I don't really have a problem with first party tracking, unless it can correlate my identity across websites. But otherwise I have no problem with website X knowing that I browse website X.
Can first party tracking do this sort of correlation other than through browser fingerprinting?
If I'm understanding this correctly, it's only first party tracking in that it comes from a subdomain of the domain of the website you are browsing. But that subdomain points at a third party tracking provider. So this still seems like a single tracking provider on multiple website being able to correlate your browsing.
You still get full cookie separation because each website has a different subdomain and thus a different cookie. The analytics provider can track you across the internet, but they have to invest work and resources instead of getting it basically free.
The provider a) is the other parts of the internet (think big cdn) and b) they communicate with other data brokers via a side channel instead of via cookie syncing.
This is already happening with large web publishers.
Well, I'm hardly about to accept that it's legitimate to spy on me "because they invested work and resources instead of getting it basically for free".
It's like, a peeping Tom who just looks through a window - yuck that's gross. But a peeping Tom who spies by building a microdrone that can fly in the door when it opens and mount itself on the ceiling with suction pads - oh that's perfectly legitimate because of the work and resources Tom invested.
I mean, if it's gross to do something by accident and it's gross to do something without any investment, it's super gross to do it with resources.
It's not all that hard to track someone across the internet. I think many people have demonstrate hacks that steal legitimate functionality and get you there.
I think we'll probably have to go for a containerised internet (separate apps) and just deal with the disadvantages.
This is about 3rd party trackers masquerading as the 1st party by asking the hosting page to provide a CNAME under their own domain. With the tracker hosted under the 1st party's domain, they work around people that deny 3rd party cookies.
The example at the top of the thread: https://www.liberation.fr/ has a tracker from f7ds.liberation.fr, which is really part of tracking provider Eulerian.
f7ds.liberation.fr. 3599 IN CNAME liberation.eulerian.net.
TL;DR - the entire point of this is to let 3rd parties continue to correlate your identity by hiding as part of the 1st party.
Google and Facebook have been adding gclid and fbclid arguments to outgoing links for a while. Click one of those, and the linked site can conspire with googbook to correlate identities.
More sites could do that.
This is generally better than 3rd partyies because the sites would have to actually conspire, cooperate and trust each other, which is a huge hurdle.
And if the trust is actually there, they could correlate offline without any indication. Facebook already does that (with credit records, likely phone records and medical records as well) and I wouldn’t be surprised if others don’t.
Correlation is less than perfect this way - but e.g. zip, gender and age are enough to give a pretty good correlation, and name makes it almost perfect - if you have an account somewhere, you probably gave these details.
gclid seems to be for adwords only. imo, if you're already the type to click on ads, you shouldn't object to tracking of which site you came from. fbclid on the other hand applies to all links from facebook. it was a major story on HN: https://hn.algolia.com/?query=fbclid
This was always coming. Next we will have unblockable ads delivered through first party and using obfuscated techniques like canvas or webassembly. The endgame will be all/most websites embedding 1st party ads and tracking and the only way to not see them would be to not use the WWW at all. At that point we will have lost.
Thank W3C for caving into the Corporations that want to remove the Openness from the web-standards that allow for this kind of nonsense.
Google is the biggest offender after all their entire business is Tracking and Ads but it seems they get a pass as being an "offender" from most people
> Google is the biggest offender after all their entire business is Tracking and Ads but it seems they get a pass as being an "offender" from most people
Note that "most people" (even individuals) also happily insert Google Analytics snippets on their own blogs or websites. I see that all the time thru uMatrix. So it's far from "Google being a bad actor" alone.
I wasn't aware putting trackers on subdomains was a working adblocker workaround. Now that I know it, I'm surprised it hasn't been a massive problem since much earlier.
Essentially most sites are not "owned" by a single technical authority in the business - this is the main reason such a simple workaround goes unused.
The key parts there are:
- single
- technical
- authority
Watching businesses attempt an integration of a line code anywhere to download the third party tool is painfully hilarious.
Getting them to set up a DNS record to point to you is often so far off the table its playing in the forest with the faeries. Having them pull your code and serve it statically alongside their site... I couldn't imagine
I believe you, but this still seems strange to me with the overdesigned behemoths, on the verge of toppling over at any moment, most big corporate sites appear to be nowadays.
Websites get bloated because the companies aren't aware of all the tracking going on in the first place.
What usually happens is that the marketing team signs a contract then developers copy and paste a JavaScript snippet to embed on the website and move on.
The work arounds require much more intention and the solutions can be hacky like modifying urls in a minified JS file.
If that tracking is blocked, it is invisible to the company especially if only the third party who has access to the data.
I agree, but given enough incentive these barriers can be overcome. I thing these are signs that ad-blocking is becoming sufficiently painful to provide that incentive.
It is not, on its own, a workaround. Cookies are still separate, and any foolproof online correlation call must go through the browser and can be blocked.
Not going through the browser is possible but requires trust between organizations; publishers have an incentive to inflate numbers, and trust has so far been lacking (and rightly so). That may change.
i actually had this conversation with a friend last night, and we figured the effort put in to serve ads to an audience so vehemently blocking them probably costs way more than the potential revenue, considering if a user is blocking ads they are probably hostile to any messaging anyways. But that's before getting into the rabbit hole of saturation strategy and any press is good press type of theories
This was probably correct until a couple of years ago. Ad-blocking has now become much more commonplace, hence the advertisers innovating so hard to get around it.
'normal' people are starting to run ad-blockers now, not just tech-savvy users.
Yes, I think that's the right approach. You just forgot to mention that in order to prevent tracking a new VM is spun up for fetching each page. (Of course this wouldn't be necessary if the browser were implemented by someone who was on the same side as the user.)
Ad blocking is supposed to improve performance. If you still need to download ad and then perform additional computations, I, personally, would opt-out from that ad-blocking, it's not hard to ignore ad myself.
I’d say it’s not a drain, but even as a long-time ad-blocker, I still am conditioned to ignore things screaming for attention. It’s been very often that I’m looking for something (eg. a link) but I don’t see it because it’s more visible than the rest of the page and my brain is conditioned to filter that out.
but this is all we ever asked, wasn't it? That the content creator take direct responsibility for their advertising instead of shipping us off someplace else.
I feel like it at least makes the arrangement explicit and IMO its as much as we could ever ask for. This was always the technological trick that ad-blocking employed.
Agreed. If ads are served by the site I'm visiting and don't include cross-site tracking bugs, then I think that should be acceptable to most.
Speaking for myself, I've never been opposed to ads on sites (within reason - popovers are trash), because I understand that creating content costs money, but I don't like all the tracking that comes with them.
I did actually click the link and read the whole Github issue thread, and the discussion here, before commenting.
But I was actually responding to the parent's comment (this is a threaded discussion, yes?) about how actual first-party ads are less objectionable than third-party tracking.
There's no reason code served from the "first party" can't also participate in cross-site tracking, just by using cross-site API's on the back-end to report user actions to a central tracker.
It is more technically challenging to implement. If it becomes necessary, I'm sure there will be plenty of money invested in making it easier for the content providers to participate in such things.
It’s still a 3rd party doing the tracking. They are just using DNS tricks to make it look like it’s a 1st-party domain, thus defeating tracker blocking.
There's no losing if people voted with their attention instead. If the terms of exchanging data are unacceptable then don't accept any data from that source. The digital equivalent of voting with your wallet.
Kind of like climate change, there are actions we all know would help but individually giving up those conveniences is difficult.
Exactly. In theory they are effectual, if people actually did it...
I'm a big proponent of top down climate change policy to force change as opposed to hoping if we virtue signal enough people will be shamed into driving a bit less etc.
With regards to climate change, definitely not. I just wanted to highlight that it's a similar mechanic at play. Perhaps I phrased it oddly.
With regards to Ads I don't take as much a hard line approach as yourself (I remember our last discussion!). I'm very pro ad blocker use but not to go as far as banning them in any way.
Something I've been thinking about is sending a header to websites informing them I'm going to block their ads so they decide not to send me the content if they don't want to. I feel no entitlement to their content as they should not feel any entitlement to what code gets to run on my machine once it reaches me. I might expand on this in a blog post some time soon but it's probably closer to an art project than something actually viable.
I'm impressed. I don't think I ever remember individual usernames.
>Something I've been thinking about is sending a header to websites informing them I'm going to block their ads so they decide not to send me the content if they don't want to.
I've actually played with similar ideas in the past (my more moderate days). But my philosophy at this point is that they can choose to give me the data or not give me the data. And I'm free to do with it as I please as long as I don't distribute it without permission. And I'm even softening up on that limitation.
> Something I've been thinking about is sending a header to websites informing them I'm going to block their ads so they decide not to send me the content if they don't want to. I feel no entitlement to their content as they should not feel any entitlement to what code gets to run on my machine once it reaches me. I might expand on this in a blog post some time soon but it's probably closer to an art project than something actually viable.
An advantage of this is we'd skip the whole ad blocker and anti ad blocker charade and gain a metric ton of performance back.
This. I normally just avoid commenting in these threads, but clearly most users don't see this as quite as big of a problem as the HN users that comment in these threads. And maybe, just maybe, they're right.
> unblockable ads delivered through first party and using obfuscated techniques like canvas or webassembly
When I said basically the same thing 4 years ago[1], most people seemed to think it wasn't a serious concern or could be easily bypassed. However, after observing how certain types of businesses use the World Wide Web over the past 3 decades, it's obvious what they want: to send an opaque binary blob to the user that nobody can investigate or modify, that gives them full control over what the user sees and is allowed to do. Just like TV.
The only safe response to this is to stop allowing documents (or docs with 3270-styole forms) to embed software in a Turing complete language. Add functionality that is used declaritively, or the answer to "should this be blocked" is undecidable. Give them the ability to run a Turing complete language that renders to a canvas, and adblocking becomes a hard image recognition problem (or requires solving the Halting Problem).
I'm not saying no one will try to do this, but YouTube had the technical option of splicing ads directly into the video stream and simply not sending the actual video content for the duration of the ad for several years now. They chose not to do it. Potentially the lost revenue from people not using YouTube as much anymore / migrating to a different platform would be bigger here than the increase in ad traffic.
People who don't want to see ads (i.e. a large part of adblock users) are also more likely to engage in toxic (to advertisers and YouTube) behavior, such as intentionally clicking on ads but never buying anything (or even writing scripts to do that), or intentionally avoiding the advertised product, etc.
Is paying to remove the ads a big deal? Presumably the content creator wants to earn something for putting the effort into creating something. Ads are one way to support content creation. Directly paying is another. Many advocates to remove ads say they want a direct pay model.
I agree, as long as no ads means really no ads I think premium is something they are doing correctly. If the take downs, demonitizing, and political deplatforming weren't an issue they would be all set. Also, the horrible compression. I takes the same data to binge wath a series on Netflix as to watch a few short computer security or safe firearm maintenance videos, er well it did until those videos all disappeared.
Then the solution is to stop consuming things with unacceptable levels of advertisements. Unfortunately, given what the situation is on television channels, movies, and social media these days, that level is extremely high for most people.
The thing is, that solution will only work if enough people do it, and apparently as it stands not very many people are willing to give up their favorite content to avoid ads.
I can only control what I do, and if I must give up consuming media that will give me a temporary high (but it won't since I'll be annoyed by the ads), then so be it.
Netflix has TONS of ads in the form of product placement.
HBO does product placement too, though they sometimes pretend they don't or pretend it doesn't count when they do it because they do it "pro bono" (The Pope only drinks Coca Cola™ brand Coca Cola Zero™ for purely narrative reasons, and we're going to mention the brand Coca Cola™ explicitly several times by name to drive home the point that the character you enjoy watching enjoys the cool refreshing taste of Coca Cola™ brand Coca Cola Zero™. Don't worry Coca Cola™ hasn't paid us to shill their sugar water, we do it for free! Drink Coca Cola Zero™!)
We have fire tv and Amazon has added more and more advertising to the point it’s nauseating (an ad for Shameless in the middle of a bunch of baby pictures is jarring).
I’d be happy to pay an extra dollar / month to amazon to not see ads there. Actively looking at htpcs that I can put Adblockers on (pihole doesn’t work since ads and content come from same places, I think)
Pihole helps with native ads and ads in apps, though. Not as much as a real blocker, but you can't really use one of those in native apps with webviews (if you use bromite webview on android, it might be possible, not sure, but that still doesn't help with true native trackers or with your tv)
You mean like cable TV, where you paid for premium, commercial free content for years until they realized that they could charge you AND put ads in? Or Twitch Prime? Or any of the dozen other paid services that have done this..
Twitch prime doesn't affect the content at all anymore. It gets you a monthly channel subscription and a bunch of video games. Also I'd guess that the vast majority of people with twitch prime didn't go out and buy it either, Amazon just gave it to them.
The thing you can buy a la carte is twitch turbo, and that still removes all ads.
The original content creators made their content for the love of whatever they're making content about. Giving CCs an easy avenue to getting paid is what got us into this whole mess in the first place.
I don't totally follow what you're saying. Are you suggesting content creators should have no expectation of ever earning anything, let alone a living, from creating content?
It is not only about the adds. Even if you pay, they will still spy on you and sell/use this data to show you adds somewhere else on the internet. I will start paying only if they treat me as customer and not as product.
Possibly it's also self-preservation by the people involved. I imagine that even the YouTube developers and project managers hate watching ads. A solution only for them would probably look bad to the outside.
Twitch does do this with its SureStream ads and its much worse for a livestream than a video since with a video you can resume where you left off after the ad finished whereas for a livestream you just lose what was happening during the ad.
Twitch also removed the ad-free benefit from twitch prime.
Such poor behavior creates gaps in the canopy, providing sunlight for other services to grow. If you don't like how a service is treating you, switch to a better one and make the case to your peers why they should do likewise.
A healthy internet is ultimately up to us to build and maintain.
This is actually interesting right now because Microsoft, Google and Facebook all seem to be trying to get into streaming. I would definitely like to see more competition in this space so that Twitch doesn't get complacent.
The issue is that an alternate service can only grow in the gaps if it has a viable business model: so far, monetizing internet services for the general public without advertising and tracking is a mostly-unsolved problem, despite interesting efforts like Brave.
> monetizing internet services for the general public without advertising and tracking is a mostly-unsolved problem
I feel like that's not a real problem. Or, maybe only a problem for services that care more about having a ton of users than being profitable and sustainable.
There are quite a few services (SmugMug, Vimeo, NetFlix, etc.) that charge money, don't have advertisements, and are doing just fine.
It's weird that so many web companies decide to go the sleazy advertisement/tracking/malware route rather than just charge money for the services they provide.
> It's weird that so many web companies decide to go the sleazy advertisement/tracking/malware route rather than just charge money for the services they provide.
You will find very quickly how reluctant people are to pay for anything despite a few cultural-phenomenon-level exceptions like Netflix.
I'm amazed how many people, like my own coworkers making $100k+, listen to Spotify all day every day yet will endure advertisement after advertisement in their stream of music instead of paying $10/month. If someone isn't even going to pay for Spotify despite it being a central part of their day to day experience, GG to your little service.
I think advertising has played a major hand in shepherding us into this position that divorced us from the idea of paying for content we enjoy. There is going to have to be a major cultural change to bring us back into a healthy relationship with content.
One common response to this is "well, maybe everyone should be hobbyists again making content for free," but surely we can find a better middleground than structuring things such that we depend on people toiling away in their freetime to produce the content we happen to want. For example, I'd rather my favorite content providers be able to feed themselves working on this content. We both benefit: I get to enjoy more content. Depending on hobby work doesn't get us there.
