373 comments

[ 3.3 ms ] story [ 328 ms ] thread
The root problem here is that there's no legitimate way to monetize browser extensions. Extensions are meant to be simple, so it's hard to sell premium features. Extensions usually don't "own" any space to embed ads in.
I think the only way is to treat access like we do web apps, then enable/disable features accordingly.

That's kinda lame because now you have to have a backend setup, just so you can charge for some features.

The issue with that is that "Gets to read and/or write the DOM" happens to be the only permissions a nefarious extension needs while also being those that a vast number of useful extensions require.
I think you're thinking from the browser level. I was thinking from the standpoint of what I could do as an extension developer.

If we approach it from that angle, then your extension can only restrict access to it's features via a round trip to your own servers to validate access and/or show a checkout view to purchase access.

That's why it'd be nice to have a general "access the internet" permission, since DOM reads are usually harmless if they can't get any data back.
I suspect it would be a very hard permission to implement. There are a lot of ways to exfiltrate data from a website if you have DOM access. But yeah, agreed.

Some of the difficulty around securing extensions boils down to the fact that Javascript permissions could be better. Websites do a decent job of sandboxing the website, but sandboxing within websites (without relying on iframes) is much more difficult.

Per-site permissions and click-to-activate are also really useful features here. It's easy to forget how recent they are. But it would be good to go further if possible and having barriers in front of exfiltration would be a big part of that -- there are many browser permissions that would become less dangerous if you could know for sure that the data they generate can't get off your device. I just think it would be really difficult to try and build browser permissions around that in a user-legible way.

Do you believe that if there was a way to monetize extentions devs would not be approached by data thives?
Not sure if sarcasm but will respond as if it's not.

There are lots of business models to choose from

  - subscription
  - affiliate links
  - sponsors
  - one time charge, this one is tricky as restricting access requires a back-end that needs ongoing maintenance and server costs
[edit: formatting, spelling]
It is not clear what problem you are solving.

Extension devs know the rules of the game up front and have no expectation of profit.

I may have misunderstood your prior comment so please excuse me if I got it wrong. The problem I was solving was how to make money from an extension that I publish. I was outlining different business models where you could give the user access to the extension, and make money without having to accept this arrangement with data thieves.
I don't see this as problem that needs to be solved. It is freeware from the start.

It's wonderful that people are willing to share their knowledge and time for free - why not let it be the way it is?

I believe problem isn't the right word. I think OP is challenging your assumption that it's inherently freeware. There are methods for monetizing an extension and they're infrequently used or associated with a much larger experience (e.g. my BitWarden extension is critical for using BitWarden, but I pay for BitWarden's subscription elsewhere).
Perverse incentives being one, you make the extension for free, for the purpose of selling out later.

Project being maintained by a single dev being another, there needs to be incentive to keep the project going and not abondon or sell out.

Yes, most extension devs probably start out with no intentions of profit. They wrote their extension to scratch an itch. However, once they get an installed base and start getting offers to do shady stuff, it seems obvious that they might be tempted by easy money. If they had a more legitimate way to make money, they may be less tempted by the shady stuff.
That is indeed obvious but I'd argue that in this case the problem is weak moral spine. Fortifying it with money will not make it go away.
> one time charge, this one is tricky as restricting access requires a back-end that needs ongoing maintenance and server costs

If a browser extension is allowed to use license keys (not sure on the various store rules i.r.t. browser extensions), you could create a timed license key that is cryptographically signed.

No back-end required for that.

Not the OP, but I'd presume that it would be significantly less tempting to sell out.

Everyone has a price, and when everything is going smoothly, that price goes up.

An extension user could theoretically be willing to pay for the value the extension provides them. The malicious actors sending these emails are willing to pay for the value that a user's data provides them. These two numbers are not related in any way, and the value of user data will often be much higher than the value of the extension's functionality.

There is no way for monetization to solve this, because the two potential customers are not purchasing the same product.

Yeah. We've already seen user data win over paid software in other spaces. Someone charitable or just not-so-bad has to buy it out instead.
The root problem is that extensions are such a good platform for ads/tracking.

If monetization was better, it would just end up like Google Play, with adtech spam crowding out the "legitimately" monetized apps.

Dracionian restrictions on web access (like requiring a prompt whenever an extension wants to upload/download data) might help a little.

Google could easily find a way to display ads for all extensions: pre-roll ads before extension launches, mid-roll ads when user is using extension for some period of time; not sure what is stopping them.
There used to be.

https://developer.chrome.com/docs/webstore/money/

"The web has come a long way in the 11 years since we launched the Chrome Web Store. Back then, we wanted to provide a way for developers to monetize their Web Store items. But in the years since, the ecosystem has grown and developers now have many payment-handling options available to them."

Another failed Google product...of course every company has huge back catalogs of deprecated products but the sheer % of fails by Google is almost unbelievable.
This is the reason I removed my extension from the Chrome Web Store.
Just want to put a plug in for https://extensionpay.com/ - I've used it in extensions in the past. It takes away the headache of setting up a backend for payment. They do take an extra 5%, but it's worth it especially. for smaller projects
I don't think this is necessarily true. I run a software licensing API with quite a handful of customers running browser extensions with respectable user bases.

So there are monetization opportunities, just like any other distribution channel.

You can easily monetize Safari extensions by selling them through the App Store.
I wouldn't say "easily", but you can.
Might at least make these attacks harder if users could disable extension updates, or had to opt into them. Most of these extensions are simple and don't really need to be updated, yet the update mechanism is silent full auto bada bing bada boom no rollbacks. I can't think of any updates more aggressive, not even Steam.
Yet another opportunity to recommend Firefox to readers.

I'm not sure I advise doing it, but you can go to about:addons and hit the gear icon and you can uncheck "Update Addons Automatically". Even better, click on an extension and under the "details" tab there's an option per-addon to set whether you want automatic updates or not, so you can disable updates just for the one addon you don't trust (or enable updates just for the one addon you do trust).

Also, want to run older version of an extension? The Mozilla Addons page for each extension has a list of every release and you can download each version independently as a signed XPI file if you want to sideload it.

The big thing I wish Mozilla would add is self-compiled releases like F-Droid does, especially since their ill-advised signing process means it's hard for users to compile an extension from source -- it's way too easy for a submitted extension to deviate from its source code. But that (admittedly large) issue aside, Firefox offers a lot of control for users who want to manage their own extension versions. Forced automatic updates are a Chrome problem.

Yeah, that's very nice. The only reason I'm even aware of how Chrome does it is because we're forced to use Chrome at work. We're allowed to use some vetted internal extensions with it, and I do, but someone pushed an update that broke an extension by accident. Then I was like, why is this a thing.
Unbelievable how persistent redacted were over the years.
"And how do you spell your name, sir?"

"It's lowercase-italics 'r', lowercase-italics 'e', lowercase-italics 'd', lowercase-italics 'a', lowercase-italics 'c', lowercase-italics 't', lowercase-italics 'e', lowercase-italics 'd'"

"Ha, ha, your name is 'redacted'?"

"No"

Oh, it didn't occour to me before but you could have so much for naming your child redacted.
To see this many aggressive offers over an extension with ~300k users, it makes you wonder how intense the offers are for the likes that reach in the millions.

The incentives seem entirely misaligned in the extension space.

Hell I have gotten offers like this on a Discord bot, even. Wherever user data can be found, there are those who'd like to have their finger on the pulse
Can confirm. A couple years ago, I had a Chrome extension with ~100k users; I was receiving these types of emails every week.

One of them straight up offered $10k, whether that was a real offer or not I don't know because I never replied to any of them.

I've since taken down the extension as I'm no longer maintaining it, but weirdly I still get these emails, albeit less frequently.

I had a legit $13k offer for 180k users recently (even though it looked super shady, and the result for end-users would probably have been gross).
(comment deleted)
ChatGPT for Google was #1 on HN earlier this year. Check out the GitHub repo now: that person sold the extension.

I had a small side project extension, ~25,000 installs & free to use. I got enough inbound interest trying to "help me monetize" that I thought it would be worth cataloguing all the different unsavory avenues: https://mattfrisbie.substack.com/p/the-ugly-business-of-mone...

The most galling offer we saw on the mobile app side was something that would turn on the user's microphone, and listen for ads on tvs around them to track what they'd been exposed to offline. Adtech is such a thoroughly gross field.
so this really does happen then? Because I used to be convinced it wasn't a coincidence when I saw ads online for some niche uncommon topic I had recently talked out loud about.
This matches the audio signature of the TV ad - basically, it's like Shazam, but for TV ads.

It's currently not economically possible to listen to user's conversations, transcribe them to text, and serve ads based on that. It would cost orders of magnitude more in processing power than you could get from the extra sales.

