting suffers.

Here's a better euphemism:

> “Blocking cookies in this manner will drive a wedge between brands and their customers, . . ."

How about: . . . will drive a wedge between brands the those who they want to exploit.

I don't think brands are the ones doing the exploitation. They just want me to buy their new doodad. AdTech is doing all the exploiting here, it seems to me, on both sides.
In house marketing can be just as aggressive as third party, so I don't think we can fault one more than other.
I disagree, we absolutely can. Bounty and Charmin don't aggressively shove cookies onto my machine, or execute arbitrary javascript on anywhere near the same scale that ad networks do.
> Uh, it's the ads that are hurting the user experience

Amen to that. Not only do they slow down page loads by several orders of magnitude, they also frequently slow down the website after page loads. The shenanigans some of them try is really infuriating and blatantly disrespectful to the end user. Embedded cryptocoin mining, firing off HTTP requests rapidly and endlessly, changing the page's scrolling behavior, loading right in the middle of the page's main content, etc.

Any change to a web browser that interferes with or defeats online advertising is one that I welcome. Until online advertising becomes unobtrusive and malware-free again, I, along with millions of others, will keep the adblocker enabled.

A translation of the open letter from advertising companies to Apple:

  September 14, 2017
We're just now realizing what this means.

  An Open Letter from the Digital Advertising Community
"Community" means we're down to earth and neighborly.

  The undersigned organizations are leading trade associations 
  for the digital advertising and marketing industries, 
  collectively representing thousands of companies that 
  responsibly participate in and shape today’s digital 
  landscape for the millions of consumers they serve.
We sell ads. Lots of ads. So much money. We're "responsible" for certain definitions of responsible. Like your teenager is "responsible" for crashing your new Porsche into a ravine. Speaking of Porsches, have we mentioned how much money we make selling ads?

  We are deeply concerned about the Safari 11 browser update 
  that Apple plans to release, as it overrides and replaces 
  existing user-controlled cookie preferences with Apple’s own 
  set of opaque and arbitrary standards for cookie handling.
That 99% of users think a cookie is a type of desert is neither here nor there. And by "user-controlled", we mean "defaults that benefit us".

We're also annoyed they didn't ask us. We're a bit hit at parties.

  Safari’s new “Intelligent Tracking Prevention” would change 
  the rules by which cookies are set and recognized by 
  browsers. In addition to blocking all third-party cookies 
  (i.e. those set by a domain other than the one being 
  visited), as the current version of Safari does, this new 
  functionality would create a set of haphazard rules over the 
  use of first-party cookies (i.e. those set by a domain the 
  user has chosen to visit) that block their functionality or 
  purge them from users’ browsers without notice or choice.
"Haphazard" meaning "we disagree". Also, we 100% agree with user notice or choice, unless the user chooses to block ads or desires notice on how we're using their data. That's, uh... proprietary.

  The infrastructure of the modern Internet depends on 
  consistent and generally applicable standards for cookies, 
  so digital companies can innovate to build content, 
  services, and advertising that are personalized for users 
  and remember their visits. Apple’s Safari move breaks those 
  standards and replaces them with an amorphous set of 
  shifting rules that will hurt the user experience and 
  sabotage the economic model for the Internet.
Can we talk about innovative advertising for a minute? We're piloting this pop-up that completely replaces boring content and downloads an awesome new app automatically. That app then opens with videos on housewife inventions.

We've put a lot of hard work into sandwiching ourselves as the economic model for the internet, and it really grinds our gears that anyone would suggest there are other ways to make money besides working with us.

  Apple’s unilateral and heavy-handed approach is bad for 
  consumer choice and bad for the ad-supported online content 
  and services consumers love. Blocking cookies in this manner 
  will drive a wedge between brands and their customers, and 
  it will make advertising more generic and less timely and 
  useful. Put simply, machine-driven cookie choices do not 
  represent user choice; they represent browser-manufacturer 
  choice. As organizations devoted to innovation and growth in 
  the consumer economy, we will actively oppose any actions 
  like this by companies that harm consumers by distorting the 
  digital advertising ecosystem and undermining its 
  operations.
For example, how will users know which #brand to choose without advertising? How will our customers survive without us? Might as well shut down this whole internet thing.

...
Sometimes you can judge the merit and effectiveness of an action based on who is complaining about it. It seems that what Apple is doing is effective in limiting tracking. Kudos to Apple!
Glad to see it happening, props to Apple actually standing up for their customers.

Then again, I'm sure it's fairly easy for a company that doesn't rely on scraping data from their customers.

Were there a publicly-traded company that manufactures small violins (preferably the one that makes "world's smallest"), I'd go long on their stock right now.

