147 comments

[ 3.5 ms ] story [ 123 ms ] thread
Very nice and simple explanation. Worth reading if you still do not know.

I am not a bot despite sounding like one.

That's what a bot would say.
>Safari and Firefox both block many third-party cookies by default (which is why I had to change Firefox’s privacy settings to get this experiment to work), and as of today Chrome doesn’t (presumably because Chrome is owned by an ad company).

Wow. I am very strongly considering switching to Firefox now, just from this paragraph.

Actually, this has been a strong focus of Mozilla foundation for years. The good news is that Mozilla has done a lot of refactoring / rewriting of its FIrefox codebase during the last year, and Firefox is now on par with Chrome regarding the technical aspects.
FF also makes it easy to run tabs in their own containers. They've thought a lot about privacy.

Plus they fixed their issues with performance, so it works just as well as the other browsers on my mbp.

I was highly amused just a few days ago when a 1080p60 YouTube video was not playing correctly in Chrome (dropping frames), but played perfectly fine in Firefox. Resource utilization was not the problem on that machine. I tried restarting chrome, disabling extensions, etc but it seemed to just be some weird bug.

I will also take a moment to rant about the fact that YouTube allows you to select from a bevy of lower resolutions, but doesn’t allow you to select a lower frame rate. Many times I would rather watch a 1080p30 video on slower hardware instead of the 720p60 I am forced into selecting.

> I will also take a moment to rant about the fact that YouTube allows you to select from a bevy of lower resolutions, but doesn’t allow you to select a lower frame rate. Many times I would rather watch a 1080p30 video on slower hardware instead of the 720p60 I am forced into selecting.

I've thought about this too. I'm not certain, but I suspect this has to do with streaming video compression, specifically the fact that most video compression schemes I know of are temporal (i.e. they can eliminate the need to transmit a lot of data based on unchanged or productively changing pixels between consecutive frames). With a lower frame rate, the probability that pixels in consecutive frames being related decreases. That's my guess anyway.

In these cases 1080p30 is typically available. AFAIK there is a setting, only available to logged in users. If you are not logged in then youtube-dl is also an option. I also used a browser extension before to reenable the lower framerate options, but it stopped working.
Firefox even has its own Facebook container these days.

I recently went to a website which had 250 (!) tracking cookies for marketing purposes... As you might suspect it was ridden with ads.

I don't understand why they don't have the same for Google. The FB container does not only force the facebook and instagram sites into that container, but keep the rest out, and disable buttons on websites that open in other tabs. Google is such an obvious candidate for this, but maybe their relationship with Google comes into play here?
The Google container is less useful than just manually putting your Google session into a container because I would assume you don't want all your searches to go through your logged on session.
250? Geek Tyrant injects 400 just for marketing and 500+ in total!

I stopped recommending them.

If you block third party cookies without having built out fingerprinting prevention, trackers switch from cookies to fingerprinting, which on balance is probably worse. And if you prevent that, sites need to serve ads without any information about the user they're serving them to, and make about half as much money.

Chrome is working on fingerprinting resistance and developing privacy preserving APIs that can replace third party cookies: https://www.chromium.org/Home/chromium-privacy/privacy-sandb... https://blog.chromium.org/2019/08/potential-uses-for-privacy... https://www.blog.google/products/chrome/building-a-more-priv...

(Disclosure: I work on ads at Google, speaking only for myself)

I would assume that trackers always do what's in their best interest. Your claim that fingerprinting is both just a fallback and probably worse for the user thus does not add up to me. Wouldn't they always use fingerprinting if that is more powerful?

> Chrome is working on fingerprinting resistance and developing privacy preserving APIs that can replace third party cookies

And what will their (business and thus vital) interest in doing this probably be? Probably not what's in my, the user's interest. But what's in their customers' interest - advertisers.

> I work on ads at Google

Well...

(Thank you for the disclosure though.)

Chrome doesn't need fingerprinting at all. If you are using that browser, you are already being tracked at all times. So by implementing fingerprinting resistance in the most popular browser, Google can thus hurt the competition while merrily continue their tracking business as usual.
Yep, on the occasion I need to use chrome it's very upset by the fact I'm not logged into my Google account. I'm sure most users log in. So Google really, really knows who you are.
The profile will connect to Chrome if you use any Google products with a login. changing this is opt-out
Is it possible to get Chrome to never nag me to create and log into a profile? When I open Chrome right now it asks me to authenticate or "Browse as Guest."