This might change in the future, of course

Wouldn't cost that much if the transcribing is done on device
This would be immediately obvious in a cursory analysis of performance. On-device transcription is not only computationally infeasible, it would also require model capabilities far beyond what is currently SOTA.

Google had (and has afaik) significant challenges implementing multiple wake-word detection for precisely this reason.

Transcribing a couple of words accurately on-device without a major performance penalty (so that it can be running in the background always) is just _barely_ coming out now.

I would have to take your word for it but my phone is able to transcribe speech with no problem and no internet connection.

Of course running it 24/7 in the background would ruin my battery, you would have to be smarter than that.

Which phone/app? I would be very surprised if a manufacturer has an entirely on-device real-time ASR model, maybe I'm behind.
rewind.ai has entered chat.
There's this weird narrative I see that "computers just aren't powerful enough" to do things I remember them already doing on Pentium 1 class machines in the 90s.
Yeah, my understanding was that it was audio fingerprinting tv ads, not transcribing anything, but I wouldn’t be surprised if they were trying to vacuum up other stuff. That said, I think it should be feasible to do basic low-accuracy transcription on-device, especially with all the neural engine hardware making inference more efficient.
> It's currently not economically possible to listen to user's conversations, transcribe them to text, and serve ads based on that.

Anedoctally I belive Meta does something like that because I consistently get ads on Instagram about topics I talk with a friend on Whatsapp and sometimes that is done completely via audio messages. Though I might be wrong and leaked the topics in text messages among other possibilities.

I think it can be economically feasible. They can have a model optimized for their topics which can be orders of magnitude faster than general-purpose speech recognition. Low accuracy probably wouldn't be an issue as they are able to fine tune the user topics of interest via its interactions with the ads (e.g. click rate, time spent before scroll).

But every time this comes up the threads are flooded with people saying it doesn't actually happen and the ad companies just work out what you're interested in by what you're browsing.
And that all this information gathering for targeting absolutely matters.
Fly-by-night ad networks might engage in this. Ad networks that are in the sights of regulators, and can be slapped with $X billion fines, that may well exceed the marginal revenue produced by improved tracking[1] are going to be a bit antsier around doing that sort of thing.

[1] How much more money will a $100B ad business make if they improved tracking accuracy by %1? It's some positive number, but significantly less than $1B.

Would a top tier ad network be exposed to any liability if the fly-by-night did the sketchy work, then the top tier bought that “anonymized” data?
Probably not direct legal risk[1] if they weren't the ones collecting the data, but integrating with all that shit has the incredible risk that your counterparty might just go up in smoke next week, while leaving you with a busted product, and all the reputational damage fallout.

It's picking up pennies in front of a steamroller. You'd have to be a truly desperate PM to consider it.

[1] Still all the legal risks of holding that data, but they are easier to mitigate.

So instead they buy that data from the fly-by-night operators and carry on as usual. That's the key problem here, this data only needs to be collected by one shady operator, "the market" will handle the rest.
Two different things. The popular conspiracy theory is that the phone listens to and presumably transcribes your conversations, sending them to a third party. The example the OP gave is specifically listening for TV content: they’ll have hashes of known ads/shows/whatever to compare against rather than do something like live transcription.

Don’t get me wrong it’s shitty and gross. But they are different things.

The only reason they don't do that is because our devices aren't powerful enough to do it all the time.
I don’t disagree with you but the fact remains: they aren’t doing it.
Both iOS and Android show when your microphone is active so the whole conspiracy theory about it always listening to you and sending it back is pretty bullshit. And no one has yet found evidence of such network traffic either.
True, but the theory is far older than the indicators. So maybe Facebook stopped being sneaky once those controls came in? Not saying I believe them, but there's still room for doubt there.
Facebook doesn't have to be the one doing it - a 3rd party that controls an app on users' phones could be selling transcribed data to companies that want to run individually tailored ads on Facebook.
except it's always listening for you to say "siri" or "google assisstent". Some androids also show what music is playing nearby. You can thankfully opt-out but the ability to is still there.
They do that with local processing. For the music thing it calculates a hash locally and send it to their servers.
That still requires the microphone to be active, right?
Yes, but it doesn't record anything. It calculates a hash locally and sends that hash to their servers, where it is then identified.
(comment deleted)
Couldn't you do the same with tv shows and ads?
At least on iOS, not without hacking the operating system. Siri’s ability to listen for a wakeword without an microphone indicator requires privileges that normal apps don’t get. On Android, as far as I can tell, the same is true, except that some phones ship with preinstalled third-party apps which can then get extra privileges.
It runs on a specific coprocessor, even.
This seems very similar in principle to the perceptual neural hash that Apple created and uses to check every file on any Apple device. I recall that some people had an issue with that, because there is no guarantee what hashes will be added to the database, and no real way to know what file they will map. So, the hash could be anything, and could send anything, which is entirely up to the whins of whatever company or entity that deploys such a product. Effectively, this just means that you can in fact check nearly anything happening on an input, if it maps to some perceptual hash that is similar enough to one the server has in its db.
...They don't even need to hash content. Advertisers can just add ultrasound beacons to the audio track.

Imperceptible to human hearing, but readily picked up by a listening mic. In fact, there are static analysis tools for picking out apps that access such API's in FDroid, along with taking measures to feed said apps dummy data. At least for Android anyway.

Your phone notifies you when an app accesses the microphone. If this is happening so much, how is it not blatantly obvious?
Android phones that are 8 major versions out of date because the OEM won't support them probably don't have that feature.
8 major versions, that is surely less than 5% of the Android population. I'm sure the security flaws in those non-updated phones is far more serious than the lack of microphone indicator.
I was being a bit tongue-in-cheek with the 8. However, it is just as valid to talk about unpatched security flaws.
According to https://source.android.com/docs/core/permissions/privacy-ind..., the microphone indicator is only in there since Android 12. Android 12 and 13 cover only 50% of Android phones, according to https://gs.statcounter.com/os-version-market-share/android/m.... There were some "access to the microphone is restricted for background apps" changes earlier, reported for Android 9. But I wouldn't rely on them, and even if those restriction always worked, that still made ~10% of Android phones vulnerable.
It seems highly inefficient to listen to users 24/7 given the other more specific signals that are available. Rather have a transaction data point around everything someone has purchased then what they talk about.
For context, this is the worldwide stats that Google reports:

https://imgur.com/a/mqBE8wM

30% on Android 13 is absolutely not believable, both from personal experiences and data collected.

Ice Cream Sandwich was the best android, and nobody can tell me otherwise.
Agreed. Android 4 was peak Android. Most of my favorite Android games are from that era and very few of them run anymore. I wish Google either make a sandboxed emulation layer for those old abandoned games.
Wait... what? As someone who's always tried to target the oldest Android version I can which Google Play will still allow uploading (for a long time, Android 2.3), this is alarming. Why don't they run now? I don't actually play games on Android myself.
No idea of what API they're hitting but basically half of my old humble library won't run anymore - they show a warning about old APIs, show the title screen, then crash to desktop.

Even some old games I paid for are gone from the Play Store too. Like, I paid for Puffle Launch and it's just plain gone from my library.

Edit: ahah, I was looking in the wrong spot! Its still in my "not installed" list, just not in my "family library". Either way, not compatible with any device I own.

Ah, 2011, the age of so many Angry Birds clones...

I just found https://archive.org/details/PuffleLaunchAPK and https://archive.org/details/PuffleLaunchAmazonAPK (both point to each other), with a note that says that the latter generally works and the former crashes. I can verify this; on my (Android 8, 32-bit compatible) device the Play version crashes with:

  08-10 14:55:03.864 25995 25995 E linker  : ERROR: OOPS:     0 cannot map library 'libmono.so'. no vspace available.
  08-10 14:55:03.864 25995 25995 D AndroidRuntime: Shutting down VM
  ...
  08-10 14:55:03.865 25995 25995 E AndroidRuntime: FATAL EXCEPTION: main
  08-10 14:55:03.865 25995 25995 E AndroidRuntime: Process: com.disney.PuffleLaunch, PID: 25995
  08-10 14:55:03.865 25995 25995 E AndroidRuntime: java.lang.UnsatisfiedLinkError: Bad JNI version returned from JNI_OnLoad in "/data/app/com.disney.PuffleLaunch-rjdXjIyhGz7STdfxQ9xH2g==/lib/arm/libmono.so": 0
I'm always on the lookout for old interesting games, and maybe there are workarounds for the other titles in your library too. What's the list?
I tried looking up that "no vspace available" error (which is the real error message) and found no explanation. I wonder whether it's something like trying to map a .so segment as memory that's both executable and writeable but it's no longer allowed? And IIRC Android's runtime linker was rewritten sometime around Android ~4 because the original was not very well written, so that might be the cause of the incompatibility. Come to think of it, the large parts of libc that were also completely replaced (mostly with code from OpenBSD and FreeBSD IIRC) because they were terribly buggy will probably cause compatibility issues too.
Puffle Launch wasn't an Angry Birds clone, it was the barrel scenes from Donkey Kong Country expanded into a full game.