> You will find very quickly how reluctant people are to pay for anything despite a few cultural-phenomenon-level exceptions like Netflix.
That's absolutely not true, though. People buy stuff all the time. Clothing, shoes, sporting goods, dishes, food, housewares, books, DVDs, etc.
The "freemium" approach Spotify takes is a poor example because they're not charging for their real service of music streaming, but instead to get rid of advertisements. They've moved their own goalposts, and the question isn't "Is streaming music worth $10 a month?" but "Is it worth $10 a month to get rid of this commercial?" If the options were "Pay $10 to stream music" or "Listen to nothing," the results might be a lot different.
> One common response to this is "well, maybe everyone should be hobbyists again making content for free," but surely we can find a better middleground than structuring things such that we depend on people toiling away in their freetime to produce the content we happen to want. For example, I'd rather my favorite content providers be able to feed themselves working on this content. We both benefit: I get to enjoy more content. Depending on hobby work doesn't get us there.
I'm not making that argument, and you're setting up a false dichotomy. There's no reason content creators need to use advertisements and can't charge for their content instead. It worked fine for music and movies for over a hundred years, and books have been using that model for hundreds of years before that.
I think the world of consumption has changed though. People expect things (music, games, etc) to be free and balk at paying for them. Why would they when there is likely someone offering something comparable for free but supported by ads?
Maybe you could ship them a real item as part of the service somehow
I'd never pay $10 for a character in a game, but I'd happily pay $15 for a plastic toy that coincidentally unlocks something in a game I was enjoying anyway
That's a very good observation. I think it's true that having the free option changes the context very much.
There are people who pay for paid password managers when free alternative products available. I myself pay for a number of services (very reasonably priced) when I could have used free alternatives. The difference is the guys I pay don't offer a free edition without ads and nonsense like that. They just build a great software and ask to pay for their effort.
That's not what Spotify is doing. The choice is pay us cash or pay us with your attention by watching ads.
Why go to work, earn cash with your attention, and pay for Spotify when you can directly monetize your attention on-demand in real-time at the rate you consume? That's what advertising allows.
It's not just removing advertisements. Spotify Premium lets you listen to any song they have anytime you want. I thought the free version only let you listen to their pregenerated stations?
> One common response to this is "well, maybe everyone should be hobbyists again making content for free," but surely we can find a better middleground than structuring things such that we depend on people toiling away in their freetime to produce the content we happen to want. For example, I'd rather my favorite content providers be able to feed themselves working on this content.
If you do it as a hobby, it's not toiling. It becomes toiling when you do it as work, especially if you have to please advertisers instead of making the content you love.
Vimeo was so well positioned to beat out youtube back in the day. Stage6 had just shut down and vimeo was offering HD while youtube was stuck with low res. But then they made the mistake of banning video game content for not being artsy enough which led to youtube jumping in popularity.
The distribution of content might be quite different - but remember that ads aren't free - they're just another middleman that has to be paid, priced in in the cost of goods, a net drain from the point of view of the consumers (on first approximation at least).
It's the streamer who decides when the ads should show (this is because those ads hide the stream, so they should be used when nothing is happening). If they never tell Twitch to show ads, SureStream ads won't appear.
I watch at least one streamer who runs ads in her breaks, she is a partner. So does she have a to specifically select those surestream ads? Maybe they only show in certain geographic locations?
You may be ad-free for another reason such as a grandfathered twitch prime that will expire when it next renews, twitch turbo, or a subscription to a channel that opts-in to the ad-free sub benefit. You might also just be in a region or demographic where ads aren't being bought, so you wouldn't get any then.
Maybe uMatrix is blocking them somehow? I've never seen an ad, even on channels I don't follow or subscribe to. My rulesets are very strict, but you're right, if they really come through the video stream I don't know how I'm blocking it.
Maybe you buy a lot of subscriptions and currency? I bet they avoid annoying their most profitable users. While it might have been coincidental, I never got ads until I unsubbed from the vast majority of streamers I follow. Same for other things like gifted subs. I used to receive a ton of gifted subs until I started lowering my sub count. They are obsessed with performance metrics. Big spenders have a very different experience.
Now, whenever I get an ad, I immediately close twitch and find something on YT/Mixer to watch. I'm training their algorithms to leave me alone.
I get no ads on Twitch, and I currently don’t have Twitch Prime or any subscriptions. I’ve spent maybe 50 bucks on Twitch in the 3-4 year lifespan of my account. I’m running Vivaldi (which uses Chromium) with uBlock Origin, Ghostery (I know), and HTTPS Everywhere, on MacOS.
I get ads when I use Twitch, with the same account, on a stock installation of Chrome (which I use as my backup browser for when I don’t want to figure out which extension is breaking a website). So it’s not related to my account, location, etc.
Weird, I saw the ads get through for a few days but then they stopped again. I watch twitch vods pretty regularly still, but I guess I stick to a few channels and don't jump around; maybe the specific channels I watch didn't enable this type of ad.
Twitch is running two kinds of ads, one type is "normal" and can be blocked by ublock, the other one is weird - it's definitely not just spliced into the video stream either, as far as I remember (I have Amazon Prime so I don't see ads), but ublock also wasn't able to block it.
However, I would argue that it is not actually worse for several reasons. For one, the streamer decides exactly when and how to play ads - so if the ad timing bothers you, you're going to start watching someone else, which in turn creates an incentive to keep streams ad-free or at least run ads at specific times.
The second reason is that the usage pattern of Twitch is different. I go to twitch (if it's a livestream) to actually watch the content, whereas I use YouTube in many cases like I would use an article, skipping through videos and back and forth looking for a specific part or specific information, and if the information isn't there quickly trying the next video. This workflow gets completely destroyed by ads. To the point where if YouTube would somehow force me to watch ads, I would simply stop using it except for the 2-3 weekly videos I actually plan to watch beforehand.
I don't think Twitch Prime has the ad-free benefit anymore, they moved that into Twitch Turbo. The ads are also definitely stitched into the HLS playlist as segments, so even if you were to block them you would see a black screen for the duration of the ad, although Twitch does seem to be doing something where if a segment fails to load it tries to load the next one a few seconds later, so you might only see the black screen for 5s or so.
It's hard to know until they perform the bait and switch. It's certainly not the only reason that brand loyalty is dead, but it's one that's often on my mind. I don't have any confidence that my trust in a brand will mean anything in the long term. A new service exists? Well, it might be nice right now, but if I let myself rely on it the service will become slightly worse over the years.
This. This is the solution. AdNausium will destroy the ad market. Adblocking users will engage in toxic behaviors if you force them to.
The problem is that sites trying some insane techniques is a bad arms race.
Sites like the wallsteet journal made a adblock-wall, see ads or don't use the site. That's fine. They can do that. And they lost lots of traffic. But they can decide if they like that.
Websites want a have-your-cake-and-eat-it option -- forcibly show ads, no opt out.
Why ask a vague winky-face question when you can make your assertion instead? Now I have to wait for you to respond just for you to clarify what you were trying to say.
This link is very vague: they only talk about a “global data panel” without saying how it’s constructed. You can’t build a representative sample if you don’t have an idea of what the global traffic might be like. See also https://blog.alexa.com/alexa-panel-increase/:
> our traffic estimates are based on data from our global panel, which is a sample of millions of Internet users using one of many different browser extensions. However, we don’t just rely on browser extensions. We also gather much of our traffic data from direct sources, including sites that have chosen to install the Alexa script and certify their metrics. It is this unique combination of data from our global panel, plus data from directly measured sources, filtered through our advanced statistical models that allow us to provide you with robust and comprehensive metrics.
Engaging with these threads for a couple of years. I will say though that there seem to be more people here in the biz of tracking than there used to be.
That would be extremely counterintuitive. Ads are visible; they give people reason to object to them even without knowing much about them, because their existence is intentionally intrusive.
Nothing stops google from banning your account if you are using AdNausium, not only from youtube, but from gmail and all other properties. Joys of SSO. Maybe a TOC change or two. Few public cases like that and AdNausium is dead in the water.
That's why I'm not using it personally, even though I'd love to...
I remember the first software I tried that automatically removed ads while recording a video stream. It was back in the previous century and then required an SGI workstation, but I suppose the same sort of ad-detection tech could be included into youtube-dl in about 5 minutes....
I've been thinking about this too: it's odd that YouTube doesn't try harder to stop ad blocking. Maybe the low amount of users with adblockers just make it not worth it?
It's far more likely that the data obtained about what videos you watch is far more valuable than the cash value of the ads you're not being served. Youtube videos are a very good early interest indicator for advertising.
I think this is an unstable equilibrium. YouTube is incentivized to continually recalculate this equation or find new approaches that maximize the number of ad-blocking users forced to give up the ad-blocker without leaving the website. Potentially the new terms of service allow them to use your other Google accounts as leverage to prevent users from using a malicious "Ad-Nauseam" style retaliation.
> but YouTube had the technical option of splicing ads directly into the video stream and simply not sending the actual video content for the duration of the ad for several years now
I don't think that's true, video encoding is expensive. This is not trivial to do without investment in hardware.
Google doesn't just sell ads, they sell targeted ads. Yes, YouTube currently does some processing on every video uploaded. But they only do that once.
It's trivial to send a different stream, though, and stop sending content for the primary stream for the duration. I believe a comment elsewhere says Twitch is doing this with HLS
I'm far from an expert, but isn't this what WebAssembly gives them? My understanding is that webassembly is a binary file that is an opaque binary. Why not have webassembly build out the entire page dynamically?
WASM doesn't need DOM access. You can just implement a browser in WASM and target canvas. I'm really surprised somebody hasn't done this already and marketed it as an unblockable ad delivery platform.
You can be certain that, when this does happen, these considerations will be dealt with. I feel very strongly that this is going to happen. The chance to execute arbitrary code on clients will be too alluring for adtech companies to ignore.
For accessibility compliance, you _need_ text and a DOM. Screen readers rely on HTML element semantics, ARIA attributes, and text content. The only way to make a canvas element (which is what you'd typically need to render custom UI) accessible is to have a textual fallback.
Outside accessibility there's also the issue of responsive design, huge SEO impacts, rendering performance... I'm probably missing a bunch.
Lifting a sedan with my bare hands is obviously easier than lifting a 10 wheeler, but it's still a massive problem. Rendering stuff is not the biggest issue.
Embed a browser with all that stuff into a page. Whatever APIs are missing to make the "inner browser" unable to fulfill all the requirements that the "outer browser" will eventually be filled-in by well-meaning developers who want the Javascript VM in the "outer browser" to be able to host general purpose applications.
You won't be able to block the binary, because the binary will be what renders the content. Your browser is going to act as a VM to run a browser that will display the content. The "inner" browser will be running on your computer, but short of binary reverse engineering, you won't be able to control it.
> Your browser is going to act as a VM to run a browser that will display the content.
Gary Bernhardt's talk "The Birth & Death of JavaScript"[1] was an ominous portent of a terrifying future. Unfortunately, some people apparently saw it as development roadmap.
Functionally, nothing. WASM being a compiler target just lowers the bar (although we've had Emscripten for years). The browser developers are working hard to make it performant, too. Sufficiently obfuscated Javascript is as difficult to reverse engineer as a binary, though.
I don't do web, but I imagine there must be some webpack plugins that make an obfuscated mess out of your code, so the barrier to entry must already be quite low.
WASM at least is standardized, so there will be a whole ecosystem dedicated to it. Think IDA Pro for WASM.
> although we've had Emscripten for years
We did. And I didn't see the "asm.js apocalypse" you seem to fear.
I don't "fear" an "asm.js apocalypse". It's just the next step in the arms race between those who would have the Internet be like television, and those who would prefer it not. I'm one of the people who would have rather had the web stay more like Gopher and less like Java, but that's not the predominant opinion. We're going to lose the document-oriented declarative web because the web is financed by advertising. The spice must flow-- the ads must not be allowed to be blocked.
WASM is different between Emscripten was always a fun curiosity, and WASM is being "marketed" to developers as "get native app performance in a browser". "Modern" Javascript has been able to deliver this future for a few years now, but it lacked the marketing and tooling to make it mainstream. Flash and Java were attempts to move to that future that didn't pan out.
Having IDA Pro for WASM is all well and good, but doing binary reverse engineering on every single website isn't practical.
The web, as it has been, was nice. We're not going to get to keep it. I'm unhappy with it, but I'm resigned to it.
Take Facebook or Gmail. Last time I looked -- a couple of years ago -- Facebook served some 18 MB of JavaScript. I imagine it's not hand-written, but compiled from ReasonML and whatever other languages they're using. There's nothing nice in that, it's a mess. You can't crack open Developer Tools and figure out how the timeline updates when you scroll. You can't figure out where the ads are inserted into the DOM.
So WASM doesn't take away anything from us, because we haven't had the "nice" you mention for 10 or 15 years. Sites like HN will stay like this, sites like Facebook will get even bigger. It will happen with or without WASM.
But yes, I do see where you're coming from. You want a less bloated Web, and you're worried that WASM is not going to lead to that, which I pretty much agree with. While I'm saying that cat is already out of the bag and WASM at least has the potential to bring performance improvements over JavaScript (which will be promptly negated by the sites getting even more bloated).
The cat absolutely is out of the bag. It has been. I'm not railing against WASM.
I want a declarative web. I wish there wasn't a VM in my browser. I want a web where my user agent, under my control, dictates how documents are interpreted and displayed.
So much of information security relies on not letting third parties execute arbitrary code on your computer. The price to view "mainstream" websites is increasingly becoming "allow third parties to execute arbitrary code on your computer". I can sandbox that code and perhaps limit the impact to my privacy (though thanks to processor microarchitecture "features" that's increasingly difficult), but I lose virtually all ability to control the presentation experience.
To be blunt: The kind of assholes that delighted in using Javascript to block opening context menus, blocking "Paste" into password fields, etc, have won. That pisses me off. Developers with good intentions who wanted to make something "cool" end up being the architects of the tools that will be used turn the web into cable TV.
It doesn't need to. Don't think about it as documents being delivered to the browser anymore. Think of it as a binary executing inside the browser. You're not going to have HTTP requests to block, apart from the one that downloads the binary.
Absolutely. I'm not railing against WASM. WASM just has better marketing and tooling than straight Javascript.
Putting a VM into our browsers, along with sufficient API support to make that VM useful, is what spells the eventual end of the document-based web. I think that future arrived a few years ago and it's just not evenly distributed yet.
That sounds like the worst future possible. I love the fact that I can go to any web page and look at all of the HTML, CSS, JS (even if I need to use a tool to un-obfuscate it). Have you never wondered how someone did something and then looked at their code to find out how they did it? I love being able to use curl and wget to grab a web page. How would that work in a non document-based web? I really think this would be a terrible thing if it actually came to fruition. I truly hope I'm retired or dead before it occurs.
TVs allow the user to mute the audio, switch channels and fast forward past ads in recorded video. What publishers are doing to the web is like sending a control message that reconfigured the TV and disabled some of its functions. "You can't mute the audio, you're obligated to listen to this. Also, we're turning the volume all the way up in order to reach you even if you leave. You can't turn it off either."
Publishers simply don't want users to have any control over the experience. It's their way or the highway.
People sometimes leave the room during commercial breaks. Advertisers realized this and started increasing transmitting much louder audio to make sure the audience can't get away. So I use the mute button and the problem is solved.
What if broadcasting companies sent signals during commercials that told the TV to disable these features? "They've enjoyed the movie, now it's time to make them pay. Don't let them change the channel, mute the audio or lower the volume". How long would it take before TVs that didn't follow these intructions entered the market?
