If legal action would be taken, shouldn't browser have the controls regarding tracking preference? Setting up each page (provided that 'No' would still load page in either full or stripped-down variant) on each devices owned and/or reapplying choices whenever browser cache is cleared would be frustrating.
Maybe DNT should return as respected feature within browser and user choice shouldn't affect the access to the content but only its form.
Exactly. That's how we ended up with the terrible cookie warnings. The funny thing is that GDPR has language about respecting the DNT but no one cares.
Those who abuse it the most will just move to a jurisdiction where it is allowed. Or they'll do it anyway, since many of the worst threats on the internet are already criminal. On the internet, technical solutions > legal solutions.
There are clearly some things that are economically viable as a criminal enterprise, but I don't think tracking people for ad targeting purposes is one of those things.
Tracking only pays if you can track a huge number of people and sell ads to a huge number of advertisers. The profit per tracked user is too small to pay for running a criminal enterprise.
Moving to a different jurisdiction is impossible as your customers (the advertisers) and the sites/apps where ads are placed would still be breaking the law.
> There are clearly some things that are economically viable as a criminal enterprise, but I don't think tracking people for ad targeting purposes is one of those things.
True, most illicit ads tend to be non-targeted. But some criminals do things like blackmail, fraud, espionage, etc. using tracking data.
> Moving to a different jurisdiction is impossible as your customers (the advertisers) and the sites/apps where ads are placed would still be breaking the law.
That all depends on the specific business model, business partners, and their presence. Regardless, what I describe is not conjecture, many companies are shuffling around data to avoid GDPR rather than comply.
A different company without a physical presence or business partner in the jurisdiction in question, might have little to no incentive to follow the law.
In the end, even if companies are breaking the law, or even if they are fined, your data won't be protected unless they actually change their behavior as a result. Calculated non-compliance is a commonplace strategy for corporate legal compliance.
I don't dispute any of that. But what it means is merely that compliance will never be perfect. Companies will always test the limits of the law and look for loopholes.
Like with tax compliance, this will always be an arms race. But if the law raises the bar, they will jump a little bit higher on average.
It doesn't have to be perfect. Privacy is not black or white, and trackers themselves are anything but perfect.
I recently looked at the list of what Google thinks I'm interested in. It's funny. Supposedly, I have a particularly strong interest in vehicles and buying cars. In fact I don't even have a driving licence, never owned a car, never will.
The list goes on and on like that. They must have rolled the dice to come up with things like "Flowers" and "American Football". I feel my privacy is completely safe with these geniuses :)
For sure, mass marketers prefer quantity to quality. Google/Facebook are not doing anything particularly novel in the realm of what is possible, nothing more than is needed to get accurate enough across a large number of users.
It's the more targeted uses of fingerprinting and data collection that are scary. If you're a person with lots of money or influence, there's already someone out there who is specifically trying to collect data about you in particular. Those people and organizations are looking at the data in much more detail than mass marketers.
I think it worked wonders with GDPR which exposed all this pus. Unfortunately, there EU has been too slow acting on it. Only British Airways has been slapped with a significant fine so far.
IANAL, but this is not entirely true. Under GDPR data can be used by claiming "legitimate interest" [0]. In the case of legitimate interest, the user needs to opt-out rather than opt-in.
I rarely see opt in GDPR popups, it's typically "accept tracking" or "more options...", the latter seemingly sending you down an infinite rabbit hole. Well, now that I think about it, this might count as opt in, but this is definitely a dark pattern.
The other thing I often see is an "accept tracking" button, and a tiny "more options" link that just goes to a page explaining how to switch off cookies on your browser. I'm pretty sure that's not OK with GDPR as well.
Cause at this stage opting out included navigating many stages of dark pattern and deceptive pages, including semi hidden links and fake slow progress bars. Even on the biggest sites.
If, and I say If, these gangsters ever get hit with major fines, and we get the simple yes/no option that a few pages have, then it will be better.
Right now, the ad industry (or should i say Mafia) is trying to actively circumvent this legislation
The problem with fines against Google (and Facebook, too) is that it's peanuts for them. They just factor this in the same category as "legal costs", and it never affects them even remotely.
Nah, we just need enforcement so people actually have a way to opt out rather than being fobbed off with dialogs like "apparently we have to display this annoying popup to tell you we are using cookies because this is how the internet works now. [whatever, just take me to the page]", or "more options" buttons that take you to a never-ending maze with no actual way to opt out.
Actually stamp down on the sites taking the piss. Without teeth, GDPR is useless, but so would any other toothless solution be.
Many sites actually do follow it properly, i.e. they have the popup tell you that tracking ads are all OFF and if you want you can ENABLE them to get more relevant ads, but you are free to just dismiss it.
Once one of the big players that don't do this and instead have it e.g. opt-out are actually fined, I suspect more sites will begin to behave correctly.
It's also one of the reasons why people have become so acutely aware of the problem. When the umpteenth site asks you to consent to over 200 ad providers/trackers, there's clearly something wrong.
It also deals with 1st party cookie tracking. It clears cookie/storage on every page load as long as it detects that you're not logged in to the website (still buggy) using machine learning (NLP).
The next minor version (under development) will also allow you to block websites/domains from appearing from google search results, facebook feed, twitter feed and basically the entire internet.
It also blocks cookie/gdpr banners on websites.
(Signup on mobile does not work for now)
You can also add summaries/TL;DR for any link on the internet (right click) so others dont have to click.
For people that are fine with a manual whitelist there's also Cookie Autodelete: https://github.com/Cookie-AutoDelete/Cookie-AutoDelete. It removes all cookies when you navigate away from a website after a (customizeable) grace period. Usually this works fine, you just need to be careful when you tell it to erase cookies when the domain changes (rather than when the tab closes), some 2-step sign in procedures need the cookies from the original webpage to work.
I want a browser that allows first-party cookies, but auto-expires them if I don't visit the domain for an hour. It should also only allow one level of requests (i.e. if a site requests a resource, that resource cannot request additional resources from other domains).
The latter part won't prevent bad behavior, but it will force that behavior to be proxied -- which carries technical, financial and legal implications that will cause companies to be more careful about their downstream redirects.
I'm very curious on how 1st party cookies will be used for tracking.
How can they connect one website's cookies to another's?
All I can think of is fingerprinting, but afaik you can't really be sure "who's that" since fingerprinting filters people out, and isn't good enough to target a single individual.
I guess they can improve it, but there are ways to work around it too, it will probably be easier to fix fingerprinting than blocking 3rd party cookies.
Its seems that if 1st party cookies were as good they would have switched to it by now.
The interesting thing to me is that despite having 5M domains in their blocklist, they only have 8.2% of requests blocked. My dashboard currently says 36% of requests are blocked while having 125k blocked domains.
You might want to check if it's Firefox, VSCode or some other telemetry that's getting blocked. I had a similar percentage blocked until I disabled those apps phoning home.
Yeah, on our Pi-hole 45% of the blocked domains are only four domains. Three Microsoft at about 35% and one Google at 10%. But we also have uBlock on everything that accesses internet so that lowers the amount of google lookups.
pi-hole shows blocked DNS requests, it doesn't show the the number of the AJAX/Static request your browser tried to make, which is going to be quite larger and that may match your 36%.
Humans have always been experimental and some of us have never hesitated to use shady practices to increase profits. For instance, back in the day empires tried their best to restrict foreign products in their territory, no matter how much inferior their own products were.
Media advertising really started about 1850-1860, when there were mass-market goods produced that required advertising to create a market. Yes, there were earlier ads, largely of the classified variety, selling one-offs (often real estate).
You didn't have advertising without mass production, mass literacy, and mass media.
Hamilton Holt wrote in 1909 of the effects of advertising on his industry in Commercialism and Journalism, a short, easy, but highly informative read:
Yes, there were earlier ads, largely of the classified variety, selling one-offs (often real estate).
People were not literate.
Printing and publishing were expensive.
There were very few mass products.
Wikipedia: "The history of advertising can be traced to ancient civilizations. It became a major force in capitalist economies in the mid-19th century, based primarily on newspapers and magazines."
Barkers, criers, the odd promotional papyrus or clay tablet, a shop signboard, are not the mass advertising of the latter 19th, 20th, and early 21st centuries.
Mass advertising, such as it might be thought to exist, was largely propagandistic, in that word's original sense.
These kinds of sites are already behind a paywall for most of the content you'd want to see, as Graham notes. I do not understand why sites like the New York Times, which generate massive amounts of traffic as far as I know, cannot use other real estate on their websites to serve static ads with zero nefarious tracking enabled. The model already exists for their physical product. I fail to see why we can't have a version of the Internet that ports over that previously successful system.
I don't work in Internet ads; I work in hardware. So maybe someone here can help me understand why what I would otherwise assume to be a simple implementation is viewed as impossible. I'm obviously missing something.
https://www.theatlantic.com/business/archive/2014/06/a-dange... I suppose the explanation is that classic ads can be easily served by a multitude of agents and there will be no billion-dollar business. Nowadays, invested vendors have created a smokescreen so thick, noone ackknowledges that most of their ads are having 0 effect...
I think I get that "classic" ads are ineffective relative to installing a surveillance apparatus that has designs on influencing your behavior. So, perhaps you're right that it's investors that are causing this, who are demanding higher returns every quarter.
I also don't work in Internet ads, but my assumption would be that advertisers are unwilling to pay for a static ad to be displayed to e.g. 100k users when they could instead pay for ad that uses tracking to display only to the 500 users that might actually be interested.
And from NYT (or other publisher) perspective, 20 of the later is presumably more lucrative than 1 of the former
Availability of alternative business models doesn't matter. They'll just make advertisers pay even more money to reach an audience with disposable income and willingness to spend it. The fact is some executive is always going to show up and say "think of all the money we could be making if we just served ads and sold our user data in addition to our current business model!"
The answer is to make ads unprofitable. When someone pays for advertising, they must get no return on their investment. Only then will ads disappear from the web. In order to achieve this, all ads must be blocked automatically and by default, no exceptions must be made, and the blocker software must be pre-installed for all users.
You can present ads without serving thousands of cookies and tracking every movement of every customer, no problem. Magazines and newspapers did that for the 20th century, no problem.
Advertisers are overpaying for a more "targeted audience" but I suspect in the end the point is moot.
Simple case: ads that retarget you to something you googled previously (but they don't know you just bought it or gave up on buying it)
Yeah, but this ad cancer has spread everywhere. My Samsung TV just yesterday started showing ads for chocolate in the home hub, the TV that I bought full price, not subsidised, no nothing, started showing ads in my living room for chocolate. I saw threads on reddit about this some time ago this, but never experienced it,. Now, happening to me, it felt so weird and wrong, like my home was being invaded by a big Mondelez brand that I would never in my life buy.
Newspaper ads don't have tracking. TV ads don't have tracking. Why should web ads?
They don't have a right to a business model. I do have a right to privacy. If they can't come up with a viable business model that respects privacy, they don't deserve to exist.
It's like when people claim Google can't afford decent tech support. If that's the case then Google shouldn't exist.
Without actually digging into it, I would assume that nytimes loads js assets from a third party, that's the direct nodes from the center. The size of the more is the size of the js asset. That third party then injects yet another script onto the page. The next connected nodes represent these scripts and their size. And so on and so forth. These scripts ensure to the advertiser that their ad is actually being shown. The advertiser doesn't trust the hosting page to correctly display their ad, so the ad injects their own tracking script. That tracking script injects their dependencies. Thus this madness.