I mean, who do they expect to persuade with this? Is there anyone not tied to the adtech industry shouting, "Damn you, Apple, and your assault on open web standards!" 'cuz me, I'm thinking, "without even reading the article, if the ad industry is upset about it, it must be good."

"We routinely send you malware without an iota of shame or responsibility, but how dare you not store for us the tools we need to track, productize, and sell you like livestock!"

Is there any reasonable response to this besides, "yeah, go fuck yourself"?

This is bullies crying that their victim didn't show up by the flagpole at 3pm for his beating.

I sincerely hope they go out of business -- these companies are toxic and canerous. But that's a rant long enough to fill a book.

There is money in "creative communications", money in semi-captive audiences. (Every time you want to read an article that has a hundred ads around it.)

There will be people exploiting that.

AdBlock works pretty well though.

The real problem is that people don't have the intrinsic need of blocking those fucking ads, because they are dumb as fuck :(

But we have YouTube and a lot of sites that live off ad revenue. (That search engine thing too, you might have heard about it.)

The end result for the customer is that the ad industry will switch to cross-device tracking for everyone.

Right now, you had an option to opt-out, by setting cookies to block. You were relatively safe.

Now the default will become a net of machine learning algorithms which can track you cross-device without requiring cookies. It is not possible to safeguard against that, unless you completely randomize your online browsing behavior.

Interesting point: If the despicable ad industry "ups their game", it might get harder to evade.

What techniques exist in that space? Anything beyond browser footprints ( https://panopticlick.eff.org ) and super cookies?

Any reasonably realistic suggestions for evading tracking in that scenario?

Learn a few new languages, browse on each device thinking with that language. It could be enough to fool some algorithms.
There is probabilistic vs. deterministic cross-device tracking.

Deterministic assigns a unique device identifier to each device and then uses more data to connect device IDs to an individual.

Probabilistic cross-device tracking uses machine learning algorithms to match up devices and identities. For this they can use basically any data that you happen to give them, including behavioral data (you check a website both at home and during transit on your mobile phone, you use the mouse to select text during reading an article, you accidentally gave an application access to your location data and they have resold this, etc.). Probabilistic cross-device tracking can work with and without cookies. Of course ad companies employing these techniques for their customers claim very optimistic accuracy, but know that the accuracy is at least accurate enough to provide them with useful tracking data on individuals. This accuracy will go up if you push ad companies in a corner and confront them with a 10% (or whatever marketshare Apple browsers have) non-cookie-able surfers (as opposed to a fringe small sample of users that block cookies and did so for years).

When cookies got banned/required permission in Europe, European websites just started buggering everyone to accept cookies before you were able to read what you were coming for. While everyone already had the option to only allow cookies from trusted domains, now everybody gets pestered with giant pop-ups. Companies also switched to server-side analytics/tracking, or started requiring log-in to track you.

If cookies were accepted, one could just join a cookie swap program to mess with the advertisers. Probabilistic cross-device tracking is very hard to avoid, as not using javascript and a general browser like TorBrowser is also an informative fingerprint. And you can't realistically change your browsing habits, which exposes you to gender and age identification (they need this to identify individuals in a household using a single IP).

Probabilistic cross-device tracking uses machine learning algorithms to match up devices and identities

Is there any application of machine learning that isn't evil? Genuine question. It seems to be exclusively used to exploit people.

(comment deleted)
I think you're running up against the fact that ML is a tool that can solve classification problems, which just like search in years past, has the potential to be very political.

We've mostly gotten used a world with search -- in the past it was a big political controversy that powerful groups could scan huge volumes of data for advertising, tracking, or criminal activity. There were jokes in chatrooms about using the word bomb because the FBI would pick up on it. Or that your search queries and web history would be scanned for keywords and used for ads.

Now there's this new tool that allows people/things to be grouped and classified very precisely by imprecise rules. Combine the hype about the different problems this new tool will help people solve and the inexperience that people have with the ethical ramifications of the things they build, with the crudeness of the initial implementations and it's easy to get the sense that ML will be a net bad for society -- just like search.

Sure there is! ML helps with medical diagnosis, cures, and treatment, ML helps automate services that are unavailable to third world countries, ML helps catch criminals, money laundering, and fraudsters, ML saves wasteful energy consumption, ML improves customer support, ML helps optimize resources to focus on those in immediate need, ML supports science like high-energy physics, ML creates a new generation of digital artists.

All good uses of ML, but maybe not so sexy.

I bet the majority of ML is used neutrally: to add business value to a company. Depending on your view of capitalism of course.

ML helps with medical diagnosis, cures, and treatmen

Sure that's what IBM says with Watson but that's just exploiting people too.