Browsers have features publishers don't want people to have. We can download copies of "their" content. We can delete their ads. We can filter out their user tracking malware. This is possible because the browser serves us, not them.
One other thing that's tangentially related to this: Region restrictions on DVD players, and gaming consoles. Those were built right into the hardware/firmware of some of these devices.
WebAssembly can still be detected; the filepath or subdomain can be blocked as normal (would already work) and optionally you can run a fingerprinting method similar to AVs to detect scripts similar to trackers.
Exactly. The only way to create a black boxed env on devices outside of the attackers premises is if the attackers built the devices themselves and have thrown decades of iterative development out the window to create equipment resistant to endless physical attacks. Transporting state secrets is a simpler task.
That just moves the goalposts though. People will still deconstruct and reverse engineer the black box, or sniff the lines it uses and attack the traffic. Or anything else. There are countless attack vectors against a device in physical possession. So unless the devices are melting down into slag and can perfectly detect even passive attacks then the advertisers will always lose.
This doesn't stop them from trying. If advertising can be made more expensive then the roi the advertisers will stop. Some will irrationally throw money at the problem way past the point they should've given up but even they will taper off eventually.
Like in security, could work with a "block all" with an explicit whitelist of HTML that can be used. If it needs a canvas to display, then it isn't part of the trusted environment. That would mean you couldn't use sites that required both the ads and the content were in canvas/webassembly, but at that point they aren't really a trusted actor.
We could start blacklisting such websites (with opt-in and toggle-able blacklists) and move to search engines that allow such blacklist opt-in features.
I'm already seeing a big use case for having such a (opt-in) domain filtered search engine since there's soo many spammy and SEO-hacking web sites out there.
Perhaps a solution is for websites to have to request authorization to run javascript/wasm on browsers (enforced by the browser). It will allow legitimate uses of client side code, while eliminating the vast majority of abuses.
I wonder if it is also not how GDPR should have been implemented. Forcing browsers to implement a request for storing tracking data, which would avoid dark patterns in consent forms and would keep websites honest. It would also allow to remember the decision. If you delete cookies when the browser closes, you get asked for the same consent you denied on every visit.
I guess the solution at that point will be to develop a free (foss) internet alternative.
The internet will partition: the corporate internet will be what you say, and the independent internet will be people writing and hosting their own content, like the internet of the olden days. Some of them might interact with corporate services via apis.
The independent internet will be small, but it will be enough. If you want to buy something anonymously, go to a shop and pay cash with your phone turned off.
I'm intrigued by the possibilities offered by decentralized technologies like IPFS and the like. I think whomever can come up with a viable economic model that allows for the sustainable decentralization of web services will change the world.
That will be the time we switch from ad-blockers to content-allowers. It can already be seen with distraction free modes.
Maybe there is a market for a proxy that converts any page you visit to bare and functional HTML with just content and navigation. No ad's, distractions, disfunctional scrolling, etc.
Maybe there is a market for a proxy that converts any page you visit to bare and functional HTML with just content and navigation. No ad's, distractions, disfunctional scrolling, etc.
https://en.wikipedia.org/wiki/Proxomitron and other MITM-proxies can do that and more, although the security-paranoid may disapprove (but then again --- what are you more concerned about, what is your threat model, etc.) The recent "security vulturism" and things like DoH and other anti-user ostensibly-privacy things certainly doesn't help.
Browsing with no-script is essentially that. In my configuration every page opens with no JS, and I temp enable or whitelist the domains I want scripts to load from.
I’m not sure if it can also enable individual scripts, that might become necessary very soon if this article is an example of what is coming.
There is definitely a market for this and has been an idea I've been toying with for some time. Instead of a proxy per se, it'd be an API on top of a headless browser scraper then a simple web UI that uses that API. It'll have easy-to-update content extraction/interaction scripts for popular sites. Essentially you'll have "craigslist-ified" much of the popular web into an almost AOL like portal. Users will be encouraged to run client side (this won't be hosted, too many legal issues) and while this won't prevent tracking per se (headless browser still tracks), it is an easily exposed web server from your desktop. So you could even expose via Tor (time lost is made up for lack of content) and if you wanted to share, you could. Caching/storage and eager ahead of time loading/scraping of common sites, and it'll perform even better. Anyone can use the API for whatever they want.
Wrap it up with an easy to install bow and easy self updating to keep up with sites (and easy fallback to original sites/links), and I'll never browse the mainstream sites again. There are a couple of things that do this, but none as well as I'd like to see.
There are certain kinds of websites that usually have category->list->individual image/video that are otherwise obnoxious to use, but all follow this structure, where this is the only way to get reasonable UI. Fetch data and make a simple UI yourself.
Fetching data from such websites is the only thing so far where I've found ES async generators very very useful.
You don't even need a browser. Most of the time simple HTTP requests from node work just fine, and makes tor use safer and more effective since you're not running any foregin JS code, just parsing data. Other thing that improves privacy is that you're downloading everything, so it's hard to see from the service's side what you're actually consuming.
Actually many usual services follow this pattern. List of accounts->list of transactions->transaction details. List of categories->list of articles->article detail. List of product categories->list of products->product detail.
Simple abstraction can get you very far, even with a fairly simple DB schema.
I'd like a locally-hosted IFTTT+Appium type thing that'd use my local hardware/software/applications in place of myself... basically turning all interactions (viewing data, posting data, checking for updates/changes) into an API for accessibility software, home automation software, custom notifications, etc.
Brow.sh has nearly this exact functionality already in built-in http server; you can open up basically any website in your browser and get plain html (though rendered in a single font size/style, as it's really intended for console use). It basically runs headless firefox and with a custom stylesheet and scrapes the screen for colors.
There will hopefully always be those personal/ad-free sites that are plain HTML and don't require any JS, but they might get a lot harder to find through the search engines...
Suppose I have an apache module (or the equivalent in some modern http server) that's (a) injecting the necessary code (b) forwarding the traffic information to my nefarious third-party tracking provider. Or, heck, just a third-party solution that consumes my apache logs. It's doing all of this without using the browser itself as a middleman, like the clumsy CNAME masking discussed in the linked Github discussion.
This could never be stopped client-side since one's web browser would have no say.
Only reason this isn't more widespread already is because a lot of web properties don't have full control over their shared hosting environments.
First-party ads are theoretically kinda sorta maybe blockable via various levels of heuristics, which of course adblockers are already doing to various extents today.
But as far as preventing your information from being forwarded behind the scenes, there's no technical solution. Legislation is the only hope to curb it.
As far as I know, Urchin [0] (Google Analytics predecessor) was that third-party solution that consumes Apache logs. However, Google bought and discontinued the product.
Google still has an old help site referencing its log analysis features [1].
> Urchin WebAnalytics Software is discontinued and is no longer supported. All Urchin documentation applies only to the Urchin product as it was at the time of discontinuation, and does not apply to any Google Analytics products or services.
I don't understand why that isn't already a thing, just set up a proxy on your own domain to the ad / tracking server and you'll already avoid existing blocklists.
I don't think that has much value because the ad provider wouldn't know who you are to begin with.
First time you open said website no cookies would exist for the domain.
Then the ad provider wouldn't know who you are.
Ex: Access foo.com and search for shoes, shoe cookies set for foo.com
Then access bar.com which hits foo.com for the ad suggestions
Now foo.com knows you searched for shoes, since the 3rd party cookies are there.
Now if you do it without 3rd party cookies bar.com wouldn't have any access to the cookies which identify you as a shoe buyer, because those are set for foo.com
It should be clear at this point the www is a not what it was. Honestly the ads could still be 3rd party, but they would just be stored on the same web server as the site. Then the 3rd party would just collect the info from the site instead of directly through the user.
I'm ready to move on. In my eyes we already lost the www.
You could also try to provide paid content. I am more than willing to pay for content I like, if the price is reasonable and I can avoid ads and tracking -- I already support a number of media-outlets and podcasts with donations.
If you provide paid content AND try to track me or make even more money with me via ads: goodbye...
On the other hand: If you rely on ads only, it is doubtful that your media-outlet is truly neutral -- would you really do analysis and investigations on your highest paying ad clients (?) -- I doubt it...
The next step after that will be machine vision based transformation of the rendered output. I think as long as end users can keep control of the browser and computing device hope is not lost.
There is also the option of actively attacking the business model of the ad and tracking industry. Ad blockers could simulate lots of "fake" traffic to make ad analytics harder (this is another arms race against attempts to filter out the fake traffic)
The first thing is, how do you distinguish between the ad and a non-ad? If my friend mentions a famous brand in a chat with me, should there be some entity to remove the name of that brand from the chat, so that I don't see it?
There are many videos on Youtube recommending stuff. You never know if the author has been paid. Even if you try to detect popular ad networks and services, the ad techniques will also evolve.
If ads were the only source of my income, and my content was unique, I would show the user a "quiz" every 5 minutes, asking him to answer, what is shown in the ads at the moment :D and deny the access, if the answer is wrong.
The common motivation for ad-blocking is to prevent third-party tracking (the discussion here is about first parties proxying that tracking), JS attack surface, cryptominers, auto-playing videos, etc. - not to prevent advertising per se. Back when Google sold text-only ads, people were quite happy with them for doing it.
> Back when Google sold text-only ads, people were quite happy with them for doing it.
Those are some rose-tinted glasses. People on forums like HN were always annoyed that they looked like navbar links and you were only clicking them out of confusion with actual links.
Nah; presuming the page’s real content continues to just be plain HTML, the worst things will get is that you’ll have to browse some sites with JavaScript disabled.
Also, re: “inline” static images, there could totally be client-side ML-model cosmetic filters that recognize and remove known as images, regardless of how they got to the page. The filter could even just throw a floating rectangle over then, so it wouldn’t even have to understand how they’re made in the DOM. This is the “thermonuclear backup plan” we’ve been expecting to need to pull out for a while now, though advertisers have been lazy about getting sneaky enough to necessitate it.
My issue is that while blocking third-party scripts breaks a small part of the "Web", this now requires me to block even the first-party JavaScript, breaking most of the Web !
> The endgame will be all/most websites embedding 1st party ads and tracking
The problem with first party tracking from the PoV of the advertisers is that the feedback they need goes through the site their ad is on so it is possible to be faked: "Yes Mr Advertiser, we really did send x000 ad impressions to {addresses} this day, honest guv'ner."
And from the site's point of view the adverts now become a little more admin to manage beyond just slapping in a reference to 3rd party JS and adding a <div> for that code to target to insert the advert.
They could address that by going the other way. Instead of serving the ads from the content provider's server, serve the content from the ad provider's server.
Essentially, the ad providers would also become hosting services.
Many content providers won't like handing over as much control as such a situation may imply though.
It also creates single points of failure that did not exist before. If the ad service is down, your content is (potentially) down too rather than just being served without working ads.
Well, if it's first party you've at least mitigated some of the privacy concerns, and it's then about the privacy policy of the company in question.
If they want to make ads extremely hard to block but reduce privacy concerns, I'm all for that. It puts the discussion back on a more even level, and if you don't like the ads, don't use the service. The only reason I'm okay with running an ad blocker now is because of the privacy concerns. If those were eliminated (which isn't the case in this theoretical situation, they're just reduced) then I'm not sure how to justify running an ad-blocker. To my eyes, it's basically stealing cable or satellite service. I understand other people don't see it the same way though.
I run a SaaS with tens of thousands of users and am not even tempted to run ads or even add third party analytics. Firefox, Safari, and Chrome all work fine on it.
Just because there are a lot of bad actors and massive amounts of advertising doesn't mean the entire internet needs to go down that path.
well, at least the most bit. to be honest huge portion of pages would not be missed. myself avoiding quite some already, just out of principle. and I am fine without those!
1st party ads are not unblockable. They only lack one aspect that helps identify them (the 3rd party hostname). But they still can be dealt with.
One way browsers try to take away that freedom is by limting what extensions can do. If that continues, at one point we would need a new browser to accomplish it.
My favorite vision of the future would be if Debian would provide a version of Chrome or Firefox that: a) is stripped of all tracking and b) gives extensions full access to everything.
So what is the strategy to deal with legitimate 1st party subdomains and tracking/ads subdomains if they use random strings as identifiers? (I am guessing this is where we will need a combination of crawlers and machine learning algorithms)
You would have to block entire wordlists to combat subdomains like that. It would make more sense to whitelist subdomains instead, but it would require much more effort in order to determine what subdomains are required for the website to function. Additionally, if the site in question ever decided to change anything around, someone would have to catch the breaking change and have it corrected on the whitelists for the site to function again.
Machine learning by analyzing what displays on the page by blocking different domains. Bots can be automated to do that continuously and update a decentralized database with such information.
Couldn't you blacklist all subdomains of the 1st party and whitelist the few that are actually real?
Or, assuming they have a small list of subdomains that redirect to ad servers, you could generate a list with a script that checks all their subdomains and creates a block list based on that. For example, the site discussed in the OP has all their subdomains listed here: https://crt.sh/?q=%25.liberation.fr
Edit: looking at the OP case, it seems like they only have one ad domain. I'm not sure I see this as a serious issue until multiple sites start rolling out thousands of subdomains, some pointing to back to the real server, others pointing to the ad server. Maybe that will happen but it's a pretty big barrier to entry, and just short of proxying everything through the 1st party.
I'm speculating that the balance is in the reverse favor. Last night I was looking at some file on GitHub which was redirecting to what looked like an S3 bucket subdomain named with a pattern like "github-production-f7e281a2", which I simply presumed to be cache-busting via subdomain instead of appending the hash to the filename. If my assumptions were correct, every time GitHub deploys a new build, you would have to whitelist that subdomain.
This problem can be solved easily with using an open-source extension that has reproducible builds. Make sure it doesn't have built-in tracker as easy as looking to the source code. And we can make sure the final hash (without software signature blob) of the extension is the same as your built, so it is not tempered before uploaded to the extension store.
You can also track people if they install your adware.exe. The emphasis on install. What software you install is an entirely different threat scenario then visiting a website.
Because one likes the features available only in Chrome? I haven’t check recently and don’t know if this is still accurate, but Chromium used to not have the PDF reader and DRM support (for Netflix, etc.)
There are a number of foss and proprietary pdf readers for chromium/chrome. There are also netflix apps outside of chrome. You don't have to use Chrome...
Yes, pretty much, except that Canonical is nice enough to open source their patches. And they layer a ton of patches on top of the official kernel trees, mostly backports but also some new features. Their linux_5.0.0-36.39.diff is close to 35MB.
Yes, it's pretty easy to disassemble it and find out. It's basically auto-updates, some closed-source extensions like Chromecast (although you can manually download the Chromecast bits for Chromium if you'd like), some branding differences as compile-time #defines. https://chromium.googlesource.com/chromium/src/+/master/docs...
(Do you know that all of Chromium is in fact open source? Have you looked at the source and the build process? Are there any parts in it that are actually precompiled binary blobs?)
Netflix will play a 720p version if you don't have a DRM supported browser. Also netflix distributes native apps to all platforms, which means you don't need chrome to use netflix in full fidelity on any device except maybe linux?
We can't solve a political problem with purely technical solutions. We can provide workarounds for 5 to 10 years but the core problem has to be shut down at one point.
The hacker seeking a technical solution is, I think, at least in part a consequence of the individualism that's so much a part of especially the Silicon Valley hacking era; along with the libertarian leanings of especially early hacker culture.
Seeking change at a societal level is the exact opposite of the hacker's free-wheeling individualism, but it's the only way to actually accomplish change at a societal level.