Every blob on the map is a loaded resource and an line connects every resource with whatever pointed to it. The reason you can get a tree is because of things like iframes that can then themselves request other resources. It might also be some 3rd party javascript requesting other third party resources.
This is obvious but I had Firefox containers & Decentraleyes enabled. This makes comparing the results to the output of the DevTools Network tab a little difficult.
Turn off all the protection to see the issues in the DevTools Network tab.
This isn't any better on the NYTimes mobile site. Everyone should be running Firefox for Android with uBlock extension enabled. Bonus: it reduces the network traffic so dramatically, it's like getting a new phone.
I use Firefox Focus. It's great for things like reading news articles because there no tabs. Just one page at a time. It has built-in tracker blocking but doesn't support extensions like ublock.
Normal Firefox for iOS with "Strict" setting enabled in the "Tracking Protection" section of Firefox's in-app settings menu reduces nytimes.com advertisements on the front page for me to basically 0. In my experience, it's just as good as Firefox Focus for blocking trackers and ads.
I use both on iOS. I generally open in Focus because it actually tends to be stricter. I find that if I open something in Focus I can, from there open in Firefox if blocking is too strict and sometimes it works. Another plus to using Focus, if a site is completely broken, I can just disable all blocking and not worry much about it because nothing gets persisted when I leave and blocking is automatically re-enabled the next time around.
Same workflow is pretty much possible without it, but it does make ephemeral browsing a bit easier.
I prefer using a browser on Android that has integrated ad blocking with no extension needed. As with ad blocking extensions, browsing becomes lightening fast.
Ublock origin uses public, transparent, editable block lists, I can not say the same about built-in ones and browser vendors could always have ulterior motives, be strongarmed into whitelisting exceptions and so on.
Brave on android also broadcasts your phone model in the user agent, unlike FF. They've said they would fix this and then let the GitHub issue languish for at least a year at this point.
I used to be conflicted about using ad blockers on sites I frequent and enjoy and used to actively maintain my block list. After all, I want them to earn money.
But almost all websites are getting out of control and I no longer have the time and energy to do that. So Firefox+uBlock all the way
>But almost all websites are getting out of control
And they don't care if you're a paying user! I susbcribed to the NYT, paying them fair money every month for a couple of years now, just to be subjected to the same mess regardless.
It's infuriating. Why should I even pay for the service when they still bombard me with ads and tracking?!
I used to feel that way too, until I got redirected to scam "you won an ipad" sites from mainstream sites I respected. They served me a bad ad, so I blocked and never looked back. Who knows how many times they silently tried to serve me malware?
You can make fast, light-weight websites without AMP. In fact, it's easier to make a fast, light-weight website than to make the modern request-heavy monstrosities you see today.
Just stop using 20 trackers and 10 ad networks, and stop loading so many parts of your page asynchronously. A news article should require zero JavaScript.
Shout out to nextdns.io, they run a global pi-hole grid. OK, it’s better, but conceptually.
”Block ads, trackers and malicious websites on all your devices. Get in-depth analytics about your Internet traffic.
Protect your privacy and bypass censorship. Shield your kids.”
All you do is point your DNS at it. (Or let one of their apps point DNS for you.)
But I really like the ethos:
”NextDNS was founded in May 2019 in Delaware, USA by two French founders Romain Cointepas and Olivier Poitrey. Olivier has been working on Internet infrastructures for the last 20 years. In 2005, he founded Dailymotion, the largest video sharing service after Youtube and the most popular European website in the world at the time. He is currently Director of Engineering at Netflix, working on Open Connect, Netflix's home CDN also known as the CDN moving about 30% of the total US Internet traffic. Romain and Olivier closely worked for years at Dailymotion on many different projects. Romain ended up leading the mobile & TV department.”
”We are true supporters of the net neutrality and Internet privacy. We believe that un-encrypted DNS resolvers operated by ISPs are detrimental to those two principals. Alternative solutions like Google DNS or Cloudflare DNS are great, but we think more actors need to step up and provide alternative services to avoid centralization of powers.”
In ~8 months it’s gotten mom proof while also being something I can recommend to techos. For me, it’s been more reliable than the enterprise Zscalar DNS filtering, and more configurable than other filters, particularly in allowing ad blocking and custom block lists and white lists along a rich set of built-ins.
I’m at 7% blocked out of 4 million queries in last couple months.
Pricing is surely very reasonable, but I'm not comfortable with the idea of paying for not getting something.
The whole system is flawed and building businesses on a flaw is a step in the wrong direction if we want to fuel motivation to solve that flaw.
The city of flint has a lot of water theyd like to sell you, it comes with extra so it follows your model. You should also love basic Hulu, they sell you a version that comes WITH added ads, such benefit.
In reality there are plenty of places you are paying for refined or filtered products. Organic or pesticide free foods, gas (you or your supply chain use it), higher end CPUs (less defects), it goes on and on.
Ok, but by paying you basically hand them your personal information which they can now tie to your internet access patterns. So now, besides your ISP, there's one more party with this info.
EDIT: they accept cryptocurrencies, so the problem is slightly less critical.
I do something similar by running CoreDNS on a pi with a bunch of blocks on domains. Works very nicely with caching as well, and the data stays where I expect it.
In this particular case I find it very dishonest: they talk about net neutrality and privacy protection but use Google Analytics. It does not matter if GA or Matomo is the best solution, they made the decision to use GA and thus don't seem to value their customers data that much.
What is it with this all-or-nothing attitude? GA provides objectively superior data and they probably get a lot of value from it, otherwise they wouldn't be using it - value which allows them to grow their business which ultimately benefits their users.
(at least for me) Considering the value of their service, GA on their marketing page seems like a very small compromise. If you don't like it you are free to block it - hell, they literally provide a service to do so.
The age, gender, etc. distributions of the people who visit your website. I don't know anything about GA, but I'm guessing they'd know this from the currently signed in Google account.
Sound like you're not arguing against Matomo but arguing that you really in fact do want to share data with a third party to extract information that your users very much did not consent to.
It's terrifying what comes out of the wood works sometimes.
This is not about all or nothing. This is about being dishonest in my opinion. It's like a doctor who recommends you to stop smoking because it's bad, but smokes on its own.
Sure thing, but the gigantic Google Analytics machine is hardly a small compromise versus all the other ubiquitous tracking.
I don't even consider it a compromise, because literally no one arguing to use GA anyway seems to be able to present both sides of the scale considering the compromise.
There is no dishonesty there. Merely acting inconsistent to one's advice. It's not a serious deficiency.
BTW, in a number of countries a large percentage of doctors smoke. It's a cultural thing: They pick up the habit during the stress of medical school. Would you suggest that a large percentage of doctors in those countries not inform patients that smoking is bad for them?
As a politician recently complained about: Purity tests are usually a bad idea.
It's fair to criticize. It's silly to reject their word/work because of it.
Except there's no doctor-patient discrepancy, most people in this thread are in the business and actually do have to make these choices based on their own expertise in the field.
It's a lot more like if all doctors were telling each other they should wash their hands before surgery, but many of them don't really because the tap water is cold and kinda too far away and everybody is doing it and what's the harm really and at least I'm not actively sneezing into the wound, you know?
Consider a doctor that smokes during consultations subjecting you the patient to the ill effects of their secondhand smoke whilst simultaneously recommending that you give up. Perhaps a more accurate analogy. Would you trust the doctor in this scenario?
> GA provides objectively superior data and they probably get a lot of value from it
Which is why everyone uses it and we just sit back and accept the consequences. You can't be expected to be taken seriously if you simultaneously argue that other's shouldn't do something while yourself use it for precisely the same reasons everyone else does.
It's indicative of a lack of respect for their users.
> GA provides objectively superior data and they probably get a lot of value from it
That's certainly true. Also, that's orthogonal to the point. Being very valuable to website operators doesn't make its use any more acceptable to others.
> Considering the value of their service, GA on their marketing page seems like a very small compromise.
It's not a compromise until you consider the value of both sides of the equation. Please do elaborate on that, with some details on the negative externalities of blindly sharing your tracking data with Google.
Otherwise your argument just became "superior data has got some value to me, which is more than none, so yeah I got mine".
It's not less of an all-or-nothing attitude if you fail to seriously consider the other side of the supposed compromise.
It seem like most people have forgotten that before Google Analytics, we all just looked at our server logs.
Sure, you can't get the exact same information, but you can get enough to do capacity planning and some basic stats.
I've started to wonder why people care about Google Analytics, what does it tell you that you actually need to know. Again capacity planning is useful, but other than that, isn't sort of pointless?
you could actually get more from plain old log parsing in some cases. First of all with GA you can't access the raw data. With logs you can create new type of stats/metrics/charts and apply them on past data.
Also, IIRC GA uses random sampling - only a % of connections are recorded and the data being shown is extrapolated from those samples. While I'm not arguing that given the vast amount of data at disposal, huge capacity and great engineers they can make those extrapolations very accurate, I'm not entirely convinced it is precise for (very) small traffic websites. And since a small traffic logging requires both small storage space and small processing capacity the resources needed for keeping and processing your own logs are insignificant while the results might be useful.
Some of the larger website builders/hosting , e.g. Wix don’t even give you access to server logs.
Sure you can setup and run your own site and CMS easily enough, but running even hourly bulk log ingestion is usually not as straight forward and the information you can derive is very limited comparative to js based tracking.
Matamo ( formerly Piwik) is decent but still takes some time to setup and get right.
The main thing that the analytics tells you if you are promoting anything, is which of those promotions is actually working and driving visitors to your site.
>Some of the larger website builders/hosting , e.g. Wix don’t even give you access to server logs.
I don't think it's unreasonable to require them to provide you some sort in insight into your traffic data in that case.
You can to promotion tracking with just log parsing, depending on how your system is built. There's a large number of sites that handle that by simply having unique URL for each promotional partner.
> what does it tell you that you actually need to know?
Have you actually used Google Analytics? Doesn't sound like it.
First, being able to get stats on real traffic and not bots/crawlers is very important and GA does an excellent job of this.
Google Analytics also allows you to see how people actually use your site. Stats like how long, what their visit path looks like, and when they leave your site. It also lets you see demographic info, like age group and gender.
I've only touched the surface of what GA does. Yes, it is equally frightening and amazing how it tracks users.
To see what content is popular, to see what countries users are coming from, to how long a given page is retaining a visitor... all of this lets a business know what they need to change/offer/stop to better serve their customers and attract more customers.
I had a very niche ecommerce site for a couple of years, for ease I was only shipping to U.S. customers. I noticed that something like 20% of my traffic was coming from Canada so I decided to enable shipping to Canada but added a 5$ premium on top of the actual shipping cost. I had a sale to Canada the first hour of enabling it in my cart and Canada ended up being roughly 10% of my orders, even after I raised the premium/handling fee to 10$.
Looking at my GA page once caused more money to be going into my pocket and filled a need for Canadian customers. I didn't need to learn a programming language or spend tens of hours trying to figure out, through articles, how to copy paste a bunch of code together to recreate something comparable.
My question then would be, why do you need to use especially Google Analytics for that? Stats like "visitors per country" are a core feature of all major analytics suites. I set up analytics for many site on my job and I never experienced a use case where GA offered that specific feature no other software had.
GA is free and takes seconds to set up. Not everyone knows how to code, not everyone is a professional web dev or CS ninja, not everyone has piles of VC money to throw at such things. GA works, is well organized, and is often integrated with a lot of cart/web builder services where you simply have to plug in a short string and pop over to the GA website.
I needed a vegetable knife recently. I could have (and I do have the skills, and have made many knives over the past 25 years) purchased some appropriate steel and made one myself in 3-5 hours and had it incredibly sharp but I opted to buy a Mercer stainless steel one on Amazon for 20$~ because it required much less effort.
