The root problem here is that there's no legitimate way to monetize browser extensions. Extensions are meant to be simple, so it's hard to sell premium features. Extensions usually don't "own" any space to embed ads in.
The issue with that is that "Gets to read and/or write the DOM" happens to be the only permissions a nefarious extension needs while also being those that a vast number of useful extensions require.
I think you're thinking from the browser level. I was thinking from the standpoint of what I could do as an extension developer.
If we approach it from that angle, then your extension can only restrict access to it's features via a round trip to your own servers to validate access and/or show a checkout view to purchase access.
I suspect it would be a very hard permission to implement. There are a lot of ways to exfiltrate data from a website if you have DOM access. But yeah, agreed.
Some of the difficulty around securing extensions boils down to the fact that Javascript permissions could be better. Websites do a decent job of sandboxing the website, but sandboxing within websites (without relying on iframes) is much more difficult.
Per-site permissions and click-to-activate are also really useful features here. It's easy to forget how recent they are. But it would be good to go further if possible and having barriers in front of exfiltration would be a big part of that -- there are many browser permissions that would become less dangerous if you could know for sure that the data they generate can't get off your device. I just think it would be really difficult to try and build browser permissions around that in a user-legible way.
Not sure if sarcasm but will respond as if it's not.
There are lots of business models to choose from
- subscription
- affiliate links
- sponsors
- one time charge, this one is tricky as restricting access requires a back-end that needs ongoing maintenance and server costs
I may have misunderstood your prior comment so please excuse me if I got it wrong. The problem I was solving was how to make money from an extension that I publish. I was outlining different business models where you could give the user access to the extension, and make money without having to accept this arrangement with data thieves.
I believe problem isn't the right word. I think OP is challenging your assumption that it's inherently freeware. There are methods for monetizing an extension and they're infrequently used or associated with a much larger experience (e.g. my BitWarden extension is critical for using BitWarden, but I pay for BitWarden's subscription elsewhere).
Yes, most extension devs probably start out with no intentions of profit. They wrote their extension to scratch an itch. However, once they get an installed base and start getting offers to do shady stuff, it seems obvious that they might be tempted by easy money. If they had a more legitimate way to make money, they may be less tempted by the shady stuff.
> one time charge, this one is tricky as restricting access requires a back-end that needs ongoing maintenance and server costs
If a browser extension is allowed to use license keys (not sure on the various store rules i.r.t. browser extensions), you could create a timed license key that is cryptographically signed.
An extension user could theoretically be willing to pay for the value the extension provides them. The malicious actors sending these emails are willing to pay for the value that a user's data provides them. These two numbers are not related in any way, and the value of user data will often be much higher than the value of the extension's functionality.
There is no way for monetization to solve this, because the two potential customers are not purchasing the same product.
Google could easily find a way to display ads for all extensions: pre-roll ads before extension launches, mid-roll ads when user is using extension for some period of time; not sure what is stopping them.
"The web has come a long way in the 11 years since we launched the Chrome Web Store. Back then, we wanted to provide a way for developers to monetize their Web Store items. But in the years since, the ecosystem has grown and developers now have many payment-handling options available to them."
Another failed Google product...of course every company has huge back catalogs of deprecated products but the sheer % of fails by Google is almost unbelievable.
Just want to put a plug in for https://extensionpay.com/ - I've used it in extensions in the past. It takes away the headache of setting up a backend for payment. They do take an extra 5%, but it's worth it especially. for smaller projects
I don't think this is necessarily true. I run a software licensing API with quite a handful of customers running browser extensions with respectable user bases.
So there are monetization opportunities, just like any other distribution channel.
Might at least make these attacks harder if users could disable extension updates, or had to opt into them. Most of these extensions are simple and don't really need to be updated, yet the update mechanism is silent full auto bada bing bada boom no rollbacks. I can't think of any updates more aggressive, not even Steam.
Yet another opportunity to recommend Firefox to readers.
I'm not sure I advise doing it, but you can go to about:addons and hit the gear icon and you can uncheck "Update Addons Automatically". Even better, click on an extension and under the "details" tab there's an option per-addon to set whether you want automatic updates or not, so you can disable updates just for the one addon you don't trust (or enable updates just for the one addon you do trust).
Also, want to run older version of an extension? The Mozilla Addons page for each extension has a list of every release and you can download each version independently as a signed XPI file if you want to sideload it.
The big thing I wish Mozilla would add is self-compiled releases like F-Droid does, especially since their ill-advised signing process means it's hard for users to compile an extension from source -- it's way too easy for a submitted extension to deviate from its source code. But that (admittedly large) issue aside, Firefox offers a lot of control for users who want to manage their own extension versions. Forced automatic updates are a Chrome problem.
Yeah, that's very nice. The only reason I'm even aware of how Chrome does it is because we're forced to use Chrome at work. We're allowed to use some vetted internal extensions with it, and I do, but someone pushed an update that broke an extension by accident. Then I was like, why is this a thing.
To see this many aggressive offers over an extension with ~300k users, it makes you wonder how intense the offers are for the likes that reach in the millions.
The incentives seem entirely misaligned in the extension space.
Hell I have gotten offers like this on a Discord bot, even. Wherever user data can be found, there are those who'd like to have their finger on the pulse
ChatGPT for Google was #1 on HN earlier this year. Check out the GitHub repo now: that person sold the extension.
I had a small side project extension, ~25,000 installs & free to use. I got enough inbound interest trying to "help me monetize" that I thought it would be worth cataloguing all the different unsavory avenues: https://mattfrisbie.substack.com/p/the-ugly-business-of-mone...
The most galling offer we saw on the mobile app side was something that would turn on the user's microphone, and listen for ads on tvs around them to track what they'd been exposed to offline. Adtech is such a thoroughly gross field.
so this really does happen then? Because I used to be convinced it wasn't a coincidence when I saw ads online for some niche uncommon topic I had recently talked out loud about.
This matches the audio signature of the TV ad - basically, it's like Shazam, but for TV ads.
It's currently not economically possible to listen to user's conversations, transcribe them to text, and serve ads based on that. It would cost orders of magnitude more in processing power than you could get from the extra sales.
This would be immediately obvious in a cursory analysis of performance. On-device transcription is not only computationally infeasible, it would also require model capabilities far beyond what is currently SOTA.
Google had (and has afaik) significant challenges implementing multiple wake-word detection for precisely this reason.
Transcribing a couple of words accurately on-device without a major performance penalty (so that it can be running in the background always) is just _barely_ coming out now.
There's this weird narrative I see that "computers just aren't powerful enough" to do things I remember them already doing on Pentium 1 class machines in the 90s.
Yeah, my understanding was that it was audio fingerprinting tv ads, not transcribing anything, but I wouldn’t be surprised if they were trying to vacuum up other stuff. That said, I think it should be feasible to do basic low-accuracy transcription on-device, especially with all the neural engine hardware making inference more efficient.
> It's currently not economically possible to listen to user's conversations, transcribe them to text, and serve ads based on that.
Anedoctally I belive Meta does something like that because I consistently get ads on Instagram about topics I talk with a friend on Whatsapp and sometimes that is done completely via audio messages. Though I might be wrong and leaked the topics in text messages among other possibilities.
I think it can be economically feasible. They can have a model optimized for their topics which can be orders of magnitude faster than general-purpose speech recognition. Low accuracy probably wouldn't be an issue as they are able to fine tune the user topics of interest via its interactions with the ads (e.g. click rate, time spent before scroll).
But every time this comes up the threads are flooded with people saying it doesn't actually happen and the ad companies just work out what you're interested in by what you're browsing.
Fly-by-night ad networks might engage in this. Ad networks that are in the sights of regulators, and can be slapped with $X billion fines, that may well exceed the marginal revenue produced by improved tracking[1] are going to be a bit antsier around doing that sort of thing.
[1] How much more money will a $100B ad business make if they improved tracking accuracy by %1? It's some positive number, but significantly less than $1B.
Probably not direct legal risk[1] if they weren't the ones collecting the data, but integrating with all that shit has the incredible risk that your counterparty might just go up in smoke next week, while leaving you with a busted product, and all the reputational damage fallout.
It's picking up pennies in front of a steamroller. You'd have to be a truly desperate PM to consider it.
[1] Still all the legal risks of holding that data, but they are easier to mitigate.
So instead they buy that data from the fly-by-night operators and carry on as usual. That's the key problem here, this data only needs to be collected by one shady operator, "the market" will handle the rest.
Two different things. The popular conspiracy theory is that the phone listens to and presumably transcribes your conversations, sending them to a third party. The example the OP gave is specifically listening for TV content: they’ll have hashes of known ads/shows/whatever to compare against rather than do something like live transcription.
Don’t get me wrong it’s shitty and gross. But they are different things.
Both iOS and Android show when your microphone is active so the whole conspiracy theory about it always listening to you and sending it back is pretty bullshit. And no one has yet found evidence of such network traffic either.
True, but the theory is far older than the indicators. So maybe Facebook stopped being sneaky once those controls came in? Not saying I believe them, but there's still room for doubt there.
Facebook doesn't have to be the one doing it - a 3rd party that controls an app on users' phones could be selling transcribed data to companies that want to run individually tailored ads on Facebook.
except it's always listening for you to say "siri" or "google assisstent". Some androids also show what music is playing nearby. You can thankfully opt-out but the ability to is still there.
At least on iOS, not without hacking the operating system. Siri’s ability to listen for a wakeword without an microphone indicator requires privileges that normal apps don’t get. On Android, as far as I can tell, the same is true, except that some phones ship with preinstalled third-party apps which can then get extra privileges.
This seems very similar in principle to the perceptual neural hash that Apple created and uses to check every file on any Apple device. I recall that some people had an issue with that, because there is no guarantee what hashes will be added to the database, and no real way to know what file they will map. So, the hash could be anything, and could send anything, which is entirely up to the whins of whatever company or entity that deploys such a product.
Effectively, this just means that you can in fact check nearly anything happening on an input, if it maps to some perceptual hash that is similar enough to one the server has in its db.
Actually there are no servers involved; it uses an on-device database:
> When music plays nearby, your phone compares a few seconds of music to its on-device library to try to recognize the song. This processing happens on your phone and is private to you.
...They don't even need to hash content. Advertisers can just add ultrasound beacons to the audio track.
Imperceptible to human hearing, but readily picked up by a listening mic. In fact, there are static analysis tools for picking out apps that access such API's in FDroid, along with taking measures to feed said apps dummy data. At least for Android anyway.
8 major versions, that is surely less than 5% of the Android population. I'm sure the security flaws in those non-updated phones is far more serious than the lack of microphone indicator.
According to https://source.android.com/docs/core/permissions/privacy-ind..., the microphone indicator is only in there since Android 12. Android 12 and 13 cover only 50% of Android phones, according to https://gs.statcounter.com/os-version-market-share/android/m.... There were some "access to the microphone is restricted for background apps" changes earlier, reported for Android 9. But I wouldn't rely on them, and even if those restriction always worked, that still made ~10% of Android phones vulnerable.
It seems highly inefficient to listen to users 24/7 given the other more specific signals that are available. Rather have a transaction data point around everything someone has purchased then what they talk about.
Agreed. Android 4 was peak Android. Most of my favorite Android games are from that era and very few of them run anymore. I wish Google either make a sandboxed emulation layer for those old abandoned games.