One problem is that some games aren't just incompatible, but also were enshittified with ads and nonsense after I paid for them (before they were killed altogether).

Offhand, the ones I remember: a paid version of Angry Birds Space, Amazing Alex (Rovio's excellent take on The Incredible Machine), Swords and Soldiers (fortunately there's a Steam version of that), Noodlecake's "Wave Wave", Pool Break Pro, and some classic ports like Dead Space, Spy vs Spy, and Ur-Quan Master, but there are better non-mobile ways to play those games.

Why do you think iOS and Android now prompt for microphone usage?
iOS has prompted for microphone usage since 2013
> the ad companies just work out what you're interested in

The word "just" doesn't belong in that sentence. The ad companies being able to know things about you without actually listening to you is even more scary.

Evil-Ad-Company Neo: "You're telling me I can know things about my customers by secretly listening to them?"

Evil-Ad-Company Morpheus: "No Neo, I'm telling you that with the right license agreements, data sharing partnerships, and algorithms, you wont need to secretly listen to them."

I mean showing you ads for diapers because you googled "best diapers" falls under that same category and I daresay isn't evil at all
I am pretty convinced that modern advertising - from the most inane and innocent to tracking users 24/7 pretty clearly falls under evil. Gone are the days of advertising trying to raise product awareness and convert purchases - that field now exists to create demand. It induces desires in the recipients that play on psychological factors like FOMO to create customers out of thin air - and that process causes we the consumer to pay a constant attention tax and suffer higher levels of stress in our daily lives.

Advertising is evil.

I'm not a radical about many subjects, but I'm certainly radically anti-advertising.
Advertising is nudge theory without the do-gooder mystique
You do realize all forms of media embed advertising directly into the content going right back to the beginning, right? There's nothing modern about it. Showing you a product when you actually want to see it is the most effective way to induce demand. All your favorite shows, movies, youtube personalities, etc. still do this.
Well, seeing that:

- I use ad blockers for my browser on both mobile and PC

- pay for the ad free version of all of my streaming providers

- don’t use apps that have ads and don’t have a method to pay to get rid of them

If you think that the product that the lead actor in the series your marathoning through on your streaming provider isn't there on purpose, then you've just not been paying attention. There's a reason shows blur out logos on people's clothing or the crew covers them up with grip tape, or set dressers turn the cans/bottles/boxes of products around so the main logos are not visible. Even having copyrighted posters on the wall in frame can cause licensing issues.
(comment deleted)
This isn't true. Originally advertising was designed around the premise of explicitly highlighting utility and functionality of goods/content. It wasn't until Bernays came along and adapted his uncle Sigmund Freud's theories into practice by designing advertising to manipulate people into believing that they actually need the product.

Modern advertising is not just "showing a product to induce demand". Car adverts don't just highlight functionality, they use mass market analytics to play emotionally driven messaging and visuals so that you associate that feeling with the car ad.

Do you know what Bernays called what services he offered before the word got tarnished?

Propaganda.

> Bernays came along and adapted his uncle Sigmund

and then bernays' nephew started netflix

Those two categories are really far away from each other.

Googling X is a voluntary act to search for X.

Speaking about X with a friend, while the phone sits in a bag nearby, has exactly zero connotations of wanting to search for X.

Advertising, by its very nature, is emotional manipulation with the goal of getting you to give up some of your money for something you most likely don't really need and won't improve your life all that much, if at all. To me, that's evil.

Sure, there are varying degrees of this evil, but IMO even the least-objectionable advertising out there still can't be called "good".

In my experience, the case where advertising gets you to buy something that ends up being materially useful, that you would not have bought (or found a substitute for) without that advertising, is the exception, not the rule.

Oh, and to address your specific example: if you search "best diapers", and get shown ads for diapers, that absolutely is evil, because some ad-presentation algorithm is pushing you toward whatever diapers will generate the most money for the ad network, likely not toward which diapers are best. Not to mention that "best" often means different things to different people, and the ad networks only care about that insofar it increases their profit.

> Advertising, by its very nature, is emotional manipulation with the goal of getting you to give up some of your money for something you most likely don't really need and won't improve your life all that much

I've heard somewhere that ads are rich people screaming "give me money".

(i know, i know, but i like it)

> To me, that's evil.

Bill Hicks on marketing: https://www.youtube.com/watch?v=tHEOGrkhDp0

> I've heard somewhere that ads are rich people screaming "give me money".

That makes me think of this Paul Graham piece on "the PR industry, lurking like a huge, quiet submarine beneath the news." [0]

[0] http://www.paulgraham.com/submarine.html

He makes one really good insight:

> If you really want to be a critical reader, it turns out you have to step back one step further, and ask not just whether the author is telling the truth, but why he's writing about this subject at all.

Followed quickly by being hopelessly naïve about the future:

> Whatever its flaws, the writing you find online is authentic. It's not mystery meat cooked up out of scraps of pitch letters and press releases, and pressed into molds of zippy journalese. It's people writing what they think.

I don’t have any ethical concerns with ads. My concern is that it ruins the experience of whatever content I’m trying to consume.

Surprisingly though, for some reason I don’t find podcast ads to be as offensive.

>you most likely don't really need and won't improve your life all that much, if at all

People are spending money because they see that they are getting value from something. If people didn't want it or thought it was worthless they would not buy it.

>If people didn't want it or thought it was worseless [sic] they would not buy it.

Thinking something is "worthless" and not wanting something are opinions. A lot of modern advertising attempts to change peoples' opinions, so that they do want something, and think something has worth. It's just like propaganda, which actively attempts to sway peoples' opinions.

Of course, there's only so far you can take this. Convincing anyone who isn't seriously mentally impaired that a sandwich made with literal shit isn't worthless is probably not going to work. But away from the extreme end, there's a lot of room to manipulate people.

Sure, if you take the most benign examples, it doesn't sound so bad. But it's so much worse than that. Going back to 2012 for "acting on data analysis gone wrong"

Target Sends Coupons to Pregnant Girl and Unawares Dad Explodes

https://www.workplaceethicsadvice.com/2012/02/target-sends-c...

> Pole had identified about 25 products that, when analyzed together, allowed him to assign each shopper a "pregnancy prediction" score. More important, he could also estimate her due date to within a small window, so Target could send coupons timed to very specific stages of her pregnancy.

And things just get worse from there, as companies figure out more and more ways they can extract information from the information they have about you, and share it with each other.

But that story was made up. (Not that Target does data analysis - the specific "teenage girl had sex!" anecdote).
No no no. First we start with trusted brands you know and love. We use the trust you have in them to slowly build a market around them. With our ad strategy, you’ll start seeing our product as related to Trusted Brand A. You will start seeing comments and reviews for our Brand in the same browsing contexts more and more until our Brand is now correlated enough to Trusted Brand A to remove purchase inhibitions.

After that, we just wait. We know we have you. It’s just a matter of time till you need a product like ours (you’re already our target demo), or an impulse buy occurs.

Without evening knowing it. You’ve been manipulated into trusting our brand, and you’ll think it was all an organic choice.

Nothing malicious or dangerous here.. move along.

sorry, i don’t mean to be dense here but could you spell out the implications for me? why is what you’re suggesting more scary?
They're saying it's scarier that ad companies can figure out these things without the data because it means that you can't protect yourself by withholding your data.
> you can't protect yourself

but what are you protecting yourself from? What's the threat model?

You're protecting yourself from targeted psychological manipulation. It's like the difference between someone spraying a cyber-attack over the entire IPv4 space, or spending a while trying to drill into a specific server. The latter is much scarier and harder to resist, but it's basically what targeted advertising is these days. They supposedly want just to help you find what you want to buy, but they do this by trying to make you want things you wouldn't actually need otherwise.

I like to think I'm immune (the only ad I've ever taken up was years ago for Privacy(.com), and only because I then knew about it later, and could choose to pursue it on my own), but I wouldn't be surprised if at some point before I started being allergic to every type of advertisement imaginable, some ads managed to get my attention for one reason or another. (maybe subliminal messaging's done something before, I dunno.)

I'm not too concerned about it since I know it's been kept to a minimum, so at this point basically everything I've done is something I actually wanted to do, there are no concerns about having been manipulated. But that's just because I've managed to avoid seeing targeted ads almost whatsoever.