I also couldn't care less about Google or the NSA or Lectroids from another dimension tracking me so I don't rush to go "I'd better cater to the small percentage of my potential customers that want to leave zero trace on the internet, there are countless tools out there they can use to minimize that trail of breadcrumbs. This data is usable to me and Google makes it easy" and I imagine, even the company in question was like "some people want privacy but those that are concerned can easily block this with a browser extension, in their hosts file, and/or at a hardware level so we'll go ahead and use it and save a bunch of time".
You're essentially saying that violating your users' privacy is OK because not everyone has the skill or money to do it the right way?
In this case would you also say it's OK to be stealing in stores because it's cheaper than getting things the correct way by paying for them, and that stores concerned about theft should just do a better job at preventing you from stealing by using the real-life-equivalent of a hosts file to prevent you from entering the store?
>You're essentially saying that violating your users' privacy is OK
I'm not holding a gun to their head and telling them to visit my site. If I walk into a business, or someone's house, I assume I'm being monitored. Websites are the same thing.
I think his point is that he doesn't consider it a violation of privacy and that the people who do usually are better at controlling the data that is leaving their computer anyways.
> GA is free and takes seconds to set up. Not everyone knows how to code, not everyone is a professional web dev or CS ninja, not everyone has piles of VC money to throw at such things.
Imagine if restaurants had this attitude about hygiene.
I mean not everybody is a professional cleaner ninja or has money to hire them. Just wiping the counter a little is all everybody sees anyway, and everybody can do it.
If you're simply not skilled to do it properly, does that mean you get to earn the profit of doing it over your customer's backs anyway?
Your attitude really reminds me of, say, street food carts in some places. Because some of people just didn't receive food hygiene training, and they only have to get out there with a cart and something that looks edible.
Or with a couple of mouse clicks it can be done with GA. Most people don't want to stare at lines of code, write cod, and fiddle around in logs for hours and hours. I have literally no idea how to extract that data in a comparable fashion and it would likely take me many hours of reading and trying to copy paste random bits of code I find in articles together to attempt to do the same. Obviously the company in question should have someone capable of doing that but most smaller companies and small business website owners don't, hiring someone to create that would cost money.
Stuff like GA you can copy paste an identifier or line of code, make it live and you're done. You now have a bookmark you can go to and see lots of actionable data in a nice visual form.
Most people don't care about a website tracking their OS/location/time spent on change etc so why would I, or someone else, put a bunch of extra work into fashioning something from scratch when there's a perfectly usable product that takes seconds to deploy and is easily blocked by those that don't want you to easily access that information about them?
If you need a knife most people would buy a knife. They would not buy a length of steel, cut it to rough shape, file or grind it down to the final shape, then spend an hour or more putting an edge on it with wet stones. Besides, the people that don't want tracked by Google are probably already blocking google via software and/or hardware solutions.
I am out of that game. Once upon a time, I labored over WebTrends for about a hundred different sites. It was not a great time.
I am not sure what would be a good replacement for Google Analytics these days but I had an absolutely terrible time with WebTrends and server-side logs. I was pretty doubtful about the results produced, as well.
This is an honest, detailed answer from an end user. Basically, he values simple demographic information about his visitors and doesn’t care about privacy. This is what countless other GA users have said here on HN and elsewhere.
If you want more privacy then build a better GA (from the typical end user perspective, recall the famous comment here that no one will use Dropbox because they can instead just run some Unix commands).
> I didn't need to learn a programming language or spend tens of hours trying to figure out, through articles, how to copy paste a bunch of code together to recreate something comparable.
Tens of hours, people. THIS is what your privacy is worth to some.
You forget that, while doing the unethical thing might seem a lot less hard, simply NOT doing the thing is also not hard at all! So that's not an excuse.
You seem to think you have a right to the earnings of the difference between those two, over the backs of your visitors' privacy.
THAT is the argument you have to explain. Not the part of how you managed to get fancy analytics for free by selling out your visitors.
What do you mean drilling down beyond one level? I use Matomo and find it just as useful as Google Analytics. Actually, I like their interface better than Google's.
And none of these offer the ease of setup, ease of analysis, or ease of recognizing what actions to take that GA offers for $0 license and no hosting fees. These on the list are all admirable (esp. Snowplow) but all assume savvy users to be able to get things that are out-of-box with GA.
Can you qualify that? In what sense is GA "nothing in comparison"?
Because the other companies are less well-known?
Because it's just one among 200 others? Even though it's owned by the largest adtech corp in the world?
Or is it because you told yourself that Google will probably do "less bad things" with that same data, after you give your users data away, completely out of your control.
I love how in this thread about, ostensibly, why tracking is bad and trackers should be blocked people are arguing that using GA is ok because doing anything else is "too hard". Why can't this same argument be applied recursively to any of the trackers in the NYT tracking sphere? I'm sure it can, and I'm sure that's why loading a NYT page loads dozens of various third-party tracking scripts: because doing anything else would have been "too hard" for the NYT marketing & technology departments.
I'm not into the analytics business, but how does it come that, somehow, of all the major tech companies, it just happens to be Google to provide the one irreplaceable analytics service?
In particular, how that apparently never worried anyone before they became the "seriously nothing else can scratch this itch" quality analytics??
Because I saw it happen and it worried me. Some people must remember, about a decade (!!) ago, that half-joking nervous realisation that there was a single corporation whose server-controlled javascript ran on 90% of all webpages.
Or the part where you share all of your site's analytics with a third party you had no choice in? That wasn't even a thing before GA came around.
What is Google Analytics doing that it can't be replaced by anything that's not quite as ruthless with your visitor's data? (I really want to ask "is it that hard?" but I'm gonna assume there's something hard about it that I'm not thinking of)
Personally I'm afraid the reasons are dumb and shameful. I suppose Google Analytics is providing some additional details and data that it just happens to be unable to provide unless it tracks the everloving shit out of your visitors and accumulates this data on, say, Google servers. And people don't want to give that up, because weeeeell if it's spying on everybody and combining and keeping data anyway, they might as well get a slice of that pie, right? Flawed reasoning that work very well in unscrupulous people's heads.
And then you get someone complaining that the UX of the alternative isn't top notch. Which really tells you everything you need to know someone is willing to even begin thinking about sticking out a limb for.
I get this sinking feeling that in large parts of this industry there's less than 5% of people who actually think about and critically look at the ethics of what THEY are building, and they're probably listened to even less. It's probably even less, I've been talking to people that I consider very responsible engineers whose principles just wither as soon as you ask where the analytics data goes ... usually pointing at the client's choice. Except they're working on it and it's built into the infrastructure of the company and they provide it.
So easy to get the top thread in this comment section arguing fervently against any and all forms of tracking ... and then you get this massive back peddling when someone dares to suggest not using GA.
However beware that it's not a "set and forget" solution.
Example: This morning I did my occasional sweep of what I've blocked where, and to see if there's a new allowed domain in top N that should've been blocked. What I found is that ocsp.int-x3.letsencrypt.org.edgesuite.net is blocked by "kowabit.de - bl*cklist of death". I've added that to my whitelist now, I want certificate revocation to not be blocked.
"He is currently Director of Engineering at Netflix, working on Open Connect, Netflix's home CDN also known as the CDN moving about 30% of the total US Internet traffic"
There is something about CDNs and DNS, usually not good. According to Paul Vixie, that is how we ended up with EDNS0 despite the objection of IETF. Wonder if this company gets permission to share data with Netflix. I would read the terms carefully.
Hopefully people will choose to run their own Pi-Holes on their home networks, preferably without pointing them at third party "upstream" DNS providers.
By distributing its requests across the many authoritative servers for the domains you visit. The only one that still sees all your DNS requests is the ISP.
> They see all of your traffic anyway, so it doesn't really matter if they also see your DNS traffic, it's not like HTTPS hides who you are visiting.
Given a lot of traffic goes to cloud providers with IP pools that are discriminated largely by the HTTP Host header, it absolutely does somewhat hide "who you are visiting".
No. The SNI is transmitted in plain text as part of the ClientHello but TLS does not care about application implementation details. The HTTP Host header is encrypted along with the rest of the request.
> is it the certificate handshake where host header is leaked?
Yes, because of SNI [0].
In short, the ClientHello message sent by your browser as the first step of TLS negotiation (After the TCP connection is made, obviously) includes the hostname of the server you are trying to connect to unencrypted so that the server knows which certificate to present in the case of multiple sites being served on one IP/port combo.
It's sent un-encrypted in the very first handshake setup so the server knows which public key to return. Details here[0].
There is, as you can see from Wikipedia[0], an encrypted version(esni), but that only sort of solves the problem. See [1] for more details on those.
The high level overview is, perfect secrecy of who you are talking to is a very hard problem on the Internet, and while some of these new features might help, there are a LOT of leaks to plug, so if someone is able to watch your traffic go by, chances are they can tell who you are talking to, but they maybe can't figure out what you are saying. Which may or may not matter, depending on your security threat(s).
In other words, virtual hosting does provide some incidental "privacy". However, looking at the web as whole, not simply focusing on certain large CDNs, most HTTPS websites actually do not require the SNI extension. "Modern" browsers send domain names in the ClientHello plaintext automatically, by default, even though it is not required.
Then there are HTTPS websites who require SNI but do not actually check the name in ClientHello is the same as the name in the Host header.^1 Any name sent in the ClientHello will suffice to retrieve the correct web page. "Modern" browsers again blindly send more than what is required in that situation.
As such, it is the HTTP client, e.g. major browser, that is leaking information in plaintext unecessarily. "Modern" browsers are useful for displaying web content. However when it comes to retrieving it, they are less trustworthy. Too much is happening in these programs outside the user's awareness and control.
1. AWS Cloudfront is one example. It is possible to send a less descriptive, arguably more private, CNAME in the ClientHello whilst sending the known domain name in the Host header. https://news.ycombinator.com/item?id=21977961
Some CDN rely on DNS for load balancing. They need information on end user network to properly resolve ( sending you to a server in the right geo for instance). If you use a third party resolver and it is not providing enough info, you may get poor performance.
That's not some fancy tracking, in the end the CDN will get your IP and traffic. (Not saying it's impossible to use it for tracking purpose)
NextDNS is great. However with these tools, problems appear when you specifically want to display your Firebase dashboard etc. directly going to a service from the "tracker" itself = analytics.google.com
Marking at domain level is too generic to wrestle with this problem.
As a fallback for standard UDP DNS over IPv4, they do use your IP address in a rather clever way: they have multiple IPv4s so you can have different rule sets for different devices under the same IPv4 and they identify which ones by linking the two addresses together (NET1->DNS1 gets RULES1, NET1->DNS2 gets RULES2, etc.).
and what prey, does a global pi-hole grid give that an actual RaspPi and pi-hole can't? What does it add?
Given they are based in Delaware, USA my starting point is far below zero privacy trust: Nextdns are gathering maximum possible data from everyone's DNS queries and selling it, or proposing to use it for advertising soon(tm). Enough independent reviewing and auditing might eventually persuade me that's unfair, maybe. If they actually cared for privacy why not incorporate in the EU and proudly wear full GDPR compliance? Or CA's upcoming privacy legislation?
Which is great, because then you can configure your Android to use nextdns as the private DNS provider and thus all adverts and tracking in your mobile apps and websites are covered too, even when you're away from your home network.
> 1. We do not (and will never) sell, license, sub-license or share any of the data submitted directly or indirectly by our users with any person or entity.