Wait... what? As someone who's always tried to target the oldest Android version I can which Google Play will still allow uploading (for a long time, Android 2.3), this is alarming. Why don't they run now? I don't actually play games on Android myself.
No idea of what API they're hitting but basically half of my old humble library won't run anymore - they show a warning about old APIs, show the title screen, then crash to desktop.
Even some old games I paid for are gone from the Play Store too. Like, I paid for Puffle Launch and it's just plain gone from my library.
Edit: ahah, I was looking in the wrong spot! Its still in my "not installed" list, just not in my "family library". Either way, not compatible with any device I own.
08-10 14:55:03.864 25995 25995 E linker : ERROR: OOPS: 0 cannot map library 'libmono.so'. no vspace available.
08-10 14:55:03.864 25995 25995 D AndroidRuntime: Shutting down VM
...
08-10 14:55:03.865 25995 25995 E AndroidRuntime: FATAL EXCEPTION: main
08-10 14:55:03.865 25995 25995 E AndroidRuntime: Process: com.disney.PuffleLaunch, PID: 25995
08-10 14:55:03.865 25995 25995 E AndroidRuntime: java.lang.UnsatisfiedLinkError: Bad JNI version returned from JNI_OnLoad in "/data/app/com.disney.PuffleLaunch-rjdXjIyhGz7STdfxQ9xH2g==/lib/arm/libmono.so": 0
I'm always on the lookout for old interesting games, and maybe there are workarounds for the other titles in your library too. What's the list?
I tried looking up that "no vspace available" error (which is the real error message) and found no explanation. I wonder whether it's something like trying to map a .so segment as memory that's both executable and writeable but it's no longer allowed? And IIRC Android's runtime linker was rewritten sometime around Android ~4 because the original was not very well written, so that might be the cause of the incompatibility. Come to think of it, the large parts of libc that were also completely replaced (mostly with code from OpenBSD and FreeBSD IIRC) because they were terribly buggy will probably cause compatibility issues too.
Puffle Launch wasn't an Angry Birds clone, it was the barrel scenes from Donkey Kong Country expanded into a full game.
One problem is that some games aren't just incompatible, but also were enshittified with ads and nonsense after I paid for them (before they were killed altogether).
Offhand, the ones I remember: a paid version of Angry Birds Space, Amazing Alex (Rovio's excellent take on The Incredible Machine), Swords and Soldiers (fortunately there's a Steam version of that), Noodlecake's "Wave Wave", Pool Break Pro, and some classic ports like Dead Space, Spy vs Spy, and Ur-Quan Master, but there are better non-mobile ways to play those games.
> the ad companies just work out what you're interested in
The word "just" doesn't belong in that sentence. The ad companies being able to know things about you without actually listening to you is even more scary.
Evil-Ad-Company Neo: "You're telling me I can know things about my customers by secretly listening to them?"
Evil-Ad-Company Morpheus: "No Neo, I'm telling you that with the right license agreements, data sharing partnerships, and algorithms, you wont need to secretly listen to them."
I am pretty convinced that modern advertising - from the most inane and innocent to tracking users 24/7 pretty clearly falls under evil. Gone are the days of advertising trying to raise product awareness and convert purchases - that field now exists to create demand. It induces desires in the recipients that play on psychological factors like FOMO to create customers out of thin air - and that process causes we the consumer to pay a constant attention tax and suffer higher levels of stress in our daily lives.
You do realize all forms of media embed advertising directly into the content going right back to the beginning, right? There's nothing modern about it. Showing you a product when you actually want to see it is the most effective way to induce demand. All your favorite shows, movies, youtube personalities, etc. still do this.
If you think that the product that the lead actor in the series your marathoning through on your streaming provider isn't there on purpose, then you've just not been paying attention. There's a reason shows blur out logos on people's clothing or the crew covers them up with grip tape, or set dressers turn the cans/bottles/boxes of products around so the main logos are not visible. Even having copyrighted posters on the wall in frame can cause licensing issues.
This isn't true. Originally advertising was designed around the premise of explicitly highlighting utility and functionality of goods/content. It wasn't until Bernays came along and adapted his uncle Sigmund Freud's theories into practice by designing advertising to manipulate people into believing that they actually need the product.
Modern advertising is not just "showing a product to induce demand". Car adverts don't just highlight functionality, they use mass market analytics to play emotionally driven messaging and visuals so that you associate that feeling with the car ad.
Do you know what Bernays called what services he offered before the word got tarnished?
Advertising, by its very nature, is emotional manipulation with the goal of getting you to give up some of your money for something you most likely don't really need and won't improve your life all that much, if at all. To me, that's evil.
Sure, there are varying degrees of this evil, but IMO even the least-objectionable advertising out there still can't be called "good".
In my experience, the case where advertising gets you to buy something that ends up being materially useful, that you would not have bought (or found a substitute for) without that advertising, is the exception, not the rule.
Oh, and to address your specific example: if you search "best diapers", and get shown ads for diapers, that absolutely is evil, because some ad-presentation algorithm is pushing you toward whatever diapers will generate the most money for the ad network, likely not toward which diapers are best. Not to mention that "best" often means different things to different people, and the ad networks only care about that insofar it increases their profit.
> Advertising, by its very nature, is emotional manipulation with the goal of getting you to give up some of your money for something you most likely don't really need and won't improve your life all that much
I've heard somewhere that ads are rich people screaming "give me money".
> If you really want to be a critical reader, it turns out you have to step back one step further, and ask not just whether the author is telling the truth, but why he's writing about this subject at all.
Followed quickly by being hopelessly naïve about the future:
> Whatever its flaws, the writing you find online is authentic. It's not mystery meat cooked up out of scraps of pitch letters and press releases, and pressed into molds of zippy journalese. It's people writing what they think.
>you most likely don't really need and won't improve your life all that much, if at all
People are spending money because they see that they are getting value from something. If people didn't want it or thought it was worthless they would not buy it.
>If people didn't want it or thought it was worseless [sic] they would not buy it.
Thinking something is "worthless" and not wanting something are opinions. A lot of modern advertising attempts to change peoples' opinions, so that they do want something, and think something has worth. It's just like propaganda, which actively attempts to sway peoples' opinions.
Of course, there's only so far you can take this. Convincing anyone who isn't seriously mentally impaired that a sandwich made with literal shit isn't worthless is probably not going to work. But away from the extreme end, there's a lot of room to manipulate people.
Sure, if you take the most benign examples, it doesn't sound so bad. But it's so much worse than that. Going back to 2012 for "acting on data analysis gone wrong"
Target Sends Coupons to Pregnant Girl and Unawares Dad Explodes
> Pole had identified about 25 products that, when analyzed together, allowed him to assign each shopper a "pregnancy prediction" score. More important, he could also estimate her due date to within a small window, so Target could send coupons timed to very specific stages of her pregnancy.
And things just get worse from there, as companies figure out more and more ways they can extract information from the information they have about you, and share it with each other.
No no no. First we start with trusted brands you know and love. We use the trust you have in them to slowly build a market around them. With our ad strategy, you’ll start seeing our product as related to Trusted Brand A. You will start seeing comments and reviews for our Brand in the same browsing contexts more and more until our Brand is now correlated enough to Trusted Brand A to remove purchase inhibitions.
After that, we just wait. We know we have you. It’s just a matter of time till you need a product like ours (you’re already our target demo), or an impulse buy occurs.
Without evening knowing it. You’ve been manipulated into trusting our brand, and you’ll think it was all an organic choice.
They're saying it's scarier that ad companies can figure out these things without the data because it means that you can't protect yourself by withholding your data.
You're protecting yourself from targeted psychological manipulation. It's like the difference between someone spraying a cyber-attack over the entire IPv4 space, or spending a while trying to drill into a specific server. The latter is much scarier and harder to resist, but it's basically what targeted advertising is these days. They supposedly want just to help you find what you want to buy, but they do this by trying to make you want things you wouldn't actually need otherwise.
I like to think I'm immune (the only ad I've ever taken up was years ago for Privacy(.com), and only because I then knew about it later, and could choose to pursue it on my own), but I wouldn't be surprised if at some point before I started being allergic to every type of advertisement imaginable, some ads managed to get my attention for one reason or another. (maybe subliminal messaging's done something before, I dunno.)
I'm not too concerned about it since I know it's been kept to a minimum, so at this point basically everything I've done is something I actually wanted to do, there are no concerns about having been manipulated. But that's just because I've managed to avoid seeing targeted ads almost whatsoever.
Depends on the method of manipulation but yeah that is the scary part. It's probably part of what scares people into being so privacy conscious in the first place. Though for me it's more that I get really, really annoyed getting told to do things, because it triggers pathological demand avoidance. But that's just manipulating me in reverse (it's really easy to make me hate/avoid something just by annoying me with it)
That's the metric I usually use. It's absolutely inconclusive, but it works for peace of mind at least. Have I seen any ads for something I bought? Usually the answer is "no". I'm still at the mercy of sort order on sites like Amazon and eBay, but that's much less scary because if I really care, I can sort by lowest price first.
By my own moral compass. If a company says "lots of people on Amazon are looking to buy what we have, let's make sure we're present in that market", that's completely moral. Compare that with, "a child is preparing for their math test tomorrow by watching a video, let's interrupt them and make them watch a commercial about our sugary, addictive, and unhealthy drink".
The house I live in was advertised when it was on sale, all the food at the store gets advertised, all the non-bespoke clothes I can buy get advertised, as do most of the bespoke ones, every car gets advertised...
Generally yes. Especially the grocery store is constantly advertising hundreds of items, and I've looked at their ad pages more than once. And it's pretty hard to find houses outside of advertising platforms, and I used to watch enough TV that I'd seen ads for every clothing store and every car before I had a chance to find them on my own.
Among other things, I would say the unknown collation of personal history, interests and spending activity that is often auctioned off to the highest bidder.[1][2] In an even more automated society than today, social scoring becomes the norm, and with it access to services.
With prolific cases as Robodebt and the Toeslagen Affaire, we can only hope these automated scoring systems remain isolated from governmental overreach.[3][4]
Deanonymizing people across datasets for one. Maybe attacker or maybe next gov that goes full Hitler and subpenas tech companies to introduce social karma and you are put on a no-fly list because you expressed interest in UK royalty or have a cousin in Iran. Invisible bubble and radicalization for another.
Firstly there is the emotional response: I don't want to be followed around in everything that I do for someone else's benefit, and I not at all convinced of arguments that targetted advertising is done for my benefit.
Then there is the fact that a large amount of data about me is being stored, possibly insecurely for people with even less scruples to analyse. I have very little to hide (white, middle class, straight, male, cis, no criminal activity beyond some unlicensed TV/film access, etc – there is little or nothing about me that would be frightening for anyone else to know) but there are many out there who do have things that could be (unfairly) held against them with terrible consequences. Consider women in Texas where there is effectively a reward/bounty program to encourage snitching on those who have had, or are considering, an abortion, or people in law enforcement who don't want certain groups to be able to derive their home address with any accuracy, people in one or more closets through fear of being ostracised from their family/community and left pennyless & without support, and so forth. I grew up with friends who were gay when it was still effectively illegal to be, despite what the Sexual Offences Act (1967) said, and when getting beaten up for being gay was almost acceptable (“act more straight, and it wouldn't have happened”: something a friend was once told by a policeman that saw no cause for arrest) – the fear of consequences from collected information “getting out” and/or being used to derive other information (true or otherwise) is real and for many people not at all irrational.