An example of what I was aiming at is to use ML methods like deep nets to detect early-onset diabetic retinopathy. Diabetic retinopathy is the leading cause of blindness and at least 90% of new cases could be reduced with early detection and proper treatment. [1]

Especially in third world countries where there is no eye doctor in sight, these cheap automated methods can be deployed on a mobile phone and achieve near-human expert level accuracy. [2]

Then organizations like Watsi can use data science and predictive modeling to reduce fraud and get both detection and treatments to those most in need. [3]

[1] https://en.wikipedia.org/wiki/Diabetic_retinopathy

[2] http://blog.kaggle.com/2015/09/09/diabetic-retinopathy-winne...

[3] https://dssg.uchicago.edu/

About IBM Watson, the entire thing is unfortunate, I completely agree. Their marketing department upsold IBM Watson for cancer treatment. But I know that a lot of great research scientists worked at IBM on Watson. What they were doing was legit advancing machine learning too. That's the thing about marketing: if IBM were to deploy 10.000 phones with a neural net to improve early detection of disease in a third world country, I probably won't even hear about it, and I work with ML. But for IBM Watson, everybody and their grandmother goes: That's the AI that beat Jeopardy. It's a thin line between being majorly successful in marketing and crossing the line into damaging your reputation and goodwill (or in this case: the entire ML industry).

There's definitely truth to this. However, website developers who rely on this data to monetize their sites with ads will suffer.
I work on a checkout product that is implemented as a third-party iframe. We set a cookie so that a user can have their information remembered for the next time, so that if you've shopped at merchant A, you won't have to fill out your information again when you want to shop at merchant B or C. We don't use it to track you or profile you, it's literally just to make it easier for you to check out (which makes our merchants happy because they see less drop-off). We have a very simple and obvious way of opting out of this, directly in the checkout itself, if you for whatever reason don't want to be remembered.

Unfortunately, because most people don't visit us in a first-party context, we are classified as a tracker, so we can't read our cookie anymore. The result being that our customers have a worse experience. If they want to get prefilled, they'll now have to go through this weird redirect song and dance so that we can interact with them in a first-party context.

So yeah, while I'm generally for enhanced privacy, I think this specific implementation is harmful. I think that all it achieves is that it consolidates the ability to track users to a small number of giants that you routinely interact with in a first-party context on a daily basis (Facebook, Google, etc).

While that sounds user friendly and genuinely useful, to me it's acceptable collateral damage in order to stop the rampant abuse by ad networks. As a user I'm also not sure it's a huge loss, since at least the browsers I use can auto-fill addresses and credit cards.
(comment deleted)
> When Apple first announced the limitations to cross-website tracking in June, the company said the changes are meant to improve trust with users, explaining that “users feel that trust is broken when they are being tracked and privacy-sensitive data about their web activity is acquired for purposes that they never agreed to.”

This!

I switched from Windows+Android to the Apple ecosystem in 2015. Because I love so many things about Apple products. But this alone (Apple taking measures to protect its customers' privacy concerns) is a huge huuuge selling point and a competitive advantage for them.

I've been PC since DOS, and I've switched too. Who the hell wants to be treated like a cross between a product to be monetized, and an enemy to be spied on?!
(comment deleted)
I have to say I was a little put off by the feeling with Windows 10 that rather than my computer being a machine that follows my instructions, it had become one that Microsoft controls over the internet and maybe does what I ask it if that doesn't annoy Microsoft. I downgraded that one back to 7 and mostly use OSX.
Going back to Windows 7 on my Windows drive I only used for Steam games that don't have a Mac version. Fuck Microsoft with their deadline for a "free" upgrade turned date rape and switch.
Privacy is important, but breaking the functionality of cookies is the wrong way to address it. Not all cookies are used for tracking. Be prepared to start losing your settings in web apps or being logged out after 24 hours if you use Safari.

What's more, the claim that Apple is doing this for the sake of user trust is a lie. The real reason they're breaking the functionality of cookies is the same reason they refuse to implement progressive web apps, and the same reason they've become the slowest browser to adopt new standards, and the same reason you see "Safari is the new IE" all over the place. They're deliberately trying to hold back web technology so that people will be forced to create and use native apps instead. They're desperately trying to cling to the annual developer license fees and app commissions.

I say this as a die-hard MacBook user. I prefer Apple to Microsoft, but I hope Google wins in the web-vs-native holy war.

As I understand it, this doesn't affect cookies set by the page/domain the user is actually visiting, and it isn't blindly deleting all cookies after 24 hours.
Third party cookies have very few non-tracking legitimate uses, I block them and nothing I actually want has been broken.
Privacy is important, but breaking the functionality of cookies is the wrong way to address it.