You're right, we'll never change advertising just by running individual ad blockers, and we'll never change privacy controls by trying to mask our identities; that has to happen through laws and larger society. We have to have a right to privacy and freedom from advertising be a thing that everyone wants, the bus driver, the butcher, hair stylist, etc., not just what we can foist on our immediate family and social circle.
I think the catch is that a hacker mindset can easily come up with 3 different laws that people would try to pass and then 4 different hacks to each of those laws. It enables easily seeing how to exploit the very poor quality of code (and yes, while many of those exploits are forbidden by judges who don't take kindly to them, others are deemed acceptable and some lawyers specialize in).
With the current trend in EU I think it could happen that they regulate web-advertisement if it becomes too much of an issue. But there's loads of money in the market - so I would expect loads of lobbyism.
This is why when people say they don't take money from big corporations or rich donors, it's such an important factor. It's not just that you as a political party are incentivized to what they want so they will keep giving you money. Even if you donÄt directly succumb to their demands, you are incentivized to keep them rich so they will keep having all that money to give you.
With the style of regulation preferred by the EU, I’m afraid the end result will be the death of independent websites and the establishment of a handful of de facto official websites that have the resources to follow all of the regulations, just like TV.
This may just be some inevitable fact about humanity. We’ve seen this sort of regulation and ultimate centralization of every single communications medium going back to the printing press. When I was younger, I legitimately believed the web would be different. I thought it would be a decentralizing, democratizing force for peace in the world. Now it seems destined to be the opposite of those things: a centralized tool for polarization and control.
> We can't solve a political problem with purely technical solutions.
I hear that a lot but historically, we've seen a lot of the opposite, a lot of political problems were solved with technical solutions. Technology so far had an even bigger impact than politics on society.
Could you qualify that statement... politics encompasses most conflicts throughout history. Short of the moon landing... technology hasn’t really featured.
Technology can enable a political will and can create an opportunity for change, but if the political will goes in one direction, no amount of tech will be able to resist it forever.
We could ban ads easily with a law. It would not need any tech. Scrubbing all the ads while there are incentives to develop them, however, is a lost fight.
That would be great, but realistically I think that's never going to happen.
Legislation-wise, I think the best the web can hope for is forcing websites to label ads. It doesn't sound unobtainable, especially as similar legislation already exists for political ads in many places. For example, legislation could require websites to label all ads with some kind of strictly defined watermark. In addition, some kind of software-readable indication would be required for accessibility purposes. Could be a special HTML tag or attribute. That would make ad blocking much easier.
> some kind of software-readable indication would be required for accessibility purposes. Could be a special HTML tag or attribute. That would make ad blocking much easier.
I don't share your pessimism about the feasability of politically banning all advertising, but I agree that something like this would be the next best thing, and a great step.
Can you refer to specific laws on restrictions to building a website?
The only one I could find was related to the Americans with Disabilities Act (ADA) and of course GDPR, but that's related to handling of personal data.
I think the cookie law is a bit misguided. The problem (that they should want to solve) is privacy invasion and tracking, but instead of saying that, they flipped it around and allowed an exception for a vaguely defined category of "strictly necessary" cookies. I believe their intent was entirely good.
If they said what they wanted to say, the law would essentially say "don't violate privacy without explicit consent." I'm relatively OK with that; that's not telling me how to build websites, that's just making certain harmful activities illegal. It wouldn't be very different from saying "don't distribute malware that attacks your users."
In its current form, I'm not too thrilled with the cookie law. And I sure as hell don't want lawmakers adding more, worse, laws on top of that. Go too far in that direction and they're turning software into nagware (I loathe cookie popups, I loathe google's "privacy reminder", I loathe applications that blast me with notifications and hints, I loathe permission dialogs, I like Unix's Rule of Silence) while making its development a legal minefield.
I want to be able to write FLOSS software (or websites) with a user interface that pleases me, and EU is looking for ways to make that illegal. In a manner of speaking, I hope they do just that, then people who want pleasant software have more reason to organize an underground software liberation movement where no fucks about shit laws are given.
> legislation could require websites to label all ads with some kind of strictly defined watermark. In addition, some kind of software-readable indication would be required for accessibility purposes. Could be a special HTML tag or attribute. That would make ad blocking much easier.
The legislation would have to be very explicit about the format of the label and that it be machine readable, otherwise you'll get obfuscation like Facebook is doing:
> This is not the first time Facebook has changed its code in a way that has broken our tool. For example, all ads are supposed to contain the word “sponsored” as part of a mandatory disclosure, so users can distinguish between ads and their friends’ posts. Our tool recognized ads by searching for that word. Last year, Facebook added invisible letters to the HTML code of the site. So, to a computer, the word registered as “SpSonSsoSredS.” Later, it also added an invisible “Sponsored” disclosure to posts from your friends. Many of the participants in our project noticed the effects of this change because it caused some menus to pop open unexpectedly or the page to scroll to the top repeatedly. Nowadays, the disclosure says “SpSpSononSsosoSredredSSS.” Some of these changes were likely also intended to thwart ad blockers.
Printed media can have ads. So should digital media?
That said, I wish digital media stopped wholesale delegating the work of serving ads to third parties and had proper control over experience and privacy—what is delivered how and who tracks whom.
The difference between printed, radio, and television ads is that they are tracking distribution rather than people. (I realize that this is not strictly true, but people had to opt-in to tracking with traditional media.)
The web has taken an industry that already had reputation for deceptive tactics and have handed them tremendous powers through data collection.
Should advertising be banned because of that? I doubt that it would be effective since the advertising industry has created an environment where tracking people is the norm. Banning advertising would simply shift the focus of that data collection so that it is less visible.
It would also be incredibly difficult to ban advertising. Legislation would have to create a clear definition of what advertising is and deal with a medium and business world that crosses national borders. If you don't consider the former, such legislation would have unintended consequences of the freedom of speech. In the case of the latter, it would be far more difficult to reach international agreements than with other online regulations (regulations that are already difficult to enforce) since advertising is considered legitimate in many cases while standards for advertising will differ.
Require a strictly unconditional opt-in you can revoke at any time and the problem of data collection solves itself. None of these business models would work if they required meaningful consent. The missunderstanding about who is allowed to use my data is at the core of this problem. We tend to talk a lot of the lawless west that (was) the internet, but we somehow fail to mention an industry who has exploited missing regulations on private data. Just because they werent banned from exploiting this until now, doesnt mean it should continue any longer.
Because the digital ads are something else entirely. They're often an order of magnitude larger (in MB), they contain tracking, they sell my information whether I want them to or not, they often contain malware. Maybe of them play audio or video.
I'm in favor of banning ads everywhere. I think they provide a negative overall value on the economy by distorting competition and consumers' perception.
But... Ads are useful. I remember once maybe ten years ago when I noticed an ad about an event in a nearby library that was absolutely amazing and without ads I would not have been there.
(This is sarcasm. There is no reason why manipulating other people to do things should not be regulated heavily.)
Why is it a “problem”? Outlawing ads seems hugely regressive for society as a whole.
Without ads there would be basically no free content online, and those who cannot afford content would simply go without. Consider how much better the world has become due to easy access to information. To yank that away seems like bringing a dark age.
I am given valuable content and did not give money. For all reasonalble intents and purposes it’s free. For as far as any person without means cares, it is free.
You either use that brain time to generate income at work and then hand over that money, or use it in real-time to pay for the content. Ads are much faster and easier in that regard.
It might be free as in gratis (free beer), but it's not free at all. Your behaviour, your profile, your data: you are the one giving that away in exchange. That data of yours is valuable.
It isn't free as in speech without ads either. You give up your behavior, profile, data no matter the site showing ads or not. What you wrote sounds like a pro-ad argument when thought about for a second.
And IMHO even more importantly, with advertising the dynamic between content provider and user completely changes. The user no longer primarily is a customer, but rather becomes the product for the advertisers.
The content provider no longer only has to cater to the user, but also to the advertiser, with the conflicts of interest that can bring (e.g. unpopularity of critical product reviews).
Restricting the legality of advertisements in general might have the nice effect of leveling the playing field, by making it harder for content providers to benefit by-generally covertly-selling out their users (or their users' interests) to such third parties.
> Without ads there would be basically no free content online
Citation needed. I don't believe that for one moment. Already people are producing far more content for free each second than one person could ever consume in a lifetime on sites like Youtube and Instagram. The urge is there, even without any monetary reward.
> Consider how much better the world has become due to easy access to information.
Now consider how much worse the world has become due to the incentive to hide wanted information behind commercial information. Simple example: there was a time before adblockers when it was not a rare sight to have a page with 80% advertising and 20% actual content. Think unskippable ads before videos. Think of the mountains of useless content that SEO spam produces that hide the interesting pages in search engines.
Marketing does not give access to information. On the contrary, it takes it away.
Firstly, I honestly don’t believe citation is needed on “people don’t work for free”.
We’re seeing it already. Many if not most news sites are pay gating their once free content. Cite: Wall Street Journal, New York Times, The New Yorker. All charge for access. All we’re free before the proliferation of ad blockers.
Yes there would be hobbyist information for free, but WebMD? News sites in general? Any sort of resource that takes money to pay people to maintain? It will all be pay gated.
As someone who does not use an adblocker, I have genuinely no problems finding the content I’m looking for.
> We’re seeing it already. Many if not most news sites are pay gating their once free content. Cite: Wall Street Journal, New York Times, The New Yorker. All charge for access. All we’re free before the proliferation of ad blockers.
See? They found a way to put content online without relying on ads.
Yeah, what a weird example. Youtube and Instagram only gave bandwidth and storage away for free because they wanted to grow and be able to eventually monetize. They weren't charities one day that suddenly went "evil".
I meant to say that a lot of people are willing to do this "work" for free. That is not just content creators, but also system administrators e.d. I would be perfectly willing to run a forum for a group of like-minded people for free, but I'm not going to bother if there is already a subreddit for it.
Before Youtube, Facebook and the like, internet service providers included basic means of publication. Mail/mailing lists, homepages/blogs with RSS. They could do that again.
But, even if the barrier to publishing became higher and only 1/50th of the video's were put up on Youtube, it would still be far more than anyone could ever consume.
Most of the free content is generally crap outside of a few channels/sites. Almost all popular content on youtube/web is made with the intent to profit.
> Without ads there would be basically no free content online, and those who cannot afford content would simply go without.
There was plenty of free content online before ads, in fact I claim that the web was better before ads arrived, and it is getting worse by the day. Marketeers ruined it.
It happens over and over. YouTube had plenty of great content for free before monetization. Now it is becoming worse by the day, because everything is ad-related. "Influencers", etc.
> Consider how much better the world has become due to easy access to information. To yank that away seems like bringing a dark age.
Easy access to information is a consequence of the Internet and then the Web, both technologies having been developed by government-funded programs, respectively in the US and in the EU.
Ads brought us re-centraliztion, targeting and erosion of democracy through extreme polarization and fake news.
I know this is hard to believe for a lot of people here, but human beings are motivated by many things other than monetary profit.
No there wasn't. The commercial internet is a trillion times bigger than anything that came before and services billions of users around the world, many for free, paid for by ads.
This is a tired old myth that everything was somehow better in the good old days but that's all it is.
Yes there was. Go to archive.org and check for yourself.
> The commercial internet is a trillion times bigger than anything that came before and services billions of users around the world, many for free, paid for by ads.
Bigger doesn't mean better. The web is now flooded with malicious and manipulative content. The ads pay for that content, while taxpayers and consumers pay for the infrastructure that actually makes the Internet possible. Ads pay to keep the web centralized, they don't pay for what makes the web possible.
> This is a tired old myth that everything was somehow better in the good old days but that's all it is.
There is indeed, but notice that I did not say that "everything was somehow better in the good old days". I made a very specific comment about a very specific topic. My comment: there was plenty of quality content on the web before ads arrived. Ads made the web worse. Argue against this if you like, but not about things I did not claim.
What does internet infrastructure have to do with ads? We're talking about content, and ads are the subsidy that lets billions consume for free.
That there's more content for more people across more channels is objectively true, and advertising pays for much of it. You seem to be conflating ad UX with economics.
> What does internet infrastructure have to do with ads?
It is the medium that makes the ads possible, and it is payed by you and me.
> We're talking about content, and ads are the subsidy that lets billions consume for free.
And I have been telling you every step of the way that there was good content before the ads arrived.
> That there's more content for more people across more channels is objectively true,
That is hardly surprising. There was no moment in the history of the web when the total amount of content available was not increasing. This was already the case before the ads.
Did it grown more than it would have without ads? Maybe. Is it better? I don't think so.
> and advertising pays for much of it.
And yet here you are, consuming content that someone created for free (me) in a platform without ads (Hacker News). So it doesn't pay for all of it, and even you, at least sometimes, seem to prefer the non-ad-funded corner.
Yes, there was. The Internet was most interesting from 1999-2005, there were plenty of good searchable websites from private individuals or universities.
Literally the only site that is better now than back then is YouTube with an ad-blocker.
Everything else has deteriorated: Google (search) is worse, Ebay is worse, Amazon is worse, banking sites are worse.
Heck, even Java stock tickers from 2000 were better than now.
The art of presenting information in a meaningful way has been lost entirely.
Exactly, but most people here are unwilling to listen to any of this, because their salaries are funded by the very thing that has ruined the web - advertisement.
How would one formalize what's an ad and what's not? And what about sneaky things like sponsored content or, say, amazon reviews? It's hard sometimes to tell whether a review is legitimate or an ad in disguise.
Don't forbid to say good things about a product, forbid paying someone to do it. I don't mind Apple fanboys saying why they think Steve Jobs was a genius. I mind the big fucking 5m ads they put on historical monuments.
Paying someone is speech. See Citizen United v. FEC.[0]
And before you claim it’s a bad ruling, think about all the times you’ve used your money. Are you not supporting the EFF in some form of speech by donating to them? Are you not supporting a product in some form by buying it? I don’t like it as it allows money in politics, but it’s a ruling that makes sense.
It is a bad ruling that is often used in EU to show how fucked up the US system is.
No, "speech" is something, that you can argue extend to written declarations and publications, but "paying someone to support their actions" is something different. It is something that can be used to promote a political expression and it makes some sense to protect some form of it but certainly not on the same grounds as protecting free speech.
Paying someone to put forward an opinion has other names: corruption, lobbying and, yes, advertisement. None of them should be practice protected under freedom of expression laws.
See, why is freedom of expression good? Because of the core philosophical belief that truth and good opinion emerge from the confrontation of different point of views. Alvin tells me why we should not bomb Eastasia, Barbara tells me why we should. Charles comes with additional facts. Daniele points out some lies and incoherence in some of the past arguments. They all make their points, then I think for myself to make my opinion.
This is how opinions of voters but also lawmakers, leaders, journalists, magistrates, citizens are supposed to be formed.
In no way would this process be helped by paying the person that is forming their opinion. Quite the contrary.
So yes, this ruling was bad. Incredibly bad. It is bad for philosophical, moral, practical reasons.
The fact that I should be allowed to donate to EFF does not rely on the 2nd amendment. And in fact I do want the law to forbid me to give 10 millions to the EFF to drop a lawsuit that would go against my interests.
I don't see how this could be done without strongly impacting free speech and even some other freedoms.
For example, where is the difference between me talking about a game I like to play and someone talking about a game they like to pay that they were given a free copy to play?
I think looking at forbidding tracking is a better path to pursue. Or maybe making someone legally responsible for their ad codes as if they knowingly placed it there.
Advertising is everywhere, and a core driver of economic growth for companies. Everyone with a job is working for a company that advertises to some degree and grows because of it.
Some bad or annoying ads on the web is not cause to forbid advertisements and completely misses all the content that it pays for.