Back to my icky feelings, which are perhaps a little bit less rational: I wouldn't be happy with someone following me between shops, watching what I'm perusing, then to the pub and noting who I was there with, then back to my home, in order to be able to serve me relevant ads (perhaps for shoes that would be more comfortable for that much walking? or for condoms because they noticed I was accompanied by a female friend, and you never know, right, nudge nudge wink wink), and I'm not happy about the same happening in a more virtual environment. How do I trust that is really (or only) why I'm being followed? And I how do I know who else my stalker is selling news of my activity to?
[actually, the “I have little or nothing to fear” isn't entirely right – any of us could suffer from plain old identity theft in various ways]
I understood this to mean the amount of information they have is enough to uniquely fingerprint you and associate that with your derived wants and needs.
That was an official feature of the Facebook app at one point. Like 10 years ago. It's absurd that anyone would deny this. It was right there as a feature! Default off I think. But it was definitely there.
I can’t speak for Android. But exactly how does a mobile app turn on your microphone on iOS without you giving it explicit permission?
I just did a virtual visit with a doctor that used a video conferencing service that work without an app on iOS and just used Safari. I had to give the page explicit permission to use my microphone
Nielsen has sent me about $30 so far begging me to wear a microphone that records me all day. They repeatedly call and have started fedexing me letters instead of USPS.
Probably to target an ad for the same product/service at someone who was in the same room as a TV ad. About 10 years ago I worked for an ad targeting company and we got ~50% more click-through on a web ad just by showing it shortly after a TV ad aired in that location (just using the geoip timezone and hoping they might've been watching the right channel), if you could do that only for people who've actually been exposed to the TV ad there's the potential for huge uplift there.
When I worked on audio firmware for the BlackBerry, one of the external devices I had to support was called a "security plug", which just shorted the headset mic and headphones to ground. It always seemed kind of silly to me because there was still the handset mic on the phone that could be activated separately.
> "The current movement to avoid tracking is an extremely powerful centralizing force."
What a biased, myopic comment. As if ad companies are a grassroots movement against centralisation. As if ad tech is not in the hands of the powerful few tech companies.
They have defended ads in 2021 as well. I wonder where they work. I mean, somebody must be writing the backend for all these ad companies.
Adtech is psychological manipulation. Radicalisation uses the same techniques: Create the perception of a vacuum and then provide the solution to fill it.
One is actively censored and you can go to jail for, the other isn't even on the legislative agenda. There are semi-understandable reasons, but it's far from entirely non-hypocritical.
- Do you trust your constituency to make up their own minds or not?
- Who are you trying to protect?
- From what?
- From whom?
And this is without even mentioning online advertising as a (seemingly increasing) vector of scams, frauds, malware and viruses.
When I worked at Meta, the execs said that many users think they're being spied on when they see ads based on a conversation they've had in real life, but the execs categorically denied that this could be happening, and said it's all just a coincidence. I thought this was a completely unfounded denial, since Meta had no way of auditing 3rd party apps on the user's phone, and it's perfectly plausible for another app to spy on their conversations and then use that to provide targeted ads to the Facebook account associated with the individual's email.
Realistically, in a simple statistical way, plain "coincidences" have a significant "expected value". I.e., if you simply take the billions of people across the planet, and look even across a single day, lots of coincidences occur.
Now, add in psychological effects - "synchronicity", "frequency illusion" ("Baader-Meinhof"), "recency illusion", confirmation bias, etc... I'd expect a fair bit of compounding*.
Then, add in simple use of statistics, statistical inference, etc. and basic tracking of user navigation around the web, on a given website, etc.
I've had these experiences, perhaps one or two times a year, on average. Experiences where I was VERY surprised by ads presented. Experiences that would easily suggest a microphone must have been on when it shouldn't have been. Sometimes, I realized I'd used someone else's device in a way that could be tied to me. Other times, while some "leaps" would be involved, I could basically deduce myself that someone who had looked for information on some "X", and information on some "Y", might really be thinking about some "Z" that isn't easily arrived at from either X or Y in vacuo.
Spying, in the sense you suggest, can't be ruled out by the above. But, I would ask - why even spy? Is a company like "meta" really going to get much more useful (from their perspective) info by doing so? Particularly given the COST? It's becoming more realistic, arguably, but, really, these companies have had more than enough info on just about anyone for well over a decade to keep their algorithms and such well-occupied.
People gladly hand over tons of data constantly ... with full awareness and intentionality, and otherwise. The vast majority have no idea what statistical inference and other techniques can suggest based on seemingly obliquely connected info. Further, most users are so accustomed to "cookies" and other hidden types of tracking, and ignoring EULAs** ... really, it's hard for me to imagine a good case for doing anything more ... "invasive" and ... legally / otherwise dubious.
Edit: mostly came back to add one of my favorite (ab)uses of (statistical) inference:
* Outweighing significantly, I'd suggest, other quirks of human perception, memory, etc. that may diminish awareness and recognition of potentially related events. I write "suggest" mainly because I don't have ready refs to offer this second and don't have time to dig a couple up ... IIRC, the research that exists strongly favors compounding, though, of course, this could be argued to be influenced itself by human psychology (including social and economic factors, e.g., "publish or perish" etc.).
** Jargon buried in legalese, what a genius way to get just about anyone to agree to just about anything! If only John, King of England (in 1215), had been more skilled in the ways of the EULA - perhaps "King Charles III" would be emperor of the world now. Oh utopia denied ... kek.
While that is a positive take that could explain it, I am not convinced by that number crunch. 2/situations per year, per person, that is still "a lot" to be considered plausible statistical coincidence.
You had the conversation with someone and that someone googled/shopped/amaozned/clicked it. Or did before already, you don’t initiate every conversation in your life after all.
Now go and try getting a denial that they are not using the fact that you share a wifi with someone as parts of the recipe for the recommendation cake.
The arrow of causality can also go the other way. X corp is currently running a campaign targeting your area/demographic. A friend of yours sees and X ad and mentions something X-related to you in a private conversation. The next day, you see an X ad too.
You can (e.g. by email address), which is why it's impossible for Facebook to guarantee that ads weren't targeted based on listening in on conversations. It has no ability to determine how an advertising purchaser generated / obtained the data it is using to for ads targeting.
Yup. The typical use case is e.g. if someone logs in to your e-commerce site with their email and looks at a product but doesn’t purchase, then you can show them an ad for that product to try to remind them to go back and buy it.
It’s a really creepy feature though that can easily be abused.
I am not at all surprised to see one of the emails you got matches exactly (other than the extension name) one from the linked post. Definitely a lot of this crap is heavily automated.
> I'm a fan of [extension name] and I really like how convenient and useful it is.
> Have you considered offering promotional spots to those interested in promoting their products on your extension? I'm interested in promoting my own extension on [extension name] and would love to discuss this possibility with you.
Interesting, I've received this same exact message recently as well. I've maintained an extension with a few hundred thousand users for the last few years and I've received way more messages like this in the last year than ever before. Can't say I'm that surprised though.
Man, being offered $11k for an extension would be hard to say no to... With that a down payment for a house is a much smaller problem. It's always a good idea to consider where the line is for ones own ethics.
In a sense, poverty encourages corruption / corruptability; it ties in with the saying that everyone's for sale at the right price.
I have a website, I'm sure it's worth money to someone. If someone were to offer me $1000? Piss off, i've paid more than that in hosting costs in the 15 odd years I've run it. 10K? Sounds compelling, I'll have to think about it. $1M? Fuck all of my online friends, I'm taking the money and cutting contact.
It would be shit and I'd probably regret it, but it's a lot of money. But this kind of corruption is everywhere, and worst of all, it's permeated in politics. But subtly, in the form of campaign contributions, lavish parties and vacations, connections (i.e. lavish positions in company boards during or after a tenure in politics), never in the form of wads of cash passing hands.
I have an extension I wrote that is literally for a single regional website to do some extra blocking to get around a paywall. There are under 10 installs total. For some reason, the most recent monetization email I got thought it was 10,000.
> I'm reaching out to discuss a unique monetization opportunity for your extension, <name>, through our exclusive Premium Bing Hosted Product.
> I'm thrilled to let you know that this invitation-only product offers the chance to earn as much as $500 per month for every 1000 users. Given that your extension has a user base of 10K, you stand to make up to $5000 monthly just by integrating the search functionality into your extension. This could be a significant source of passive income, and I truly believe it's an opportunity you won't want to pass up.
I... I... I know the 10 installs are all basically /my devices/...
You should counter by offering to sell them the whole thing for a flat price and then have all your users (you) switch to a new extension that does the same thing under a new name. :)
Okay, even better, to follow on another user's idea and up the ante:
Fake extensions created under burner dev accounts (w/ fake identities), astroturf the installs like crazy. Use ChatGPT to write the code, pump it out like chocolate out of Willy Wonka's Fudge Sludgefest.
Sell to scammers/info scalpers for a flat fee via a non-refundable route under a semi-reputable escrow, rinse and repeat.
The one downside is if you do that to somebody bad, and you've left any personal info out by accident....
Additionally, it's highly unethical. Don't do this. But it seems like 'easy money', the whole 'curse of maybe getting doxxed and XYZ from a sufficiently-motivated data thief' aside.
This assumes the offer is legit. I seriously doubt even the most nefarious extension nonsense is actually going to bring in $20k/month. Even if there's millions of users.
That's exactly it. The "extension monetization" field is a product area fundamentally designed to scam its users. Clearly they're not going to shy away from scamming their suppliers. They just need to fool the authors into giving them control before taking payment, then they move on to the next mark.
That is nothing. I turned down the opportunity to inherit a Saudi Prince’s fortune for doing nothing (well just needed to pay his sons bail
bond or something)
And if you run a website you get constant emails like this:
Hey There,
I wanted to reach out and see if <website.com> accepts guest post contributions or link insertion in existing posts? If so, I'd love to hear more about your guidelines and any specific topics of interest.
Thank you for your time, and I'm looking forward to your response.
Best Regards,
These ones are definitely spammed out en-masse, my site doesn't even have a blog.
My site also has some Windows software downloads on it, and I occasionally get emails for bundling dodgy installers. Most of these tend to be "residential proxy" services looking to sell access to users' internet connections.
> My site also has some Windows software downloads on it, and I occasionally get emails for bundling dodgy installers. Most of these tend to be "residential proxy" services looking to sell access to users' internet connections.
I wonder what these people are thinking? Like, TOR operators know the risks with connection sharing - most particularly: pedos using their service to share CSAM. But everyday people?! They have no idea until one day they get v&.
Prey on users who don't know the difference. Sell the residential proxy service to scammers who use high-reputation residential IPs to commit crime or fraud or other shady things.
I think these services are used mainly for scraping sites which try to hide their data (think LinkedIn). They don't offer any protection to those that are breaking the law, afaik. So I would expect that there isn't much risk of putting their victims ("endpoints") in trouble with the law.
Not condoning it of course, it is still an ugly practice.
I've read through some of Brian Krebs' articles on some of these proxies, the ones I get these email offers from seem a little less slimy than that and more above board like you say. It's still not an acceptible thing to be seeling your users out to though.