Honestly it's kind of a rhetorical question because by having the nag screen the damage is already done to Google's reputation and it makes me feel really icky. Opting out of the nag screen just hides the grossness, and I would rather be reminded that using Chrome, and by extension all Google products, is just a bad idea.

If you read the links I posted above, Chrome's plan is not "implement fingerprinting resistance while leaving third party cookies alone". It's "implement fingerprinting resistance, add new APIs that give privacy preserving ways of doing some of the things third party cookies are used for today, and remove third party cookies".
The problem is Google tracking, not just third parties.
Google ads don't have any special access in Chrome. They use regular cookies.
Why would Google even need to use cookies inside of its own browser which is linked to your personal identity? It's like saying Facebook uses regular cookies on its own website to figure out which pages you visit. I guess they could, but they already have your page view history so it's kind of pointless. If anything it sounds like a red herring argument.
Facebook does use cookies to handle identity on their website; that's how they know you're you.

Google's ad networks do use cookies for ad targeting, even in Chrome.

I'm not saying they don't. I'm saying they have a litany of other tools (I've spoken at length with engineers at Facebook about how they do this) that really make those unnecessary. Obviously you know more about how Google does it, and admittedly ads is not my wheelhouse at all. But from what I understand: it's overkill.

If you can point me towards a source that discusses the technical details of how Google tracks its users, I'd be interested in reading it.

> I'm saying they have a litany of other tools (I've spoken at length with engineers at Facebook about how they do this) that really make those unnecessary.

That's not how identity works on the web. Cookies are how every site tracks logged-in identity, including Facebook. To test this, clear your facebook.com cookies and observe that you're logged out.

I think we're talking about different things. I'm saying they don't need cookies to identify you, not that they don't use cookies for anything. Saying Facebook can fingerprint its users without cookies isn't even a controversial statement. Otherwise how would they track users without accounts?
FB can track users without accounts via cookies; you don't have to have a login to use cookies.

But they may also be fingerprinting; I don't know how they do things.

The key thing from my perspective, though, is that Google ads don't have any sort of special treatment in Chrome.

> Wouldn't they always use fingerprinting if that is more powerful?

Fingerprinting is less reliable and more difficult to use, but it's powerful enough that multiple companies will have a clear picture of your browsing history whether your browser blocks third party cookies or not.

Fingerprinting is worse for users because you don't have control over it. If you open a private browsing window, close it, and open another one you're a different user from a cookie perspective but the same user from a fingerprinting perspective.

> what will their (business and thus vital) interest in doing this probably be?

My understanding from what Chrome has said publicly is that they're trying to get both (a) websites can make similar money from ads as they do now, keeping browsing free and (b) users have much more privacy than they do now, keeping third parties from being able to compile browsing histories for users.

Users benefit from (a) because they value these sites and from (b) because they don't want their browsing histories leaked.

> And if you prevent that, sites need to serve ads without any information about the user they're serving them to, and make about half as much money.

So the reason why Facebook (that I rarely use and block using the Facebook container extension) serves me better ads than Google (that has known me since before I left school) is because Google is clueless?

Seriously, for a long time I gave you the benefit of doubt but now you are just annoying. You make and then destroy products I love and can't even use the 23 282 192 million signals I have left behind over the years to give me ads that isn't directly insulting to me and my family!

Seriously: I think even your ads were better before even though I never bought anything (didn't gave the money back then).

At this point, they're not that great at either ads or search. They just have a huge amount of market share momentum behind them. They're then able to then use this to influence and mold the web in the direction that suits/grows their business. E.g. AMP, HTTPS, google-play lock-in, no-root access on devices, and a host of things that all synergize with each other to make it next to impossible to fight back as a consumer (even a skilled/informed one).

Regarding them not being that great at search. It's non-trivial to see how blog-spam and fake generated websites are pummeling google's results. We've all encountered it, and have learned to kinda skim/ignore it to get to what we really want, but it's there, and it's dragging us all down.

Not only that, but here we are more than 2 decades since they started, and being one of the largest data companies in the world with untold amounts of potential training data, and they can barely do basic search inference. They practically guess the most likely "thing" you are actually searching for and don't bother to go further. Checking whether the content of the site speaks to the "thing" or "noun" that you want instead of just having it as text inside of it? Forget it. Maybe if I append certain things it means I want the thing I'm searching for to be somehow related to this additional term?