Which is easily said. Whereas their pricing page tells a different story:
It would work off of your network. If you are using their DNS it would work when you took your laptop to a coffee shop or when your phone switched to 4G/5G. That seems like a big benefit to me.
Reliability, speed, accessibility, ease of use, more secure defaults... Enough?
The founders appear to live in the US so a US company is a lot more convenient for them, and Delaware has some very nice benefits for companies that AFAIK don't have any privacy drawbacks. Your assumption that they "are gathering data [...] and selling it" is beyond baseless.
EU users are protected by the GDPR anyways and despite what ProtonMail etc. would like you to believe, founding your company in Switzerland or whatever does not make you magically trustworthy.
From where I see it, they deserve no more and no less initial trust than any other company.
> Reliability, speed, accessibility, ease of use, more secure defaults... Enough?
Very glib, but not helpful nor accurate. Reliability of a web service? Speed faster than local network or local VPN tunnel? Convenience appears to be the top and bottom of it from other replies.
> assumption that they "are gathering data [...] and selling it" is beyond baseless
Not at all. US freedom of information goes far beyond everyone else's and leaves the expectation that personal data is collected, shared, sold, misused and abused, and that's been the case since long before the web. Personal data that most places consider private and inappropriate to share, and often have laws for, is frequently easily available in the US.
The web just brought it further into the gutter.
Europe has had freedom of information with constraints on personal data. Data protection has been around since the mid 90s, and prior to that there were other restrictions on certain types of data collection. The discrepancy between the two approaches has been there for probably seventy years, perhaps more, and it's widening not narrowing.
Those national norms set starting point of expectations, and what each nation tends to take as axiomatic. For a typical European, for the reasons mentioned, US privacy provision and expectation starts negative. Certain industries and categories get very antsy about data going, even briefly, to the US as a consequence of that. If it's any consolation I start with the presumption every company is untrustworthy.
Given numerous examples from the past this is what "no trust" equals to. I'm not advocating publicly accusing them of being evil without evidence, but assuming they are when deciding if and how to use their services is at least reasonable.
In other words in public my opinion on them is "neutral" until I have some information/data/signs to form/change my opinion, but internally I assume they are doing[0] something evil until proven otherwise.
[0] or at least assume they are capable of doing something evil and there is a non-zero chance that they will engage in evil-doing. (but again, not accusing them publicly until there are reasons to do so; I'm just describing internal thought-process)
True, but my point was that incorporating in Delaware doesn't prevent the GDPR from applying to you (for EU customers). It's true that taking action against a non-EU company for GDPR violations is harder, but not impossible.
1. You can a share your config across all your devices. Also works on desktops (AFAIK Blokada is just for mobile)
2. You can create multiple configs and easily switch between those
3. Works everywhere (Pi-hole is very cool but only works within the local network you set it up, AFAIK)
4. On my smartphone Blokada regularly stopped, probably because I use an energy saving profile. I could never keep it running for longer than a few days, no matter what I tried. NextDNS seems to work fine so far, had it running for some weeks without a single crash
>On my smartphone Blokada regularly stopped, probably because I use an energy saving profile.
I had an issue with it stopping every couple of minutes, recently I figured out it was Google Fi's VPN causing it to stop after noticing it was only doing it on my phone with a Fi sim and not on my device with a Sprint sim. At some point Fi updated it so that the VPN is always on instead of only turning on when it finds an unsecured wireless network and automatically connected you (which is extremely rare where I live).
> 3. Works everywhere (Pi-hole is very cool but only works within the local network you set it up, AFAIK)
I run a PiHole on an AWS EC2 instance, then VPN to it on my phone. The VPN is configured so that only DNS requests get sent to it and all other traffic just goes straight through the LTE connection so that I'm not paying for all the traffic through AWS.
Could you please elaborate on your setup. How do you achieve sending only DNS traffic over VPN? What do you do when your phone is connected to your home WiFi network?
> What do you do when your phone is connected to your home WiFi network?
Nothing. The phone still uses the PiHole in AWS. I don't run a PiHole on my home network, as I use uBlock Origin to block ads on my desktop. I make my phone use a PiHole to prevents apps that aren't my web browser from getting ads, such as Google Now.
But at the current time I feel CloudFlare has more reputational skin in the game, that they're merely selling off spare capacity as opposed to making a separate business model work, and they don't offer logging as a service although they can certainly break their promises at a reputational risk.
In time NextDNS can build up their reputation perhaps to a point even exceeding CloudFlare, but right now I feel those who are joining early are "paving the way" via risk to their privacy.
They're most likely referring to the provider reselling your data (basically you're trading scattered tracking on many providers to NextDNS getting all your DNS lookups, which can be resold without your knowledge)
> founded [..] in Delaware, USA by two French founders
This sets off my spidey sense. Delaware is known to be a hot bed of fly-by-night corporations and front companies used exclusively for shady dealings[1]. I'm not saying that's the case here, but proceed w/ caution.
Delaware is used as the base for a lot of corporations of all stripes. It's because they provide an enormous tax advantage.
I actually had an argument with my business attorney about this many years ago. He wanted me to incorporate in Delaware for the tax benefit. I wanted to incorporate in my own state because that's the right thing to do.
I'm sorry for my ignorance, but how does NextDNS compare to 1.1.1.1 by Cloudflare?
I've been using 1.1.1.1 for some time. For me it has worked fairly well in the USA where my connection speed is ~200mbps. While I was in India, 1.1.1.1 caused substantial slowdowns, in some cases made a few websites unusable. Typically I had it disabled. I'm unsure why this was happening because the website says it makes web browsing faster--I do not have the technical chops to understand this, so would anybody be kind enough to explain in a layman's language? Would NextDNS and 1.1.1.1 differ in terms of speed?
I dont think the increase in speed is a result of you getting responses to DNS queries any faster, it's simply that if you only need to load the content you want and none of the content you dont (ads and whatnot), then the stuff you do want to see has that much more bandwidth available.
I do the same and together they work the best I find. Ad-blockers act at a different level than DNS blockers so can catch things that the DNS didn't (DNS only had domain, while ad-blockers have the full path)
Thank you for sharing this! I have never heard of them before, but I switched from Cloudflare to it after reading your comment and I’ve been a very happy user for the past 4 days :-)
For uBlock Origin, you should block 3rd party scripts, frames and 1st party scripts on NYTimes. It also has the unintended benefit of getting around the paywall.
Going in a big for-profit news paywall thingie that require I shut down anonymous browsing or ad blocking is to me the mental equivalent of picking up an unindentified pile of trash in the street. You know you'll have to wash hands afterwards.
Really, I think people will realize at one time that there is no way around simply forbidding advertisements to make internet sane again.
If 10% of the ingenuity spent in the ad/tracking system went towards microtransactions, instead of having to swim through a sewer of ads on any website, we would be rewarding each other with micro-dollars for insightful comments and giving 5% of it to the host.
I think the big problem is choice. I have no choice but to accept ads on every blippin’ website (if I use a vanilla browser setup) and be tracked. The choice is taken away from me/us and thats the core of the problem. The early internet was way more diverse in content, less converged, and one reason for that is there was no/less incessant need yet to ‘grab eyeballs’ and push for clicks.
That www hasn’t fully gone, but its just burried under the tons and tons of marketing fluff. Both content provider and user have become the poorer because of it.
Greedy people deceiving users... I hardly see micro-transaction as a solution.
Just like ad/tracking, we would be rewarding big corps and click baiters, not each other.
Ever since an iOS update last year Firefox (well, the Firefox-branded Safari browser for iOS) doesn't block ads for me anymore. I really noticed that my mobile data usage spiked since then.
There's all these adblocker apps in the app store, but they seem rather scummy and the few I've tried don't appear to be working with Firefox anyways.
It's ridiculous considering Apple is declaring itself the champion of privacy. I might really have to rethink if I get another iphone next time I'm buying a smart phone. Not that Android isn't equally terrible for different reasons..
FOSS Android really isn't that bad, and probably the main thing stopping me from switching to iOS is that Firefox for Android has basically full extension support. uBlock Origin's UI is just slightly wonky since it's designed for the desktop browser, but it works great and stuff doesn't really seem to slio through. It's great to be kinda in control, even if it's not perfect.
Uh, what? Content Blockers on iOS aren't scummy, they can't track you because all they do is provide filter lists to the OS, which then runs them against your browser traffic. They work just fine in Firefox. Firefox Focus provides its tracking protection list as a Safari Content Blocker, which is nice. Other than that, I use AdGuard because it's free and lets you choose which filter lists to use.
You have to enable content blockers in Settings → Safari → Content Blockers. Just downloading the app without following the instructions is not enough.
I'm sorry, but that's nonsense. AdGuard doesn't have any scummy stuff like "acceptable ads", they make money by providing a fully functional free ad-blocker and selling a version that has more features. That's as un-scummy as it gets. (I have no relation to them. I use the free version. It does everything I want.)
If this is your website, please make the table header sticky, so it stays in view as you scroll down. Having to scroll up to check it is a bit annoying. Also, another column for Firefox (with it's default tracker blocking enabled) would probably be useful.
The advanced metrics page should also have a css media query for screen size; either split the table rows into a list or set a min-width on the table as a whole. On my phone, the first column has only 1-3 characters per line, and other columns seem to only show part of the contents (even the 0 is only half-visible).
I run uBlock for the sake of not getting bogged down by resource heavy ads/cryptominers and to mitigate the threat of malware, not so much tracking. I would assume most major ad companies have already vastly improved fingerprinting and will be able to track unique devices despite all conventional trackers being blocked. Add to that how more and more sites require you to be signed in to be functionally useful that ad tracker blocking is becoming less useful as time goes on.
In any case ad personalisation does work with me as I never click on any ad, personalised or not.
My "objection" with having some things ONLY on the browser, is that there are other applications that speak with the internet (e.g. Windows Telemetry).
I didn't see anyone mentioning this, a very useful site for Browsers' filters: https://filterlists.com/
I cannot endorse the app but it is made by dnscrypt-proxy enthusiasts. Had been removed from AppStore and brought back thanks to support of German incubator
That’s quite interesting. I’ve used DNS Cloak in the past, but I’ve never tried the blacklists or whitelists. How would one get started with it? I mean, from what sources would one populate it and how?
Go to advanced options. You can generate your own list and load as a file on iPhone, you can also set forwarding and cloaking.
But I think it is more practical for your personal fine tuning of DNS behavior. For larger lists it is easier to point to a DNS servers that already has some block lists on.
Personally I point to my personal doh/dnscrypt server which is refreshing blacklists twice a day with cron job.
What really grinds my gears: they do the same thing when you're a paying subscriber.
I'm with the nyt for two years now, and I can vividly remember seeing the first ad that was displayed despite me being logged in. How is that okay?! And btw: I wanted to cancel my subscription afterwards, but apparently you can't do that via web from the EU (or not for my subscription type?) - so I need to cancel on the phone, during american business hours. I appreciate the times for their journalism, but their business practice with respect to selling their customers data is beyond inacceptable. I'm already paying you money, get your act together please...
For the FT specifically, I get the impression that a pretty large portion of subscriptions are corporate/paid for by employers so I'm not sure how true that really is.
This. Also, some of those eyes are going to belong to people who make purchasing decisions on the behalf of their employer. Those people are exceptionally valuable to advertisers.
I pay for NY Times (as well as several other papers, like the WSJ).
NY Times runs giant banner "subscribe" ads even if you're a paid, logged-in member. I still need ad blocking on!