Masking your WordPress install is a pretty good idea for plenty of other reasons though, just hiding wp-login will save you a lot of headache with bots wasting your CPU cycles and bandwidth trying to bruteforce.
Sounds like a challenge to hide the wordpressyness entirely though, it's got a huge surface area.
This is my favorite sort of email that we get about once a month in various forms... their title at the end is hilarious.
---
Subject: Found a security vulnerability on your website.
Hi Team,
I am Harris, a security researcher, and I have found a security vulnerability in your website outside a bug bounty program.
I can disclose all the vulnerabilities found and their proper fixes too, to make your website more secure.
Companies I helped have always been generous and helped me back with rewards in amounts they think are appropriate to the issues I have found. If you appreciate my help, I'd be happy to receive a bonus payment via PayPal, Bitcoin, Payoneer, or Bank Transfer.
I would like to keep a working <email:> tag on my website but doing so seems to attract tons of spam email that goes something like this, or otherwise offers from random web developer conglomerates offering to "better" my website (which I try to keep simple and plain). :/
We run an educational blog for our saas product and we get some legit emails from readers but also a lot of the spam and some of it is scary good.
They feed in so much context that it does appear to be a real person and it ends up wasting a lot of time and honestly it's quite hurtful. We spend a lot of time sharing our stuff and these fake connections are a major turnoff.
Recently we encountered a wave of "awards shortlist" sort of emails written by AI with deep context that will cosider us for award for one easy payment! Except they always forget to tune the topic as we're not running software security service, we cover web scraping.
I feel like AI will kill email communication between strangers. It's getting so exhausting.
This may not be appropriate for your use case, but rotating the publicly facing email address when you get spam or on an interval may help here.
For example hello-XXXXX@site.com (hello-a5b84@site.com, hello-jux8k@site.com, …).
I believe most legitimate visitors send an email shortly after visiting a page with the address while spam emails often have a much longer lead time with new addresses (it takes time to get scraped, put in a database, and then get used).
However this does mean that extended communication on that address and saved addresses will not work well.
I wonder whether there exists a cottage industry of fake extension writers pumping up their numbers with fake installs, all with the goal to sell the fake extensions to these scammers.
You make the extension. I'll use bots to inflate the stats and make it look used. You pretend to not notice and sell-out. We split the profits. Fraud as easy as 1-2-3.
I also wonder how they make these sales. Is there an escrow for this? Are Chrome extension transfers non-reversible? Can't imagine such a shady deal is safe for either party.
If you put something out on the web that gets somewhat popular, you are going to get all sorts of scummy people contacting you.
The first one that happened to me: I have a domain name and someone emailed me to let me know, as a courtesy, that someone was buying similar Chinese domain names and did I want to get them first. I thought that was nice that they were notifying me ... oh wait, they're just trying to get me to buy their domain names.
People contact me about redesigning my website, buying my website, exchanging links, straight up spamming my website. It's really strange.
This one is interesting because it seems harmless, if not even helpful (Monitoring DNS errors). What am I missing here?
"I’m sure you get business proposals all the time, so I’ll get straight to the point. I hope what I’m proposing is a little different and might actually interest you. I like Hover Zoom+ as a great alternative to it’s bigger brother Hover Zoom that lost its glamour over the last couple of months.
We're conducting a DNS error research and we’re interested in small amounts of anonymous data that you might be able to provide via your Chrome extension. Our research has been going on for years and Google has never had the slightest problem with it.
- Compatible with Google’s strict policies
- No personal user data
- No ads, no malware
The data we’re interested in are basically just DNS errors:
- NXD – Non Existent Domain - the domain that a user entered that resulted in a DNS error.
- A time stamp – when it happened.
- GEO – where it happened (USA, UK, RU etc.).
- A unique randomly generated user ID (can be hashed, not traceable back to the user). Please, don’t confuse this with the user IP address.
And that’s all. You can either use our script or collect the data on your own and send it to us via an FTP server, API etc. There’s a lot of different ways we can do this. We pay on a monthly basis. The payments depend on user GEOs, but it would be in thousands of dollars per year.
Is this worth at least a brief discussion? Looking forward to hearing from you.
A while back I reached out to you regarding a DNS error research our company conducts. Hover Zoom+ would be an ideal medium for our research. In return, this could become a solid new revenue stream for you.
Our method has been going on for years and we’ve never had the slightest problem with Google. We pay regularly on a monthly basis. For you it would be in tens of thousands of dollars per year - the amount depends on your users base and data quality.
If you’re concerned about including third party scripts, there’s still a lot of ways we can make this work.
Please let me know if this is worth a brief discussion to you."
Well, money's changing hands, and they're not specifying any clear intent of goodwill.
Therefore, there is likely some business interest at best, or anti-user behavior at worst.
It's not hard to write a script that ostensibly does one thing but very sneakily carries information about another thing. For example, write a bad 'hashing' function? Piece of cake.
Just a guess: they could buy domain names that are available and for some reason get queries. For example often misspelled domains. This would not be forbidden but still a little shady.
Oh, hey! I just got my first one of those for my extension a couple days ago. I just marked it as spam and moved on with my life.
Shameless self promotion - Open source chrome tab search way more powerful than the newish built in search (supports quotes, negative searches, things like host:example.com, etc).
This is so true. I receive these emails every week. I've even had offers about acquisition that I had to turn down. Having a "Featured" chrome extension does seem to attract a lot of these offers. The more emails/offers I receive, the more I'm convinced that I shouldn't give up the extension.
I don't know what the solution to this is, but I know a few trusted/legitimate companies that sell their user data for around £20/year even after having monetized their users with actual money
I will never do this because violating privacy goes against the core of my beliefs, but there is a conflict I can't seem to work out. On the one hand, I KNOW that the vast majority of users prefer to sell their privacy than pay a single penny. They would gladly click on a "sell my data" over a "pay money" button any day of the week. I know this because I have interacted with enough users to know these things. Many users will suffer a fit when things are not free but won't lose any sleep over giving away their personal details. Again, I speak of the majority and in general terms
On the other hand, I want the internet to be a place where unscroupulous actors don't flourish. Most people don't expect to get things for free in the real world, why should the internet be any different? Why does everyone (myself included) always look for free stuff on the internet?
The worst bit of it all is that in the end, the only people interested in spending money online are data thieves and advertisers. Everyone else is giving their soul. Developers are somehow expected to work for free so that this entire edifice can stand
The Internet has no easy to use fully-anonymous cash equivalent. If you pay for something, you're giving away your identity information anyway. The value exchange is definitely lopsided, but if I have to share my identity AND pay to get X, I'm out money AND shared my identity info. If I share my identity info and get X for free, at least I'm not out the money.
Extensions are centrally distributed on platforms that could at least nominally handle payment. The problem is that $0.01 is infinitely more expensive than free.
In order for me to pay you, I at a minimum have to do some amount of mental gymnastics to convince myself that it's worth it for me to pay you. This has a perceived cost even if the money spent is trivial. This is why people who take money in small increments - i.e. mobile games, arcade operators, casinos, and so on[0] have you buy a large amount of some scrip that they control, and then make it so easy to spend it that you might accidentally do so.
Nobody is thinking "I'd buy this, but only if I can leave no record of ownership[1]", they're thinking, "is it actually worth buying". Identity and privacy isn't a thing that people actually account for when making purchases - mostly because it's never actually mentioned[2] in the terms of purchase. It's snuck in. So the choice is just "the free one" and "the $2 one", where the value of the $2 extension can never hope to overcome the mental transaction costs.
[0] Nintendo and Microsoft used to do this around the Wii and 360 eras. While on the Wii it was 1 point equals 1 penny/yen, Xbox did something nasty and made it 80 points equals 1 dollar.
[1] That would mean that setting up a new computer or browser profile loses you all your existing extensions that you paid for.
[2] I do not consider legal disclaimers to be adequate notice, and neither should you. Dropping a clause in a EULA is the equivalent of dropping rohypnol in your drink.
It also effectively has a minimum payment amount due to the credit card transaction fee structure.
And also unlike cash a service can keep billing you.
And, for better or worse, the risk is partially put on the business in the form of increased cost (or payment service denial) when a credit card transaction is considered too risky (charge backs).
Also there is a fair amount of friction to giving payment info than say pulling out your wallet or phone (but this is improving with “digital wallets”).
>They would gladly click on a "sell my data" over a "pay money" button any day of the week.
You don't know that because no one is given a clear choice like you present (and even saying "data" is opaque to joe average user). And this is what regulations like EU's and CA's should be enforcing. Imagine if the choice was: We have this data about you (a comprehensive list of all the fruits of our creepy stalking: a,b,c,d, etc...), if you let us violate your privacy in a myriad of ways, we will let you have this little trinket for free. Otherwise, it will cost you x. How many people would select privacy violation?
>Most people don't expect to get things for free in the real world, why should the internet be any different? Why does everyone (myself included) always look for free stuff on the internet?
Most of the internet is communication in some form or another. I get a lot of communication for free in the real world. My question is: why does everyone assume that the purpose of the internet is their platform to get rich selling trinkets to clueless natives? Maybe some things are better off run as a non-profit?
> this is what regulations like EU's and CA's should be enforcing. Imagine if the choice was: We have this data about you (a comprehensive list of all the fruits of our creepy stalking: a,b,c,d, etc...), if you let us violate your privacy in a myriad of ways, we will let you have this little trinket for free. Otherwise, it will cost you x. How many people would select privacy violation?
Unfortunately under the GDPR we are not going to find out how many people would choose this option. It isn't legal, in the EU, to refuse someone access if they say no to your data collection.
That is a monetization service. A short internet search quickly reveals that data-or-paywall is a bad idea at best, and explicitly illegal per multiple nations. It only requires one user from one of those states to file a report.
> It is legal[1] to require users to agree to data collection or pay a subscription. Some news sites have already begun to implement this scheme.
From your link, almost at the top: "The cookie wall is a mechanism where the user has only one option to access the website: accept the processing of the cookies. The cookie wall is prohibited.". So no, requiring users to agree to data collection, per your article, is prohibited.
You have to read the whole article though, not just stop at the first paragraph.
The article makes a distinction between cookie wall (accept or no access) and paywall[1] (accept or pay). The former is prohibited, the latter has been okay'd by several national DPAs.
> The Austrian, French and Danish DPAs have already indicated that the paywall system is a valid solution as long as the subscription to the site has a modest and fair cost so that it does not constrain the user’s free choice.
> The Spanish DPA indirectly shared its position implying that cookie walls can be used as long as the user has been clearly informed of the two available options for accessing the service: 1. accepting the use of cookies; or 2. another alternative, “not necessarily free of charge“, that doesn’t require giving consent to cookies.
[1] Not to be confused with the "hard" paywall (pay or no access) we see on some publications. They've just called it like that for lack of a better term.
I've never had much a problem with informed decision. What rubs me the wrong way is when these apps hide the data monetization, require it, or don't offer any way to use the service except to opt in. It particularly sucks for services I can't even opt to not participate in, e.g. my work just went live with "The Work Number" service from Equifax so my data is already there whether or not I make an account. Even worse, not making an account just leaves it open that someone else might try to create an account as part of gathering even more involuntarily shared information about me.