Apple wasn’t the one that broke the “functionality” of cookies. Though I’ll allow that one could think that third-party tracking cookies were part of the original intent.

Be prepared to start losing your settings in web apps or being logged out after 24 hours if you use Safari.

Be prepared to start reading articles on how this actually works before sharpening the pitchfork. I’ll give you a hint: none of what you describe will come to pass.

... what the hell did I just read. Let me correct the record so those that end up here don't actually buy into this.

> Not all cookies are used for tracking.

No, but third-party cookies are basically used for tracking. A legitimate site does not depend on a third-party cookie to handle features or login. At all, full stop no ifs, ands, or buts.

> Be prepared to start losing your settings in web apps or being logged out after 24 hours if you use Safari.

Again, not going to happen because those are not associated with third-party cookies.

> They're deliberately trying to hold back web technology so that people will be forced to create and use native apps instead.

God no, or there would be no icloud.com, online shopping app, or their other web offerings. There is no conspiracy or holding back, this is purely to protect the user.

> I say this as a die-hard MacBook user.

Then you should be prepared with more research and have your homework done ahead of time on this matter. This is all nonsense and just false.

> Not all cookies are used for tracking. No, but third-party cookies are basically used for tracking. A legitimate site does not depend on a third-party cookie to handle features or login. At all, full stop no ifs, ands, or buts.

I'd point out that in the case of DocuSign signing sessions powered by iframes that without being able to set this third party cookie prevents the session from loading. Probably the only use case of a third party cookie being useful that I can think of.

Aren't the site in the iframe uses its own cookie? (So it doesn't count as 3rd party, no?)
That's not how it works. Even if you're setting the cookie on your own domain, if you're embedding your site in an iframe on a different domain, you won't be able to read your own cookies from within the iframe after this change.
Oh! Could you show the relevant post/source from webkit for this?

After reading the webkit blog post on ITP I had no idea they changed this, but yeah, they are probably going to anyway if haven't yet. Otherwise it'd be too easy game this.

Well, that's how cookies in iframes have always worked. The only difference is that these changes explained in the blog post you mentioned means that since you never interact with the domain in a first-party context, you won't be able to read the cookies while in a third-party context. See the heading "Actions Taken After Classification" in https://webkit.org/blog/7675/intelligent-tracking-prevention...
> A legitimate site does not depend on a third-party cookie to handle features or login. At all

Sites which use Disqus, or similar, for comments.

I hate Disqus with a passion and wish horrible flaming death upon it, and am actually quite pleased that this will break it. But nonetheless it's a "legit" use of third-party cookies to provide a feature (remembering login on an embedded commenting engine).

As a newspaper developer, let me tell you, a horrible flaming death isn't good enough for it.
>I hate Disqus with a passion and wish horrible flaming death upon it

I mostly just ignore it, why do you hate it with such intensity? hahah

3rd party cookies are not really required for most apps, they are mostly for ads.
> They're deliberately trying to hold back web technology so that people will be forced to create and use native apps instead.

If that was the intent they wouldn't have already killed the native APIs for device identifiers ages ago.

Quite simply YES!
If they really wanted to protect the privacy of it's customers, FaceID would be really different... I think that they just don't want 3rd parties selling your information.
How so? FaceID is local to the phone.
I wonder if Apple is protecting its customers from everyone except Apple.

I really can't trust any closed-source OS, and very few closed-source applications.

Unless I can build and install a completely custom version, it isn't open enough to be safe.
Can't trust the OS without all the code. Can't trust the code if you can't trust the compiler. Can't trust the compiler if you can't trust the CPU. Can't trust the CPU if you can't trust the microcode. Can't trust the microcode unless you've visually inspected the die.

You can't win. Make compromises that are reasonable.

> Make compromises that are reasonable.

When it's so easy to use a community-vetted Linux distribution, I think "reasonable" gets shunted down a layer.

It's not all or nothing. Every reasonable step counts.

> community-vetted

i wonder if this sort of confidence makes you less-safe. something like this should've prevented heartbleed, in theory, right?

It's not confidence that I'm secure, it's a belief that this software development process makes me more secure.

You and your friend down there seemingly have more faith that a closed source process, what, would have identified this bug before it was deployed? Why? That it would have been found by good actors first? Why? That it would have been fixed promptly? Why? Announced with disclosure of its existence and ramifications? Why?

It's not a money question for this stuff either. There are hundreds if not thousands of paid engineers for known good-actors all working to break and responsibly disclose security issues in the same software stack I use.

The only thing you know about the comings and goings of closed source software is when public disclosure happens (and it's later fixed). Why would I be more confident in that process? It's not good enough.