I wouldn't mind ads equivalent to what you see in the real paper -- a Macy's ad at the end of an article, etc. But they should be in the page, and not popping up on top, on the bottom, or over the article.
It annoys me too, but I'm playing devil's advocate to reason it out.
When you buy a print copy, it also has adverts. The price you're paying is subsidised by the adverts, it doesn't completely cover the costs.
Perhaps there are two possible ends of the spectrum. On one side, you have to pay for all news that you access and there is no advertising. The news will be expensive, so only the wealthy will have access. The government can subsidise it, but that runs the risk of politicising it.
At the other, there is only advertising-supported news. The content you see is decided by whoever bids the highest.
A blended subscriptions plus advertising model tries to find a middle ground. I guess the argument is that advertising would be OK, if it didn't track your every movement and share that information with thousands of scummy companies. Is that even possible now? Would advertisers pay if they didn't get that information?
>I guess the argument is that advertising would be OK, if it didn't track your every movement and share that information with thousands of scummy companies.
Honestly: no. I'd rather pay more than selling my attention, because that's what ads are doing. My time is more valuable than whatever margin they're making by showing me ads, and I'm very confident that I'm not alone with this position.
>Is that even possible now? Would advertisers pay if they didn't get that information?
This is a really good question, and adding to it: how hard-wired are these mechanisms into modern websites such as the nyt's? I'm pretty sure that there is no simple on-off switch, but how much work would it be to implement one?
A sliding-scale subscription model would be nice, where I could say "I'll pay $100 per month and have no adverts at all" or "I'll only $5 per month, and I'm happy to have a lot of adverts".
But the advertisers probably want access to the kind of people who are prepared to part with a lot of money to avoid advertising. You see this in the FT and Economist where it's more expensive to advertise to subscribers, because the advertisers know those people have higher disposable income. If all they can have access to is lower-paid people, I guess there’s a risk a lot of the advertisers will not bother.
Maybe there's just an inherent problem here. News can be good quality, independent from government, free from advertising, and available to all. But it can't be all of those things at the same time at a national level.
>"I'll pay $100 per month and have no adverts at all" or "I'll only $5 per month, and I'm happy to have a lot of adverts".
there is another problem with that model. As long as ads revenue is a significant portion of publisher's income there is a risk of advertisers influencing the content. At $100/month you won't see the ads, but the news themselves could still be influenced by advertisers in some way. I'm afraid that this would need all or nothing approach to be effective.
I am afraid there is a high probability in that $100 wont work. And the question is a little more complex.
This is not about I am willing to paid $100 to get rid of ads as the OP stated, it is how many are willing to paid $100. Or more precisely, we need X ( Say 10 ) monthly million revenue form customers to sustain the business. Are there enough customers to share the $10 million expense. We could price it at $50, are there 200K customers wiling to subscribe, and if not, how many more paying the $5 + Ads will make it sustainable. Given the Ads money with the $5 subscription will be lower since the subscribers of $5 are likely not worth anywhere as much as the $50.
Like you said most of the high paying subscribers are already concentrated in FT , Economist or WSJ. And precisely the reason why Apple news didn't include any of those three. They still dont get it. It might work for casual, gaming, sports magazine. Not Quality Daily news.
> This is a really good question, and adding to it: how hard-wired are these mechanisms into modern websites such as the nyt's? I'm pretty sure that there is no simple on-off switch, but how much work would it be to implement one?
After Ars Technica's most recent revamp/relaunch of their pay-for subscription, it took them a few additional weeks to clean it up to remove all third party domain calls for paying user.
> I'm very confident that I'm not alone with this position.
You are not alone. There are plenty of services I pay to eschew ads. The moment they start inserting advertising, they'll lose me as a customer. I don't have cable, don't listen to FM or AM radio, and I don't have satellite radio, all because they have ads.
> The news will be expensive, so only the wealthy will have access.
I think this is correct, although HN readers may have some bias to disagree. I think the HN crowd is generally fairly well off financially (but not rich) and cares more about privacy than other groups.
> When you buy a print copy, it also has adverts. The price you're paying is subsidised by the adverts, it doesn't completely cover the costs.
For print and online the advertising covers the cost and the subscription is just a bonus on it, same thing you said but from the end users perspective. Why pay a bonus for nothing?
> I guess the argument is that advertising would be OK, if it didn't track your every movement and share that information with thousands of scummy companies. Is that even possible now? Would advertisers pay if they didn't get that information?
They would, if they had no choice. Thay have to be forced, both technically and legally, to advertise without using that kind of fidelity. Simple as that.
Print ads don't call home with your identity when you see them, they don't tell a dozen different companies who you are. The magazine may have some general statistics on it's customers (maybe differentiated by region?), but they certainly don't give the advertiser enough information to uniquely identify every person who sees an ad, along with individual demographic information and information on what ads the reader has seen elsewhere. The print customer database is (probably, hopefully) not linked into other third party databases that list what your hobbies are, what shelves you look in at the store, and what other publications you subscribe to.
If online news only had static first-party ads that were the same for every customer (or possibly every customer in X region), uninformed by Amazon/Google/other browsing, I'd be more than happy to turn off my ad blocker.
If the newspapers produced a daily epub, I'd be happy to pay for it. Even then, epubs can contain references to third party images and other resources (not sure about PDF, I despise PDF for lack of text reflow). My personal ideal for online subscriptions would be an OPDS catalog that I could subscribe to; this supports login-based access, and I could use fbreader or any other app to read.
> And btw: I wanted to cancel my subscription afterwards, but apparently you can't do that via web from the EU (or not for my subscription type?) - so I need to cancel on the phone, during american business hours.
There's existing NL law (maybe based on EU regulation?) that makes this impossible. Basically: the way you cancel should be as easy as you subscribe. Meaning, if you could subscribe online, you must be able to cancel the subscription online. If subscribing was utterly difficult, then cancelling can be utterly difficult.
If there's EU regulation behind it, usually you can force any foreign company to abide by this. Unfortunately it was difficult to figure out if this NL law was based on any EU regulation (e.g. Consumer Rights Directive from https://ec.europa.eu/info/law/law-topic/consumers/consumer-c...).
I had the same experience with the Globe and Mail in Canada. You get ads regardless of whether or not you're a paying subscriber, and while you can sign up online, you can't cancel. It was a total pain in the ass to do that over the phone, and it's a glaringly-obvious (and misguided) retention tactic.
I'll never subscribe to them again. What a short-sighted way to optimize for revenue at any cost.
Ads have gotten to the point I'm once again getting the feeling I'm on IE with 80% of the page blocked by toolbars. But this time it's ads and video's blocking any content I want to consume.
Blockers are a valuable thing to simply be able to read or watch anything on most sites now a days. I also happily pay for proper media, but not when you complicate this by blocking parts of this action with ads to begin with.
I think they would benefit from a more dumbed down FAQ/set up. For context I'm at the upper end of non technical people in some respects (I write pandas queries everyday etc) but know nothing about DNS and this lost me pretty quickly.
I'm still not sure whether this should be used in addition to or instead of ublock (which is what I use now). The setup page is also a bit intimidating given I don't understand what 99% of the things on it are.
388 comments
[ 3.9 ms ] story [ 298 ms ] threadWith advertisers switching to 1st party cookies it will get harder to avoid tracking, unfortunately.
Maybe DNT should return as respected feature within browser and user choice shouldn't affect the access to the content but only its form.
But I would prefer a PTM (please track me) header with legally binding semantics.
Tracking only pays if you can track a huge number of people and sell ads to a huge number of advertisers. The profit per tracked user is too small to pay for running a criminal enterprise.
Moving to a different jurisdiction is impossible as your customers (the advertisers) and the sites/apps where ads are placed would still be breaking the law.
True, most illicit ads tend to be non-targeted. But some criminals do things like blackmail, fraud, espionage, etc. using tracking data.
> Moving to a different jurisdiction is impossible as your customers (the advertisers) and the sites/apps where ads are placed would still be breaking the law.
That all depends on the specific business model, business partners, and their presence. Regardless, what I describe is not conjecture, many companies are shuffling around data to avoid GDPR rather than comply.
https://www.theguardian.com/technology/2018/apr/19/facebook-...
A different company without a physical presence or business partner in the jurisdiction in question, might have little to no incentive to follow the law.
In the end, even if companies are breaking the law, or even if they are fined, your data won't be protected unless they actually change their behavior as a result. Calculated non-compliance is a commonplace strategy for corporate legal compliance.
Like with tax compliance, this will always be an arms race. But if the law raises the bar, they will jump a little bit higher on average.
It doesn't have to be perfect. Privacy is not black or white, and trackers themselves are anything but perfect.
I recently looked at the list of what Google thinks I'm interested in. It's funny. Supposedly, I have a particularly strong interest in vehicles and buying cars. In fact I don't even have a driving licence, never owned a car, never will.
The list goes on and on like that. They must have rolled the dice to come up with things like "Flowers" and "American Football". I feel my privacy is completely safe with these geniuses :)
It's the more targeted uses of fingerprinting and data collection that are scary. If you're a person with lots of money or influence, there's already someone out there who is specifically trying to collect data about you in particular. Those people and organizations are looking at the data in much more detail than mass marketers.
There would be ways to get control over this, but law is slow.
0: https://www.gdpreu.org/the-regulation/key-concepts/legitimat...
Pushing all this through the legal system will take some time but the watchdogs in different countries are not sitting idle.
[1] https://fil.forbrukerradet.no/wp-content/uploads/2018/06/201...
If, and I say If, these gangsters ever get hit with major fines, and we get the simple yes/no option that a few pages have, then it will be better.
Right now, the ad industry (or should i say Mafia) is trying to actively circumvent this legislation
The problem with fines against Google (and Facebook, too) is that it's peanuts for them. They just factor this in the same category as "legal costs", and it never affects them even remotely.
Actually stamp down on the sites taking the piss. Without teeth, GDPR is useless, but so would any other toothless solution be.
Once one of the big players that don't do this and instead have it e.g. opt-out are actually fined, I suspect more sites will begin to behave correctly.
It's also one of the reasons why people have become so acutely aware of the problem. When the umpteenth site asks you to consent to over 200 ad providers/trackers, there's clearly something wrong.
Compare the request map for CNN from
- Dulles, VA: 511 requests https://requestmap.herokuapp.com/render/200123_JH_ed7b9b27df...
- Paris, France: 77 requests https://requestmap.herokuapp.com/render/200123_87_39fdca38ac...
I don't know if it's for sure because of the cookies/gdpr law, but there is a clear difference, and that's a big win in my opinion.
It also deals with 1st party cookie tracking. It clears cookie/storage on every page load as long as it detects that you're not logged in to the website (still buggy) using machine learning (NLP).
The next minor version (under development) will also allow you to block websites/domains from appearing from google search results, facebook feed, twitter feed and basically the entire internet.
It also blocks cookie/gdpr banners on websites.
(Signup on mobile does not work for now)
You can also add summaries/TL;DR for any link on the internet (right click) so others dont have to click.
The latter part won't prevent bad behavior, but it will force that behavior to be proxied -- which carries technical, financial and legal implications that will cause companies to be more careful about their downstream redirects.
How can they connect one website's cookies to another's?
All I can think of is fingerprinting, but afaik you can't really be sure "who's that" since fingerprinting filters people out, and isn't good enough to target a single individual.
I guess they can improve it, but there are ways to work around it too, it will probably be easier to fix fingerprinting than blocking 3rd party cookies.
Its seems that if 1st party cookies were as good they would have switched to it by now.
https://pi-hole.net/2020/01/19/announcing-a-beta-test-of-pi-...