Call me crazy, but I would have imagined that at this point we would be living in an actual digital super age instead of what we have now. I am no longer going to say that we have "all of humanity's combined knowledge" at the tips of our fingers. We simply don't. We have basic facts and a whole host of brain-vomit content that I have to read/watch in order to extract the information I need, without even being able to tell how authoritative it is.

> So the reason why Facebook (that I rarely use and block using the Facebook container extension) serves me better ads than Google (that has known me since before I left school) is because Google is clueless?

While Google has a lot of information, most of it is not eligible to be used for ad targeting. For example, Gmail data can't be used at all, and Search data can only be used in cases where information about what you were searching about won't be leaked.

A site could make a lot more money by selling its users' passwords to the highest bidder — that doesn't mean we shouldn't try to deny them that income. Without sharing personal data, ads can still be relevant to the scope of the site itself (less so for incredibly 'broad' sites such as facebook, of course, but they get compensated by having a much larger audience). A site can also gather whatever personal data it wants, and serve its own ads.
My immediate reaction to your comment was "How do you not know that?!" (I'm sorry.)

However, if people frequenting a tech forum are not aware of the privacy benefits that Firefox has been pushing for a long time now, we as "tech folk" have a responsibility to push out the message.

So you can find out more about Firefox tracking here - https://blog.mozilla.org/blog/2019/09/03/todays-firefox-bloc...

And the Firefox Facebook Container may also be of interest - https://www.mozilla.org/en-US/firefox/facebookcontainer/

Hopefully, you're now reading replies to your initial comment in Firefox!

I knew Firefox was working when within about 6 weeks of switching over on my computer and phone (along with using DuckDuckGo and the Facebook container feature), I started getting ads telling me to practice law in Pennsylvania and to fix my weird sideways penis.

Both of which were thankfully completely off target. Apparently those two categories are the birdshot of advertising.

Genuine question: why do you prefer ads for things that are irrelevant to your interests over ads that aren't?
I can't speak for the person you're replying to, but for me it's a sign that the advertising brokers/sellers don't know enough about me to advertise intelligently. Therefore they have less of my data (or less specific/identifying/informative data), which is a good thing for several reasons that have been discussed many times on this forum.

Worse advertising is a sacrifice I'm willing to make (as much as I do really like ads for things that are on sale when I happen to need them).

From context, the OP likes it because it provides evidence that surveillance efforts against them are failing.

For me, a second reason to prefer them is that ads are noise. If the semantic content of that noise stays irrelevant, it is easier to ignore.

People can have a ton of other reasons, like avoiding temptation.

My turn - genuine question: did you honestly not know people feel this way?

As evidenced by your and the other comments, there's more than one answer to the question. The parent's explanation for knowing if their defensive measures were working were novel to me, so I was curious as to the motivation.
I know for myself, I always find it curious how people are against targeted advertising in certain areas, but completely willing to accept it in others, sometimes without realizing it. It's always amusing to me reading this on HN where targeted advertising takes place and no one bats and eye.
Are you a targeted ad by your own definition then? If everything is targeted advertising then nothing is, which seems to be your thesis.
> Are you a targeted ad by your own definition then?

How am I a targeted ad? I didn't say everyone on HN is a targeted ad. However, HN does show targeted ads.

> which seems to be your thesis.

Not even close. You should reread my comment for what it says, not what you want it to say so you can try to reply with a witless comment.

Sorry I thought you were saying something worth commenting on, but you were saying something else. Can you point me to some examples of targeted advertising here? I mostly see comments and submissions and if those can count as ads then that’s not a useful definition of ads to me. Maybe you mean something else though.
I am not totally against targeted advertising when I am being targeted based on my activity on that site, but I find it really creepy when ads are targeted based on things I've done outside of the internet, or conversations I've had. I don't like the idea that my activity unrelated to a specific site is being stored somewhere and sold to companies that could theoretically use it for whatever they want.

I don't mind supporting companies by not blocking ads on a page, but I do mind being "followed" by them around the internet and IRL.