"Community-vetting" didn't stop the HeartBleed bug to linger for over a year.
And we have no idea how many bugs worse than HeartBleed haven't been found yet in closed-source software.
It depends on the development process. Some companies aggressively re-visit older code, others never look at it.

Open-source is not inherently better or worse, it's all a matter of motivation on the part of the developers.

Cross-compiling and multi-device compiles are a thing.
i feel like this is just shuffling concerns rather than addressing them, but i'm open to being shown otherwise.
Suppose you suspect compiler A or CPU X.

Recompile on compilers B and C and compare results. Or on CPUs Y and Z.

In reality, there will almost certainly be differences (different compiling algos, different CPU instruction sets), but if you can pinpoint behavioural distinctions or encoding distinctions which are not explained by known compile or instruction-set distinctions, well, you've got something interesting to explore.

The point being that you don't have to descend the entire stack of turtles. Just compare different stacks of turtles.

It's going to be really hard to compare binary A vs. binary B and determine functional differences. clang and gcc emit entirely different machine code, but they do their best to be functionally identical, at least as far as their respective specs are concerned.
You get my upvote, because I respect your perspective and I agree in principle.

But at its logical conclusion, this idea puts up some serious practical barriers. Even if you only use an OS that you’ve personally audited, and even if you’ve gotten past the potential Thompsonian compiler issues, you’re still left with a minefield of possibly-adversarial pieces of software that might interfere with your computing experience.

Have you audited your BIOS/UEFI firmware [0]? Your CPU’s microcode [1]? Your WiFi/Bluetooth adapter’s firmware [2]? Your HDD controller’s firmware [3]?

I acknowledge that I’m advancing something of a “slippery slope” argument here, but I still care about the question. Where do you draw the line? Obviously being able to audit all of it yourself perfectly would be awesome. But to me that just seems impossible. So how much is enough?

EDIT: beaten by astrodust!

[0] https://www.pcworld.com/article/2948092/security/hacking-tea...

[1] https://www.dcddcc.com/docs/2014_paper_microcode.pdf

[2] https://blog.exodusintel.com/2017/07/26/broadpwn/

[3] http://spritesmods.com/?art=hddhack&page=1

You compile (After reading and understanding the source) of the firmware used on your machine? You take your time to read & understand the millions lines of code of all libraries needed? You know & trust your compiler?

As much as I appriciate the sentiment, I have to admit I personally gave up trusting OSS for the soul reason that I / someone might be able to read and understand it.

That sounds like irrational threat-modeling based on paranoia: you're so focused on one concern (abuse by a closed-source vendor) that you're accepting routine abuse by other vendors to avoid the theoretical abuse.

Your concern seems like a security negative.

Also, Apple has demonstrated a great deal of care in the statistics we know they collect, eg by making it impossible to determine your actual input while collecting aggregate statistics.

So it is a theoretical concern, but in any practical threat model, it's also a better concern to have than the alternatives.

That sounds like irrational threat-modeling based on paranoia: you're so focused on one concern (abuse by a closed-source vendor) that you're accepting routine abuse by other vendors

Who? Who do you think I accept abuse from?

In this case, most alternative browser vendors for phones.

Or the terribleness of Android (-- I certainly wouldn't pick it over iOS for security reasons).

(comment deleted)
So have you personally vetted all of your open source software personally going through every line of code?
(comment deleted)
So how would websites earn money?

Is everyone going to pay 3$ / month every website? Apple should have fixed that first, but is now blocking everyone because their own iAd failed. I think a lot is going to blow up, eg. Apple users requiring membership for websites + a subscription.

What if those companies suddenly require an email to read more content, then their backend syncs all the required data. ( yes, we will submit a fake email, but a lot of people won't)

Also, i see >1/2 of the frontpage from these "ad supported companies" that "everyone" hates, i don't want more paywalled articles appearing here...

I can understand blocking the ever cookie. But this is probably a bridge too far, i don't want to see more paywalled articles on HN.

And yeah, this will not be a popular opinion here... I'd appreciate responding with arguments instead of down voting :)

Edit: Failed, downvoting begins as expected

Correct. By adding sufficient value that customers will pay (perhaps with the applepay integration). Or by adding sufficient value that a customer switches browsers.
Websites don't inherently deserve to earn money. They have to earn it.
> So how would websites earn money?

There's so much good content that I just don't care if the ad-supported stuff dies. In its absence, free community-driven sites will have a reason to exist and paid options will stand a fighting chance. Maybe magazine-style non-tracking ads will be viable again. Anything that doesn't make the transition to one of those models doesn't matter to me—I don't have anywhere near enough time for it all as it is.