When it comes to what people chose to do with their own data though I don't feel a moral obligation to push my views though. If they truly want to opt in and save the $20 (or however much the data is worth in the app) then taking that choice away because I disagree with how they should treat their privacy information is hardly much better than forcing them to because of the same reason. The main difference for me being whether or not I profit off it but, given choice in each case, that really doesn't matter to how the user weighs the situation.
>They would gladly click on a "sell my data" over a "pay money" button any day of the week.
Even though many people assume it's this way, this choice hardly ever happens in practice. You allude to this yourself. In reality, the choices are usually between paying for something and they still sell your data, and getting it free and they really sell your data.
The majority of paid services have privacy policies, terms of service and user agreements that spell out how they sell data just as much. At best, you might expect that they are a bit more selective in who they sell to, since they're not as desperate for cash flow. However the impact to you is greater - they now have your credit card, address, full name, phone number (all vulnerable to hacks and leaks) and it's harder to lie about these things than with a free account. So the data they collect is more valuable, hence the temptation is higher as well.
Moreover, the paid services have consumer-hostile subscription systems rife with dark patterns. It's needlessly tedious to cancel a service if you decide you don't like it, and even free trials demand a credit card.
Transparency is very low about what is actually done with your money as well. Many services operate at a loss, and the customer charge is just a fig leaf while the real money comes from investors. Arguably, the paid model is a sham for some companies and their real exit is to collect data for a years and then get bought by some data aggregator. On the other end of the spectrum you have people fishing for suckers with ridiculously inflated prices.
For these reasons the choice of paying money is tainted by lack of trust, it is not just consumers being stingy and entitled. Lack of trust can quickly bog down any market.
I don't really blame the industry here, though. It's a bit like California in 1848 - you can hardly blame people for picking up the gold that's just lying around. The real problem is that we don't have the tools, infrastructure and regulatory frameworks that let users see and control how their data is used. If people really want to sell their data in lieu of payment, then let them. But currently, most users are not aware exactly what data gets collected and how much it is worth - they're not able to rationally decide that paying $5 for an app is better than being mined for $20 worth of your data.
World of Warcraft has an in game ui addon modding system built in that ends up suffering from these same problems. It’s so damn frustrating to see addon developers sell out their fans to a super shady spyware company for like $3/month (and the alternative is $0)
I could understand betraying people for a life-changing amount of money, but £20 is 5-20 minutes’ worth of pay for a competent SWE…
Open source, audited extensions. I noticed this already exists in Firefox (https://mzl.la/3Acn4DU), I don't know of any auditors for Chrome extensions.
Have some trusted organization or group (like Google or Mozilla themselves) who run audits on extensions to "certify" they don't have any malware. Additionally, the extensions are all 100% open-source, so if the "trusted organization" is compromised (or just bad at their job), they'll get caught and people will stop using them.
This isn't foolproof. Adware can be hidden from even the auditor or the auditor can be compromised but nobody finds out. It's also expensive and time-consuming, especially for extensions with a lot of complex code, so many popular extensions which perfectly-fine are still not certified. Updates are delayed and discouraged because the diff always has to be audited as well. Lastly (and something which can easily be overlooked), the auditors can be biased towards approving some extensions (like those who pay them) while not approving others: extensions code won't be approved if their code is too hard to read or they are later in the review queue, but the line at which code is considered "too hard to read" and their position in the queue could easily be influenced by cash.
Nonetheless, web extensions are a good type of software to audit, compared to other software like apps. They're often much smaller and simpler, users need much less, and they operate in a very-trusted domain (all web browing, including in banks and other confidential sites. Compare this to apps on a sandboxed phone, or programs running in user mode on a computer, the damage is still there but it's much less)
And it works. At least to keep the worst off Apples App Store. Mostly. Googles play store is apparently much more linient. And contains lots of horrible apps.
But the costs, as you mention, are real too. So much, that many, including myself, simply forego Apple as target at first. Sure, it's the more popular platform and it has more people willing to pay. But the review hurdles aren't worth it in the beginning.
I actually run a service for adding paid features to browser extensions: https://extensionpay.com
From all the data I have, people will definitely pay for extension functionality, though lots of people will write negative reviews unfortunately.
I also use ExtensionPay myself in my own extensions and have found this to be true. I try to get the people who pay and have a good experience to write reviews since they’re so underrepresented in written reviews.
I built an extension called Repibox that pulls the recipe out of any website that has instructions/ingredients in the meta data and displays it immediately. First time I got an acquisition email was exciting, but then I realized any acquisition would do a disservice to my friends/family who use my extension.
Things have gotten bad enough that I've stopped using extensions that haven't been through a code vetting process.
> Recommended extensions differ from other extensions that are regularly reviewed by Firefox staff in that they are curated extensions that meet the highest standards of security, functionality, and user experience. Firefox staff thoroughly evaluate each extension before it receives Recommended status.
What does that mean in reality? Pretty sure Chrome Web Store extensions are reviewed, but since they're all minified and obfuscated garbage, I wonder how easily malicious code could slip through. I'm surprised there hasn't been a mass cookie stealing attack yet.
It means taking malware seriously, even if that means you have to pay human beings to vet code manually. I realize that Google wants to avoid paying human beings at all costs, but too bad.
CWS doesn't review every extension submission, at best they do some % of them along with anything that sets off red flags. Out of hundreds of times I pushed updates to my extension (~100k monthly users by the end) it was delayed for human review maybe... twice?
maybe its time for a LLM based security review open source framework. this could be adapted for extensions to see what information they'd be sending over.
Mozilla's review process is much more strict than Chrome's: they required me to produce original source code for all libraries that I am using (like jquery), forced me to get rid of some leftover eval's in javascript, etc. I don't think they read all source code, but they definitely look for some patterns.
If by recommended you mean "featured" flag on Chrome webstore then I believe that happens automatically if the extension satisfies their "best practices" criteria.
Without the additional constraints manifest v3 puts on what code an extension can run at runtime, an extension author can just slip some "grab some code from a server I control and eval it" logic into their extension, which Google can't vet. That makes it possible for an extension that was fine yesterday go to "harvesting your PII to send to a company that is building an AI based on your click frequency" today with no change indicated; just a silent "Oops I'm malicious now" shift.
All cards on the table: Google does a not-great job of protecting against intentional malicious changes last I checked, i.e. they'll pass through a lot of new extensions and extension updates that do shady stuff behind the scenes. But without some lockdown on arbitrary code execution (which Mv3 provides), the problem is theoretically impossible to solve.
Detect if the extension downloads and executes arbitrary code, and ban it if it does. That should be just as easy to detect as detecting that the code does something bad directly. In fact, the way extension policing works is (afaik) completely reactive: if someone reports that an extension is doing something bad, then the extension/the developer thereof is banned. No/minimal policing is done at the time of publishing. The exact same policy applies unchanged to extensions that download malicious code instead of packaging it directly: wait until someone complains about the malicious code, ban the extension for having malicious code.
In manifest v2, downloading and executing arbitrary code is a feature.
What you're describing is the migration path from v2 to v3. "Detect if the extension downloads and executes arbitrary code, and ban it if it does" is isomorphic to "deprecate the eval arbitrary code permission, cease supporting it in the store, and provide an alternative declarative model to get some of the behavior back;" it's what Google is trying to do.
It's a composition of two features, both of which are useful on their own. Removing this "feature" requires removing at least one of those sub-features, in this case eval. We could alternatively allow eval to be used, but ban it from being used on code downloaded from the internet. This would require vetting the code, rather than a fully automated check. The goal of such a removal is, supposedly, to enable manual vetting to be more effective. However, the only reason to prefer an outright removal over a conditional ban is that it obviates the need for manual review. Do you see the contradiction?
Naturally. Thus, it doesn't much matter whether code is shipped in the extension package, or downloaded off the internet, since nobody will be checking what it does regardless.
Of course it matters. One of them allows looping in data from arbitrary external sources, and the other one (Mv3) has a permissions model that disallows that. It's a completely different risk domain.
Don't forget, the mere act of requesting data from an external uncontrolled third-party source is leaking user information. Under Mv3, those leaks are fully documented.
Maintainer here. My extension is pretty much unmonetizable so any offer I receive would require some degree of a moral sacrifice. The least intrusive offer I've seen so far is to put a reciprocal link to somebody else's extension inside of mine, kind of like DarkReader is doing on their website. Even though it won't compromise any of my users data, the reason I'm not doing this is because it indirectly endorses that other extension and I don't control what they do with their users data.
I really appreciate the transparency from you. I don't use Chrome anymore, but back in the day I absolutely loved Hover Zoom+ and my wife is still loving it to this day. It's a great extension and having read your comment and the linked Github issue, I feel even better about it. Thanks for your hard work.
You're doing a very admirable thing, and this helps dispel the little voiced but commonly held perception that "everybody sells out" when they get big.
You'd still have to rely on the trust of the original maintainer, but they could set up something like a warrant canary[0], but for if they sold it or if they added tracking items.
warrant canary assumes the maintainer is under coercion. But if the maintainer is untrustworthy, their warrant canary also won't be trustworthy, since it's trivial for the "sale" and the new maintainers to continue the existing warrant canary as though nothing has happened.
Aren't these also useless even for their original reason as they can just be given a demand from the legal system to keep updating the canary as if nothing happened?
I don't think there's a solution for it after all. At the end of the day, you need to trust someone / something, unless you are the one who writes the whole code.
I do think that reproducible builds would make a lot of sense for open-source browser extensions. Google could say "if you want your extension to get a Trusted Build tag, put the source code on Github, and we'll run the build script for you to ensure that the code submitted for store review is built from the code from a specific Git commit." And from a security perspective this would be better than what we have, which is zero guarantee that an "open source" extension even matches its stated repository. I'd trust the integrity of Google's automated build systems more than an independent developer with nothing to lose and everything to gain by sneaking in a third-party script.
Alas, the presence of this kind of reproducible build system would bring needed clarity to the chaotic ad blocker market, and the lack of that clarity works in Google's favor as an advertising company, so sadly I doubt they'd do such a thing.
Yes, that's what I mean, at the end of the day, you have to trust somebody / something.
Here you have to trust both developer's code and Google's build system. Can you verify all of the developer's codes? And can you verify how privacy-trustworthy Google's build system is? At the other side, you have to trust developer's code and developer's build.
I didn't mean which one you "should trust more" at all in my comment above. Please read again. What I mean is the first sentence here.
There is a method. Designing plugin and system API in such a way that allows users a granular control over plugins or apps permissions and network activity.
But that doesn't solve the problem of a plugin developer selling out. Under the granular permission control, your existing, granted permissions _should_ be revoked, but there's no way you could know to revoke it.
Something like a plugin is a fairly well defined thing and ideally should not need a lot of permissions. E.g. an ad blocker has a simple flow: occasionally update filters from a number of specified endpoints and then match and block web pages’ request urls against downloaded lists. Between update it should have zero web traffic and filter updates are expected to be from known whitelisted sources and asymmetrical in size: very few bytes sends and a lot received. If all of a sudden after an update your plugin wants to send a bunch of data to a new URL you know immediately something is fishy. With respect to granularity, in this case the plugin might not even need to know the entire URL but just the host/domain name - this makes it less attractive to adtech.
Yet the very same author turned over the OG uBlock to a shady character, having to launch a competitor to take back the momentum. To this day there is still confusion among normies.