Of course, someone who has been successfully manipulated would also think they've escaped manipulation. Isn't that the scariest part
Depends on the method of manipulation but yeah that is the scary part. It's probably part of what scares people into being so privacy conscious in the first place. Though for me it's more that I get really, really annoyed getting told to do things, because it triggers pathological demand avoidance. But that's just manipulating me in reverse (it's really easy to make me hate/avoid something just by annoying me with it)
At some point a reality check should be possible. Do you find yourself spending money on advertised-things?
That's the metric I usually use. It's absolutely inconclusive, but it works for peace of mind at least. Have I seen any ads for something I bought? Usually the answer is "no". I'm still at the mercy of sort order on sites like Amazon and eBay, but that's much less scary because if I really care, I can sort by lowest price first.
By my own moral compass. If a company says "lots of people on Amazon are looking to buy what we have, let's make sure we're present in that market", that's completely moral. Compare that with, "a child is preparing for their math test tomorrow by watching a video, let's interrupt them and make them watch a commercial about our sugary, addictive, and unhealthy drink".
Is it even possible to not spend money on advertised things?
Mostly by not spending money frivolously.
The house I live in was advertised when it was on sale, all the food at the store gets advertised, all the non-bespoke clothes I can buy get advertised, as do most of the bespoke ones, every car gets advertised...
The difference is whether those ads were exposed to you before you bought it. Was it a factor in your decision?

Not whether it's something in the world that's ever been marketed at all, because literally everything has.

Generally yes. Especially the grocery store is constantly advertising hundreds of items, and I've looked at their ad pages more than once. And it's pretty hard to find houses outside of advertising platforms, and I used to watch enough TV that I'd seen ads for every clothing store and every car before I had a chance to find them on my own.
Among other things, I would say the unknown collation of personal history, interests and spending activity that is often auctioned off to the highest bidder.[1][2] In an even more automated society than today, social scoring becomes the norm, and with it access to services.

With prolific cases as Robodebt and the Toeslagen Affaire, we can only hope these automated scoring systems remain isolated from governmental overreach.[3][4]

[1]: https://themarkup.org/privacy/2023/06/08/from-heavy-purchase...

[2]: https://themarkup.org/privacy/2023/06/23/how-your-attention-...

[3]: https://en.m.wikipedia.org/wiki/Robodebt_scheme

[4]: https://en.m.wikipedia.org/wiki/Dutch_childcare_benefits_sca...

Deanonymizing people across datasets for one. Maybe attacker or maybe next gov that goes full Hitler and subpenas tech companies to introduce social karma and you are put on a no-fly list because you expressed interest in UK royalty or have a cousin in Iran. Invisible bubble and radicalization for another.
Firstly there is the emotional response: I don't want to be followed around in everything that I do for someone else's benefit, and I not at all convinced of arguments that targetted advertising is done for my benefit.

Then there is the fact that a large amount of data about me is being stored, possibly insecurely for people with even less scruples to analyse. I have very little to hide (white, middle class, straight, male, cis, no criminal activity beyond some unlicensed TV/film access, etc – there is little or nothing about me that would be frightening for anyone else to know) but there are many out there who do have things that could be (unfairly) held against them with terrible consequences. Consider women in Texas where there is effectively a reward/bounty program to encourage snitching on those who have had, or are considering, an abortion, or people in law enforcement who don't want certain groups to be able to derive their home address with any accuracy, people in one or more closets through fear of being ostracised from their family/community and left pennyless & without support, and so forth. I grew up with friends who were gay when it was still effectively illegal to be, despite what the Sexual Offences Act (1967) said, and when getting beaten up for being gay was almost acceptable (“act more straight, and it wouldn't have happened”: something a friend was once told by a policeman that saw no cause for arrest) – the fear of consequences from collected information “getting out” and/or being used to derive other information (true or otherwise) is real and for many people not at all irrational.

Back to my icky feelings, which are perhaps a little bit less rational: I wouldn't be happy with someone following me between shops, watching what I'm perusing, then to the pub and noting who I was there with, then back to my home, in order to be able to serve me relevant ads (perhaps for shoes that would be more comfortable for that much walking? or for condoms because they noticed I was accompanied by a female friend, and you never know, right, nudge nudge wink wink), and I'm not happy about the same happening in a more virtual environment. How do I trust that is really (or only) why I'm being followed? And I how do I know who else my stalker is selling news of my activity to?

[actually, the “I have little or nothing to fear” isn't entirely right – any of us could suffer from plain old identity theft in various ways]

I understood this to mean the amount of information they have is enough to uniquely fingerprint you and associate that with your derived wants and needs.
That was an official feature of the Facebook app at one point. Like 10 years ago. It's absurd that anyone would deny this. It was right there as a feature! Default off I think. But it was definitely there.
I can’t speak for Android. But exactly how does a mobile app turn on your microphone on iOS without you giving it explicit permission?

I just did a virtual visit with a doctor that used a video conferencing service that work without an app on iOS and just used Safari. I had to give the page explicit permission to use my microphone

What makes you think they don't get permission from the user?
Nielsen has sent me about $30 so far begging me to wear a microphone that records me all day. They repeatedly call and have started fedexing me letters instead of USPS.

I open them to get my increasing amount of cash.

That data must be valuable???

Put the microphone on your cat while you're gone for the day.
So your app already had microphone/audio permission granted for legitimate reasons or were they going to do the pop-up after the update?
Nah, we didn’t ask for any permissions at the time iirc, except gps if/when people wanted to use that to hop the map to the right spot.
Why broadcasted ads which are the same for everybody? Is it trying to track effectiveness of these ads?
Why not? Your cable company would like to charge you extra if you mute the ads or use the bathroom during ad breaks. That's just capitalism.
Exactly. Going to bathroom during ads is just a display of disrespect to creators and marketing people. You could go during the show instead.
Probably to target an ad for the same product/service at someone who was in the same room as a TV ad. About 10 years ago I worked for an ad targeting company and we got ~50% more click-through on a web ad just by showing it shortly after a TV ad aired in that location (just using the geoip timezone and hoping they might've been watching the right channel), if you could do that only for people who've actually been exposed to the TV ad there's the potential for huge uplift there.
When I worked on audio firmware for the BlackBerry, one of the external devices I had to support was called a "security plug", which just shorted the headset mic and headphones to ground. It always seemed kind of silly to me because there was still the handset mic on the phone that could be activated separately.
Did an external mic not stop the internal one from working? I assume the plug was a box-checking exercise more than anything.
I think the default audio routing was setup to stop the internal mic, but if you used the mixer API, you could do weird, custom things.
"Adtech is such a thoroughly gross field."

Someone else on HN called it "elegant" last week.

https://news.ycombinator.com/item?id=36975056

I work in ad tech and elegant is not a word I’d use. It’s very, very loosely coupled and has a grave transparency problem.
> "The current movement to avoid tracking is an extremely powerful centralizing force."

What a biased, myopic comment. As if ad companies are a grassroots movement against centralisation. As if ad tech is not in the hands of the powerful few tech companies.

They have defended ads in 2021 as well. I wonder where they work. I mean, somebody must be writing the backend for all these ad companies.

Adtech is psychological manipulation. Radicalisation uses the same techniques: Create the perception of a vacuum and then provide the solution to fill it.

One is actively censored and you can go to jail for, the other isn't even on the legislative agenda. There are semi-understandable reasons, but it's far from entirely non-hypocritical.

- Do you trust your constituency to make up their own minds or not?

- Who are you trying to protect?

  - From what?

  - From whom?
And this is without even mentioning online advertising as a (seemingly increasing) vector of scams, frauds, malware and viruses.
When I worked at Meta, the execs said that many users think they're being spied on when they see ads based on a conversation they've had in real life, but the execs categorically denied that this could be happening, and said it's all just a coincidence. I thought this was a completely unfounded denial, since Meta had no way of auditing 3rd party apps on the user's phone, and it's perfectly plausible for another app to spy on their conversations and then use that to provide targeted ads to the Facebook account associated with the individual's email.
Realistically, in a simple statistical way, plain "coincidences" have a significant "expected value". I.e., if you simply take the billions of people across the planet, and look even across a single day, lots of coincidences occur.

Now, add in psychological effects - "synchronicity", "frequency illusion" ("Baader-Meinhof"), "recency illusion", confirmation bias, etc... I'd expect a fair bit of compounding*.

Then, add in simple use of statistics, statistical inference, etc. and basic tracking of user navigation around the web, on a given website, etc.

I've had these experiences, perhaps one or two times a year, on average. Experiences where I was VERY surprised by ads presented. Experiences that would easily suggest a microphone must have been on when it shouldn't have been. Sometimes, I realized I'd used someone else's device in a way that could be tied to me. Other times, while some "leaps" would be involved, I could basically deduce myself that someone who had looked for information on some "X", and information on some "Y", might really be thinking about some "Z" that isn't easily arrived at from either X or Y in vacuo.

Spying, in the sense you suggest, can't be ruled out by the above. But, I would ask - why even spy? Is a company like "meta" really going to get much more useful (from their perspective) info by doing so? Particularly given the COST? It's becoming more realistic, arguably, but, really, these companies have had more than enough info on just about anyone for well over a decade to keep their algorithms and such well-occupied.