Can’t an ad blocker do the CNAME resolution and then not load the URL if it resolves to a 3rd-party hostname?
Using an A/AAAA record would be harder, you’d need to have an IP blacklist, and the trackers would probably be constantly shifting IPs, using a low TTL on the record.
This might require giving your tracker programmatic access to your DNS, not sure if many first parties are ready to go there.
That is one of the proposed solutions in that thread. I think somewhat to that effect is what will have to happen. Though it seems like it's possible, in some browsers, for the adblocker with the right permissions to inject itself in the original DNS resolution process and just stop the process when it encounters a blocked domain.
I've done something like that some years ago to ensure that the tracking we were using on our website worked even if a user had an AdBlock. (it wasn't a tracker as in ad tracker, but a tracker nontheless)
It was fairly trivial: instead of asking for the tracking script directly I put a small service of ours in front of it, so our website asked for foo.mycompany.com/stats.js that fetched the correct script and changed all URLs inside of it from mycomp.mytrack.com to foo.mycompany.com. Our service than acted as a proxy to mycomp.mytrack.com.
A simple solution that worked out for a while, lost by now, in a server, somewhere in Ireland...
Thanks for the cleverness! As for the evil, it was a tracker whose data wasn't shared with 3rd parties, we needed to gather as much data about our users as possible since we are incredibly understaffed (one handles the business, one sells the product and I do the tech)... it helped us a lot with support requests and customer acquisition
In this way, you are opening a lot of things of your site to the advertizer. They can grab your users session cookies or even intercept everything they send to you
Just to clarify, as I said it was not an ad tracker, all data was ours and ours only. It was 1st party tracking using a 3rd party service that was blocked by ad blockers. Anyway we don't use cookies for *.mycompany.com, and it was a session-less website.
If these first party ads are just showing me some sponsored message, then I'm totally ok with that. It's the tracking and arbitrary execution of third party code that drives me to block ads. And if a site has a truly awful first party ad experience and I can't block it? I'll probably stop using it, because I don't use sites that frustrate me if I don't have to.
This. If HN decides to put their own sponsored post on the first page that's OK. If they start serving random ads, scripts, and generically crap from who knows what ad (malware) network that's not OK.
Ok... feels to me like many people on HN don't realize this already happens. The first page does show "sponsored posts" (you'll easily spot them by the fact that there's no upvote arrow) and it's a good way for HN to promote its own stuff without ever delivering any crap to the user's browser.
Those are two separate things. You can track without code, and you can make a page terribly slow without any tracking.
Interestingly, for most people it's primarily the code size and slowness leads them to adblocking, tracking is secondary.
> I can't block it? I'll probably stop using it,
As a publisher I 'd welcome that behaviour. Of course i should be partly responsible for the ads my users see, I actually try to be but it's impossible with today's technology.
It's a total fallacy that the adtech of today is the best we can have. It has become a pissing contest about "who can give you the biggest, most complex analytics dashboard" rather than providing actual value to advertisers. There is also tons of unsold inventory due to the duopolization of ad platforms by google&FB. In that sense, i 'm thankful that adblocking is expanding to upend this ecosystem.
I'm generally on the same page as you. I don't have an inherent problem with sponsored messages like some folks seem to have (ex. "outlaw advertising"). My primary issues are with the current ad network framework as it exists today. The bloat, the vulnerabilities, and to a lesser extent than most people are concerned, the privacy invasions. That is why I run adblockers. It's why I go through the effort of maintaining a pi-hole setup on my network.
I visit some sites than sell, manage, and host their own ad inventory. I make zero effort to block those ads and will even click on them if they're interesting. Most of the time they're images wrapped in an anchor tag, maybe the occasional SVG animated with CSS. I don't want personalized ads, I'd rather see contextually relevant ads if I have to see any at all.
No, it doesn't make it magically better, there is no magic. But it does make the site accountable for the content they're serving me, instead of saying, "Oh, that's not our fault you got malware, it was the third-party ad network we use." It may not protect me much more than I am now, but it shifts the accountability to the first party I am dealing with instead of allowing them to pass the buck, because I can block all third party requests if I want to.
Would this change any legal basis? I do not know, I'm not a lawyer, but I sure hope we find out.
Depending on implementation it could make correlated tracking across sites more difficult. With an external element, your same browser could be sending the same cookie to the ad service from many different sites. With first party ads, each request will be site-specific.
The technique described here is still third party tracking. They’re just (mis)using DNS to make it look like you’re talking to the first-party, to defeat tracker blocking.
As gorhill mentioned in the comments, this isn't really a 1st-party tracking, it's "3rd-party disguised as 1st-party". Tracking URL is on a subdomain of 1st-party domain, but it resolves to 3rd-party IP ang request goes to 3rd-party infrastructure.
That doesn't need to be true at all. You could imagine a service that acts as a can and proxy for the 1st party that injects ads into the HTML directly and handles certain urls on the main domain.
Also, 3rd party infrastructure could be something like aws. Are you really going to block all ec2 address ranges?
There are already companies that do this for other thing. It's basically the model cloudflare uses, but they don't have the ad injection part. I believe brandingbrand did the same model for mobile sites.
To the site owner, they're just pointing dns at the ad company and treating it like a cdn.
I doubt we will win anything from this. Some advertising provider will provide an easily-runnable proxy and say "we give you double CPM if you give us the logged-in user's email address". Now you have even less privacy.
Third-party requests with cookies made it easy to start tracking people across sites... but there are other ways if that is made to stop working. Given how much money flows through the advertising industry, I am sure someone will pay for the week or so of engineering to make advertising more invasive.
Just georestrict your website to not allow visitors from Europe. What I learned from the whole Blizzard fiasco is that the future is selling products to China. China doesn't really care about the GDPR.
liberation.fr is the site you want to access, blocking it will kinda defeat the purpose.
Blocking *.liberation.fr also is not really an option as it contains some legitimate subdomains.
You would have to look up the CNAME for every subdomain and block those on the fly (it seems to randomly rotate)
Maybe it's just the circles I move in, but I feel like there are enough users who don't want to be tracked and enough websites that don't want to track that maybe some sort of code of ethics would work.
Sign up, promise not to track your users and be open to lawsuits if you're found to be lying.
Granted, it would just be another whack in the game of whack a mole, but we have to keep whacking.
You get the GDPR and a ton of little banners people click through or a disable button no one sees where, if you click it, you get confusing sliders that you can't tell if they're on or off (intentionally).
People will care about that as much as they care about ceasing to use websites that are hostile towards them: pretty much not at all.
The entire ad-blocking concept shows that people will do anything to continue visiting a website they are desperate to consume no matter how user-hostile it might be.
Also, this "No-Tracking" pledge seems like a thought experiment that only considers the rare website with more or less drop-in alternatives. So, maybe just general news and some brochure info sites?
I guess it's possible at any moment in history to say that nothing will change because nobody cares. There will always be some truth to that.
But I feel like we're reaching some sort of tipping point. 200k+ people just signed up to a new social network whose only real usp is no tracking.
I don't know what a drop in alternative is so I can't answer your question, but if your assertion is that generally speaking sites need to allow their users to be tracked I would disagree.
A possible solution proposed for this problem is to do DNS checks, which is already done by PiHole. So, yes if you have the 3rd party in your filter, it will be blocked.
The GDPR doesn't outlaw tracking. It outlaws tracking without consent.
People will allow the tracking pretty much whenever they have to when not doing so is an obstacle to accessing a website (Or simply because they get annoyed at the popup or it doesn't allow opting out).
uBO (in the common case) prevents tracking even when consent has been given. Subverting that is not against the GDPR because for the law, the consent is the only thing that matters.
uBlock Origin aside, it feels like browsers should have built-in support for dealing with this technique (I'm thinking of Safari content blockers and Chrome declarative net requests). Otherwise it's all too easy for trackers to get around browser protections, rendering content blocking APIs almost useless. You should be able to block the resolved domain for a CNAME, not just the source domain...
CNAME is a red herring - it would not take that much more effort to delegate the subdomain to a name server controlled by the tracking service or just dynamically update the A/AAAA records yourself.
A good example of why taking away the blocking feature of chrome.webRequest cripples full featured ad blockers. Gorhill shows both a DOM based rule and a CNAME uncloak that kills this tracker. Neither will work post manifest V3.
This does sound like “the user decide” indeed. The issue is: allowing that will likely be popular among people who should know better (like me) and it puts uBO into a position to be able to do some shady things that are hard to prove.
They’ve been in that situation before, with the original uBlock, and they’ve learned not to trust their own team.
Tech savvy developers could opt in to send their data and only do so from a controlled environment. If they notice a site misbehaving, open up an incognito window, go into "call home" mode and start collecting useful info. Sure, it's not for "regular people" but this type of reporting never will be if you also want to respect the integrity of your users.
Hosting ads server side rather than served from client side javascript networks has always been around though.
Originally ad networks were something you rendered out on server side hitting their APIs from the server, and in some cases dns via subdomain. Content hosts were more careful of the content of the ads because it hits their main host ranking.
First party / server side ads are actually preferred if you have to choose as you can limit the ads server side and rogue ads can be dealt with.
Ad networks from the late 90s to early 2000s were this way. Once popup ads took off they started making ad networks client side to not impact rendering on the server and ads could show progressively when inlined into the layout/script.
Today the ads/trackers are almost all client side as it is easier to integrate as more of a widget and less resources used on the server. The ad networks and trackers of today want to own all the data and not share it with content providers, plus being client-side it makes it easy to link data without the need for integration in each endpoint backend just the third party endpoints. Additionally third party ad networks may not trust that page views are organic with the api calls being implemented first-party server side, so they went client-side where they can validate actual page renders and lots of other time/click based metrics.
Ultimately sponsor ads that show up on sites/blogs/portals are usually first party server-side ads still. So as long as there aren't rogue ad networks on the server side or via DNS/subdomain then it may improve ads overall. Since first party ads are server side, unless routed via DNS to the ad network, at least the content provider incurs some cost from hosting it at least in bandwidth. If it is a subdomain that goes to an ad network that is full of dark patterns, that is not so great but it will still impact the host reputation in ranking.
Right now ads are a mess for a few reasons: so much tracking, taking up screen real estate and the marketing team pushing people to subscribe making the free content experience painful. Email/subscribe and ad popups are more prevalent than the behind the browser popups in the early days, very bad experiences.
I sometimes think the days of server side/first party ads and popups from the early internet are preferable to today's inline ads with videos that follow you down and autoplay nightmares all over the page with dozens of trackers and networks all in one. At least first party server side ads that are served up from a backend API hit to a third party or sponsors doesn't cause excessive connections, it also puts an upper limit on the amount of ads that can be shown before it hits costs of hosting and rogue ad networks impact the url reputation so the content hoster may be more of a curating check on ad quality.
Don't worry though, google is safe. They 'll strongarm people to use AMP and Signed HTTP Exchanges for first party access.
I think however it's time to grow up and stop playing this cat-and-mouse game. Advertising is crucial to the web and should be allowed. We should be shifting towards ideas that decentralize the tracking itself (like Brave does) or allow users to completely control and explicitly switch their advertising tracking identities
Same, I've been avoiding domains that I know will just show me an unacceptable banner (on mobile) or paywall (desktop). It's funny that I've trained myself to avoid them. I wouldn't really mind them being blocked in these lists, as long as I can optionally disable/enable the domains, or whitelist them if I want (there are some news websites I've paid for)
The problem is that the links to these sites already grab my attention. If ads can't be blocked on a web site, links to the web site should be blocked, so I never see them in the first place.
A website with unblockable ads is surely distracting. I mean, isn't the entire point of an ad to be distracting? "Instead of paying attention to what you want to pay attention to, remember that I have bridge to sell you at basement bargain rates just buy my kettle for 20 euros"
uBlock is too aggresive, I stopped using it. As an example it's blocking live-chat widgets like Intercom. Also, as a website owner, I don't see how web can work without any sort of tracking like uBlock suggests, simply you won't see any high quality services if all tracking, even safe one is blocked. You can't optimize a service from both technical and business perspective if you are blind/have no data to base your assumptions on.
The issue is not with uBlock itself but the filter set you are using.
Also, 95% of the time the live-chat functions on websites are obnoxious. If I have a concern, I am happy to open a dedicated chat page. Having a chat widget on every single page is annoying and unnecessary. But that's just my opinion.
Are you sure you are not able to do your website performance analytics from your server logs? More often than not, user agent side analytics end up collecting lots of unnecessary sensitive data, and sharing it with third parties like Google.
It's not about having access to server logs, you need tools to make business and technical decisions and no tool will use server logs to show you how users interact on your app or website.
What's the privacy concern if I'm tracking on what pages my users visit? I'm not sharing those with anyone.
Small business owners like myself are hurt by these things, I can't afford to pay 4-5 figures to a developer to build a tool to analyze my server logs and won't give even 5% of the quality of data analysis Google Analytics or Mixpanel gives.
I understand well. If it becomes a problem then perhaps ask your users to allow tracking on your site, and tell them why you want to. Then they can make an informed decision.
One of my ecommerce clients has grown from absolutely nothing to the biggest online retailer in their market segment in 6 years (£10million+ turnover) - and we don't track users at all.
I can see a future where safe browsing of the web will only be possible through some sort of whitelisting. Search engines or crowdsourced lists will exist to tell you which places you should or shouldn't go in the web based on Ads or tracking features, just like you can find out the relatively few places that serve Vegan or Kosher food.
This isn't exactly a great future but we need to accept that nowadays most people don't care about tracking or ads. This might change one day, but it's the status quo.
I think that anti-ads and anti-tracking, if trying to work alongside the full feature set of the Internet, is fighting a honorable but eventually losing war. Even if someone sorts out this particular issue, you are still tracked by 1) Your ISP and 2) other subtle client fingerprinting technologies. You can use Tor/VPN/disable JS but all of these have downsides.
All we can do is to fight with our time and wallets by not visiting places that don't support our values. This is possible and not different from the world we live in already.
Next step in ad blocking is using local trained AI to figure out what is an ad and what is not based on the content that it shows (regardless of origin).
May be more of a challenge with trackers as they don't to show ads per se, but may be the same technique can be used with "randomly" generated URLs - train an AI to dynamically make a guess whether the sub-domain (even first party) is a tracker or not. There may not be a clear marker, but there is always a pattern...
Interesting idea, I like the sound of that.
Currently I use uBlock Origin's "Block Element" function to block "non-ad" components of websites that bother me (HN orange top bar for example). Something similar that was "trained" based on my/crowd input would be an interesting start.
> I can see a future where safe browsing of the web will only be possible through some sort of whitelisting.
Which is unfortunate, because it's already started that many places won't even render plain text without javascript.
> I think that anti-blocking and anti-tracking, if trying to work alongside the full feature set of the Internet, is fighting a honorable but eventually losing war.
For me it's less about "tracking" and more about tracking with aggregation. Self-hosted things like AWStat and Matomo (formerly Piwik) are fine in my book. It's bringing together those analytics across different sites which is problematic.
I mean this is nothing compared to what you can accomplish with a multi origin cdn or how about a scriptable edge cdn... fastly, cloudflare or cloud front with edge lambda... then you can effectively proxy everything on the same origin with zero ip or domain difference... only content analysis could be effective and even then it’ll become a real arms race
You lose out on cookies from those other origins. When we reach the point where ads served from the same site are the primary problem, a partial victory has been gained.
I already suggest people use these edge workers to anonymize-then-collect analytics (e.g. via [0]) if they can't be bothered to host their own solution. Of course we all prefer self hosted, but even this is better than third party js.
596 comments
[ 8.1 ms ] story [ 406 ms ] threadCan first party tracking do this sort of correlation other than through browser fingerprinting?