Hi, I used to love hoverzoom... was there a malware scare a while back or am I thinking of a similarly named plugin ? At the time I switched to imagus & adjusted to it. Either way, thanks for turning away the monetization attempts :)
373 comments
[ 3.3 ms ] story [ 328 ms ] threadThat's kinda lame because now you have to have a backend setup, just so you can charge for some features.
If we approach it from that angle, then your extension can only restrict access to it's features via a round trip to your own servers to validate access and/or show a checkout view to purchase access.
Some of the difficulty around securing extensions boils down to the fact that Javascript permissions could be better. Websites do a decent job of sandboxing the website, but sandboxing within websites (without relying on iframes) is much more difficult.
Per-site permissions and click-to-activate are also really useful features here. It's easy to forget how recent they are. But it would be good to go further if possible and having barriers in front of exfiltration would be a big part of that -- there are many browser permissions that would become less dangerous if you could know for sure that the data they generate can't get off your device. I just think it would be really difficult to try and build browser permissions around that in a user-legible way.
There are lots of business models to choose from
[edit: formatting, spelling]Extension devs know the rules of the game up front and have no expectation of profit.
It's wonderful that people are willing to share their knowledge and time for free - why not let it be the way it is?
Project being maintained by a single dev being another, there needs to be incentive to keep the project going and not abondon or sell out.
If a browser extension is allowed to use license keys (not sure on the various store rules i.r.t. browser extensions), you could create a timed license key that is cryptographically signed.
No back-end required for that.
Everyone has a price, and when everything is going smoothly, that price goes up.
There is no way for monetization to solve this, because the two potential customers are not purchasing the same product.
If monetization was better, it would just end up like Google Play, with adtech spam crowding out the "legitimately" monetized apps.
Dracionian restrictions on web access (like requiring a prompt whenever an extension wants to upload/download data) might help a little.
https://developer.chrome.com/docs/webstore/money/
"The web has come a long way in the 11 years since we launched the Chrome Web Store. Back then, we wanted to provide a way for developers to monetize their Web Store items. But in the years since, the ecosystem has grown and developers now have many payment-handling options available to them."
So there are monetization opportunities, just like any other distribution channel.
I'm not sure I advise doing it, but you can go to about:addons and hit the gear icon and you can uncheck "Update Addons Automatically". Even better, click on an extension and under the "details" tab there's an option per-addon to set whether you want automatic updates or not, so you can disable updates just for the one addon you don't trust (or enable updates just for the one addon you do trust).
Also, want to run older version of an extension? The Mozilla Addons page for each extension has a list of every release and you can download each version independently as a signed XPI file if you want to sideload it.
The big thing I wish Mozilla would add is self-compiled releases like F-Droid does, especially since their ill-advised signing process means it's hard for users to compile an extension from source -- it's way too easy for a submitted extension to deviate from its source code. But that (admittedly large) issue aside, Firefox offers a lot of control for users who want to manage their own extension versions. Forced automatic updates are a Chrome problem.
"It's lowercase-italics 'r', lowercase-italics 'e', lowercase-italics 'd', lowercase-italics 'a', lowercase-italics 'c', lowercase-italics 't', lowercase-italics 'e', lowercase-italics 'd'"
"Ha, ha, your name is 'redacted'?"
"No"
The incentives seem entirely misaligned in the extension space.
One of them straight up offered $10k, whether that was a real offer or not I don't know because I never replied to any of them.
I've since taken down the extension as I'm no longer maintaining it, but weirdly I still get these emails, albeit less frequently.
I had a small side project extension, ~25,000 installs & free to use. I got enough inbound interest trying to "help me monetize" that I thought it would be worth cataloguing all the different unsavory avenues: https://mattfrisbie.substack.com/p/the-ugly-business-of-mone...
It's currently not economically possible to listen to user's conversations, transcribe them to text, and serve ads based on that. It would cost orders of magnitude more in processing power than you could get from the extra sales.
This might change in the future, of course
Google had (and has afaik) significant challenges implementing multiple wake-word detection for precisely this reason.
Transcribing a couple of words accurately on-device without a major performance penalty (so that it can be running in the background always) is just _barely_ coming out now.
Of course running it 24/7 in the background would ruin my battery, you would have to be smarter than that.
Anedoctally I belive Meta does something like that because I consistently get ads on Instagram about topics I talk with a friend on Whatsapp and sometimes that is done completely via audio messages. Though I might be wrong and leaked the topics in text messages among other possibilities.
I think it can be economically feasible. They can have a model optimized for their topics which can be orders of magnitude faster than general-purpose speech recognition. Low accuracy probably wouldn't be an issue as they are able to fine tune the user topics of interest via its interactions with the ads (e.g. click rate, time spent before scroll).
[1] How much more money will a $100B ad business make if they improved tracking accuracy by %1? It's some positive number, but significantly less than $1B.
It's picking up pennies in front of a steamroller. You'd have to be a truly desperate PM to consider it.
[1] Still all the legal risks of holding that data, but they are easier to mitigate.
Don’t get me wrong it’s shitty and gross. But they are different things.
I'm just glad we are not there yet.
> When music plays nearby, your phone compares a few seconds of music to its on-device library to try to recognize the song. This processing happens on your phone and is private to you.
https://support.google.com/pixelphone/answer/7535326?hl=en&s...
Imperceptible to human hearing, but readily picked up by a listening mic. In fact, there are static analysis tools for picking out apps that access such API's in FDroid, along with taking measures to feed said apps dummy data. At least for Android anyway.
https://imgur.com/a/mqBE8wM
30% on Android 13 is absolutely not believable, both from personal experiences and data collected.
Even some old games I paid for are gone from the Play Store too. Like, I paid for Puffle Launch and it's just plain gone from my library.
Edit: ahah, I was looking in the wrong spot! Its still in my "not installed" list, just not in my "family library". Either way, not compatible with any device I own.
I just found https://archive.org/details/PuffleLaunchAPK and https://archive.org/details/PuffleLaunchAmazonAPK (both point to each other), with a note that says that the latter generally works and the former crashes. I can verify this; on my (Android 8, 32-bit compatible) device the Play version crashes with:
I'm always on the lookout for old interesting games, and maybe there are workarounds for the other titles in your library too. What's the list?One problem is that some games aren't just incompatible, but also were enshittified with ads and nonsense after I paid for them (before they were killed altogether).
Offhand, the ones I remember: a paid version of Angry Birds Space, Amazing Alex (Rovio's excellent take on The Incredible Machine), Swords and Soldiers (fortunately there's a Steam version of that), Noodlecake's "Wave Wave", Pool Break Pro, and some classic ports like Dead Space, Spy vs Spy, and Ur-Quan Master, but there are better non-mobile ways to play those games.
The word "just" doesn't belong in that sentence. The ad companies being able to know things about you without actually listening to you is even more scary.
Evil-Ad-Company Neo: "You're telling me I can know things about my customers by secretly listening to them?"
Evil-Ad-Company Morpheus: "No Neo, I'm telling you that with the right license agreements, data sharing partnerships, and algorithms, you wont need to secretly listen to them."
Advertising is evil.
- I use ad blockers for my browser on both mobile and PC
- pay for the ad free version of all of my streaming providers
- don’t use apps that have ads and don’t have a method to pay to get rid of them
Modern advertising is not just "showing a product to induce demand". Car adverts don't just highlight functionality, they use mass market analytics to play emotionally driven messaging and visuals so that you associate that feeling with the car ad.
Do you know what Bernays called what services he offered before the word got tarnished?
Propaganda.
[0] https://www.youtube.com/watch?v=eJ3RzGoQC4s
It explores the power fear has to shape behavior.
and then bernays' nephew started netflix
Googling X is a voluntary act to search for X.
Speaking about X with a friend, while the phone sits in a bag nearby, has exactly zero connotations of wanting to search for X.
Sure, there are varying degrees of this evil, but IMO even the least-objectionable advertising out there still can't be called "good".
In my experience, the case where advertising gets you to buy something that ends up being materially useful, that you would not have bought (or found a substitute for) without that advertising, is the exception, not the rule.
Oh, and to address your specific example: if you search "best diapers", and get shown ads for diapers, that absolutely is evil, because some ad-presentation algorithm is pushing you toward whatever diapers will generate the most money for the ad network, likely not toward which diapers are best. Not to mention that "best" often means different things to different people, and the ad networks only care about that insofar it increases their profit.
I've heard somewhere that ads are rich people screaming "give me money".
(i know, i know, but i like it)
> To me, that's evil.
Bill Hicks on marketing: https://www.youtube.com/watch?v=tHEOGrkhDp0
That makes me think of this Paul Graham piece on "the PR industry, lurking like a huge, quiet submarine beneath the news." [0]
[0] http://www.paulgraham.com/submarine.html
> If you really want to be a critical reader, it turns out you have to step back one step further, and ask not just whether the author is telling the truth, but why he's writing about this subject at all.
Followed quickly by being hopelessly naïve about the future:
> Whatever its flaws, the writing you find online is authentic. It's not mystery meat cooked up out of scraps of pitch letters and press releases, and pressed into molds of zippy journalese. It's people writing what they think.
Surprisingly though, for some reason I don’t find podcast ads to be as offensive.
People are spending money because they see that they are getting value from something. If people didn't want it or thought it was worthless they would not buy it.
Thinking something is "worthless" and not wanting something are opinions. A lot of modern advertising attempts to change peoples' opinions, so that they do want something, and think something has worth. It's just like propaganda, which actively attempts to sway peoples' opinions.
Of course, there's only so far you can take this. Convincing anyone who isn't seriously mentally impaired that a sandwich made with literal shit isn't worthless is probably not going to work. But away from the extreme end, there's a lot of room to manipulate people.
Target Sends Coupons to Pregnant Girl and Unawares Dad Explodes
https://www.workplaceethicsadvice.com/2012/02/target-sends-c...
> Pole had identified about 25 products that, when analyzed together, allowed him to assign each shopper a "pregnancy prediction" score. More important, he could also estimate her due date to within a small window, so Target could send coupons timed to very specific stages of her pregnancy.
And things just get worse from there, as companies figure out more and more ways they can extract information from the information they have about you, and share it with each other.
After that, we just wait. We know we have you. It’s just a matter of time till you need a product like ours (you’re already our target demo), or an impulse buy occurs.
Without evening knowing it. You’ve been manipulated into trusting our brand, and you’ll think it was all an organic choice.
Nothing malicious or dangerous here.. move along.
but what are you protecting yourself from? What's the threat model?
I like to think I'm immune (the only ad I've ever taken up was years ago for Privacy(.com), and only because I then knew about it later, and could choose to pursue it on my own), but I wouldn't be surprised if at some point before I started being allergic to every type of advertisement imaginable, some ads managed to get my attention for one reason or another. (maybe subliminal messaging's done something before, I dunno.)
I'm not too concerned about it since I know it's been kept to a minimum, so at this point basically everything I've done is something I actually wanted to do, there are no concerns about having been manipulated. But that's just because I've managed to avoid seeing targeted ads almost whatsoever.
Not whether it's something in the world that's ever been marketed at all, because literally everything has.
With prolific cases as Robodebt and the Toeslagen Affaire, we can only hope these automated scoring systems remain isolated from governmental overreach.[3][4]
[1]: https://themarkup.org/privacy/2023/06/08/from-heavy-purchase...
[2]: https://themarkup.org/privacy/2023/06/23/how-your-attention-...