People gladly hand over tons of data constantly ... with full awareness and intentionality, and otherwise. The vast majority have no idea what statistical inference and other techniques can suggest based on seemingly obliquely connected info. Further, most users are so accustomed to "cookies" and other hidden types of tracking, and ignoring EULAs** ... really, it's hard for me to imagine a good case for doing anything more ... "invasive" and ... legally / otherwise dubious.

Edit: mostly came back to add one of my favorite (ab)uses of (statistical) inference:

https://youtu.be/Oseqh7SMIvo

(also, added the bit below about EULAs)

* Outweighing significantly, I'd suggest, other quirks of human perception, memory, etc. that may diminish awareness and recognition of potentially related events. I write "suggest" mainly because I don't have ready refs to offer this second and don't have time to dig a couple up ... IIRC, the research that exists strongly favors compounding, though, of course, this could be argued to be influenced itself by human psychology (including social and economic factors, e.g., "publish or perish" etc.).

** Jargon buried in legalese, what a genius way to get just about anyone to agree to just about anything! If only John, King of England (in 1215), had been more skilled in the ways of the EULA - perhaps "King Charles III" would be emperor of the world now. Oh utopia denied ... kek.

> Billions of people > lots of coincidences

While that is a positive take that could explain it, I am not convinced by that number crunch. 2/situations per year, per person, that is still "a lot" to be considered plausible statistical coincidence.

In many cases it’s more than simple:

You had the conversation with someone and that someone googled/shopped/amaozned/clicked it. Or did before already, you don’t initiate every conversation in your life after all.

Now go and try getting a denial that they are not using the fact that you share a wifi with someone as parts of the recipe for the recommendation cake.

The arrow of causality can also go the other way. X corp is currently running a campaign targeting your area/demographic. A friend of yours sees and X ad and mentions something X-related to you in a private conversation. The next day, you see an X ad too.
Wdym? You cannot target specific individuals when creating ads on FB/IG?
You can (e.g. by email address), which is why it's impossible for Facebook to guarantee that ads weren't targeted based on listening in on conversations. It has no ability to determine how an advertising purchaser generated / obtained the data it is using to for ads targeting.
Wow what, facebook allows ad targeting based on a user's email?
Yup. The typical use case is e.g. if someone logs in to your e-commerce site with their email and looks at a product but doesn’t purchase, then you can show them an ad for that product to try to remind them to go back and buy it.

It’s a really creepy feature though that can easily be abused.

I am not at all surprised to see one of the emails you got matches exactly (other than the extension name) one from the linked post. Definitely a lot of this crap is heavily automated.

> I'm a fan of [extension name] and I really like how convenient and useful it is.

> Have you considered offering promotional spots to those interested in promoting their products on your extension? I'm interested in promoting my own extension on [extension name] and would love to discuss this possibility with you.

> Let me know if you're open to this.

Interesting, I've received this same exact message recently as well. I've maintained an extension with a few hundred thousand users for the last few years and I've received way more messages like this in the last year than ever before. Can't say I'm that surprised though.
Man, being offered $11k for an extension would be hard to say no to... With that a down payment for a house is a much smaller problem. It's always a good idea to consider where the line is for ones own ethics.
In a sense, poverty encourages corruption / corruptability; it ties in with the saying that everyone's for sale at the right price.

I have a website, I'm sure it's worth money to someone. If someone were to offer me $1000? Piss off, i've paid more than that in hosting costs in the 15 odd years I've run it. 10K? Sounds compelling, I'll have to think about it. $1M? Fuck all of my online friends, I'm taking the money and cutting contact.

It would be shit and I'd probably regret it, but it's a lot of money. But this kind of corruption is everywhere, and worst of all, it's permeated in politics. But subtly, in the form of campaign contributions, lavish parties and vacations, connections (i.e. lavish positions in company boards during or after a tenure in politics), never in the form of wads of cash passing hands.

In the US, $11k may only cover submitting three months rent + security deposit to rent an apartment.
I have an extension I wrote that is literally for a single regional website to do some extra blocking to get around a paywall. There are under 10 installs total. For some reason, the most recent monetization email I got thought it was 10,000.

> I'm reaching out to discuss a unique monetization opportunity for your extension, <name>, through our exclusive Premium Bing Hosted Product. > I'm thrilled to let you know that this invitation-only product offers the chance to earn as much as $500 per month for every 1000 users. Given that your extension has a user base of 10K, you stand to make up to $5000 monthly just by integrating the search functionality into your extension. This could be a significant source of passive income, and I truly believe it's an opportunity you won't want to pass up.

I... I... I know the 10 installs are all basically /my devices/...

You should counter by offering to sell them the whole thing for a flat price and then have all your users (you) switch to a new extension that does the same thing under a new name. :)
Okay, even better, to follow on another user's idea and up the ante:

Fake extensions created under burner dev accounts (w/ fake identities), astroturf the installs like crazy. Use ChatGPT to write the code, pump it out like chocolate out of Willy Wonka's Fudge Sludgefest.

Sell to scammers/info scalpers for a flat fee via a non-refundable route under a semi-reputable escrow, rinse and repeat.

The one downside is if you do that to somebody bad, and you've left any personal info out by accident....

Additionally, it's highly unethical. Don't do this. But it seems like 'easy money', the whole 'curse of maybe getting doxxed and XYZ from a sufficiently-motivated data thief' aside.

I got this too! For an extension that doesn't even work anymore after manifest v3
It is so cheap to send spam email that it wasn’t worth the developer adding a filter I guess.

Maybe mark as spam and move on.

Hard to turn down $20k/month for doing basically nothing. Props to the author.
It's only $20k/month if (1) their number is truthful, and (2) Google doesn't ban your extension for serving malware.
This assumes the offer is legit. I seriously doubt even the most nefarious extension nonsense is actually going to bring in $20k/month. Even if there's millions of users.
Yeah, I've received plenty of similar offers over the years and I'd have been a lot more tempted if I actually believed any of the numbers.
That's exactly it. The "extension monetization" field is a product area fundamentally designed to scam its users. Clearly they're not going to shy away from scamming their suppliers. They just need to fool the authors into giving them control before taking payment, then they move on to the next mark.
It wouldn't be a long-term income anyways. Most likely Google would block the extension within weeks. So it's more like $20k total, not per month.
That is nothing. I turned down the opportunity to inherit a Saudi Prince’s fortune for doing nothing (well just needed to pay his sons bail bond or something)
(comment deleted)
And if you run a website you get constant emails like this:

   Hey There,

   I wanted to reach out and see if <website.com> accepts guest post contributions or link insertion in existing posts? If so, I'd love to hear more about your guidelines and any specific topics of interest.

   Thank you for your time, and I'm looking forward to your response. 

   Best Regards,
These ones are definitely spammed out en-masse, my site doesn't even have a blog.

My site also has some Windows software downloads on it, and I occasionally get emails for bundling dodgy installers. Most of these tend to be "residential proxy" services looking to sell access to users' internet connections.

> My site also has some Windows software downloads on it, and I occasionally get emails for bundling dodgy installers. Most of these tend to be "residential proxy" services looking to sell access to users' internet connections.

I wonder what these people are thinking? Like, TOR operators know the risks with connection sharing - most particularly: pedos using their service to share CSAM. But everyday people?! They have no idea until one day they get v&.

Prey on users who don't know the difference. Sell the residential proxy service to scammers who use high-reputation residential IPs to commit crime or fraud or other shady things.
I think these services are used mainly for scraping sites which try to hide their data (think LinkedIn). They don't offer any protection to those that are breaking the law, afaik. So I would expect that there isn't much risk of putting their victims ("endpoints") in trouble with the law.

Not condoning it of course, it is still an ugly practice.

I've read through some of Brian Krebs' articles on some of these proxies, the ones I get these email offers from seem a little less slimy than that and more above board like you say. It's still not an acceptible thing to be seeling your users out to though.
You just saved me some work, thanks!

I also get these emails but run a WordPress site. I was convinced they would fingerprint websites and mail those to these sites only.

It was on my todo to see if I could hide the fingerprint of WordPress.

But now that you mention this, it's obvious it wouldn't do much. In hindsight, I could have know these spammer would just spam everybody in bulk.

Masking your WordPress install is a pretty good idea for plenty of other reasons though, just hiding wp-login will save you a lot of headache with bots wasting your CPU cycles and bandwidth trying to bruteforce.

Sounds like a challenge to hide the wordpressyness entirely though, it's got a huge surface area.

This is my favorite sort of email that we get about once a month in various forms... their title at the end is hilarious.

---

Subject: Found a security vulnerability on your website.

Hi Team, I am Harris, a security researcher, and I have found a security vulnerability in your website outside a bug bounty program.