I don't mind being targeted as well and if they push me cheaper and better promo all the better. It's despicable however if they start to skew the prices in their favor due to your interest in the item.
Not GP, but: for me it’s never been about the ads. Poorly targeted ads are a sign that the advertising companies don’t have that much data on me, which is what I really care about.
My perspective - I do not want to see ads relevant to my interests. If I want to buy something that I care about I'll do my own due diligence for what a good product is. I don't want to be lied to and distracted by junk marketing trying to convince me I should buy something.
Neither of those things you described are useful to me in any way. I would prefer the one that has respect for my privacy.
Irrelevant ads are way easier to ignore. It's so off-target that your mind doesn't even loose a cycle trying to make sense of it. Then you get so used to not paying attention that the occasional relevant ad gets ignored too.

In short, this allows me to strengthen my focus. Even though this all happens semi-unconsciously, it makes me more immersed in the content I'm actively trying to pay attention to.

And then there are irrelevant video popups...
It's not only about the relevancy of advertisements.

I'm sure they'd prefer or even like advertisements that are relevant from page content NOT invasive personal tracking or profiling.

IE: You go to a bathtub website and see an ad for rubber ducks and soap because those products make sense with bathtubs, not with the users browsing history.

Sadly, sacrificing relevancy is currently the only move to speak out about tracking, as a consumer.

Simply because things I'm not interested in don't look interesting and therefore don't distract me.

Let's say I like cars and I don't care for travelling.

If both sides of the page are background image of a car, I will check what car it is because I like cars. If it's a huge picture of a beach I won't even notice because I don't care for beaches.

The ads can be made relevant relative to website's content, not my previous activity. If I'm reading a tutorial on how to fix something there may be ads for tools that are required for that. This is very relevant to me and at the same time does not need any information about my previous browsing history or other activities.

On the other hand, when I'm later visiting pornhub I'm unlikely to consider purchase of those tools even though they may appear relevant to my interests based on my previous browsing history. On the other hand, I am more likely to be interested in meeting hot moms from my area then - which is again solely context based.

Not op but I'll answer:

Advertising works, on everyone, including on me.

No matter how hard I try to not be affected by advertising, I can't stop it from working.

Now, with that said, if I have the option to be exposed to an advertisement for a category of products that I am likely to purchase anywhay, or a category that I will never purchase: Isn't it obvious that my behaviour is more likely to be influenced by the relevant add than the irrelevant one?

Some people might think that the word "brainwashing" is too strong to be used for describing advertising, and maybe it is, but is it really that strange that I would prefer a tiny amount of "brainwashing" over a small amount?

I want sensible target advertising. As both a consumer and once shop owner I find the advert to be very powerful. The problem is I think current was of Digital Data Gathering and target advertising is going way off track.

I dont have a solution, as often it is with all these questions, but I hope there is a better way going forward.

I use firefox focus on mobile to erase my history everytime I close the browser.

So I am in a similar position as you in terms of getting the ad companies to just throw random guesses at me.

But here is what gets me. There is this new push by YouTube that let's you clearly label your videos just for kids.

If I am on YouTube and I am playing a video that clearly is made for only kids, why does YouTube show advertising that is targeted for adults?

I use Focus for ephemeral browsing (about 70-80% of what I do), and Firefox Mobile proper on iOS for anything I need to hold history or state within. Hope more people recognize the value of Focus for that reason alone.

Perfect mobile duo for me.

> if people frequenting a tech forum are not aware of the privacy benefits that Firefox has been pushing for a long time now

Maybe it's because this is a tech forum. I take care of cookies and third party (and even first party) resources myself - so I don't know and don't care what Firefox does by default. Defaults are good for the other 99% of the people (who usually don't visit tech forums).

Doesn't Chrome have a "Block third-party cookies" setting (disabled by default) that you can enable in Settings > Site Settings > Cookies and site data > "Block third-party cookies"?

I'm under the impression that Safari and Firefox have this enabled by default. Is the only difference that it's disabled by default in Chrome?

Safari and Firefox both have a blacklist of known trackers in addition to cookie blocking. Not only that, these browsers also fight against other means of fingerprinting.
Safari does not have a blacklist of known trackers; it generates one dynamically based on tracker-like behavior it sees as you browse.
Even if it's true it's a huge difference. Very few people are going to a) think about this issue and b) know the right terms to google for a solution and/or c) dig around in their browser settings to find the setting.
It feels telling that Firefox puts their Enhanced Tracking Protection settings pretty close to upfront as possible, and Chrome’s “Block Third Party Cookie” setting is for all intents and purposes to a non-technical user, both buried and off by default.
That paragraph alone just made me decide to switch to Firefox. In only 30 minutes, it blocked 120 (!) tracking cookies.
I use Firefox and what is ironic is the integration with Pocket - an on-by-default service that has tracking pixels [1]

[1] https://getpocket.com/privacy#passive

Huh. I didn't know that.