If i currently look at the frontpage of HN i see bloomberg, tomshardware, nytimes, nextplatform, theconversation, washingtonpost, ... That's only the 10 first articles.

All of these are ad-supported for the content. I think most people don't have a correct interpretation of what it is to have money to pay journalists for articles and then get paid for content through ads, because 99,9% of the people won't pay a subscription.

Fyi, the public content is paid by ads right now and most of them have a digital-subscription on the side.

Removing spying ads for everyone changes the entire landscape, though. What if spying ads weren't an option? Print versions of many of these get by with non-tracking ads (well, subscribers are a little, but nothing like web tracking) and have basically forever. Absent spying ads, they'll adopt non-spying ads, or charge money. Or somehow not find a way to make that work even though it did before spying ads were a thing, and die. It'll be fine. We didn't have spying Internet ads not-that-long-ago and things were fine. All the stuff I actually need from the Internet is already totally free (Wikipedia) or supported by paying customers.
One site ( a non profit, where donators also complain about how much money they spend on servers and wages), can't be a reference for an online business. The chance to duplicate this is minimal + it has thousands of free employees / volunteers that don't need to be paid.

The change, cookies can't track users. Will probably be a loss of ad revenue per user, more companies that will have paid subscriptions and a lot of knowledge / news / interesting stories will be behind a paywall --> Personal opinion.

If you only need a encyclopedia, then you don't need to pay anywhere or "free payment through ads". If you sometimes scroll HN and read content for free, then i'm not sure if the content, that you want to read, is only available on Wikipedia.

I think a lot of that content is actually produced by paid journalists, that work for big media companies.

> One site ( a non profit, where donators also complain about how much money they spend on servers and wages), can't be a reference for an online business. The chance to duplicate this is minimal + it has thousands of free employees / volunteers that don't need to be paid.

It was one example, not every single free thing on the Internet that I find highly valuable. Open source would be another, which is mostly supported by volunteers and straight-up paying customers.

> If you only need a encyclopedia, then you don't need to pay anywhere or "free payment through ads". If you sometimes scroll HN and read content for free, then i'm not sure if the content, that you want to read, is only available on Wikipedia.

HN is mostly a replacement for playing Minesweeper or is displacing doing something actually valuable. Or hanging out on IRC. If I actually need news I'd be fine with paying for it (I mostly don't, though).

> I think a lot of that content is actually produced by paid journalists, that work for big media companies.

We had those (journalists, big media companies) before spying ads were a thing. We'd have them after. You think that, for some reason, if no one can use spying ads anymore, that'll mean the end of online media? Or even just online news? Or that Internet advertising would even do more than hiccup for a moment and keep going? Think about it: you're responsible for advertising at Coca Cola. Tracking ads go away, everywhere, for everyone. Do you stop spending ad dollars online? No, obviously not.

My guess is the result would be a concentration of ad dollars on bigger sites, with little or no reduction in total spending. Probably more shitty "native advertising" too, especially for smaller players, which sucks, but we already have tons of that so oh well. Point is, we've all been pining for the days when news orgs had actual money to spend on reporters, and I'd not be a bit surprised if eliminating tracking gave bigger players enough of an advantage that those days came back.

> It was one example, not every single free thing on the Internet that I find highly valuable. Open source would be another, which is mostly supported by volunteers and straight-up paying customers

Paying customers receive more value in most cases, it's not the same content. A good reference is a paywall in this case. I love open source, but how many people get a wage out of it? You only see success stories here and not that much I'm afraid.

+ I don't know any newspaper online that earns money without ads or subscriptions. For now, there are only 2 business models and currently subscriptions gain importance -> paywalls

>if no one can use spying ads anymore, that'll mean the end of online media? Or even just online news?

My guess is more paywall. Interesting articles will be found less on HN

>I'd not be a bit surprised if eliminating tracking gave bigger players enough of an advantage that those days came back.

Not sure if I agree. You mean that, people will have to choose for paying for subscriptions, so the best quality articles after a paywall will get the money by creating better articles. But it leaves less space for everyone else. I'm not sure if that is a good thing, but I understand the reasoning

> Not sure if I agree. You mean that, people will have to choose for paying for subscriptions, so the best quality articles after a paywall will get the money by creating better articles. But it leaves less space for everyone else. I'm not sure if that is a good thing, but I understand the reasoning

No. Again, paying for subscriptions would not be the only option. Internet advertising would still exist without tracking. It'd just be harder to sell as a small-time operator. Winners in a no-tracking world: large, trustworthy sites. Losers: ad networks/spying companies, small ad-supported sites.