I can disclose all the vulnerabilities found and their proper fixes too, to make your website more secure.

Companies I helped have always been generous and helped me back with rewards in amounts they think are appropriate to the issues I have found. If you appreciate my help, I'd be happy to receive a bonus payment via PayPal, Bitcoin, Payoneer, or Bank Transfer.

Waiting for a positive response from your end.

Thanks and Regards,

Harris A

Certified Ethical Hacker

On the off chance you entertain these individuals, it's usually something really dull an automated scanner picked up.
What happens if you don't pay? Or do they expect you to pay up front for essentially a pig in a poke?
The last one I engaged with only mentioned payment after the fact (along with wanting me to hire them to do a full pentest).

I just ignored them and that was it.

I would like to keep a working <email:> tag on my website but doing so seems to attract tons of spam email that goes something like this, or otherwise offers from random web developer conglomerates offering to "better" my website (which I try to keep simple and plain). :/
We run an educational blog for our saas product and we get some legit emails from readers but also a lot of the spam and some of it is scary good.

They feed in so much context that it does appear to be a real person and it ends up wasting a lot of time and honestly it's quite hurtful. We spend a lot of time sharing our stuff and these fake connections are a major turnoff.

Recently we encountered a wave of "awards shortlist" sort of emails written by AI with deep context that will cosider us for award for one easy payment! Except they always forget to tune the topic as we're not running software security service, we cover web scraping.

I feel like AI will kill email communication between strangers. It's getting so exhausting.

This may not be appropriate for your use case, but rotating the publicly facing email address when you get spam or on an interval may help here. For example hello-XXXXX@site.com (hello-a5b84@site.com, hello-jux8k@site.com, …).

I believe most legitimate visitors send an email shortly after visiting a page with the address while spam emails often have a much longer lead time with new addresses (it takes time to get scraped, put in a database, and then get used).

However this does mean that extended communication on that address and saved addresses will not work well.

I wonder whether there exists a cottage industry of fake extension writers pumping up their numbers with fake installs, all with the goal to sell the fake extensions to these scammers.
You make the extension. I'll use bots to inflate the stats and make it look used. You pretend to not notice and sell-out. We split the profits. Fraud as easy as 1-2-3.
I also wonder how they make these sales. Is there an escrow for this? Are Chrome extension transfers non-reversible? Can't imagine such a shady deal is safe for either party.
If you put something out on the web that gets somewhat popular, you are going to get all sorts of scummy people contacting you.

The first one that happened to me: I have a domain name and someone emailed me to let me know, as a courtesy, that someone was buying similar Chinese domain names and did I want to get them first. I thought that was nice that they were notifying me ... oh wait, they're just trying to get me to buy their domain names.

People contact me about redesigning my website, buying my website, exchanging links, straight up spamming my website. It's really strange.

Android apps too. Always getting offers to have some code added.
I used to reply, with the same offer “i can help complete YOUR set”
This one is interesting because it seems harmless, if not even helpful (Monitoring DNS errors). What am I missing here?

"I’m sure you get business proposals all the time, so I’ll get straight to the point. I hope what I’m proposing is a little different and might actually interest you. I like Hover Zoom+ as a great alternative to it’s bigger brother Hover Zoom that lost its glamour over the last couple of months.

We're conducting a DNS error research and we’re interested in small amounts of anonymous data that you might be able to provide via your Chrome extension. Our research has been going on for years and Google has never had the slightest problem with it.

- Compatible with Google’s strict policies

- No personal user data

- No ads, no malware

The data we’re interested in are basically just DNS errors:

- NXD – Non Existent Domain - the domain that a user entered that resulted in a DNS error.

- A time stamp – when it happened.

- GEO – where it happened (USA, UK, RU etc.).

- A unique randomly generated user ID (can be hashed, not traceable back to the user). Please, don’t confuse this with the user IP address.

And that’s all. You can either use our script or collect the data on your own and send it to us via an FTP server, API etc. There’s a lot of different ways we can do this. We pay on a monthly basis. The payments depend on user GEOs, but it would be in thousands of dollars per year.

Is this worth at least a brief discussion? Looking forward to hearing from you.

A while back I reached out to you regarding a DNS error research our company conducts. Hover Zoom+ would be an ideal medium for our research. In return, this could become a solid new revenue stream for you.

Our method has been going on for years and we’ve never had the slightest problem with Google. We pay regularly on a monthly basis. For you it would be in tens of thousands of dollars per year - the amount depends on your users base and data quality.

If you’re concerned about including third party scripts, there’s still a lot of ways we can make this work.

Please let me know if this is worth a brief discussion to you."

Probably looking for domains that are commonly typo'd that they can purchase and run ads on.
Well, money's changing hands, and they're not specifying any clear intent of goodwill.

Therefore, there is likely some business interest at best, or anti-user behavior at worst.

It's not hard to write a script that ostensibly does one thing but very sneakily carries information about another thing. For example, write a bad 'hashing' function? Piece of cake.

Always follow the gradient of ATP.

They want to know what domains people are mistyping or are interested in so they can more efficiently scam them, I’d wager.
Just a guess: they could buy domain names that are available and for some reason get queries. For example often misspelled domains. This would not be forbidden but still a little shady.
And then they will add a phishing site on that domain, looking like the one they meant to type, and scam people. So very shady, I think.
Typo squatting research. See what users frequently mistype and receive NX reply so that they can register it and serve ads or do phishing or such.
My guess is either mapping out internal networks for nefarious purposes or finding expired/dead domains that still receive traffic.
This would expose internal DNS names when in an environment where they're not connected to their private DNS server.
This one pings my trap detection in addition to the private network mapping and typo-squatting potential.
They doth protest too much methinks, about how Google has never had a problem with them.
(comment deleted)
Oh, hey! I just got my first one of those for my extension a couple days ago. I just marked it as spam and moved on with my life.

Shameless self promotion - Open source chrome tab search way more powerful than the newish built in search (supports quotes, negative searches, things like host:example.com, etc).

https://chrome.google.com/webstore/detail/tabasco/apnefdpgai...

Nuking all extensions that use any of the listed "monetization platforms" would make Chrome extension store a safer place for everyone.
They will just rename everything and operate under a new shell company. Then everything will be back to the status quo.
Google could launch a honeypot extension to get offers from those new companies and keep removing offending extensions.
This is so true. I receive these emails every week. I've even had offers about acquisition that I had to turn down. Having a "Featured" chrome extension does seem to attract a lot of these offers. The more emails/offers I receive, the more I'm convinced that I shouldn't give up the extension.

For those curious, here's the GitHub repo of my extension: https://github.com/mohnish/rearrange-tabs

I don't know what the solution to this is, but I know a few trusted/legitimate companies that sell their user data for around £20/year even after having monetized their users with actual money

I will never do this because violating privacy goes against the core of my beliefs, but there is a conflict I can't seem to work out. On the one hand, I KNOW that the vast majority of users prefer to sell their privacy than pay a single penny. They would gladly click on a "sell my data" over a "pay money" button any day of the week. I know this because I have interacted with enough users to know these things. Many users will suffer a fit when things are not free but won't lose any sleep over giving away their personal details. Again, I speak of the majority and in general terms

On the other hand, I want the internet to be a place where unscroupulous actors don't flourish. Most people don't expect to get things for free in the real world, why should the internet be any different? Why does everyone (myself included) always look for free stuff on the internet?

The worst bit of it all is that in the end, the only people interested in spending money online are data thieves and advertisers. Everyone else is giving their soul. Developers are somehow expected to work for free so that this entire edifice can stand

The Internet has no easy to use fully-anonymous cash equivalent. If you pay for something, you're giving away your identity information anyway. The value exchange is definitely lopsided, but if I have to share my identity AND pay to get X, I'm out money AND shared my identity info. If I share my identity info and get X for free, at least I'm not out the money.
Can you hear that? It's the sound of a distant crypto-bro stampede coming your way!
Extensions are centrally distributed on platforms that could at least nominally handle payment. The problem is that $0.01 is infinitely more expensive than free.

In order for me to pay you, I at a minimum have to do some amount of mental gymnastics to convince myself that it's worth it for me to pay you. This has a perceived cost even if the money spent is trivial. This is why people who take money in small increments - i.e. mobile games, arcade operators, casinos, and so on[0] have you buy a large amount of some scrip that they control, and then make it so easy to spend it that you might accidentally do so.

Nobody is thinking "I'd buy this, but only if I can leave no record of ownership[1]", they're thinking, "is it actually worth buying". Identity and privacy isn't a thing that people actually account for when making purchases - mostly because it's never actually mentioned[2] in the terms of purchase. It's snuck in. So the choice is just "the free one" and "the $2 one", where the value of the $2 extension can never hope to overcome the mental transaction costs.