But I've always disabled it, on general principles.

nice, quick intro in to how this crap works. combining DNS blackholing, plus adblockers and firefox or brave will make the biggest difference. :)
(comment deleted)
https://jvns.ca is full of explanations that bridge the gap between general, layperson understanding and actual technically applicable knowledge. She’s helped me relearn the Linux/bash ecosystem after a decade of absence.
@jvns you can fix that ugly content overflow [1] with this:

  .entry-content code { word-break: break-all }
[1] https://i.imgur.com/ajiycSw.png
Heads up that there's a repeated word in the first sentence too:

"I spent some time yesterday talking to a reporter yesterday"

Thanks for the post — I enjoyed it!

That's all nice, and I thank Firefox for blocking all these, but once there are too many browsers or extension doing the blocking, I wonder what will prevent sites to implement tracking server-side instead of client-side ?
Serverside doesn't have access to my tracking cookies. It has to be a request initiated by my browser to the third party domain
They will definitely keep tracking users based on info available to the server, like IP address. However that is orders of magnitude less precise than what is in place now.
Is it less precise? http://uniquemachine.org/
It certainly should be. You can make it much more precise with the tracking mechanisms that browsers like Firefox are blocking now (tracking pixels, 3rd party cookies). It's the difference between having a snapshot in time available to a specific site vs. a whole history across the internet.

Facebook can't show you customized ads if all it can recognize is that it's you. It already knows who you are, you told it by logging in, now it needs to know everything you're doing everywhere else so it can connect all those dots to you. This can't work if all it can say is "this is definitely voidmain0001 from their home computer but I know nothing else about them". The only way is to share that tracking between companies which is more difficult and still more limited in scope than 3rd party cookies.

I know you are voidmain0001 here and can read all your comments. But if I have no idea who you are on amazon.com so I can sell you your favorite tech in my ads then the usefulness of this information is limited.

Just as a rule of thumb, if those mechanisms weren't adding to the precision then nobody would have invested so much in constantly developing them.

P.S. The site above keeps failing half way for me. "Computer says no" type of thing.

Just like first party ads (hosted by the same domain) first party tracking is really hard to block.

But its a lot safer and better in many ways. It forces the site you are visiting to keep the ads safe an only track you when you are on their property (an in turn follow laws were they are located, GDPR in the EU for example).

> tracking pixels: it’s not the gif, it’s the query parameters

Sometimes it’s also the base URL too.

Exactly, You're just a mod_rewrite away from serving a single gif under infinitely many names. All you have to do is include a unique name in every email, and then look through your log files to see if anyone came for that gif.

Tracking pixels are a pretty ancient technique and for good reason. It's basically no effort at all to set up the basics, and only a tiny bit more effort to get fancy at it and stick the accesses in a database instead of in the server logs.

The first party website can’t see the tracking cookie so now tracking is compartmentalized for every first party and there is no more tracking across sites. Quite a win.
Hey, I ran one of those trackers once. Good stuff, though you only captured one aspect of the domain. Enabled lots of content. Good times, good times.

There are a couple of other use-cases other than the 3rd party ID-syncing use-case without a 3rd party cookie. You can record information through one of the client-side onboarding providers on their side. Though, to be honest, they have pretty big latency.

If anyone's curious about why tracking pixels use a gif, here's a great explanation: https://stackoverflow.com/a/6639140
You can do a png instead of a gif. It would be ~68 bytes instead of ~35 bytes. A webp image would actually be 1 byte smaller than the gif. So perhaps Google will move to that if Safari ever caves and supports it.
I was going to say: isn't "Content-type: image/webp" one byte larger than "Content-type: image/gif", making this useless?

But apparently 204 No Content allows you to omit Content-type. Leaving this up in case anyone else was wondering :)

In most cases, you can simply just return 204 status code (for empty response) to shave away the bytes used to serve 1X1 pixel.