This is already happening with large web publishers.
It's like, a peeping Tom who just looks through a window - yuck that's gross. But a peeping Tom who spies by building a microdrone that can fly in the door when it opens and mount itself on the ceiling with suction pads - oh that's perfectly legitimate because of the work and resources Tom invested.
I mean, if it's gross to do something by accident and it's gross to do something without any investment, it's super gross to do it with resources.
It's not all that hard to track someone across the internet. I think many people have demonstrate hacks that steal legitimate functionality and get you there.
I think we'll probably have to go for a containerised internet (separate apps) and just deal with the disadvantages.
For example, you could spin up an instance of Matomo (formerly Piwik) for your own website and still see no traffic from adblock users by default.
https://translate.googleusercontent.com/translate_c?depth=1&...
The example at the top of the thread: https://www.liberation.fr/ has a tracker from f7ds.liberation.fr, which is really part of tracking provider Eulerian.
TL;DR - the entire point of this is to let 3rd parties continue to correlate your identity by hiding as part of the 1st party.Just because there are worse things to do does not make Piwik the right thing. The right thing is not to collect the data at all.
More sites could do that.
This is generally better than 3rd partyies because the sites would have to actually conspire, cooperate and trust each other, which is a huge hurdle.
And if the trust is actually there, they could correlate offline without any indication. Facebook already does that (with credit records, likely phone records and medical records as well) and I wouldn’t be surprised if others don’t.
Correlation is less than perfect this way - but e.g. zip, gender and age are enough to give a pretty good correlation, and name makes it almost perfect - if you have an account somewhere, you probably gave these details.
Can you you send me an example of both of those please?
Google is the biggest offender after all their entire business is Tracking and Ads but it seems they get a pass as being an "offender" from most people
Note that "most people" (even individuals) also happily insert Google Analytics snippets on their own blogs or websites. I see that all the time thru uMatrix. So it's far from "Google being a bad actor" alone.
Might as while pile on the bad/abusive actors for causing the scenario that makes people use captchas at all.
The key parts there are: - single - technical - authority
Watching businesses attempt an integration of a line code anywhere to download the third party tool is painfully hilarious.
Getting them to set up a DNS record to point to you is often so far off the table its playing in the forest with the faeries. Having them pull your code and serve it statically alongside their site... I couldn't imagine
What usually happens is that the marketing team signs a contract then developers copy and paste a JavaScript snippet to embed on the website and move on.
The work arounds require much more intention and the solutions can be hacky like modifying urls in a minified JS file.
If that tracking is blocked, it is invisible to the company especially if only the third party who has access to the data.
Not going through the browser is possible but requires trust between organizations; publishers have an incentive to inflate numbers, and trust has so far been lacking (and rightly so). That may change.
'normal' people are starting to run ad-blockers now, not just tech-savvy users.
https://www.emarketer.com/content/ad-blocking-in-the-uk-2018
https://www.socialmediatoday.com/news/global-ad-blocking-beh...
If you're willing to get cpu/gpu intensive on the page rendering a lot can be done.
Make sure the travel to a different country between clicks. Just in case.
It's a constant cognitive drain on your mental resources. That's even ignoring the fact that almost everyone is influenced by ads to varying degrees.
We reached the point that this is the argument to avoid ads... People will go to such a length to justify blocking ads, it's crazy.
Yes, I also take the Intel Inside stickers off my laptop.
Every once in a while I get a page that buries a CPU core. It's either bad Javascript (most likely) or something mining cryptocurrency on my PC.
I can ask for a lot more, don't worry.
Speaking for myself, I've never been opposed to ads on sites (within reason - popovers are trash), because I understand that creating content costs money, but I don't like all the tracking that comes with them.
But I was actually responding to the parent's comment (this is a threaded discussion, yes?) about how actual first-party ads are less objectionable than third-party tracking.
But thanks for adding your thoughts.
It is more technically challenging to implement. If it becomes necessary, I'm sure there will be plenty of money invested in making it easier for the content providers to participate in such things.
Kind of like climate change, there are actions we all know would help but individually giving up those conveniences is difficult.
And like voting with your wallet, it will be completely ineffectual in actually addressing the problem.
> Kind of like climate change
Another area where the need for comprehensive societal solutions gets dumped on the individual instead, rendering it ineffectual.
I'm a big proponent of top down climate change policy to force change as opposed to hoping if we virtue signal enough people will be shamed into driving a bit less etc.
With regards to Ads I don't take as much a hard line approach as yourself (I remember our last discussion!). I'm very pro ad blocker use but not to go as far as banning them in any way.
Something I've been thinking about is sending a header to websites informing them I'm going to block their ads so they decide not to send me the content if they don't want to. I feel no entitlement to their content as they should not feel any entitlement to what code gets to run on my machine once it reaches me. I might expand on this in a blog post some time soon but it's probably closer to an art project than something actually viable.
I'm impressed. I don't think I ever remember individual usernames.
>Something I've been thinking about is sending a header to websites informing them I'm going to block their ads so they decide not to send me the content if they don't want to.
I've actually played with similar ideas in the past (my more moderate days). But my philosophy at this point is that they can choose to give me the data or not give me the data. And I'm free to do with it as I please as long as I don't distribute it without permission. And I'm even softening up on that limitation.
An advantage of this is we'd skip the whole ad blocker and anti ad blocker charade and gain a metric ton of performance back.
When I said basically the same thing 4 years ago[1], most people seemed to think it wasn't a serious concern or could be easily bypassed. However, after observing how certain types of businesses use the World Wide Web over the past 3 decades, it's obvious what they want: to send an opaque binary blob to the user that nobody can investigate or modify, that gives them full control over what the user sees and is allowed to do. Just like TV.
The only safe response to this is to stop allowing documents (or docs with 3270-styole forms) to embed software in a Turing complete language. Add functionality that is used declaritively, or the answer to "should this be blocked" is undecidable. Give them the ability to run a Turing complete language that renders to a canvas, and adblocking becomes a hard image recognition problem (or requires solving the Halting Problem).
[1] https://news.ycombinator.com/item?id=10211050
People who don't want to see ads (i.e. a large part of adblock users) are also more likely to engage in toxic (to advertisers and YouTube) behavior, such as intentionally clicking on ads but never buying anything (or even writing scripts to do that), or intentionally avoiding the advertised product, etc.
HBO does product placement too, though they sometimes pretend they don't or pretend it doesn't count when they do it because they do it "pro bono" (The Pope only drinks Coca Cola™ brand Coca Cola Zero™ for purely narrative reasons, and we're going to mention the brand Coca Cola™ explicitly several times by name to drive home the point that the character you enjoy watching enjoys the cool refreshing taste of Coca Cola™ brand Coca Cola Zero™. Don't worry Coca Cola™ hasn't paid us to shill their sugar water, we do it for free! Drink Coca Cola Zero™!)
We have fire tv and Amazon has added more and more advertising to the point it’s nauseating (an ad for Shameless in the middle of a bunch of baby pictures is jarring).
I’d be happy to pay an extra dollar / month to amazon to not see ads there. Actively looking at htpcs that I can put Adblockers on (pihole doesn’t work since ads and content come from same places, I think)
The thing you can buy a la carte is twitch turbo, and that still removes all ads.
source: ex-googler
In most countries, any YouTube user can pay a subscription fee to disable ads. It's called YouTube Premium: https://support.google.com/youtube/answer/6308116?hl=en
This has existed since 2015, so presumably Google employees have it on their personal accounts.
Twitch also removed the ad-free benefit from twitch prime.
A healthy internet is ultimately up to us to build and maintain.
I feel like that's not a real problem. Or, maybe only a problem for services that care more about having a ton of users than being profitable and sustainable.
There are quite a few services (SmugMug, Vimeo, NetFlix, etc.) that charge money, don't have advertisements, and are doing just fine.
It's weird that so many web companies decide to go the sleazy advertisement/tracking/malware route rather than just charge money for the services they provide.
You will find very quickly how reluctant people are to pay for anything despite a few cultural-phenomenon-level exceptions like Netflix.
I'm amazed how many people, like my own coworkers making $100k+, listen to Spotify all day every day yet will endure advertisement after advertisement in their stream of music instead of paying $10/month. If someone isn't even going to pay for Spotify despite it being a central part of their day to day experience, GG to your little service.
I think advertising has played a major hand in shepherding us into this position that divorced us from the idea of paying for content we enjoy. There is going to have to be a major cultural change to bring us back into a healthy relationship with content.
One common response to this is "well, maybe everyone should be hobbyists again making content for free," but surely we can find a better middleground than structuring things such that we depend on people toiling away in their freetime to produce the content we happen to want. For example, I'd rather my favorite content providers be able to feed themselves working on this content. We both benefit: I get to enjoy more content. Depending on hobby work doesn't get us there.
That's absolutely not true, though. People buy stuff all the time. Clothing, shoes, sporting goods, dishes, food, housewares, books, DVDs, etc.
The "freemium" approach Spotify takes is a poor example because they're not charging for their real service of music streaming, but instead to get rid of advertisements. They've moved their own goalposts, and the question isn't "Is streaming music worth $10 a month?" but "Is it worth $10 a month to get rid of this commercial?" If the options were "Pay $10 to stream music" or "Listen to nothing," the results might be a lot different.
> One common response to this is "well, maybe everyone should be hobbyists again making content for free," but surely we can find a better middleground than structuring things such that we depend on people toiling away in their freetime to produce the content we happen to want. For example, I'd rather my favorite content providers be able to feed themselves working on this content. We both benefit: I get to enjoy more content. Depending on hobby work doesn't get us there.
I'm not making that argument, and you're setting up a false dichotomy. There's no reason content creators need to use advertisements and can't charge for their content instead. It worked fine for music and movies for over a hundred years, and books have been using that model for hundreds of years before that.
I'd never pay $10 for a character in a game, but I'd happily pay $15 for a plastic toy that coincidentally unlocks something in a game I was enjoying anyway
There are people who pay for paid password managers when free alternative products available. I myself pay for a number of services (very reasonably priced) when I could have used free alternatives. The difference is the guys I pay don't offer a free edition without ads and nonsense like that. They just build a great software and ask to pay for their effort.
Why go to work, earn cash with your attention, and pay for Spotify when you can directly monetize your attention on-demand in real-time at the rate you consume? That's what advertising allows.
If you do it as a hobby, it's not toiling. It becomes toiling when you do it as work, especially if you have to please advertisers instead of making the content you love.
Also lots of people can't afford all the content they consume today, and would much rather have access with ads than nothing all.
I mean, on the whole, the vast majority of ad supported content is in fact clickbait trash.
Are those special and only run for large streamers? I never see ads on twitch, but the biggest streamer I watch has under 300 viewers.
You may be ad-free for another reason such as a grandfathered twitch prime that will expire when it next renews, twitch turbo, or a subscription to a channel that opts-in to the ad-free sub benefit. You might also just be in a region or demographic where ads aren't being bought, so you wouldn't get any then.
Now, whenever I get an ad, I immediately close twitch and find something on YT/Mixer to watch. I'm training their algorithms to leave me alone.
I get ads when I use Twitch, with the same account, on a stock installation of Chrome (which I use as my backup browser for when I don’t want to figure out which extension is breaking a website). So it’s not related to my account, location, etc.
However, I would argue that it is not actually worse for several reasons. For one, the streamer decides exactly when and how to play ads - so if the ad timing bothers you, you're going to start watching someone else, which in turn creates an incentive to keep streams ad-free or at least run ads at specific times.
The second reason is that the usage pattern of Twitch is different. I go to twitch (if it's a livestream) to actually watch the content, whereas I use YouTube in many cases like I would use an article, skipping through videos and back and forth looking for a specific part or specific information, and if the information isn't there quickly trying the next video. This workflow gets completely destroyed by ads. To the point where if YouTube would somehow force me to watch ads, I would simply stop using it except for the 2-3 weekly videos I actually plan to watch beforehand.
This seems standard: acquire users, then make the service worse for users. (and better for shareholders and/or advertisers)
The problem is that sites trying some insane techniques is a bad arms race.
Sites like the wallsteet journal made a adblock-wall, see ads or don't use the site. That's fine. They can do that. And they lost lots of traffic. But they can decide if they like that.
Websites want a have-your-cake-and-eat-it option -- forcibly show ads, no opt out.
https://support.alexa.com/hc/en-us/articles/200449744-How-ar...
Why ask a vague winky-face question when you can make your assertion instead? Now I have to wait for you to respond just for you to clarify what you were trying to say.
> our traffic estimates are based on data from our global panel, which is a sample of millions of Internet users using one of many different browser extensions. However, we don’t just rely on browser extensions. We also gather much of our traffic data from direct sources, including sites that have chosen to install the Alexa script and certify their metrics. It is this unique combination of data from our global panel, plus data from directly measured sources, filtered through our advanced statistical models that allow us to provide you with robust and comprehensive metrics.
The next anti-tracking technology should include fake tracking.
What makes you say you’re speaking for most of us?
Tracking doesn't mean anything to most people.
That's why I'm not using it personally, even though I'd love to...
then you can go mad on everything outside the container
I don't think that's true, video encoding is expensive. This is not trivial to do without investment in hardware.
Google doesn't just sell ads, they sell targeted ads. Yes, YouTube currently does some processing on every video uploaded. But they only do that once.
Outside accessibility there's also the issue of responsive design, huge SEO impacts, rendering performance... I'm probably missing a bunch.
Lifting a sedan with my bare hands is obviously easier than lifting a 10 wheeler, but it's still a massive problem. Rendering stuff is not the biggest issue.
Gary Bernhardt's talk "The Birth & Death of JavaScript"[1] was an ominous portent of a terrifying future. Unfortunately, some people apparently saw it as development roadmap.
[1] https://www.destroyallsoftware.com/talks/the-birth-and-death...
You can even implement a WASM interpreter in JS.
WASM at least is standardized, so there will be a whole ecosystem dedicated to it. Think IDA Pro for WASM.
> although we've had Emscripten for years
We did. And I didn't see the "asm.js apocalypse" you seem to fear.
WASM is different between Emscripten was always a fun curiosity, and WASM is being "marketed" to developers as "get native app performance in a browser". "Modern" Javascript has been able to deliver this future for a few years now, but it lacked the marketing and tooling to make it mainstream. Flash and Java were attempts to move to that future that didn't pan out.
Having IDA Pro for WASM is all well and good, but doing binary reverse engineering on every single website isn't practical.
The web, as it has been, was nice. We're not going to get to keep it. I'm unhappy with it, but I'm resigned to it.
So WASM doesn't take away anything from us, because we haven't had the "nice" you mention for 10 or 15 years. Sites like HN will stay like this, sites like Facebook will get even bigger. It will happen with or without WASM.
But yes, I do see where you're coming from. You want a less bloated Web, and you're worried that WASM is not going to lead to that, which I pretty much agree with. While I'm saying that cat is already out of the bag and WASM at least has the potential to bring performance improvements over JavaScript (which will be promptly negated by the sites getting even more bloated).
I want a declarative web. I wish there wasn't a VM in my browser. I want a web where my user agent, under my control, dictates how documents are interpreted and displayed.
So much of information security relies on not letting third parties execute arbitrary code on your computer. The price to view "mainstream" websites is increasingly becoming "allow third parties to execute arbitrary code on your computer". I can sandbox that code and perhaps limit the impact to my privacy (though thanks to processor microarchitecture "features" that's increasingly difficult), but I lose virtually all ability to control the presentation experience.