[0] https://git.sr.ht/~moviuro/moviuro.bin/tree/master/lie-to-me
People are simply not willing to pay: https://twitter.com/paulg/status/1219911533070897153
Media advertising really started about 1850-1860, when there were mass-market goods produced that required advertising to create a market. Yes, there were earlier ads, largely of the classified variety, selling one-offs (often real estate).
You didn't have advertising without mass production, mass literacy, and mass media.
Hamilton Holt wrote in 1909 of the effects of advertising on his industry in Commercialism and Journalism, a short, easy, but highly informative read:
https://archive.org/details/commercialismjou00holtuoft
Even if we only take the age of the printing press in Europe, it's still over 500 years of advertisement without tracking.
Even if we only take the age of mass-produced media, it's almost 200 years without tracking.
Yes, there were earlier ads, largely of the classified variety, selling one-offs (often real estate).
People were not literate.
Printing and publishing were expensive.
There were very few mass products.
Wikipedia: "The history of advertising can be traced to ancient civilizations. It became a major force in capitalist economies in the mid-19th century, based primarily on newspapers and magazines."
https://en.wikipedia.org/wiki/History_of_advertising
The point is scale and pervasiveness.
Barkers, criers, the odd promotional papyrus or clay tablet, a shop signboard, are not the mass advertising of the latter 19th, 20th, and early 21st centuries.
Mass advertising, such as it might be thought to exist, was largely propagandistic, in that word's original sense.
These kinds of sites are already behind a paywall for most of the content you'd want to see, as Graham notes. I do not understand why sites like the New York Times, which generate massive amounts of traffic as far as I know, cannot use other real estate on their websites to serve static ads with zero nefarious tracking enabled. The model already exists for their physical product. I fail to see why we can't have a version of the Internet that ports over that previously successful system.
I don't work in Internet ads; I work in hardware. So maybe someone here can help me understand why what I would otherwise assume to be a simple implementation is viewed as impossible. I'm obviously missing something.
If you didn't use them you'd have to explain to your shareholders why you decided to leave money on the table.
And from NYT (or other publisher) perspective, 20 of the later is presumably more lucrative than 1 of the former
The meassurement of this being true is just as good as a Game ad published in a computer magazine.
The answer is to make ads unprofitable. When someone pays for advertising, they must get no return on their investment. Only then will ads disappear from the web. In order to achieve this, all ads must be blocked automatically and by default, no exceptions must be made, and the blocker software must be pre-installed for all users.
https://adnauseam.io/
https://adnauseam.io/free-adnauseam.html
https://github.com/dhowe/AdNauseam/wiki/Install-AdNauseam-on...
This being said, the current W3C Advertising API draft proposal on serving ads is possibly inspired by it.
What is this?
The draft of the proposed new standard for ads on the web
But I guess it's not a perfect solution or more publications might have adopted it.
Advertisers are overpaying for a more "targeted audience" but I suspect in the end the point is moot.
Simple case: ads that retarget you to something you googled previously (but they don't know you just bought it or gave up on buying it)
Hopefully if enough people did this, the manufacturers would get the message.
They don't have a right to a business model. I do have a right to privacy. If they can't come up with a viable business model that respects privacy, they don't deserve to exist.
It's like when people claim Google can't afford decent tech support. If that's the case then Google shouldn't exist.
Turn off all the protection to see the issues in the DevTools Network tab.
Same workflow is pretty much possible without it, but it does make ephemeral browsing a bit easier.
Ublock origin uses public, transparent, editable block lists, I can not say the same about built-in ones and browser vendors could always have ulterior motives, be strongarmed into whitelisting exceptions and so on.
[0]: https://brave.com/brave-saves-batteries/
[1] : https://brave.com/brave-one-dot-zero-performance-methodology...
https://github.com/brave/brave-browser/issues/7758
But almost all websites are getting out of control and I no longer have the time and energy to do that. So Firefox+uBlock all the way
And they don't care if you're a paying user! I susbcribed to the NYT, paying them fair money every month for a couple of years now, just to be subjected to the same mess regardless. It's infuriating. Why should I even pay for the service when they still bombard me with ads and tracking?!
Just stop using 20 trackers and 10 ad networks, and stop loading so many parts of your page asynchronously. A news article should require zero JavaScript.
But tell that to the hundred-tracking-cookies-js-bloat website with the ridiculous "We care about your privacy" popup
If AMP cuts that crap from the website, I'll go to the AMP version, thank you.
To users, AMP is a godsend that greatly enhances the user experience.
I will happily use AMP pages. Web developers brought this on themselves with ridiculous amounts of JS code.
https://f-droid.org/en/packages/org.jak_linux.dns66/
It's been flawless for me since I installed it. The maintainer is a user on here but I don't remember who.
https://github.com/bromite/bromite
https://internetfreedom.in/venom-venom-venom-bsnl-engaging-i...
To this day I avoid Belkin products because of that, even power strips.
”Block ads, trackers and malicious websites on all your devices. Get in-depth analytics about your Internet traffic. Protect your privacy and bypass censorship. Shield your kids.”
All you do is point your DNS at it. (Or let one of their apps point DNS for you.)
But I really like the ethos:
”NextDNS was founded in May 2019 in Delaware, USA by two French founders Romain Cointepas and Olivier Poitrey. Olivier has been working on Internet infrastructures for the last 20 years. In 2005, he founded Dailymotion, the largest video sharing service after Youtube and the most popular European website in the world at the time. He is currently Director of Engineering at Netflix, working on Open Connect, Netflix's home CDN also known as the CDN moving about 30% of the total US Internet traffic. Romain and Olivier closely worked for years at Dailymotion on many different projects. Romain ended up leading the mobile & TV department.”
”We are true supporters of the net neutrality and Internet privacy. We believe that un-encrypted DNS resolvers operated by ISPs are detrimental to those two principals. Alternative solutions like Google DNS or Cloudflare DNS are great, but we think more actors need to step up and provide alternative services to avoid centralization of powers.”
In ~8 months it’s gotten mom proof while also being something I can recommend to techos. For me, it’s been more reliable than the enterprise Zscalar DNS filtering, and more configurable than other filters, particularly in allowing ad blocking and custom block lists and white lists along a rich set of built-ins.
I’m at 7% blocked out of 4 million queries in last couple months.
I should note that I don’t use Facebook, Spotify, Messenger, Snapchat, or Twitter.In reality there are plenty of places you are paying for refined or filtered products. Organic or pesticide free foods, gas (you or your supply chain use it), higher end CPUs (less defects), it goes on and on.
It seems to be free for the first 300,000 queries per month, then switches to a regular DNS (no blocking). Unlimited queries are $1.99 per month.
https://nextdns.io/pricing
EDIT: they accept cryptocurrencies, so the problem is slightly less critical.
(at least for me) Considering the value of their service, GA on their marketing page seems like a very small compromise. If you don't like it you are free to block it - hell, they literally provide a service to do so.
You don't get that from server logs.
Sound like you're not arguing against Matomo but arguing that you really in fact do want to share data with a third party to extract information that your users very much did not consent to.
It's terrifying what comes out of the wood works sometimes.
For more reasons why (some/small) compromises should be allowed and not considered completely against the core value, see religious extremism.
I don't even consider it a compromise, because literally no one arguing to use GA anyway seems to be able to present both sides of the scale considering the compromise.
BTW, in a number of countries a large percentage of doctors smoke. It's a cultural thing: They pick up the habit during the stress of medical school. Would you suggest that a large percentage of doctors in those countries not inform patients that smoking is bad for them?
As a politician recently complained about: Purity tests are usually a bad idea.
It's fair to criticize. It's silly to reject their word/work because of it.
It's a lot more like if all doctors were telling each other they should wash their hands before surgery, but many of them don't really because the tap water is cold and kinda too far away and everybody is doing it and what's the harm really and at least I'm not actively sneezing into the wound, you know?
Doesn't mean she can't clean my teeth and drill holes in my skull or whatever with high proficiency.
In comparison here this company is giving out all their user's browsing data to a huge advertising company without the user's explicit consent.
Which is why everyone uses it and we just sit back and accept the consequences. You can't be expected to be taken seriously if you simultaneously argue that other's shouldn't do something while yourself use it for precisely the same reasons everyone else does.
It's indicative of a lack of respect for their users.
> GA provides objectively superior data and they probably get a lot of value from it
That's certainly true. Also, that's orthogonal to the point. Being very valuable to website operators doesn't make its use any more acceptable to others.
It's not a compromise until you consider the value of both sides of the equation. Please do elaborate on that, with some details on the negative externalities of blindly sharing your tracking data with Google.
Otherwise your argument just became "superior data has got some value to me, which is more than none, so yeah I got mine".
It's not less of an all-or-nothing attitude if you fail to seriously consider the other side of the supposed compromise.
Or server logs, if they really must.
Sure, you can't get the exact same information, but you can get enough to do capacity planning and some basic stats.
I've started to wonder why people care about Google Analytics, what does it tell you that you actually need to know. Again capacity planning is useful, but other than that, isn't sort of pointless?
you could actually get more from plain old log parsing in some cases. First of all with GA you can't access the raw data. With logs you can create new type of stats/metrics/charts and apply them on past data. Also, IIRC GA uses random sampling - only a % of connections are recorded and the data being shown is extrapolated from those samples. While I'm not arguing that given the vast amount of data at disposal, huge capacity and great engineers they can make those extrapolations very accurate, I'm not entirely convinced it is precise for (very) small traffic websites. And since a small traffic logging requires both small storage space and small processing capacity the resources needed for keeping and processing your own logs are insignificant while the results might be useful.
Sure you can setup and run your own site and CMS easily enough, but running even hourly bulk log ingestion is usually not as straight forward and the information you can derive is very limited comparative to js based tracking.
Matamo ( formerly Piwik) is decent but still takes some time to setup and get right.
The main thing that the analytics tells you if you are promoting anything, is which of those promotions is actually working and driving visitors to your site.
I don't think it's unreasonable to require them to provide you some sort in insight into your traffic data in that case.
You can to promotion tracking with just log parsing, depending on how your system is built. There's a large number of sites that handle that by simply having unique URL for each promotional partner.
Yep, and lots of us still do. I wouldn't feel right throwing my users under the bus by subjecting them to GA.
Have you actually used Google Analytics? Doesn't sound like it.
First, being able to get stats on real traffic and not bots/crawlers is very important and GA does an excellent job of this.
Google Analytics also allows you to see how people actually use your site. Stats like how long, what their visit path looks like, and when they leave your site. It also lets you see demographic info, like age group and gender.
I've only touched the surface of what GA does. Yes, it is equally frightening and amazing how it tracks users.
Good luck doing these with your server logs.
I had a very niche ecommerce site for a couple of years, for ease I was only shipping to U.S. customers. I noticed that something like 20% of my traffic was coming from Canada so I decided to enable shipping to Canada but added a 5$ premium on top of the actual shipping cost. I had a sale to Canada the first hour of enabling it in my cart and Canada ended up being roughly 10% of my orders, even after I raised the premium/handling fee to 10$.
Looking at my GA page once caused more money to be going into my pocket and filled a need for Canadian customers. I didn't need to learn a programming language or spend tens of hours trying to figure out, through articles, how to copy paste a bunch of code together to recreate something comparable.
I needed a vegetable knife recently. I could have (and I do have the skills, and have made many knives over the past 25 years) purchased some appropriate steel and made one myself in 3-5 hours and had it incredibly sharp but I opted to buy a Mercer stainless steel one on Amazon for 20$~ because it required much less effort.