[0] Nintendo and Microsoft used to do this around the Wii and 360 eras. While on the Wii it was 1 point equals 1 penny/yen, Xbox did something nasty and made it 80 points equals 1 dollar.

[1] That would mean that setting up a new computer or browser profile loses you all your existing extensions that you paid for.

[2] I do not consider legal disclaimers to be adequate notice, and neither should you. Dropping a clause in a EULA is the equivalent of dropping rohypnol in your drink.

It also effectively has a minimum payment amount due to the credit card transaction fee structure.

And also unlike cash a service can keep billing you.

And, for better or worse, the risk is partially put on the business in the form of increased cost (or payment service denial) when a credit card transaction is considered too risky (charge backs).

Also there is a fair amount of friction to giving payment info than say pulling out your wallet or phone (but this is improving with “digital wallets”).

>They would gladly click on a "sell my data" over a "pay money" button any day of the week.

You don't know that because no one is given a clear choice like you present (and even saying "data" is opaque to joe average user). And this is what regulations like EU's and CA's should be enforcing. Imagine if the choice was: We have this data about you (a comprehensive list of all the fruits of our creepy stalking: a,b,c,d, etc...), if you let us violate your privacy in a myriad of ways, we will let you have this little trinket for free. Otherwise, it will cost you x. How many people would select privacy violation?

>Most people don't expect to get things for free in the real world, why should the internet be any different? Why does everyone (myself included) always look for free stuff on the internet?

Most of the internet is communication in some form or another. I get a lot of communication for free in the real world. My question is: why does everyone assume that the purpose of the internet is their platform to get rich selling trinkets to clueless natives? Maybe some things are better off run as a non-profit?

(comment deleted)
> this is what regulations like EU's and CA's should be enforcing. Imagine if the choice was: We have this data about you (a comprehensive list of all the fruits of our creepy stalking: a,b,c,d, etc...), if you let us violate your privacy in a myriad of ways, we will let you have this little trinket for free. Otherwise, it will cost you x. How many people would select privacy violation?

Unfortunately under the GDPR we are not going to find out how many people would choose this option. It isn't legal, in the EU, to refuse someone access if they say no to your data collection.

It is legal[1] to require users to agree to data collection or pay a subscription. Some news sites have already begun to implement this scheme.

[1] At least according to some countries' DPAs, and as long as the price is "fair".

https://www.iubenda.com/en/help/24487-cookie-walls-gdpr

That is a monetization service. A short internet search quickly reveals that data-or-paywall is a bad idea at best, and explicitly illegal per multiple nations. It only requires one user from one of those states to file a report.
> It is legal[1] to require users to agree to data collection or pay a subscription. Some news sites have already begun to implement this scheme.

From your link, almost at the top: "The cookie wall is a mechanism where the user has only one option to access the website: accept the processing of the cookies. The cookie wall is prohibited.". So no, requiring users to agree to data collection, per your article, is prohibited.

You have to read the whole article though, not just stop at the first paragraph.

The article makes a distinction between cookie wall (accept or no access) and paywall[1] (accept or pay). The former is prohibited, the latter has been okay'd by several national DPAs.

> The Austrian, French and Danish DPAs have already indicated that the paywall system is a valid solution as long as the subscription to the site has a modest and fair cost so that it does not constrain the user’s free choice.

> The Spanish DPA indirectly shared its position implying that cookie walls can be used as long as the user has been clearly informed of the two available options for accessing the service: 1. accepting the use of cookies; or 2. another alternative, “not necessarily free of charge“, that doesn’t require giving consent to cookies.

[1] Not to be confused with the "hard" paywall (pay or no access) we see on some publications. They've just called it like that for lack of a better term.

I'm fine with GDPR-compliant sites not giving that choice.

Especially because I bet so many of those sites would set X to be much higher than the value of the data.

I've never had much a problem with informed decision. What rubs me the wrong way is when these apps hide the data monetization, require it, or don't offer any way to use the service except to opt in. It particularly sucks for services I can't even opt to not participate in, e.g. my work just went live with "The Work Number" service from Equifax so my data is already there whether or not I make an account. Even worse, not making an account just leaves it open that someone else might try to create an account as part of gathering even more involuntarily shared information about me.

When it comes to what people chose to do with their own data though I don't feel a moral obligation to push my views though. If they truly want to opt in and save the $20 (or however much the data is worth in the app) then taking that choice away because I disagree with how they should treat their privacy information is hardly much better than forcing them to because of the same reason. The main difference for me being whether or not I profit off it but, given choice in each case, that really doesn't matter to how the user weighs the situation.

>They would gladly click on a "sell my data" over a "pay money" button any day of the week.

Even though many people assume it's this way, this choice hardly ever happens in practice. You allude to this yourself. In reality, the choices are usually between paying for something and they still sell your data, and getting it free and they really sell your data.

The majority of paid services have privacy policies, terms of service and user agreements that spell out how they sell data just as much. At best, you might expect that they are a bit more selective in who they sell to, since they're not as desperate for cash flow. However the impact to you is greater - they now have your credit card, address, full name, phone number (all vulnerable to hacks and leaks) and it's harder to lie about these things than with a free account. So the data they collect is more valuable, hence the temptation is higher as well.

Moreover, the paid services have consumer-hostile subscription systems rife with dark patterns. It's needlessly tedious to cancel a service if you decide you don't like it, and even free trials demand a credit card.

Transparency is very low about what is actually done with your money as well. Many services operate at a loss, and the customer charge is just a fig leaf while the real money comes from investors. Arguably, the paid model is a sham for some companies and their real exit is to collect data for a years and then get bought by some data aggregator. On the other end of the spectrum you have people fishing for suckers with ridiculously inflated prices.

For these reasons the choice of paying money is tainted by lack of trust, it is not just consumers being stingy and entitled. Lack of trust can quickly bog down any market.

I don't really blame the industry here, though. It's a bit like California in 1848 - you can hardly blame people for picking up the gold that's just lying around. The real problem is that we don't have the tools, infrastructure and regulatory frameworks that let users see and control how their data is used. If people really want to sell their data in lieu of payment, then let them. But currently, most users are not aware exactly what data gets collected and how much it is worth - they're not able to rationally decide that paying $5 for an app is better than being mined for $20 worth of your data.

The solution of for the app store owner to develop a better monetization scheme that would reward developers

+ track change of ownership

+ some distributed review system

+ better sandboxing

+ no forced autoupdates

+ A few other things

Man, that would be nice

World of Warcraft has an in game ui addon modding system built in that ends up suffering from these same problems. It’s so damn frustrating to see addon developers sell out their fans to a super shady spyware company for like $3/month (and the alternative is $0)

I could understand betraying people for a life-changing amount of money, but £20 is 5-20 minutes’ worth of pay for a competent SWE…

Open source, audited extensions. I noticed this already exists in Firefox (https://mzl.la/3Acn4DU), I don't know of any auditors for Chrome extensions.

Have some trusted organization or group (like Google or Mozilla themselves) who run audits on extensions to "certify" they don't have any malware. Additionally, the extensions are all 100% open-source, so if the "trusted organization" is compromised (or just bad at their job), they'll get caught and people will stop using them.

This isn't foolproof. Adware can be hidden from even the auditor or the auditor can be compromised but nobody finds out. It's also expensive and time-consuming, especially for extensions with a lot of complex code, so many popular extensions which perfectly-fine are still not certified. Updates are delayed and discouraged because the diff always has to be audited as well. Lastly (and something which can easily be overlooked), the auditors can be biased towards approving some extensions (like those who pay them) while not approving others: extensions code won't be approved if their code is too hard to read or they are later in the review queue, but the line at which code is considered "too hard to read" and their position in the queue could easily be influenced by cash.

Nonetheless, web extensions are a good type of software to audit, compared to other software like apps. They're often much smaller and simpler, users need much less, and they operate in a very-trusted domain (all web browing, including in banks and other confidential sites. Compare this to apps on a sandboxed phone, or programs running in user mode on a computer, the damage is still there but it's much less)

This is essentially the model of App Stores.

And it works. At least to keep the worst off Apples App Store. Mostly. Googles play store is apparently much more linient. And contains lots of horrible apps.

But the costs, as you mention, are real too. So much, that many, including myself, simply forego Apple as target at first. Sure, it's the more popular platform and it has more people willing to pay. But the review hurdles aren't worth it in the beginning.

I actually run a service for adding paid features to browser extensions: https://extensionpay.com

From all the data I have, people will definitely pay for extension functionality, though lots of people will write negative reviews unfortunately.

I also use ExtensionPay myself in my own extensions and have found this to be true. I try to get the people who pay and have a good experience to write reviews since they’re so underrepresented in written reviews.