The pixel is simply there to make the request.

This article is brushing a lot of stuff very fast. In reality there is much more to it:

1. You don't need to visit Facebook properties for them to link your activity to you. Unless you're a brand new user and they have never finger printed you...

2. Referrer might be in the pixel tracker, but there is way more to that, including product IDs, product costs, your stage in the funnel (have you Added to Cart but not Purchased?), product category, etc.

3. Everytime a Facebook owned property (or piece of: Like button, FB connect) is 'used' by a device you use, then you can be sure the relation between you and that Pixel call is made (ahem, improved).

Install the Chrome Extension Facebook Pixel Helper, and check what happens when you use an ecom site. You'll be amazed to see what is shared with Facebook (no PII though).

In particular it would be interesting to go into why and how these 3rd party trackers get included on a page. I mean, the answer to both is obviously "money", but how does it work in practice? Old Navy agrees to implement a facebook tracking pixel in every page? Or it comes "for free" with a like button? etc.
The Like button primarily allows Facebook to monitor your presence across the internet. Tracking pixels can be deployed on a page by page or site-wide level (included like analytics scripts) to enable remarketing or retargeting.

The site-wide implementation will, for example, enable URLs that meet %string% to be grouped into a "segment". And then you can serve specific ads to that segment while excluding others

It's part of the onboarding of any Facebook Ads user (i.e., advertiser) to implement the Facebook Pixel on their site.

Without it you're not going to achieve much on Facebook as you need to feedback their system when a particular ad had an impact so that they can model the ad delivery accordingly and get you more converting users. Whatever your conversion is (viewing a page, registering, purchasing).

The pixel is something Old Navy might actually seek out. They want the insights and increased ad roi that they provide.
For anyone marketing something, installing browser add-ons to cleanly parse tracking params, event calls and adtech/martech used on sites can yield some valuable competitive business insights.

You'd be surprised at how many businesses do things like label things identifying their high value audiences, creative or products just to have it human readable in other reporting with zero obfuscation. Likewise, you can see if they are using any interesting tech you are not.

(comment deleted)
Social media ("like") buttons are the ultimate tracking pixels, and they're not even hidden.
Most end users don't know that it's used for tracking their behavior online, so a lot of the meaning on what that's used for is hidden.
I don’t see how, in 2020, any conscientious member of this site could justify their use or advocacy of Chrome. It’s an evil product peddled by an evil company for evil means. The alternatives are as good if not better from a usability perspective.

Safari is great if you’re a regular Mac user.

Firefox is great if you’re a dev on any platform.

Chrome is toxic evil that needs to die for the good of humanity.

To be fair, one of the biggest reasons I still kinda stick to Chrome is due to its speed when it comes to Google products and other "web apps". Maps, Outlook365, Gmail are all absolutely horrendously slow on Firefox on Linux. And seeing as the entire web is going down this schmancy route of making everything under the sun a bloated, interactive "PWA/WebApp", it puts as in a corner when it comes to wanting to avoid using Chrome.
Microsoft’s IIS used to skip a lot of protocol if you were using Internet Explorer. It made pages load a lot faster.

Seems like Google is running the same hustle.

I think so... Could be anything from hidden JS optimizations, SPDY, server-throttling. Last time I looked, my anecdotal and probably biased investigation into it appeared to indicate that the actual requests were slower on Firefox. Nevermind the question of why Gmail needs to make 230+ requests to the server to start up.
There's still some sites where chrome just works and Firefox does not including major sites like Periscope. I'm confident I could clear my cache/cookies, disable plugins, or other wizardry to get it working but in reality I just use chrome for these sites. That's why I'm a Firefox user but not an advocate. My mom can't handle the idea of using a different browser for some sites.
I can have some weird cases on firefox Linux, where it isn't rendering perfectly. This might be me though, it's generally when I'm developing.

Just sometimes I'll go 'display: flex; justify-content: center; align-items: center;' and the content will end up about 5px above center. I'll be like 'WTF?' for a minute, then run it in chrome with no issue.

Not sure why you're being downvoted, this is sad but 100% true. For me, it's only a very rare site that doesn't work in Firefox, but one of them is my medical account. No choice but to have Chromium installed, otherwise I can't view my lab results, read my doctor's notes, and pay the bill. I assure you I don't like it but it's a fact of life.