To be blunt: The kind of assholes that delighted in using Javascript to block opening context menus, blocking "Paste" into password fields, etc, have won. That pisses me off. Developers with good intentions who wanted to make something "cool" end up being the architects of the tools that will be used turn the web into cable TV.
Change your `dom.event.clipboardevents.enabled` in about:config to false.
Putting a VM into our browsers, along with sufficient API support to make that VM useful, is what spells the eventual end of the document-based web. I think that future arrived a few years ago and it's just not evenly distributed yet.
That sounds like the worst future possible. I love the fact that I can go to any web page and look at all of the HTML, CSS, JS (even if I need to use a tool to un-obfuscate it). Have you never wondered how someone did something and then looked at their code to find out how they did it? I love being able to use curl and wget to grab a web page. How would that work in a non document-based web? I really think this would be a terrible thing if it actually came to fruition. I truly hope I'm retired or dead before it occurs.
You can easily generate a static document with ads, doing the heavy lifting on the server.
TVs allow the user to mute the audio, switch channels and fast forward past ads in recorded video. What publishers are doing to the web is like sending a control message that reconfigured the TV and disabled some of its functions. "You can't mute the audio, you're obligated to listen to this. Also, we're turning the volume all the way up in order to reach you even if you leave. You can't turn it off either."
Publishers simply don't want users to have any control over the experience. It's their way or the highway.
What if broadcasting companies sent signals during commercials that told the TV to disable these features? "They've enjoyed the movie, now it's time to make them pay. Don't let them change the channel, mute the audio or lower the volume". How long would it take before TVs that didn't follow these intructions entered the market?
Browsers have features publishers don't want people to have. We can download copies of "their" content. We can delete their ads. We can filter out their user tracking malware. This is possible because the browser serves us, not them.
That just moves the goalposts though. People will still deconstruct and reverse engineer the black box, or sniff the lines it uses and attack the traffic. Or anything else. There are countless attack vectors against a device in physical possession. So unless the devices are melting down into slag and can perfectly detect even passive attacks then the advertisers will always lose.
This doesn't stop them from trying. If advertising can be made more expensive then the roi the advertisers will stop. Some will irrationally throw money at the problem way past the point they should've given up but even they will taper off eventually.
I'm already seeing a big use case for having such a (opt-in) domain filtered search engine since there's soo many spammy and SEO-hacking web sites out there.
I wonder if it is also not how GDPR should have been implemented. Forcing browsers to implement a request for storing tracking data, which would avoid dark patterns in consent forms and would keep websites honest. It would also allow to remember the decision. If you delete cookies when the browser closes, you get asked for the same consent you denied on every visit.
The internet will partition: the corporate internet will be what you say, and the independent internet will be people writing and hosting their own content, like the internet of the olden days. Some of them might interact with corporate services via apis.
The independent internet will be small, but it will be enough. If you want to buy something anonymously, go to a shop and pay cash with your phone turned off.
Maybe there is a market for a proxy that converts any page you visit to bare and functional HTML with just content and navigation. No ad's, distractions, disfunctional scrolling, etc.
https://en.wikipedia.org/wiki/Proxomitron and other MITM-proxies can do that and more, although the security-paranoid may disapprove (but then again --- what are you more concerned about, what is your threat model, etc.) The recent "security vulturism" and things like DoH and other anti-user ostensibly-privacy things certainly doesn't help.
I’m not sure if it can also enable individual scripts, that might become necessary very soon if this article is an example of what is coming.
Wrap it up with an easy to install bow and easy self updating to keep up with sites (and easy fallback to original sites/links), and I'll never browse the mainstream sites again. There are a couple of things that do this, but none as well as I'd like to see.
Fetching data from such websites is the only thing so far where I've found ES async generators very very useful.
You don't even need a browser. Most of the time simple HTTP requests from node work just fine, and makes tor use safer and more effective since you're not running any foregin JS code, just parsing data. Other thing that improves privacy is that you're downloading everything, so it's hard to see from the service's side what you're actually consuming.
Actually many usual services follow this pattern. List of accounts->list of transactions->transaction details. List of categories->list of articles->article detail. List of product categories->list of products->product detail.
Simple abstraction can get you very far, even with a fairly simple DB schema.
Suppose I have an apache module (or the equivalent in some modern http server) that's (a) injecting the necessary code (b) forwarding the traffic information to my nefarious third-party tracking provider. Or, heck, just a third-party solution that consumes my apache logs. It's doing all of this without using the browser itself as a middleman, like the clumsy CNAME masking discussed in the linked Github discussion.
This could never be stopped client-side since one's web browser would have no say.
Only reason this isn't more widespread already is because a lot of web properties don't have full control over their shared hosting environments.
First-party ads are theoretically kinda sorta maybe blockable via various levels of heuristics, which of course adblockers are already doing to various extents today.
But as far as preventing your information from being forwarded behind the scenes, there's no technical solution. Legislation is the only hope to curb it.
Google still has an old help site referencing its log analysis features [1].
> Urchin WebAnalytics Software is discontinued and is no longer supported. All Urchin documentation applies only to the Urchin product as it was at the time of discontinuation, and does not apply to any Google Analytics products or services.
[0]: https://en.wikipedia.org/wiki/Urchin_(software)
[1]: https://support.google.com/urchin/answer/28570
Ads need to know what you googled, what you did in the competitors website, 1st party domains are a huge handicap for it.
They either will need excellent fingerprinting or accept subpar tracking.
The max they can do is track you in their website, but that's terrible, they need to know more.
edit: this means the 3rd party server can't know who you are, even if they get your tracking events, they can't know what you did in the other sites.
thats why fingerprinting could fix this, the 3rd party server could find your profile with a good enough fingerprint.
I'm talking about a sameSite cookie made for the publisher, via a proxy on the server.
When a client send you this cookie (sameSite) your server forward it to the ad provider using a RPC call.
The ad provider replies to this call with new data they want you to add to the cookie.
You set the "forAdProvider" cookie on the client, using the data specified by the ad provider.
I don't think that has much value because the ad provider wouldn't know who you are to begin with.
First time you open said website no cookies would exist for the domain.
Then the ad provider wouldn't know who you are.
Ex: Access foo.com and search for shoes, shoe cookies set for foo.com Then access bar.com which hits foo.com for the ad suggestions Now foo.com knows you searched for shoes, since the 3rd party cookies are there.
Now if you do it without 3rd party cookies bar.com wouldn't have any access to the cookies which identify you as a shoe buyer, because those are set for foo.com
I'm ready to move on. In my eyes we already lost the www.
If you provide paid content AND try to track me or make even more money with me via ads: goodbye...
On the other hand: If you rely on ads only, it is doubtful that your media-outlet is truly neutral -- would you really do analysis and investigations on your highest paying ad clients (?) -- I doubt it...
There is also the option of actively attacking the business model of the ad and tracking industry. Ad blockers could simulate lots of "fake" traffic to make ad analytics harder (this is another arms race against attempts to filter out the fake traffic)
This would be awesome!
Mandatory : "Why Rosyna Can't Take A Movie Screenshot"
http://web.archive.org/web/20180919021829/https://www.alexra...
There are many videos on Youtube recommending stuff. You never know if the author has been paid. Even if you try to detect popular ad networks and services, the ad techniques will also evolve.
If ads were the only source of my income, and my content was unique, I would show the user a "quiz" every 5 minutes, asking him to answer, what is shown in the ads at the moment :D and deny the access, if the answer is wrong.
Those are some rose-tinted glasses. People on forums like HN were always annoyed that they looked like navbar links and you were only clicking them out of confusion with actual links.
Also, re: “inline” static images, there could totally be client-side ML-model cosmetic filters that recognize and remove known as images, regardless of how they got to the page. The filter could even just throw a floating rectangle over then, so it wouldn’t even have to understand how they’re made in the DOM. This is the “thermonuclear backup plan” we’ve been expecting to need to pull out for a while now, though advertisers have been lazy about getting sneaky enough to necessitate it.
Small community sites are still interesting, distributed web technologies may start to rise, or there's always gophernet...
The problem with first party tracking from the PoV of the advertisers is that the feedback they need goes through the site their ad is on so it is possible to be faked: "Yes Mr Advertiser, we really did send x000 ad impressions to {addresses} this day, honest guv'ner."
And from the site's point of view the adverts now become a little more admin to manage beyond just slapping in a reference to 3rd party JS and adding a <div> for that code to target to insert the advert.
Essentially, the ad providers would also become hosting services.
So.. Google AMP?
It also creates single points of failure that did not exist before. If the ad service is down, your content is (potentially) down too rather than just being served without working ads.
If they want to make ads extremely hard to block but reduce privacy concerns, I'm all for that. It puts the discussion back on a more even level, and if you don't like the ads, don't use the service. The only reason I'm okay with running an ad blocker now is because of the privacy concerns. If those were eliminated (which isn't the case in this theoretical situation, they're just reduced) then I'm not sure how to justify running an ad-blocker. To my eyes, it's basically stealing cable or satellite service. I understand other people don't see it the same way though.
Just because there are a lot of bad actors and massive amounts of advertising doesn't mean the entire internet needs to go down that path.
Hackers have protected users since years. It's time for politicians to protect their citizens.
I'm actually hoping it paves the way for more independent publishers that focus on quality content and charging.
Ads have ALWAYS sucked and been a horrible solution to funding news, journalism, etc.
The problem is that ads basically cause other users to defect to platforms that are free (but sponsored by ads).
One way browsers try to take away that freedom is by limting what extensions can do. If that continues, at one point we would need a new browser to accomplish it.
My favorite vision of the future would be if Debian would provide a version of Chrome or Firefox that: a) is stripped of all tracking and b) gives extensions full access to everything.
Or, assuming they have a small list of subdomains that redirect to ad servers, you could generate a list with a script that checks all their subdomains and creates a block list based on that. For example, the site discussed in the OP has all their subdomains listed here: https://crt.sh/?q=%25.liberation.fr
Edit: looking at the OP case, it seems like they only have one ad domain. I'm not sure I see this as a serious issue until multiple sites start rolling out thousands of subdomains, some pointing to back to the real server, others pointing to the ad server. Maybe that will happen but it's a pretty big barrier to entry, and just short of proxying everything through the 1st party.
I'm speculating that the balance is in the reverse favor. Last night I was looking at some file on GitHub which was redirecting to what looked like an S3 bucket subdomain named with a pattern like "github-production-f7e281a2", which I simply presumed to be cache-busting via subdomain instead of appending the hash to the filename. If my assumptions were correct, every time GitHub deploys a new build, you would have to whitelist that subdomain.
And remember the time when Debian layered some changes on top of openssl? http://faq.caslavka.cz/attachments/196/randomness.png
Now, what changes does Google layer on top of chromium to make Chrome? Do you know exactly?
(Do you know that all of Chromium is in fact open source? Have you looked at the source and the build process? Are there any parts in it that are actually precompiled binary blobs?)
We can't solve a political problem with purely technical solutions. We can provide workarounds for 5 to 10 years but the core problem has to be shut down at one point.
I'm glad I'm not the only one saying it in a thread, for once.
> We can't solve a political problem with purely technical solutions.
This is something that is sometimes hard to accept for the hacker mindset, but it's absolutely true and an important thing to realize.
Seeking change at a societal level is the exact opposite of the hacker's free-wheeling individualism, but it's the only way to actually accomplish change at a societal level.
You're right, we'll never change advertising just by running individual ad blockers, and we'll never change privacy controls by trying to mask our identities; that has to happen through laws and larger society. We have to have a right to privacy and freedom from advertising be a thing that everyone wants, the bus driver, the butcher, hair stylist, etc., not just what we can foist on our immediate family and social circle.
This may just be some inevitable fact about humanity. We’ve seen this sort of regulation and ultimate centralization of every single communications medium going back to the printing press. When I was younger, I legitimately believed the web would be different. I thought it would be a decentralizing, democratizing force for peace in the world. Now it seems destined to be the opposite of those things: a centralized tool for polarization and control.
I hear that a lot but historically, we've seen a lot of the opposite, a lot of political problems were solved with technical solutions. Technology so far had an even bigger impact than politics on society.
Technology can enable a political will and can create an opportunity for change, but if the political will goes in one direction, no amount of tech will be able to resist it forever.
We could ban ads easily with a law. It would not need any tech. Scrubbing all the ads while there are incentives to develop them, however, is a lost fight.
Legislation-wise, I think the best the web can hope for is forcing websites to label ads. It doesn't sound unobtainable, especially as similar legislation already exists for political ads in many places. For example, legislation could require websites to label all ads with some kind of strictly defined watermark. In addition, some kind of software-readable indication would be required for accessibility purposes. Could be a special HTML tag or attribute. That would make ad blocking much easier.
I don't share your pessimism about the feasability of politically banning all advertising, but I agree that something like this would be the next best thing, and a great step.
Tracking technology and terrible analytics platforms that slow everything down are much lower hanging fruit.
It's like:
The only one I could find was related to the Americans with Disabilities Act (ADA) and of course GDPR, but that's related to handling of personal data.
If they said what they wanted to say, the law would essentially say "don't violate privacy without explicit consent." I'm relatively OK with that; that's not telling me how to build websites, that's just making certain harmful activities illegal. It wouldn't be very different from saying "don't distribute malware that attacks your users."
In its current form, I'm not too thrilled with the cookie law. And I sure as hell don't want lawmakers adding more, worse, laws on top of that. Go too far in that direction and they're turning software into nagware (I loathe cookie popups, I loathe google's "privacy reminder", I loathe applications that blast me with notifications and hints, I loathe permission dialogs, I like Unix's Rule of Silence) while making its development a legal minefield.
I want to be able to write FLOSS software (or websites) with a user interface that pleases me, and EU is looking for ways to make that illegal. In a manner of speaking, I hope they do just that, then people who want pleasant software have more reason to organize an underground software liberation movement where no fucks about shit laws are given.
>EU is looking for ways to make that illegal
I'm sorry, but what are you smoking? Willy nilly data collection is illegal, they don't say much about UI.
The legislation would have to be very explicit about the format of the label and that it be machine readable, otherwise you'll get obfuscation like Facebook is doing:
https://www.propublica.org/article/facebook-blocks-ad-transp...:
> This is not the first time Facebook has changed its code in a way that has broken our tool. For example, all ads are supposed to contain the word “sponsored” as part of a mandatory disclosure, so users can distinguish between ads and their friends’ posts. Our tool recognized ads by searching for that word. Last year, Facebook added invisible letters to the HTML code of the site. So, to a computer, the word registered as “SpSonSsoSredS.” Later, it also added an invisible “Sponsored” disclosure to posts from your friends. Many of the participants in our project noticed the effects of this change because it caused some menus to pop open unexpectedly or the page to scroll to the top repeatedly. Nowadays, the disclosure says “SpSpSononSsosoSredredSSS.” Some of these changes were likely also intended to thwart ad blockers.
That said, I wish digital media stopped wholesale delegating the work of serving ads to third parties and had proper control over experience and privacy—what is delivered how and who tracks whom.
The web has taken an industry that already had reputation for deceptive tactics and have handed them tremendous powers through data collection.
Should advertising be banned because of that? I doubt that it would be effective since the advertising industry has created an environment where tracking people is the norm. Banning advertising would simply shift the focus of that data collection so that it is less visible.
It would also be incredibly difficult to ban advertising. Legislation would have to create a clear definition of what advertising is and deal with a medium and business world that crosses national borders. If you don't consider the former, such legislation would have unintended consequences of the freedom of speech. In the case of the latter, it would be far more difficult to reach international agreements than with other online regulations (regulations that are already difficult to enforce) since advertising is considered legitimate in many cases while standards for advertising will differ.