I built an extension called Repibox that pulls the recipe out of any website that has instructions/ingredients in the meta data and displays it immediately. First time I got an acquisition email was exciting, but then I realized any acquisition would do a disservice to my friends/family who use my extension.
Things have gotten bad enough that I've stopped using extensions that haven't been through a code vetting process.

> Recommended extensions differ from other extensions that are regularly reviewed by Firefox staff in that they are curated extensions that meet the highest standards of security, functionality, and user experience. Firefox staff thoroughly evaluate each extension before it receives Recommended status.

https://support.mozilla.org/en-US/kb/recommended-extensions-...

If your browser doesn't have a code vetting process for extensions, I'm not interested in your browser.

What does that mean in reality? Pretty sure Chrome Web Store extensions are reviewed, but since they're all minified and obfuscated garbage, I wonder how easily malicious code could slip through. I'm surprised there hasn't been a mass cookie stealing attack yet.
> What does that mean in reality?

It means taking malware seriously, even if that means you have to pay human beings to vet code manually. I realize that Google wants to avoid paying human beings at all costs, but too bad.

That's why AMO requires extensions to be uploaded with their source code and disallows obfuscation.

They do allow minification for compression, and I don't know what stops someone from uploading different source code from the shipped addon.

CWS doesn't review every extension submission, at best they do some % of them along with anything that sets off red flags. Out of hundreds of times I pushed updates to my extension (~100k monthly users by the end) it was delayed for human review maybe... twice?
maybe its time for a LLM based security review open source framework. this could be adapted for extensions to see what information they'd be sending over.
Mozilla's review process is much more strict than Chrome's: they required me to produce original source code for all libraries that I am using (like jquery), forced me to get rid of some leftover eval's in javascript, etc. I don't think they read all source code, but they definitely look for some patterns.
Did your extension go through the normal vetting process or the extended review necessary to become a recommended extension?
(comment deleted)
Stuff like this is why Google is pushing manifest v3.
How does manifest v3 combat this?
Without the additional constraints manifest v3 puts on what code an extension can run at runtime, an extension author can just slip some "grab some code from a server I control and eval it" logic into their extension, which Google can't vet. That makes it possible for an extension that was fine yesterday go to "harvesting your PII to send to a company that is building an AI based on your click frequency" today with no change indicated; just a silent "Oops I'm malicious now" shift.

All cards on the table: Google does a not-great job of protecting against intentional malicious changes last I checked, i.e. they'll pass through a lot of new extensions and extension updates that do shady stuff behind the scenes. But without some lockdown on arbitrary code execution (which Mv3 provides), the problem is theoretically impossible to solve.

Detect if the extension downloads and executes arbitrary code, and ban it if it does. That should be just as easy to detect as detecting that the code does something bad directly. In fact, the way extension policing works is (afaik) completely reactive: if someone reports that an extension is doing something bad, then the extension/the developer thereof is banned. No/minimal policing is done at the time of publishing. The exact same policy applies unchanged to extensions that download malicious code instead of packaging it directly: wait until someone complains about the malicious code, ban the extension for having malicious code.
In manifest v2, downloading and executing arbitrary code is a feature.

What you're describing is the migration path from v2 to v3. "Detect if the extension downloads and executes arbitrary code, and ban it if it does" is isomorphic to "deprecate the eval arbitrary code permission, cease supporting it in the store, and provide an alternative declarative model to get some of the behavior back;" it's what Google is trying to do.

It's a composition of two features, both of which are useful on their own. Removing this "feature" requires removing at least one of those sub-features, in this case eval. We could alternatively allow eval to be used, but ban it from being used on code downloaded from the internet. This would require vetting the code, rather than a fully automated check. The goal of such a removal is, supposedly, to enable manual vetting to be more effective. However, the only reason to prefer an outright removal over a conditional ban is that it obviates the need for manual review. Do you see the contradiction?
> This would require vetting the code, rather than a fully automated check.

Then it's a non-starter for the manifest format supported by the chrome web store. Because Google's goal is to automate as much as possible.

Naturally. Thus, it doesn't much matter whether code is shipped in the extension package, or downloaded off the internet, since nobody will be checking what it does regardless.
Of course it matters. One of them allows looping in data from arbitrary external sources, and the other one (Mv3) has a permissions model that disallows that. It's a completely different risk domain.

Don't forget, the mere act of requesting data from an external uncontrolled third-party source is leaking user information. Under Mv3, those leaks are fully documented.

I don’t see the harm of monetizing something great. You could also say that its a way to reward the good work.
Maintainer here. My extension is pretty much unmonetizable so any offer I receive would require some degree of a moral sacrifice. The least intrusive offer I've seen so far is to put a reciprocal link to somebody else's extension inside of mine, kind of like DarkReader is doing on their website. Even though it won't compromise any of my users data, the reason I'm not doing this is because it indirectly endorses that other extension and I don't control what they do with their users data.
I really appreciate the transparency from you. I don't use Chrome anymore, but back in the day I absolutely loved Hover Zoom+ and my wife is still loving it to this day. It's a great extension and having read your comment and the linked Github issue, I feel even better about it. Thanks for your hard work.
Thank you for the kind words. I actually publish hoverzoom+ to Firefox and Edge as well (links are in the repo's readme) so you can use it there too.
Wow! This just made my day, thanks so much. I don’t know why I never bothered to check if there was a Firefox version. Thank you!
You're doing a very admirable thing, and this helps dispel the little voiced but commonly held perception that "everybody sells out" when they get big.
uBlock Origin is also an incredible success story here!
and you are essentially trusting the moral integrity of the current maintainer.

why can't there be a method for making sure that such trust cannot be abused? Is this a tractable problem at all?

You'd still have to rely on the trust of the original maintainer, but they could set up something like a warrant canary[0], but for if they sold it or if they added tracking items.

[0] https://en.wikipedia.org/wiki/Warrant_canary

warrant canary assumes the maintainer is under coercion. But if the maintainer is untrustworthy, their warrant canary also won't be trustworthy, since it's trivial for the "sale" and the new maintainers to continue the existing warrant canary as though nothing has happened.
Aren't these also useless even for their original reason as they can just be given a demand from the legal system to keep updating the canary as if nothing happened?
The legal theory is that the law cannot compel you to lie. Of course, this is untested.
I don't think there's a solution for it after all. At the end of the day, you need to trust someone / something, unless you are the one who writes the whole code.

Which browser are you using?

Blockchain technology! ;D
I do think that reproducible builds would make a lot of sense for open-source browser extensions. Google could say "if you want your extension to get a Trusted Build tag, put the source code on Github, and we'll run the build script for you to ensure that the code submitted for store review is built from the code from a specific Git commit." And from a security perspective this would be better than what we have, which is zero guarantee that an "open source" extension even matches its stated repository. I'd trust the integrity of Google's automated build systems more than an independent developer with nothing to lose and everything to gain by sneaking in a third-party script.

Alas, the presence of this kind of reproducible build system would bring needed clarity to the chaotic ad blocker market, and the lack of that clarity works in Google's favor as an advertising company, so sadly I doubt they'd do such a thing.

Yes, that's what I mean, at the end of the day, you have to trust somebody / something.

Here you have to trust both developer's code and Google's build system. Can you verify all of the developer's codes? And can you verify how privacy-trustworthy Google's build system is? At the other side, you have to trust developer's code and developer's build.

I didn't mean which one you "should trust more" at all in my comment above. Please read again. What I mean is the first sentence here.

There is a method. Designing plugin and system API in such a way that allows users a granular control over plugins or apps permissions and network activity.
But that doesn't solve the problem of a plugin developer selling out. Under the granular permission control, your existing, granted permissions _should_ be revoked, but there's no way you could know to revoke it.
Something like a plugin is a fairly well defined thing and ideally should not need a lot of permissions. E.g. an ad blocker has a simple flow: occasionally update filters from a number of specified endpoints and then match and block web pages’ request urls against downloaded lists. Between update it should have zero web traffic and filter updates are expected to be from known whitelisted sources and asymmetrical in size: very few bytes sends and a lot received. If all of a sudden after an update your plugin wants to send a bunch of data to a new URL you know immediately something is fishy. With respect to granularity, in this case the plugin might not even need to know the entire URL but just the host/domain name - this makes it less attractive to adtech.
Yet the very same author turned over the OG uBlock to a shady character, having to launch a competitor to take back the momentum. To this day there is still confusion among normies.
I didn't turn over the extension in the Chrome Webstore, I always have been the owner of it since I first published uBlock in June 2014.
Thanks for clarifying. I stand corrected. Curious if you've secured the trademark? Seems someone has tried with #78022486
Hi, I used to love hoverzoom... was there a malware scare a while back or am I thinking of a similarly named plugin ? At the time I switched to imagus & adjusted to it. Either way, thanks for turning away the monetization attempts :)
that was hover zoom (the original) not hover zoom+ (the fork by GP)
(comment deleted)