[3]: https://en.m.wikipedia.org/wiki/Robodebt_scheme
[4]: https://en.m.wikipedia.org/wiki/Dutch_childcare_benefits_sca...
Then there is the fact that a large amount of data about me is being stored, possibly insecurely for people with even less scruples to analyse. I have very little to hide (white, middle class, straight, male, cis, no criminal activity beyond some unlicensed TV/film access, etc – there is little or nothing about me that would be frightening for anyone else to know) but there are many out there who do have things that could be (unfairly) held against them with terrible consequences. Consider women in Texas where there is effectively a reward/bounty program to encourage snitching on those who have had, or are considering, an abortion, or people in law enforcement who don't want certain groups to be able to derive their home address with any accuracy, people in one or more closets through fear of being ostracised from their family/community and left pennyless & without support, and so forth. I grew up with friends who were gay when it was still effectively illegal to be, despite what the Sexual Offences Act (1967) said, and when getting beaten up for being gay was almost acceptable (“act more straight, and it wouldn't have happened”: something a friend was once told by a policeman that saw no cause for arrest) – the fear of consequences from collected information “getting out” and/or being used to derive other information (true or otherwise) is real and for many people not at all irrational.
Back to my icky feelings, which are perhaps a little bit less rational: I wouldn't be happy with someone following me between shops, watching what I'm perusing, then to the pub and noting who I was there with, then back to my home, in order to be able to serve me relevant ads (perhaps for shoes that would be more comfortable for that much walking? or for condoms because they noticed I was accompanied by a female friend, and you never know, right, nudge nudge wink wink), and I'm not happy about the same happening in a more virtual environment. How do I trust that is really (or only) why I'm being followed? And I how do I know who else my stalker is selling news of my activity to?
[actually, the “I have little or nothing to fear” isn't entirely right – any of us could suffer from plain old identity theft in various ways]
This has been true for years to the extent that the nature of your purchases can tell a lot about you. https://www.forbes.com/sites/kashmirhill/2012/02/16/how-targ...
I just did a virtual visit with a doctor that used a video conferencing service that work without an app on iOS and just used Safari. I had to give the page explicit permission to use my microphone
I open them to get my increasing amount of cash.
That data must be valuable???
Someone else on HN called it "elegant" last week.
https://news.ycombinator.com/item?id=36975056
What a biased, myopic comment. As if ad companies are a grassroots movement against centralisation. As if ad tech is not in the hands of the powerful few tech companies.
They have defended ads in 2021 as well. I wonder where they work. I mean, somebody must be writing the backend for all these ad companies.
One is actively censored and you can go to jail for, the other isn't even on the legislative agenda. There are semi-understandable reasons, but it's far from entirely non-hypocritical.
- Do you trust your constituency to make up their own minds or not?
- Who are you trying to protect?
And this is without even mentioning online advertising as a (seemingly increasing) vector of scams, frauds, malware and viruses.Now, add in psychological effects - "synchronicity", "frequency illusion" ("Baader-Meinhof"), "recency illusion", confirmation bias, etc... I'd expect a fair bit of compounding*.
Then, add in simple use of statistics, statistical inference, etc. and basic tracking of user navigation around the web, on a given website, etc.
I've had these experiences, perhaps one or two times a year, on average. Experiences where I was VERY surprised by ads presented. Experiences that would easily suggest a microphone must have been on when it shouldn't have been. Sometimes, I realized I'd used someone else's device in a way that could be tied to me. Other times, while some "leaps" would be involved, I could basically deduce myself that someone who had looked for information on some "X", and information on some "Y", might really be thinking about some "Z" that isn't easily arrived at from either X or Y in vacuo.
Spying, in the sense you suggest, can't be ruled out by the above. But, I would ask - why even spy? Is a company like "meta" really going to get much more useful (from their perspective) info by doing so? Particularly given the COST? It's becoming more realistic, arguably, but, really, these companies have had more than enough info on just about anyone for well over a decade to keep their algorithms and such well-occupied.
People gladly hand over tons of data constantly ... with full awareness and intentionality, and otherwise. The vast majority have no idea what statistical inference and other techniques can suggest based on seemingly obliquely connected info. Further, most users are so accustomed to "cookies" and other hidden types of tracking, and ignoring EULAs** ... really, it's hard for me to imagine a good case for doing anything more ... "invasive" and ... legally / otherwise dubious.
Edit: mostly came back to add one of my favorite (ab)uses of (statistical) inference:
https://youtu.be/Oseqh7SMIvo
(also, added the bit below about EULAs)
* Outweighing significantly, I'd suggest, other quirks of human perception, memory, etc. that may diminish awareness and recognition of potentially related events. I write "suggest" mainly because I don't have ready refs to offer this second and don't have time to dig a couple up ... IIRC, the research that exists strongly favors compounding, though, of course, this could be argued to be influenced itself by human psychology (including social and economic factors, e.g., "publish or perish" etc.).
** Jargon buried in legalese, what a genius way to get just about anyone to agree to just about anything! If only John, King of England (in 1215), had been more skilled in the ways of the EULA - perhaps "King Charles III" would be emperor of the world now. Oh utopia denied ... kek.
While that is a positive take that could explain it, I am not convinced by that number crunch. 2/situations per year, per person, that is still "a lot" to be considered plausible statistical coincidence.
You had the conversation with someone and that someone googled/shopped/amaozned/clicked it. Or did before already, you don’t initiate every conversation in your life after all.
Now go and try getting a denial that they are not using the fact that you share a wifi with someone as parts of the recipe for the recommendation cake.
And, it looks like that feature still exists: https://www.facebook.com/business/help/170456843145568
"Upload a list of emails to create a custom audience"
Seems easy enough.
https://en.wikipedia.org/wiki/Onavo
It’s a really creepy feature though that can easily be abused.
> I'm a fan of [extension name] and I really like how convenient and useful it is.
> Have you considered offering promotional spots to those interested in promoting their products on your extension? I'm interested in promoting my own extension on [extension name] and would love to discuss this possibility with you.
> Let me know if you're open to this.
I have a website, I'm sure it's worth money to someone. If someone were to offer me $1000? Piss off, i've paid more than that in hosting costs in the 15 odd years I've run it. 10K? Sounds compelling, I'll have to think about it. $1M? Fuck all of my online friends, I'm taking the money and cutting contact.
It would be shit and I'd probably regret it, but it's a lot of money. But this kind of corruption is everywhere, and worst of all, it's permeated in politics. But subtly, in the form of campaign contributions, lavish parties and vacations, connections (i.e. lavish positions in company boards during or after a tenure in politics), never in the form of wads of cash passing hands.
> I'm reaching out to discuss a unique monetization opportunity for your extension, <name>, through our exclusive Premium Bing Hosted Product. > I'm thrilled to let you know that this invitation-only product offers the chance to earn as much as $500 per month for every 1000 users. Given that your extension has a user base of 10K, you stand to make up to $5000 monthly just by integrating the search functionality into your extension. This could be a significant source of passive income, and I truly believe it's an opportunity you won't want to pass up.
I... I... I know the 10 installs are all basically /my devices/...
Fake extensions created under burner dev accounts (w/ fake identities), astroturf the installs like crazy. Use ChatGPT to write the code, pump it out like chocolate out of Willy Wonka's Fudge Sludgefest.
Sell to scammers/info scalpers for a flat fee via a non-refundable route under a semi-reputable escrow, rinse and repeat.
The one downside is if you do that to somebody bad, and you've left any personal info out by accident....
Additionally, it's highly unethical. Don't do this. But it seems like 'easy money', the whole 'curse of maybe getting doxxed and XYZ from a sufficiently-motivated data thief' aside.
Maybe mark as spam and move on.
My site also has some Windows software downloads on it, and I occasionally get emails for bundling dodgy installers. Most of these tend to be "residential proxy" services looking to sell access to users' internet connections.
I wonder what these people are thinking? Like, TOR operators know the risks with connection sharing - most particularly: pedos using their service to share CSAM. But everyday people?! They have no idea until one day they get v&.
Not condoning it of course, it is still an ugly practice.
I also get these emails but run a WordPress site. I was convinced they would fingerprint websites and mail those to these sites only.
It was on my todo to see if I could hide the fingerprint of WordPress.
But now that you mention this, it's obvious it wouldn't do much. In hindsight, I could have know these spammer would just spam everybody in bulk.
Sounds like a challenge to hide the wordpressyness entirely though, it's got a huge surface area.
---
Subject: Found a security vulnerability on your website.
Hi Team, I am Harris, a security researcher, and I have found a security vulnerability in your website outside a bug bounty program.
I can disclose all the vulnerabilities found and their proper fixes too, to make your website more secure.
Companies I helped have always been generous and helped me back with rewards in amounts they think are appropriate to the issues I have found. If you appreciate my help, I'd be happy to receive a bonus payment via PayPal, Bitcoin, Payoneer, or Bank Transfer.
Waiting for a positive response from your end.
Thanks and Regards,
Harris A
Certified Ethical Hacker
I just ignored them and that was it.
They feed in so much context that it does appear to be a real person and it ends up wasting a lot of time and honestly it's quite hurtful. We spend a lot of time sharing our stuff and these fake connections are a major turnoff.
Recently we encountered a wave of "awards shortlist" sort of emails written by AI with deep context that will cosider us for award for one easy payment! Except they always forget to tune the topic as we're not running software security service, we cover web scraping.
I feel like AI will kill email communication between strangers. It's getting so exhausting.
I believe most legitimate visitors send an email shortly after visiting a page with the address while spam emails often have a much longer lead time with new addresses (it takes time to get scraped, put in a database, and then get used).
However this does mean that extended communication on that address and saved addresses will not work well.
The first one that happened to me: I have a domain name and someone emailed me to let me know, as a courtesy, that someone was buying similar Chinese domain names and did I want to get them first. I thought that was nice that they were notifying me ... oh wait, they're just trying to get me to buy their domain names.
People contact me about redesigning my website, buying my website, exchanging links, straight up spamming my website. It's really strange.
"I’m sure you get business proposals all the time, so I’ll get straight to the point. I hope what I’m proposing is a little different and might actually interest you. I like Hover Zoom+ as a great alternative to it’s bigger brother Hover Zoom that lost its glamour over the last couple of months.
We're conducting a DNS error research and we’re interested in small amounts of anonymous data that you might be able to provide via your Chrome extension. Our research has been going on for years and Google has never had the slightest problem with it.
- Compatible with Google’s strict policies
- No personal user data
- No ads, no malware
The data we’re interested in are basically just DNS errors:
- NXD – Non Existent Domain - the domain that a user entered that resulted in a DNS error.
- A time stamp – when it happened.
- GEO – where it happened (USA, UK, RU etc.).
- A unique randomly generated user ID (can be hashed, not traceable back to the user). Please, don’t confuse this with the user IP address.
And that’s all. You can either use our script or collect the data on your own and send it to us via an FTP server, API etc. There’s a lot of different ways we can do this. We pay on a monthly basis. The payments depend on user GEOs, but it would be in thousands of dollars per year.
Is this worth at least a brief discussion? Looking forward to hearing from you.
A while back I reached out to you regarding a DNS error research our company conducts. Hover Zoom+ would be an ideal medium for our research. In return, this could become a solid new revenue stream for you.