I only use it for those very few sites (less than 1% for sure), but not having it handy at all is just not an option.

As for my mom, luckily she hasn't had any complaints so far, so she just uses Firefox as it's what's installed by default. I certainly don't think I could train her to switch between two different browsers, though. If it came to that it would have to be Chromium full time, there.

One site that deserves a plug here is binance.com. They stopped working with Firefox a couple of months ago, but it was fixed in 2-3 days after I reported it. I guess a little healthy (heh) competition goes a long way.

Whilst I largely agree the quality of life developing in chrome was better than any competitor for a long period of time. Expecting everyone to stay in the loop and switch over night as firefox / alternatives have caught up seems silly

V8 is a powerful runtime and has enabled some great products regardless of Google's history in areas

I guess this will probably be unpopular on HN, but...

I still use Chrome. I don't feel the need to "justify" my use of Chrome. I like Chrome. I care about internet privacy - I use ublock origin and have JavaScript disabled by default, and only reenable it for sites I really care about.

But I don't really have strong opinions about internet browsers. I used to use Firefox, but a few years ago I started using Chrome and just found it to be better for my habits. I like the tight integration between Chrome and my Google account.

I use a Google Home and several Nest products at home (granted they're on their own VLAN). I use GSuite for my personal email, and Google domains for my domain names. Chrome is just another drop in the bucket, and I can't be bothered to change it. I also tried using other search engines, and somehow still found Google to be more helpful for me despite everyone saying DuckDuckGo has reached parity.

I guess that makes me morally compromised, or supporting a "toxic evil" or whatever, but I just don't care that much. I'm self-aware in my apathy, I guess.

Don't let them make you feel bad about yourself. It was a little overboard in my opinion, I thought they were about to say you're a Nazi if you use Chrome.

Knowledge is power, just be aware of what is going on with your apps and make a judgement call for yourself. Lately I've been enjoying going to brick and mortar stores and don't go to Facebook at all. Who still uses Facebook? And if I end up seeing an ad, I don't let it ruin my day.

Firefox and Netscape before it go through weird phases of “we have to do a rewrite!” And then for the next 3 years they fall horribly behind and lose a huge chunk of market share.

After the rewrite they become quite good again but you can’t blame the people that jumped ship during the dark period where it seemed like nothing was happening.

This comment breaks the HN rules against name-calling. Would you mind reviewing them? https://news.ycombinator.com/newsguidelines.html The idea here is curious conversation, not "evil ... evil ... evil ... toxic evil". If you post like that, you're inevitably going to provoke someone else into doing the same and worse, and then we get destructive flamewars.

Also, denunciatory rhetoric isn't helpful and isn't interesting. Google and Google and Chrome is Chrome. Both are behemoth topics on HN. They can't be substantively reduced to "evil evil evil", though thoughtful critique is always welcome.

We detached this subthread from https://news.ycombinator.com/item?id=21833134.

My apologies, dang. I’d had a long day and a few too many beers.
(comment deleted)
(comment deleted)
Its only a matter of time before the ad companies make their tracking unblockable e.g. by hosting something critical to the page, e.g. "make the webpage download jquery.js from our mirror, and you get all this tracking that can't be blocked!"

Isn't this happening already, and if not, why not?

Ad companies very much are building out cdn so they can do this. But it’s a complex marketplace and e-commerce/media folk are very reluctant to cede control.

Amp is probably the ad tracker cdn that has been most successful.

I was working for a web analytics company 5 years ago that would build in-house/on-premise solutions.

The on-premise solution allows an easy setup of reverse proxy tracking, which isn't blockable in any way.

I know a few companies who run well known sites that use this technique and I could imagine every one with money does it like that.

This is called CNAME cloaking[0] and it’s already happening in the wild[1].

  [0]: https://medium.com/nextdns/cname-cloaking-the-dangerous-disguise-of-third-party-trackers-195205dc522a
  [1]: https://9to5mac.com
Good and short description, but it's only a little part in digital marketing.

This is just retargeting, an old hat. You can do even more sophisticated things, like predicting what's the best next step in the sales funnel. In general, every step you take before you purchase online is recorded to build your customer journey. And there's a lot more data, like referrers, user agent, times and so on.