I also couldn't care less about Google or the NSA or Lectroids from another dimension tracking me so I don't rush to go "I'd better cater to the small percentage of my potential customers that want to leave zero trace on the internet, there are countless tools out there they can use to minimize that trail of breadcrumbs. This data is usable to me and Google makes it easy" and I imagine, even the company in question was like "some people want privacy but those that are concerned can easily block this with a browser extension, in their hosts file, and/or at a hardware level so we'll go ahead and use it and save a bunch of time".
In this case would you also say it's OK to be stealing in stores because it's cheaper than getting things the correct way by paying for them, and that stores concerned about theft should just do a better job at preventing you from stealing by using the real-life-equivalent of a hosts file to prevent you from entering the store?
I'm not holding a gun to their head and telling them to visit my site. If I walk into a business, or someone's house, I assume I'm being monitored. Websites are the same thing.
And I'm not threatening to skin you alive if you don't stop it.
How are threats of violence okay again?
"Don't track me!"
I can't, you are blocking it
"You shouldn't be tracking me!"
Imagine if restaurants had this attitude about hygiene.
I mean not everybody is a professional cleaner ninja or has money to hire them. Just wiping the counter a little is all everybody sees anyway, and everybody can do it.
If you're simply not skilled to do it properly, does that mean you get to earn the profit of doing it over your customer's backs anyway?
Your attitude really reminds me of, say, street food carts in some places. Because some of people just didn't receive food hygiene training, and they only have to get out there with a cart and something that looks edible.
Stuff like GA you can copy paste an identifier or line of code, make it live and you're done. You now have a bookmark you can go to and see lots of actionable data in a nice visual form.
Most people don't care about a website tracking their OS/location/time spent on change etc so why would I, or someone else, put a bunch of extra work into fashioning something from scratch when there's a perfectly usable product that takes seconds to deploy and is easily blocked by those that don't want you to easily access that information about them?
If you need a knife most people would buy a knife. They would not buy a length of steel, cut it to rough shape, file or grind it down to the final shape, then spend an hour or more putting an edge on it with wet stones. Besides, the people that don't want tracked by Google are probably already blocking google via software and/or hardware solutions.
I am not sure what would be a good replacement for Google Analytics these days but I had an absolutely terrible time with WebTrends and server-side logs. I was pretty doubtful about the results produced, as well.
If you want more privacy then build a better GA (from the typical end user perspective, recall the famous comment here that no one will use Dropbox because they can instead just run some Unix commands).
All of those things can be determined by using a web server log analyzer.
Tens of hours, people. THIS is what your privacy is worth to some.
You forget that, while doing the unethical thing might seem a lot less hard, simply NOT doing the thing is also not hard at all! So that's not an excuse.
You seem to think you have a right to the earnings of the difference between those two, over the backs of your visitors' privacy.
THAT is the argument you have to explain. Not the part of how you managed to get fancy analytics for free by selling out your visitors.
Piwik, GoatCounter, GoAccess, Open Web Analytics, clicky, Snowplow, Gauges, etc.
The correct solution is to self-host all analytics involving data that can be used to identify, track, or analyze individuals.
everybody, this is what your privacy is worth to some people.
Because the other companies are less well-known?
Because it's just one among 200 others? Even though it's owned by the largest adtech corp in the world?
Or is it because you told yourself that Google will probably do "less bad things" with that same data, after you give your users data away, completely out of your control.
That's seriously disappointing. While I block GA and it's commonly used, my opinion of a site/service falls a fair amount when I see they're using it.
In particular, how that apparently never worried anyone before they became the "seriously nothing else can scratch this itch" quality analytics??
Because I saw it happen and it worried me. Some people must remember, about a decade (!!) ago, that half-joking nervous realisation that there was a single corporation whose server-controlled javascript ran on 90% of all webpages.
Or the part where you share all of your site's analytics with a third party you had no choice in? That wasn't even a thing before GA came around.
What is Google Analytics doing that it can't be replaced by anything that's not quite as ruthless with your visitor's data? (I really want to ask "is it that hard?" but I'm gonna assume there's something hard about it that I'm not thinking of)
Personally I'm afraid the reasons are dumb and shameful. I suppose Google Analytics is providing some additional details and data that it just happens to be unable to provide unless it tracks the everloving shit out of your visitors and accumulates this data on, say, Google servers. And people don't want to give that up, because weeeeell if it's spying on everybody and combining and keeping data anyway, they might as well get a slice of that pie, right? Flawed reasoning that work very well in unscrupulous people's heads.
And then you get someone complaining that the UX of the alternative isn't top notch. Which really tells you everything you need to know someone is willing to even begin thinking about sticking out a limb for.
I get this sinking feeling that in large parts of this industry there's less than 5% of people who actually think about and critically look at the ethics of what THEY are building, and they're probably listened to even less. It's probably even less, I've been talking to people that I consider very responsible engineers whose principles just wither as soon as you ask where the analytics data goes ... usually pointing at the client's choice. Except they're working on it and it's built into the infrastructure of the company and they provide it.
So easy to get the top thread in this comment section arguing fervently against any and all forms of tracking ... and then you get this massive back peddling when someone dares to suggest not using GA.
However beware that it's not a "set and forget" solution.
Example: This morning I did my occasional sweep of what I've blocked where, and to see if there's a new allowed domain in top N that should've been blocked. What I found is that ocsp.int-x3.letsencrypt.org.edgesuite.net is blocked by "kowabit.de - bl*cklist of death". I've added that to my whitelist now, I want certificate revocation to not be blocked.
matches
edgesuite.net
I whitelisted only the FQDN and left edgesuite.net largely blacklisted.
There is something about CDNs and DNS, usually not good. According to Paul Vixie, that is how we ended up with EDNS0 despite the objection of IETF. Wonder if this company gets permission to share data with Netflix. I would read the terms carefully.
Hopefully people will choose to run their own Pi-Holes on their home networks, preferably without pointing them at third party "upstream" DNS providers.
Given a lot of traffic goes to cloud providers with IP pools that are discriminated largely by the HTTP Host header, it absolutely does somewhat hide "who you are visiting".
Yes, because of SNI [0].
In short, the ClientHello message sent by your browser as the first step of TLS negotiation (After the TCP connection is made, obviously) includes the hostname of the server you are trying to connect to unencrypted so that the server knows which certificate to present in the case of multiple sites being served on one IP/port combo.
[0] https://en.wikipedia.org/wiki/Server_Name_Indication
There is, as you can see from Wikipedia[0], an encrypted version(esni), but that only sort of solves the problem. See [1] for more details on those.
The high level overview is, perfect secrecy of who you are talking to is a very hard problem on the Internet, and while some of these new features might help, there are a LOT of leaks to plug, so if someone is able to watch your traffic go by, chances are they can tell who you are talking to, but they maybe can't figure out what you are saying. Which may or may not matter, depending on your security threat(s).
0: https://en.wikipedia.org/wiki/Server_Name_Indication
1: https://tools.ietf.org/html/draft-ietf-tls-esni-05#section-7
Then there are HTTPS websites who require SNI but do not actually check the name in ClientHello is the same as the name in the Host header.^1 Any name sent in the ClientHello will suffice to retrieve the correct web page. "Modern" browsers again blindly send more than what is required in that situation.
As such, it is the HTTP client, e.g. major browser, that is leaking information in plaintext unecessarily. "Modern" browsers are useful for displaying web content. However when it comes to retrieving it, they are less trustworthy. Too much is happening in these programs outside the user's awareness and control.
1. AWS Cloudfront is one example. It is possible to send a less descriptive, arguably more private, CNAME in the ClientHello whilst sending the known domain name in the Host header. https://news.ycombinator.com/item?id=21977961
Marking at domain level is too generic to wrestle with this problem.
Or maybe that's the right level... if tracker should be blocked then I guess it's better to not fuel this business.
For example, if your id is abc123
DNS-over-HTTPS https://dns.nextdns.io/abc123
DNS-over-TLS abc123.dns.nextdns.io
You also have ipv6 hostnames, which has the id in it
https://my.nextdns.io/configuration/abc123/logs
Can anyone who knows your id also view your logs?
Given they are based in Delaware, USA my starting point is far below zero privacy trust: Nextdns are gathering maximum possible data from everyone's DNS queries and selling it, or proposing to use it for advertising soon(tm). Enough independent reviewing and auditing might eventually persuade me that's unfair, maybe. If they actually cared for privacy why not incorporate in the EU and proudly wear full GDPR compliance? Or CA's upcoming privacy legislation?
Which is great, because then you can configure your Android to use nextdns as the private DNS provider and thus all adverts and tracking in your mobile apps and websites are covered too, even when you're away from your home network.
I think the value is convenience, all this is done for you, no maintenance.
Are you saying that it does?
I've just looked and cannot find mention of it.
I know one can install stubby to achieve this, but now the convenience of nextdns is greater.
You have to run Unbound, as well.
https://nextdns.io/privacy
> 1. We do not (and will never) sell, license, sub-license or share any of the data submitted directly or indirectly by our users with any person or entity.
Which is easily said. Whereas their pricing page tells a different story:
https://nextdns.io/pricing
> Completely free during the beta, then free up until about 300,000 DNS queries/month — $1.99/month for unlimited queries.
... which makes for a very particular business model indeed.
There is no such thing as a free lunch. Which makes me wonder how they keep the lights on, and where the money comes from.
This business model is like literally every other SaaS platform that has a free tier. Would you trust them more if they had no free tier?
The founders appear to live in the US so a US company is a lot more convenient for them, and Delaware has some very nice benefits for companies that AFAIK don't have any privacy drawbacks. Your assumption that they "are gathering data [...] and selling it" is beyond baseless.
EU users are protected by the GDPR anyways and despite what ProtonMail etc. would like you to believe, founding your company in Switzerland or whatever does not make you magically trustworthy.
From where I see it, they deserve no more and no less initial trust than any other company.
Very glib, but not helpful nor accurate. Reliability of a web service? Speed faster than local network or local VPN tunnel? Convenience appears to be the top and bottom of it from other replies.
> assumption that they "are gathering data [...] and selling it" is beyond baseless
Not at all. US freedom of information goes far beyond everyone else's and leaves the expectation that personal data is collected, shared, sold, misused and abused, and that's been the case since long before the web. Personal data that most places consider private and inappropriate to share, and often have laws for, is frequently easily available in the US.
The web just brought it further into the gutter.
Europe has had freedom of information with constraints on personal data. Data protection has been around since the mid 90s, and prior to that there were other restrictions on certain types of data collection. The discrepancy between the two approaches has been there for probably seventy years, perhaps more, and it's widening not narrowing.
Those national norms set starting point of expectations, and what each nation tends to take as axiomatic. For a typical European, for the reasons mentioned, US privacy provision and expectation starts negative. Certain industries and categories get very antsy about data going, even briefly, to the US as a consequence of that. If it's any consolation I start with the presumption every company is untrustworthy.
that is they deserve none. No company gets any trust from me until they prove that they deserve it.
In other words in public my opinion on them is "neutral" until I have some information/data/signs to form/change my opinion, but internally I assume they are doing[0] something evil until proven otherwise.
[0] or at least assume they are capable of doing something evil and there is a non-zero chance that they will engage in evil-doing. (but again, not accusing them publicly until there are reasons to do so; I'm just describing internal thought-process)
2. You can create multiple configs and easily switch between those
3. Works everywhere (Pi-hole is very cool but only works within the local network you set it up, AFAIK)
4. On my smartphone Blokada regularly stopped, probably because I use an energy saving profile. I could never keep it running for longer than a few days, no matter what I tried. NextDNS seems to work fine so far, had it running for some weeks without a single crash
Mobile browsing on the go without ads!