But... Ads are useful. I remember once maybe ten years ago when I noticed an ad about an event in a nearby library that was absolutely amazing and without ads I would not have been there.
(This is sarcasm. There is no reason why manipulating other people to do things should not be regulated heavily.)
Without ads there would be basically no free content online, and those who cannot afford content would simply go without. Consider how much better the world has become due to easy access to information. To yank that away seems like bringing a dark age.
Restricting the legality of advertisements in general might have the nice effect of leveling the playing field, by making it harder for content providers to benefit by-generally covertly-selling out their users (or their users' interests) to such third parties.
Citation needed. I don't believe that for one moment. Already people are producing far more content for free each second than one person could ever consume in a lifetime on sites like Youtube and Instagram. The urge is there, even without any monetary reward.
> Consider how much better the world has become due to easy access to information.
Now consider how much worse the world has become due to the incentive to hide wanted information behind commercial information. Simple example: there was a time before adblockers when it was not a rare sight to have a page with 80% advertising and 20% actual content. Think unskippable ads before videos. Think of the mountains of useless content that SEO spam produces that hide the interesting pages in search engines.
Marketing does not give access to information. On the contrary, it takes it away.
We’re seeing it already. Many if not most news sites are pay gating their once free content. Cite: Wall Street Journal, New York Times, The New Yorker. All charge for access. All we’re free before the proliferation of ad blockers.
Yes there would be hobbyist information for free, but WebMD? News sites in general? Any sort of resource that takes money to pay people to maintain? It will all be pay gated.
As someone who does not use an adblocker, I have genuinely no problems finding the content I’m looking for.
See? They found a way to put content online without relying on ads.
Before Youtube, Facebook and the like, internet service providers included basic means of publication. Mail/mailing lists, homepages/blogs with RSS. They could do that again.
But, even if the barrier to publishing became higher and only 1/50th of the video's were put up on Youtube, it would still be far more than anyone could ever consume.
There was plenty of free content online before ads, in fact I claim that the web was better before ads arrived, and it is getting worse by the day. Marketeers ruined it.
It happens over and over. YouTube had plenty of great content for free before monetization. Now it is becoming worse by the day, because everything is ad-related. "Influencers", etc.
> Consider how much better the world has become due to easy access to information. To yank that away seems like bringing a dark age.
Easy access to information is a consequence of the Internet and then the Web, both technologies having been developed by government-funded programs, respectively in the US and in the EU.
Ads brought us re-centraliztion, targeting and erosion of democracy through extreme polarization and fake news.
I know this is hard to believe for a lot of people here, but human beings are motivated by many things other than monetary profit.
This is a tired old myth that everything was somehow better in the good old days but that's all it is.
Yes there was. Go to archive.org and check for yourself.
> The commercial internet is a trillion times bigger than anything that came before and services billions of users around the world, many for free, paid for by ads.
Bigger doesn't mean better. The web is now flooded with malicious and manipulative content. The ads pay for that content, while taxpayers and consumers pay for the infrastructure that actually makes the Internet possible. Ads pay to keep the web centralized, they don't pay for what makes the web possible.
> This is a tired old myth that everything was somehow better in the good old days but that's all it is.
There is indeed, but notice that I did not say that "everything was somehow better in the good old days". I made a very specific comment about a very specific topic. My comment: there was plenty of quality content on the web before ads arrived. Ads made the web worse. Argue against this if you like, but not about things I did not claim.
That there's more content for more people across more channels is objectively true, and advertising pays for much of it. You seem to be conflating ad UX with economics.
It is the medium that makes the ads possible, and it is payed by you and me.
> We're talking about content, and ads are the subsidy that lets billions consume for free.
And I have been telling you every step of the way that there was good content before the ads arrived.
> That there's more content for more people across more channels is objectively true,
That is hardly surprising. There was no moment in the history of the web when the total amount of content available was not increasing. This was already the case before the ads.
Did it grown more than it would have without ads? Maybe. Is it better? I don't think so.
> and advertising pays for much of it.
And yet here you are, consuming content that someone created for free (me) in a platform without ads (Hacker News). So it doesn't pay for all of it, and even you, at least sometimes, seem to prefer the non-ad-funded corner.
> You seem to be conflating ad UX with economics.
Sorry, I have no idea what you mean by this.
Literally the only site that is better now than back then is YouTube with an ad-blocker.
Everything else has deteriorated: Google (search) is worse, Ebay is worse, Amazon is worse, banking sites are worse.
Heck, even Java stock tickers from 2000 were better than now.
The art of presenting information in a meaningful way has been lost entirely.
Before Youtube, we were sharing files directly. There was far more content online!
There are even advertisements in North Korea (for the ruling party).
This idea isn’t realistic.
Saying a thing always existed is a pretty bad argument to keep it alive.
How would one formalize what's an ad and what's not? And what about sneaky things like sponsored content or, say, amazon reviews? It's hard sometimes to tell whether a review is legitimate or an ad in disguise.
"Did you receive compensation to say good things about this product?"
Yes: corruption.
No: you're clear.
And before you claim it’s a bad ruling, think about all the times you’ve used your money. Are you not supporting the EFF in some form of speech by donating to them? Are you not supporting a product in some form by buying it? I don’t like it as it allows money in politics, but it’s a ruling that makes sense.
[0]: https://en.wikipedia.org/wiki/Citizens_United_v._FEC
No, "speech" is something, that you can argue extend to written declarations and publications, but "paying someone to support their actions" is something different. It is something that can be used to promote a political expression and it makes some sense to protect some form of it but certainly not on the same grounds as protecting free speech.
Paying someone to put forward an opinion has other names: corruption, lobbying and, yes, advertisement. None of them should be practice protected under freedom of expression laws.
See, why is freedom of expression good? Because of the core philosophical belief that truth and good opinion emerge from the confrontation of different point of views. Alvin tells me why we should not bomb Eastasia, Barbara tells me why we should. Charles comes with additional facts. Daniele points out some lies and incoherence in some of the past arguments. They all make their points, then I think for myself to make my opinion.
This is how opinions of voters but also lawmakers, leaders, journalists, magistrates, citizens are supposed to be formed.
In no way would this process be helped by paying the person that is forming their opinion. Quite the contrary.
So yes, this ruling was bad. Incredibly bad. It is bad for philosophical, moral, practical reasons.
The fact that I should be allowed to donate to EFF does not rely on the 2nd amendment. And in fact I do want the law to forbid me to give 10 millions to the EFF to drop a lawsuit that would go against my interests.
For example, where is the difference between me talking about a game I like to play and someone talking about a game they like to pay that they were given a free copy to play?
I think looking at forbidding tracking is a better path to pursue. Or maybe making someone legally responsible for their ad codes as if they knowingly placed it there.
Some bad or annoying ads on the web is not cause to forbid advertisements and completely misses all the content that it pays for.
Using an A/AAAA record would be harder, you’d need to have an IP blacklist, and the trackers would probably be constantly shifting IPs, using a low TTL on the record.
This might require giving your tracker programmatic access to your DNS, not sure if many first parties are ready to go there.
It was fairly trivial: instead of asking for the tracking script directly I put a small service of ours in front of it, so our website asked for foo.mycompany.com/stats.js that fetched the correct script and changed all URLs inside of it from mycomp.mytrack.com to foo.mycompany.com. Our service than acted as a proxy to mycomp.mytrack.com.
A simple solution that worked out for a while, lost by now, in a server, somewhere in Ireland...
Those are two separate things. You can track without code, and you can make a page terribly slow without any tracking.
Interestingly, for most people it's primarily the code size and slowness leads them to adblocking, tracking is secondary.
> I can't block it? I'll probably stop using it,
As a publisher I 'd welcome that behaviour. Of course i should be partly responsible for the ads my users see, I actually try to be but it's impossible with today's technology.
It's a total fallacy that the adtech of today is the best we can have. It has become a pissing contest about "who can give you the biggest, most complex analytics dashboard" rather than providing actual value to advertisers. There is also tons of unsold inventory due to the duopolization of ad platforms by google&FB. In that sense, i 'm thankful that adblocking is expanding to upend this ecosystem.
I visit some sites than sell, manage, and host their own ad inventory. I make zero effort to block those ads and will even click on them if they're interesting. Most of the time they're images wrapped in an anchor tag, maybe the occasional SVG animated with CSS. I don't want personalized ads, I'd rather see contextually relevant ads if I have to see any at all.
Before:
Ad providers tell you to throw an external element in your page to display an ad.
After:
Ad providers tell you to add a library to your code directly that pulls down ads and serves them front the same place your site comes from.
This doesn’t magically make the website selling advertisement space aware of what code they’re running on your browser via those ads.
Would this change any legal basis? I do not know, I'm not a lawyer, but I sure hope we find out.
Also, 3rd party infrastructure could be something like aws. Are you really going to block all ec2 address ranges?
This reduces the attractiveness of adverts, which means they won't be as prevalent, which means tracking concerns are lessened.
That's a win, no?
To the site owner, they're just pointing dns at the ad company and treating it like a cdn.
Third-party requests with cookies made it easy to start tracking people across sites... but there are other ways if that is made to stop working. Given how much money flows through the advertising industry, I am sure someone will pay for the week or so of engineering to make advertising more invasive.
Sign up, promise not to track your users and be open to lawsuits if you're found to be lying.
Granted, it would just be another whack in the game of whack a mole, but we have to keep whacking.
The UI has nothing to do with this.
The entire ad-blocking concept shows that people will do anything to continue visiting a website they are desperate to consume no matter how user-hostile it might be.
Also, this "No-Tracking" pledge seems like a thought experiment that only considers the rare website with more or less drop-in alternatives. So, maybe just general news and some brochure info sites?
But I feel like we're reaching some sort of tipping point. 200k+ people just signed up to a new social network whose only real usp is no tracking.
I don't know what a drop in alternative is so I can't answer your question, but if your assertion is that generally speaking sites need to allow their users to be tracked I would disagree.
People will allow the tracking pretty much whenever they have to when not doing so is an obstacle to accessing a website (Or simply because they get annoyed at the popup or it doesn't allow opting out).
uBO (in the common case) prevents tracking even when consent has been given. Subverting that is not against the GDPR because for the law, the consent is the only thing that matters.
This is why I love UBlockOrigin, that basic principled approach is a great thing.
They’ve been in that situation before, with the original uBlock, and they’ve learned not to trust their own team.
Originally ad networks were something you rendered out on server side hitting their APIs from the server, and in some cases dns via subdomain. Content hosts were more careful of the content of the ads because it hits their main host ranking.
First party / server side ads are actually preferred if you have to choose as you can limit the ads server side and rogue ads can be dealt with.
Ad networks from the late 90s to early 2000s were this way. Once popup ads took off they started making ad networks client side to not impact rendering on the server and ads could show progressively when inlined into the layout/script.
Today the ads/trackers are almost all client side as it is easier to integrate as more of a widget and less resources used on the server. The ad networks and trackers of today want to own all the data and not share it with content providers, plus being client-side it makes it easy to link data without the need for integration in each endpoint backend just the third party endpoints. Additionally third party ad networks may not trust that page views are organic with the api calls being implemented first-party server side, so they went client-side where they can validate actual page renders and lots of other time/click based metrics.
Ultimately sponsor ads that show up on sites/blogs/portals are usually first party server-side ads still. So as long as there aren't rogue ad networks on the server side or via DNS/subdomain then it may improve ads overall. Since first party ads are server side, unless routed via DNS to the ad network, at least the content provider incurs some cost from hosting it at least in bandwidth. If it is a subdomain that goes to an ad network that is full of dark patterns, that is not so great but it will still impact the host reputation in ranking.
Right now ads are a mess for a few reasons: so much tracking, taking up screen real estate and the marketing team pushing people to subscribe making the free content experience painful. Email/subscribe and ad popups are more prevalent than the behind the browser popups in the early days, very bad experiences.
I sometimes think the days of server side/first party ads and popups from the early internet are preferable to today's inline ads with videos that follow you down and autoplay nightmares all over the page with dozens of trackers and networks all in one. At least first party server side ads that are served up from a backend API hit to a third party or sponsors doesn't cause excessive connections, it also puts an upper limit on the amount of ads that can be shown before it hits costs of hosting and rogue ad networks impact the url reputation so the content hoster may be more of a curating check on ad quality.
<a href='http://doubleclick/adid'><img src='http://doubleclick/ad.jpg</a>
I never ran puch the monkey stuff, but I think that was something like <object src='http://hell.com/argh'>
I think however it's time to grow up and stop playing this cat-and-mouse game. Advertising is crucial to the web and should be allowed. We should be shifting towards ideas that decentralize the tracking itself (like Brave does) or allow users to completely control and explicitly switch their advertising tracking identities
there comes a point when the content is just not worth it
doesnt scale obviously
we're headed back to the "golden age" of TV advertising except via http instead of radio waves/cable
https://addons.mozilla.org/en-US/firefox/addon/hohser/?src=s...
at least we've had ad blockser on browsers that work well up to now
the tracking of web ads obviously vastly overshadows what happened with TV.
they obviously want the best of both worlds "avoidable ads" and "extreme tracking"
I don't think you can categorise those as "distracting".
Also, 95% of the time the live-chat functions on websites are obnoxious. If I have a concern, I am happy to open a dedicated chat page. Having a chat widget on every single page is annoying and unnecessary. But that's just my opinion.
Are you sure you are not able to do your website performance analytics from your server logs? More often than not, user agent side analytics end up collecting lots of unnecessary sensitive data, and sharing it with third parties like Google.
What's the privacy concern if I'm tracking on what pages my users visit? I'm not sharing those with anyone.
Small business owners like myself are hurt by these things, I can't afford to pay 4-5 figures to a developer to build a tool to analyze my server logs and won't give even 5% of the quality of data analysis Google Analytics or Mixpanel gives.
You can get this very easily on the backend side.
> I can't afford to pay 4-5 figures to a developer to build a tool to analyze my server logs
No need to bother, there are tons of easy SaaS tools like Splunk in that marketplace already.
Frankly, that's your problem, not mine as a consumer. If I want to give you feedback, I'll let you know. You could always ask me, too.
Individually maybe it's not your problem, but taking that as a larger group becomes a big problem.
This isn't exactly a great future but we need to accept that nowadays most people don't care about tracking or ads. This might change one day, but it's the status quo.
I think that anti-ads and anti-tracking, if trying to work alongside the full feature set of the Internet, is fighting a honorable but eventually losing war. Even if someone sorts out this particular issue, you are still tracked by 1) Your ISP and 2) other subtle client fingerprinting technologies. You can use Tor/VPN/disable JS but all of these have downsides.
All we can do is to fight with our time and wallets by not visiting places that don't support our values. This is possible and not different from the world we live in already.
May be more of a challenge with trackers as they don't to show ads per se, but may be the same technique can be used with "randomly" generated URLs - train an AI to dynamically make a guess whether the sub-domain (even first party) is a tracker or not. There may not be a clear marker, but there is always a pattern...
It need not be a subdomain. Analytics could be proxied from the main domain.
Which is unfortunate, because it's already started that many places won't even render plain text without javascript.
> I think that anti-blocking and anti-tracking, if trying to work alongside the full feature set of the Internet, is fighting a honorable but eventually losing war.
For me it's less about "tracking" and more about tracking with aggregation. Self-hosted things like AWStat and Matomo (formerly Piwik) are fine in my book. It's bringing together those analytics across different sites which is problematic.
Ironic ain't it?
I already suggest people use these edge workers to anonymize-then-collect analytics (e.g. via [0]) if they can't be bothered to host their own solution. Of course we all prefer self hosted, but even this is better than third party js.
0 - https://developers.google.com/analytics/devguides/collection...