This crudely represents one way law enforcement and intelligence agencies (friend and foe) identify targets for further analysis. Think about ways this is weaponized a little more. We saw an example of this in the US Navy prosecution of Gallagher for war crimes.
> This crudely represents one way law enforcement and intelligence agencies (friend and foe) identify targets for further analysis.

What, using tracking pixels?

Ever since I enabled Dark Mode on Mac I started seeing so many 1x1 white tracking pixels on recruiter emails. Now I’ve disabled loading images by default in my email client.
I think I assumed 'tracking pixel' was just a metaphor — you mean they're literally serving 1x1 images? Why not 0x0 images? Why not a single transparent pixel?
Because no one thought that the background would change or something like dark-mode would appear ;) 1x1 image was "good enough".
I remember learning ~20 years ago to always set `background-color: #fff` since, in those days of Netscape, a user could easily customise their browser's default background color. It was very useful to have someone on the dev team who was weird enough to have done just that! :)
Well, you still can.. (browser.display.background_color in Firefox)
Sure, but that's why I said "easily" - iirc, it was more an end-user feature than a power-user one.
All of tracking pixels I've worked with come with a css attribute "hidden", so they don't actually show except in some edge cases.
Huh... I thought browsers didn’t fetch hidden images. Or is that only if the image or its parent elements are "display: none"?
I don't _think_ either case it true.
The pixels are transparent. Gif was the earliest format that supported this.

0x0 pixels arent a valid image, iirc.

I know it's possible to load remote images in emails, but I don't think I've heard of anyone doing so until now.
I use a browser extension on Chrome called PixelBlock to (hopefully) kill those email tracking pixels. The extension displays a small icon on emails where blocking occurred.

This is the description supplied for the extension: "PixelBlock is a Gmail extension that blocks people from tracking when you open their emails."

Yeah, but this is about the Internet as a whole not just Gmail IMHO. You need more than that extension to block it then.

I use Privacy Badger by the EFF. They block all kinds of tracking.

Also using Firefox will prevent Browser fingerprinting and such.

Wait, so it's a literal pixel?
everyone should do this.

On mac turn off: Mail -> Preferences -> Viewing -> Load Remote Content in Messages

Without it, viewing a spam or phishing email will confirm your email address.

Viewing other emails will confirm that you viewed it, when you viewed it, how many times you viewed it, etc.

sigh, what a cesspool.

The "how many times" isn't always true. I work with email a lot at my job and email image caching is getting more aggressive.
Thank you for sharing this. I work with marketing tech, and having this laid out allows me to share with them a little more of the tech that we rely on.

And, it allows me to remind them that our work is utterly terrifying in terms of privacy. That's (part of) why I use Pale Moon, I have control of what gets downloaded or sent to servers.

Do any browsers or popular blockers object to these things if they aren't setting cookies?

I've used a 1x1 transparent image on many pages on my site for a long time, with a simple page identifier attached to the URL, such as "?index" for the main page.

This was simply for convenience in analyzing logs. If I wanted to know which of those pages were visited in the last N days, it was a simple matter at the command line to take the logs for those data and make a quick report that counted how many times that image was fetched, broken down by page identifier.

So Google is hosting fonts because they are a nice company that is just providing us with free fonts?

Think again.

If you block tracking pixels you should also block the loading of external fonts. Extra bonus: fast loading pages.

Some CDN also exist for this reason.

Not only fonts but any resource.
The font resources are hosted on a cookieless domain and sent with caching headers. None of this applies.

The reason Google is hosting fonts is to make the web an attractive platform, so they can monetize you in other ways.

So my IP address never ends up in their logs?
IPV6 privacy extensions make IP addresses have very little tracking value, but this article is about tracking pixels, and Google Fonts clearly don't apply here. If you set your Referrer-Policy headers correctly, Google doesn't know which pages your users are visiting.
The trouble with this is that many websites nowadays use fake fonts where the glyphs are the icons that make up the UI. Without the font, you don't see the icons, and thus have no idea what the various buttons and labels do or mean.

It annoys the crap out of me because I'd love to disable fonts for the simple reason that having every page use its own font for text is distracting. I don't need my eyes to adjust to a new font for every page. I want to pick my favorite font and only ever see that one.

On a completely unrelated note, I'll never forgive Mozilla for removing support for gopher urls in the browser.

Would also recommend Brave for privacy-conscious users.
A future web browser will allow fine-grained access control for 1x1 pixel images (and other objects) that are retrieved from other domains...