This doesn't block advertising, it specifically blocks the cookies used to track users, even then it doesn't completely block them, it just partitions them off such that you can't correlate between multiple sites, and introduces a shorter time out so that an advertiser can't remember you for longer than is reasonable.

People aren't unhappy that ads exist, they are unhappy that ads (and ad networks in general) run rough trod over their privacy, and track them everywhere that they go.

Unless you believe that ads /only/ work if the advertiser knows your age, sex, religion, political affiliation, your living arrangements, your relationship with your family, ....

I would argue that the current obsession with tracking users has not only violate our privacy but also made the ads worse. e.g.

I once bought a washing machine over the internet. For about 6 months I continued to get ads offering me deals to apparently help me expand my new washing machine collection. It didn't matter what I was looking at, the sum total of what they got from all of the information they collected is that while looking at books I was secretly yearning for more washing machines.

Good arguments.

None the less, i think it's usefull to know the age, sex and interests of readers ( small client websites with some blogs).

Religion, political affiliation, your living arrangements, your relationship with your family, ... are none of the concern.

But i'm not sure that people are unhappy that ads are there. They just don't want to see them, without knowing why they are there or that it's privacy related ... ( subjective opinion of working with a lot of consumers)

I'm not even saying people don't want to see ad, I'm saying that users don't want you tracking them across other sites.

A user doesn't want site A knowing that they went to site B, and that is what tracking based ads appear to be to the user. In reality it's even worse because while sites A & B, which the user does trust, don't know it is in fact a separate business they've never seen or heard of that know about you visiting A and B. and also C, D, E....

I think it's the opposite in most cases, you are correct in HN-context.

Yes, we ( HN readers), don't want them tracking us. So that is what you think it is. But we are only a "small" percentage.

Non-HN readers ( mostly non-technical readers), just don't want to see ads and don't want to pay. They also don't know how the tracking works and mostly don't care ( in my experience)

(comment deleted)
I work in advertising.

I've even worked literally trafficking ads.

Targeting any more specific than a good contextual match is usually a waste and not any more effective. Advertisers do not need this information and should not be given it. The agreement is that they show an ad in return for you seeing the page, that does not (and should not) mean that they get access to any more information than is absolutely necessary to display said ad.

If I go onto a site about bikes, I expect to see bike ads. If I go on a tech/programming site, I expect to see tech/programming ads. I don't like going somewhere and seeing random ads for something unrelated to where I am because some advertiser thought I might like Caribbean holidays or something. The solution is not to give them more of your information just so they can "serve you a better ad" (a trade that they benefit off far more than you do), the solution is for them to advertise contextually.

I work in advertising. I've even worked literally trafficking ads.

+1 from me for admitting it. That's the first step. Good luck!

> Targeting any more specific than a good contextual match is usually a waste and not any more effective.

I'd like to believe this. But why then does user tracking adtech exist? Why is the advertising industry opposed to this move to limit user tracking? Advertisers (the ones paying $ for adtech) are conned? Can you point at evidence for your claim?

(comment deleted)
Most of HN is probably too young to remember the old brokerage ad, but websites can earn money the old-fashioned way: they EARN it. And there are plenty of websites that earn my money: NYT, The Economist, some music-related websites, a podcast or two. Whatever shall I do should, say, Buzzfeed go away? Probably make more productive use of my time. I mean let's face it, if a web page has stuff from Taboola at the bottom, you're probably reading the equivalent of ice cream for breakfast: make it a little dirty little secret, but for $DEITY's sake don't make a habit of it. (And that was a general example, Captain Pedantic; don't bother with the two examples on the entire internet that don't fit that description.) If it turns out as you say, and I have to buy a subscription to access a site, I'll do it if I find the content valuable. Odds are, though, it'll turn out like the sites that want me to turn off my ad blocker: I'll decide the content isn't that important and just close the tab.

So, in summary, I'll repeat the ad blocker discussion: I don't care if a lot of sites that depend on ad revenue go under. I've done just fine without network TV and cable for the last ten years, I'll do alright if I don't get the latest from OutBrain.

NYT and the Economist ( the first you mentioned) are both websites that give content here away for free ( for ads), the others are probably niche related to your interests from fans.

I don't have cable also and OutBrain / Taboola really suck. Don't visit buzzfeed and don't pay currently for articles. Because i pay them with ads.

I'd like to see numbers of how much people actually pay for content, before i believe that "the old way" works on the web 15 years later and with a lot more competition... I already hate the paywalled gardens that sometimes show up on HN. The problem will only get worse

Buzzfeed actually do, no matter how much it pains me to admit it, produce some exceptionally high-quality journalism. It's a small subset of their output, but it's there.

One argument is that they're using the dreck to subsidise this. I don't know if that's long-term sustainable, but it's an interesting approach.