I had an issue with it stopping every couple of minutes, recently I figured out it was Google Fi's VPN causing it to stop after noticing it was only doing it on my phone with a Fi sim and not on my device with a Sprint sim. At some point Fi updated it so that the VPN is always on instead of only turning on when it finds an unsecured wireless network and automatically connected you (which is extremely rare where I live).
I run a PiHole on an AWS EC2 instance, then VPN to it on my phone. The VPN is configured so that only DNS requests get sent to it and all other traffic just goes straight through the LTE connection so that I'm not paying for all the traffic through AWS.
I use OpenVPN on both my phone and the server with the "redirect-gateway def1 bypass-dhcp" option enabled on the server. See https://docs.pi-hole.net/guides/vpn/only-dns-via-vpn/
> What do you do when your phone is connected to your home WiFi network?
Nothing. The phone still uses the PiHole in AWS. I don't run a PiHole on my home network, as I use uBlock Origin to block ads on my desktop. I make my phone use a PiHole to prevents apps that aren't my web browser from getting ads, such as Google Now.
In time NextDNS can build up their reputation perhaps to a point even exceeding CloudFlare, but right now I feel those who are joining early are "paving the way" via risk to their privacy.
This sets off my spidey sense. Delaware is known to be a hot bed of fly-by-night corporations and front companies used exclusively for shady dealings[1]. I'm not saying that's the case here, but proceed w/ caution.
[1] https://www.transparency.org/news/feature/delaware_the_us_co...
> More than 50% of all U.S. publicly traded companies and 63% of the Fortune 500 are incorporated in Delaware.
https://en.m.wikipedia.org/wiki/Delaware
I actually had an argument with my business attorney about this many years ago. He wanted me to incorporate in Delaware for the tax benefit. I wanted to incorporate in my own state because that's the right thing to do.
I've been using 1.1.1.1 for some time. For me it has worked fairly well in the USA where my connection speed is ~200mbps. While I was in India, 1.1.1.1 caused substantial slowdowns, in some cases made a few websites unusable. Typically I had it disabled. I'm unsure why this was happening because the website says it makes web browsing faster--I do not have the technical chops to understand this, so would anybody be kind enough to explain in a layman's language? Would NextDNS and 1.1.1.1 differ in terms of speed?
https://1.1.1.1
That's why I wish the Signal foundation started building 1. Password managers 2. DNS providers
[0]https://adguard.com/en/adguard-dns/overview.html
EDIT: They have a lot more products than just DNS (if you poke around the site)
Really, I think people will realize at one time that there is no way around simply forbidding advertisements to make internet sane again.
If 10% of the ingenuity spent in the ad/tracking system went towards microtransactions, instead of having to swim through a sewer of ads on any website, we would be rewarding each other with micro-dollars for insightful comments and giving 5% of it to the host.
That www hasn’t fully gone, but its just burried under the tons and tons of marketing fluff. Both content provider and user have become the poorer because of it.
[1] Actually, not just to be cheeky.
Ever since an iOS update last year Firefox (well, the Firefox-branded Safari browser for iOS) doesn't block ads for me anymore. I really noticed that my mobile data usage spiked since then. There's all these adblocker apps in the app store, but they seem rather scummy and the few I've tried don't appear to be working with Firefox anyways.
It's ridiculous considering Apple is declaring itself the champion of privacy. I might really have to rethink if I get another iphone next time I'm buying a smart phone. Not that Android isn't equally terrible for different reasons..
You have to enable content blockers in Settings → Safari → Content Blockers. Just downloading the app without following the instructions is not enough.
I'm sorry, but a closed-source ad blocker offered by a for-profit company and offering a pro version seems scummy to me.
By the way, you can get the source code at https://github.com/AdguardTeam/AdguardForiOS.
There's also a list of open-source content blockers at https://old.reddit.com/comments/btlwda/, some of them are non-commercial.
I didn't see any ads in a quick test with Firefox on iOS, but maybe that was Firefox's tracking protection, not a content blocker.
https://twitter.com/Jaruzel/status/1220262127958659073
I think it's worth someone collating all these together into a website-of-shame.
The advanced metrics page should also have a css media query for screen size; either split the table rows into a list or set a min-width on the table as a whole. On my phone, the first column has only 1-3 characters per line, and other columns seem to only show part of the contents (even the 0 is only half-visible).
Can block everything else
That's genius though, and I love it. You're clearly very dedicated to both the NYT and privacy.
In any case ad personalisation does work with me as I never click on any ad, personalised or not.
So, with a strong hosts file, a blocker/noscript/privacy badger we are in a better place. It is always a cat and mouse game though..
My go-to for HOSTS is: https://someonewhocares.org/hosts/
I don't know if it is maintained any better than any other curated HOSTS files, but its been around for 20 years.
I've just confirmed that it is still a Filter Lists option in uBlock Origin.
The web page sure gets points for being state-of-the-art circa 1998. At least there's no Blink tags. :)
[0] http://winhelp2002.mvps.org/hosts.htm
I didn't see anyone mentioning this, a very useful site for Browsers' filters: https://filterlists.com/
https://github.com/StevenBlack/hosts
[1] https://apps.apple.com/us/app/dnscloak-secure-dns-client/id1...
I cannot endorse the app but it is made by dnscrypt-proxy enthusiasts. Had been removed from AppStore and brought back thanks to support of German incubator
https://techcultivation.org/#overview
https://github.com/DNSCrypt/dnscrypt-proxy/issues/42#issueco...
https://github.com/s-s/dnscloak
But I think it is more practical for your personal fine tuning of DNS behavior. For larger lists it is easier to point to a DNS servers that already has some block lists on.
Personally I point to my personal doh/dnscrypt server which is refreshing blacklists twice a day with cron job.
I'm with the nyt for two years now, and I can vividly remember seeing the first ad that was displayed despite me being logged in. How is that okay?! And btw: I wanted to cancel my subscription afterwards, but apparently you can't do that via web from the EU (or not for my subscription type?) - so I need to cancel on the phone, during american business hours. I appreciate the times for their journalism, but their business practice with respect to selling their customers data is beyond inacceptable. I'm already paying you money, get your act together please...
I estimate that the ads only generate a miniscule amount of revenue, yet it really detracts from the user experience.
NY Times runs giant banner "subscribe" ads even if you're a paid, logged-in member. I still need ad blocking on!
I wouldn't mind ads equivalent to what you see in the real paper -- a Macy's ad at the end of an article, etc. But they should be in the page, and not popping up on top, on the bottom, or over the article.
When you buy a print copy, it also has adverts. The price you're paying is subsidised by the adverts, it doesn't completely cover the costs.
Perhaps there are two possible ends of the spectrum. On one side, you have to pay for all news that you access and there is no advertising. The news will be expensive, so only the wealthy will have access. The government can subsidise it, but that runs the risk of politicising it.
At the other, there is only advertising-supported news. The content you see is decided by whoever bids the highest.
A blended subscriptions plus advertising model tries to find a middle ground. I guess the argument is that advertising would be OK, if it didn't track your every movement and share that information with thousands of scummy companies. Is that even possible now? Would advertisers pay if they didn't get that information?
Honestly: no. I'd rather pay more than selling my attention, because that's what ads are doing. My time is more valuable than whatever margin they're making by showing me ads, and I'm very confident that I'm not alone with this position.
>Is that even possible now? Would advertisers pay if they didn't get that information?
This is a really good question, and adding to it: how hard-wired are these mechanisms into modern websites such as the nyt's? I'm pretty sure that there is no simple on-off switch, but how much work would it be to implement one?
But the advertisers probably want access to the kind of people who are prepared to part with a lot of money to avoid advertising. You see this in the FT and Economist where it's more expensive to advertise to subscribers, because the advertisers know those people have higher disposable income. If all they can have access to is lower-paid people, I guess there’s a risk a lot of the advertisers will not bother.
Maybe there's just an inherent problem here. News can be good quality, independent from government, free from advertising, and available to all. But it can't be all of those things at the same time at a national level.
there is another problem with that model. As long as ads revenue is a significant portion of publisher's income there is a risk of advertisers influencing the content. At $100/month you won't see the ads, but the news themselves could still be influenced by advertisers in some way. I'm afraid that this would need all or nothing approach to be effective.
This is not about I am willing to paid $100 to get rid of ads as the OP stated, it is how many are willing to paid $100. Or more precisely, we need X ( Say 10 ) monthly million revenue form customers to sustain the business. Are there enough customers to share the $10 million expense. We could price it at $50, are there 200K customers wiling to subscribe, and if not, how many more paying the $5 + Ads will make it sustainable. Given the Ads money with the $5 subscription will be lower since the subscribers of $5 are likely not worth anywhere as much as the $50.
Like you said most of the high paying subscribers are already concentrated in FT , Economist or WSJ. And precisely the reason why Apple news didn't include any of those three. They still dont get it. It might work for casual, gaming, sports magazine. Not Quality Daily news.
After Ars Technica's most recent revamp/relaunch of their pay-for subscription, it took them a few additional weeks to clean it up to remove all third party domain calls for paying user.
You are not alone. There are plenty of services I pay to eschew ads. The moment they start inserting advertising, they'll lose me as a customer. I don't have cable, don't listen to FM or AM radio, and I don't have satellite radio, all because they have ads.
I think this is correct, although HN readers may have some bias to disagree. I think the HN crowd is generally fairly well off financially (but not rich) and cares more about privacy than other groups.
For print and online the advertising covers the cost and the subscription is just a bonus on it, same thing you said but from the end users perspective. Why pay a bonus for nothing?
They would, if they had no choice. Thay have to be forced, both technically and legally, to advertise without using that kind of fidelity. Simple as that.
They could offer a no-tracking tier. When you consider how little revenue most ads generate per user, the price increase wouldn't be very much.
If online news only had static first-party ads that were the same for every customer (or possibly every customer in X region), uninformed by Amazon/Google/other browsing, I'd be more than happy to turn off my ad blocker.
If the newspapers produced a daily epub, I'd be happy to pay for it. Even then, epubs can contain references to third party images and other resources (not sure about PDF, I despise PDF for lack of text reflow). My personal ideal for online subscriptions would be an OPDS catalog that I could subscribe to; this supports login-based access, and I could use fbreader or any other app to read.
There's existing NL law (maybe based on EU regulation?) that makes this impossible. Basically: the way you cancel should be as easy as you subscribe. Meaning, if you could subscribe online, you must be able to cancel the subscription online. If subscribing was utterly difficult, then cancelling can be utterly difficult.
If there's EU regulation behind it, usually you can force any foreign company to abide by this. Unfortunately it was difficult to figure out if this NL law was based on any EU regulation (e.g. Consumer Rights Directive from https://ec.europa.eu/info/law/law-topic/consumers/consumer-c...).
They do the same thing to the US: They force you to call them.
I tried to cancel my credit card to get rid of the charge: soon after, they started charging me again.
In the end I had to call my credit card company and block all transactions from them, forever.
Super scummy, super annoying. Fuck the NYT.
I'll never subscribe to them again. What a short-sighted way to optimize for revenue at any cost.
Blockers are a valuable thing to simply be able to read or watch anything on most sites now a days. I also happily pay for proper media, but not when you complicate this by blocking parts of this action with ads to begin with.
I'm still not sure whether this should be used in addition to or instead of ublock (which is what I use now). The setup page is also a bit intimidating given I don't understand what 99% of the things on it are.
Where did the setup lose you? I would say you just got unlucky with a specific term or concept you aren't aware of.