Our method has been going on for years and we’ve never had the slightest problem with Google. We pay regularly on a monthly basis. For you it would be in tens of thousands of dollars per year - the amount depends on your users base and data quality.
If you’re concerned about including third party scripts, there’s still a lot of ways we can make this work.
Please let me know if this is worth a brief discussion to you."
Therefore, there is likely some business interest at best, or anti-user behavior at worst.
It's not hard to write a script that ostensibly does one thing but very sneakily carries information about another thing. For example, write a bad 'hashing' function? Piece of cake.
Always follow the gradient of ATP.
Some good discussion in that thread too :)
Shameless self promotion - Open source chrome tab search way more powerful than the newish built in search (supports quotes, negative searches, things like host:example.com, etc).
https://chrome.google.com/webstore/detail/tabasco/apnefdpgai...
For those curious, here's the GitHub repo of my extension: https://github.com/mohnish/rearrange-tabs
I will never do this because violating privacy goes against the core of my beliefs, but there is a conflict I can't seem to work out. On the one hand, I KNOW that the vast majority of users prefer to sell their privacy than pay a single penny. They would gladly click on a "sell my data" over a "pay money" button any day of the week. I know this because I have interacted with enough users to know these things. Many users will suffer a fit when things are not free but won't lose any sleep over giving away their personal details. Again, I speak of the majority and in general terms
On the other hand, I want the internet to be a place where unscroupulous actors don't flourish. Most people don't expect to get things for free in the real world, why should the internet be any different? Why does everyone (myself included) always look for free stuff on the internet?
The worst bit of it all is that in the end, the only people interested in spending money online are data thieves and advertisers. Everyone else is giving their soul. Developers are somehow expected to work for free so that this entire edifice can stand
In order for me to pay you, I at a minimum have to do some amount of mental gymnastics to convince myself that it's worth it for me to pay you. This has a perceived cost even if the money spent is trivial. This is why people who take money in small increments - i.e. mobile games, arcade operators, casinos, and so on[0] have you buy a large amount of some scrip that they control, and then make it so easy to spend it that you might accidentally do so.
Nobody is thinking "I'd buy this, but only if I can leave no record of ownership[1]", they're thinking, "is it actually worth buying". Identity and privacy isn't a thing that people actually account for when making purchases - mostly because it's never actually mentioned[2] in the terms of purchase. It's snuck in. So the choice is just "the free one" and "the $2 one", where the value of the $2 extension can never hope to overcome the mental transaction costs.
[0] Nintendo and Microsoft used to do this around the Wii and 360 eras. While on the Wii it was 1 point equals 1 penny/yen, Xbox did something nasty and made it 80 points equals 1 dollar.
[1] That would mean that setting up a new computer or browser profile loses you all your existing extensions that you paid for.
[2] I do not consider legal disclaimers to be adequate notice, and neither should you. Dropping a clause in a EULA is the equivalent of dropping rohypnol in your drink.
And also unlike cash a service can keep billing you.
And, for better or worse, the risk is partially put on the business in the form of increased cost (or payment service denial) when a credit card transaction is considered too risky (charge backs).
Also there is a fair amount of friction to giving payment info than say pulling out your wallet or phone (but this is improving with “digital wallets”).
You don't know that because no one is given a clear choice like you present (and even saying "data" is opaque to joe average user). And this is what regulations like EU's and CA's should be enforcing. Imagine if the choice was: We have this data about you (a comprehensive list of all the fruits of our creepy stalking: a,b,c,d, etc...), if you let us violate your privacy in a myriad of ways, we will let you have this little trinket for free. Otherwise, it will cost you x. How many people would select privacy violation?
>Most people don't expect to get things for free in the real world, why should the internet be any different? Why does everyone (myself included) always look for free stuff on the internet?
Most of the internet is communication in some form or another. I get a lot of communication for free in the real world. My question is: why does everyone assume that the purpose of the internet is their platform to get rich selling trinkets to clueless natives? Maybe some things are better off run as a non-profit?
Unfortunately under the GDPR we are not going to find out how many people would choose this option. It isn't legal, in the EU, to refuse someone access if they say no to your data collection.
[1] At least according to some countries' DPAs, and as long as the price is "fair".
https://www.iubenda.com/en/help/24487-cookie-walls-gdpr
From your link, almost at the top: "The cookie wall is a mechanism where the user has only one option to access the website: accept the processing of the cookies. The cookie wall is prohibited.". So no, requiring users to agree to data collection, per your article, is prohibited.
The article makes a distinction between cookie wall (accept or no access) and paywall[1] (accept or pay). The former is prohibited, the latter has been okay'd by several national DPAs.
> The Austrian, French and Danish DPAs have already indicated that the paywall system is a valid solution as long as the subscription to the site has a modest and fair cost so that it does not constrain the user’s free choice.
> The Spanish DPA indirectly shared its position implying that cookie walls can be used as long as the user has been clearly informed of the two available options for accessing the service: 1. accepting the use of cookies; or 2. another alternative, “not necessarily free of charge“, that doesn’t require giving consent to cookies.
[1] Not to be confused with the "hard" paywall (pay or no access) we see on some publications. They've just called it like that for lack of a better term.
Especially because I bet so many of those sites would set X to be much higher than the value of the data.
When it comes to what people chose to do with their own data though I don't feel a moral obligation to push my views though. If they truly want to opt in and save the $20 (or however much the data is worth in the app) then taking that choice away because I disagree with how they should treat their privacy information is hardly much better than forcing them to because of the same reason. The main difference for me being whether or not I profit off it but, given choice in each case, that really doesn't matter to how the user weighs the situation.
Even though many people assume it's this way, this choice hardly ever happens in practice. You allude to this yourself. In reality, the choices are usually between paying for something and they still sell your data, and getting it free and they really sell your data.
The majority of paid services have privacy policies, terms of service and user agreements that spell out how they sell data just as much. At best, you might expect that they are a bit more selective in who they sell to, since they're not as desperate for cash flow. However the impact to you is greater - they now have your credit card, address, full name, phone number (all vulnerable to hacks and leaks) and it's harder to lie about these things than with a free account. So the data they collect is more valuable, hence the temptation is higher as well.
Moreover, the paid services have consumer-hostile subscription systems rife with dark patterns. It's needlessly tedious to cancel a service if you decide you don't like it, and even free trials demand a credit card.
Transparency is very low about what is actually done with your money as well. Many services operate at a loss, and the customer charge is just a fig leaf while the real money comes from investors. Arguably, the paid model is a sham for some companies and their real exit is to collect data for a years and then get bought by some data aggregator. On the other end of the spectrum you have people fishing for suckers with ridiculously inflated prices.
For these reasons the choice of paying money is tainted by lack of trust, it is not just consumers being stingy and entitled. Lack of trust can quickly bog down any market.
I don't really blame the industry here, though. It's a bit like California in 1848 - you can hardly blame people for picking up the gold that's just lying around. The real problem is that we don't have the tools, infrastructure and regulatory frameworks that let users see and control how their data is used. If people really want to sell their data in lieu of payment, then let them. But currently, most users are not aware exactly what data gets collected and how much it is worth - they're not able to rationally decide that paying $5 for an app is better than being mined for $20 worth of your data.
+ track change of ownership
+ some distributed review system
+ better sandboxing
+ no forced autoupdates
+ A few other things
World of Warcraft has an in game ui addon modding system built in that ends up suffering from these same problems. It’s so damn frustrating to see addon developers sell out their fans to a super shady spyware company for like $3/month (and the alternative is $0)
I could understand betraying people for a life-changing amount of money, but £20 is 5-20 minutes’ worth of pay for a competent SWE…
Have some trusted organization or group (like Google or Mozilla themselves) who run audits on extensions to "certify" they don't have any malware. Additionally, the extensions are all 100% open-source, so if the "trusted organization" is compromised (or just bad at their job), they'll get caught and people will stop using them.
This isn't foolproof. Adware can be hidden from even the auditor or the auditor can be compromised but nobody finds out. It's also expensive and time-consuming, especially for extensions with a lot of complex code, so many popular extensions which perfectly-fine are still not certified. Updates are delayed and discouraged because the diff always has to be audited as well. Lastly (and something which can easily be overlooked), the auditors can be biased towards approving some extensions (like those who pay them) while not approving others: extensions code won't be approved if their code is too hard to read or they are later in the review queue, but the line at which code is considered "too hard to read" and their position in the queue could easily be influenced by cash.
Nonetheless, web extensions are a good type of software to audit, compared to other software like apps. They're often much smaller and simpler, users need much less, and they operate in a very-trusted domain (all web browing, including in banks and other confidential sites. Compare this to apps on a sandboxed phone, or programs running in user mode on a computer, the damage is still there but it's much less)
And it works. At least to keep the worst off Apples App Store. Mostly. Googles play store is apparently much more linient. And contains lots of horrible apps.
But the costs, as you mention, are real too. So much, that many, including myself, simply forego Apple as target at first. Sure, it's the more popular platform and it has more people willing to pay. But the review hurdles aren't worth it in the beginning.
From all the data I have, people will definitely pay for extension functionality, though lots of people will write negative reviews unfortunately.
I also use ExtensionPay myself in my own extensions and have found this to be true. I try to get the people who pay and have a good experience to write reviews since they’re so underrepresented in written reviews.
> Recommended extensions differ from other extensions that are regularly reviewed by Firefox staff in that they are curated extensions that meet the highest standards of security, functionality, and user experience. Firefox staff thoroughly evaluate each extension before it receives Recommended status.
https://support.mozilla.org/en-US/kb/recommended-extensions-...
If your browser doesn't have a code vetting process for extensions, I'm not interested in your browser.
It means taking malware seriously, even if that means you have to pay human beings to vet code manually. I realize that Google wants to avoid paying human beings at all costs, but too bad.
They do allow minification for compression, and I don't know what stops someone from uploading different source code from the shipped addon.
https://support.mozilla.org/en-US/kb/recommended-extensions-...
All cards on the table: Google does a not-great job of protecting against intentional malicious changes last I checked, i.e. they'll pass through a lot of new extensions and extension updates that do shady stuff behind the scenes. But without some lockdown on arbitrary code execution (which Mv3 provides), the problem is theoretically impossible to solve.
What you're describing is the migration path from v2 to v3. "Detect if the extension downloads and executes arbitrary code, and ban it if it does" is isomorphic to "deprecate the eval arbitrary code permission, cease supporting it in the store, and provide an alternative declarative model to get some of the behavior back;" it's what Google is trying to do.
Then it's a non-starter for the manifest format supported by the chrome web store. Because Google's goal is to automate as much as possible.
Don't forget, the mere act of requesting data from an external uncontrolled third-party source is leaking user information. Under Mv3, those leaks are fully documented.
why can't there be a method for making sure that such trust cannot be abused? Is this a tractable problem at all?
[0] https://en.wikipedia.org/wiki/Warrant_canary
Which browser are you using?
Alas, the presence of this kind of reproducible build system would bring needed clarity to the chaotic ad blocker market, and the lack of that clarity works in Google's favor as an advertising company, so sadly I doubt they'd do such a thing.
Here you have to trust both developer's code and Google's build system. Can you verify all of the developer's codes? And can you verify how privacy-trustworthy Google's build system is? At the other side, you have to trust developer's code and developer's build.
I didn't mean which one you "should trust more" at all in my comment above. Please read again. What I mean is the first sentence here.