There's a long (nearly 200 year) history of this in journalism, dating to the Penny Press of ~1830. See Tim Wu's Attention Merchants.

NYTimes.com is a site I've subscribed to for years.

Yet they still serve me ads and 3rd-party tracking scripts when I'm logged in.

Increasingly, I'm becoming unhappy with this and I will soon write to NYTimes.com to complain about this.

If I'm paying for access to your website I don't want to see ads. Ever.

At the very least, make ads opt-outable for subscribers.

If you want to earn money through advertising, use ad networks which do not deliver malware, do not track users' every move, and do not attempt to build dossiers about users in order to trade in a secondsry market the users never consented to.

The Deck was a great option while it lasted.

Ad Tech is the problem. There's a tremendous amount of media scholarship which says that advertising itself is also the problem.

See:

Jonathan Albright: "Who Hacked the Election? Ad Tech did. Through “Fake News,” Identity Resolution and Hyper-Personalization" https://medium.com/@d1gi/who-hacked-the-election-43d4019f705...

Robert McChesney, Communication Revolution (an excellent history of media failures): http://www.worldcat.org/title/communication-revolution-criti...

And, one of my personal favourites, a brief, very readable, and information-packed 1909 account, Hamilton Holt's Commercialism and Journalism: https://archive.org/details/commercialismjou00holtuoft'

As to what to replace this with: treat information as the public good it is:

https://www.reddit.com/r/dredmorbius/comments/1uotb3/a_modes...

Am I the only one here who actually clicked on an ad... no more than a handful of times?

The last ad I clicked was an image, organically hosted and relevant to the web site.

It seems this is not about commerce - selling goods and services - but about malware, scams and PR by giant corporations for "low information" people.

Cue the ad industry apologists: how would I know about their great products? I would research something I NEED (not WANT) WHEN I need it.

Firefox (w/ ublock origin), Firefox Focus, and the various on device VPN-style ad/tracking blockers (I use DNS66, there are others) make Android much improved over system defaults if you are concerned about tracking or ads. None of them require root or other non-stock-OS modifications.
If I understood the workings of the intelligent tracking prevention correctly ( https://webkit.org/blog/7675/intelligent-tracking-prevention... ) then this looks painful for ad networks which don't serve their ads from a domain with lots of organic traffic. Google and facebook should be fine given that lots of users go there at least once a month.
Actually though it blocks all the targeting. So, for example (and you can try it yourself now -- it's live in the High Sierra beta that you can download right now), when you go to Facebook, you will no longer see ads that are targeted to your interests/sites you've visited. Facebook makes it's money off of ads that are personalized -- generic ads don't sell. Same with Google's Ad network -- it's targeting you based on demos that it will no longer be able to track. Yes, Apple may be protecting its users but this is a direct hit at Google and Facebook's ad revenues, particularly on mobile, where Safari has a much higher browser share. Download it yourself and try it out; it really is fascinating to see the difference.
sounds like Apple is doing something right!
If this their reaction to mere cookie blocking, I wonder how they'll react next year when Chrome starts blocking certain types of ads entirely.
I'm waiting to see how it plays out, because if they whitelist their ads while blacklisting third party ads for arbitrary reasons edicted by them, while being an ad company themselves I can foresee some legal challenges/complaints.
I thought they were just adding the functionality to block ads but they weren't creating a filter list. So I would assume adoption would be similar to how it is now, but with the actual blocking being much more performant for users who add filter lists.
(comment deleted)
Of course it will hurt campaign performance and targeting, which is exactly why they need to block those cookies.

I have never seen such a group so spoiled as marketing peeps. These guys and gals demand blood from stones to justify their "spend", and have been single-handedly responsible for so much of the web's dark patterns and annoyances.

Anything to cast these louts back to the stone age is a good innovation. Once advertising goes back to products selling you on themselves, and not this emotional "lifestyle" BS, we can throw the marketeers a bone. Until then, piss off!

You know who's not? B2B publishers. Because if this spreads, if you want to buy a niche market, you have to buy directly from that niche seller (for example, if you want to reach pig farmers, you'll need to buy ads on a pig farmer site -- it's the only way). So the ad networks hate it; direct sellers LOVE it.
Honestly, it tickles me pink to see ad companies having a public sook about a company standing up for the end-user.

What is amazing is the level of arrogance these ad companies have to accuse apple of damaging the "infrastructure of the modern internet", and speaking as though they care at all about the consumer when if it meant that these ad companies could make even a single dollar more or could track people even a little bit more they would burn the internet to the ground to achieve that goal.

As someone who works partly in the ad ecosystem, all I can say is: YESSS!!!!