122 comments

[ 3.4 ms ] story [ 174 ms ] thread
The irony of this being a youtube video is not lost on me.
How does Youtube detect adblock anyway? Is that documented anywhere?
It's not very hard to see when particular web requests did not happen, or particular JS did not execute.
you can make the request and hide the result from the user
Which defeats about 75% of the reason to use the adblocker.
In the specific case of YouTube, it does not. The content and ads providers are the same.
I'd say closer to 99.9999% of users who can stream YouTube aren't trying to save data and just want to AdBlock.
if there's no other option it's a still infinitely better than seeing HOT SINGLES IN YOUR AREA or another MANSCAPED ad

if it gets to that point I wouldn't mind the adblocker even automatically clicking the ad some percentage of the time, just to punish Google

That's called AdNauseam.
not quite

I don't want to punish everyone, only those attempting to coerce me into disabling the ad-blocker

For something like YouTube it can probably still be detected by timing. If the browser plays part A of a video, then when it is done immediately requests part B of the video, when there is supposed to be a 2 minute gap to play an ad, that can be detected on the server side. The client could try to get around that by doing things like telling the server it is playing at 2x, and then really playback at 1x, but then the server could send different content (pre-downsampled) depending on the playback rate requested.
That doesn't seem to be what is happening, because then uBlock Origin couldn't work around it.

Also things like Newpipe and embedding can be used to bypass the block as well.

I find all of this weird because it seems all so lacking in fundamentals. I'd expect indeed checking whether the content was actually downloaded. That'd be much harder to work around.

In turn that should result in an ad blocker that downloads content but doesn't show it, completing the circle.

I think properly doing it would require a specialized web browser, capable of keeping two separate models, one which it pretends to render, and one which is actually renders.

It is beneficial for Google to drag out any cat and mouse game against ad blockers as long as possible. They are all built and maintained by volunteers, who get yelled at by assholes every time something changes and breaks an ad blocker even for a single night.

Google is trying to make this suck for the maintainers, explicitly so they stop maintaining the ad blocker.

I read somewhere Youtube used to send a response like {..., ads: [1, 2, 3]}. uBlock would see this response and turn it into {..., ads: []} and load the page accordingly.

I guess now, Youtube expects a response back, and occasionally, the request/response is faked. So, when uBlock adjusts the request/response and says "This user watched the ads", Youtube knows the request/response was fake and there were no ads to begin with, notifying that user is using an adblocker.

Looking at the filters that uBlock is using, it still seems to be some sort of regex on the xhr request/response body [1]. Why can't youtube trivially defeat this by encrypting everything? It seems like trying to go about the cat-mouse game in this fashion in a losing battle, because all google needs to do is just change up the names a bit each day.

[1] https://github.com/uBlockOrigin/uAssets/commit/fb33bb3c1fa99...

> It seems like trying to go about the cat-mouse game in this fashion in a losing battle, because all google needs to do is just change up the names a bit each day.

That's exactly what they are doing, well I don't know about only "change up the names" but they update the script multiple times per day and uBlock Origin devs are trying to catch up.

Might*

*Actually doesn't

I can see you're already being downvoted because Hacker News has a really juvenile attitude to DRM.

No one has the right to YouTube (or free media for that matter).

> No one has the right to YouTube (or free media for that matter).

This is self-evident and we have Terms of Service for exactly this reason. What I think we're debating is what's reasonable reach for Terms of Service to have? Can we violate it by muting ads? Why not? Why is that different in principle than an Adblocker?

(comment deleted)
> Hacker News has a really juvenile attitude to DRM.

The door is that way.

Anyway. Sure, no one has right to YouTube, but they can't have their cake and eat it too. I think the EU trend is pretty clear: no tracking to make money off our citizens. If you want to sell them a service, go ahead and just name your price. Actually compete instead of giving away stuff for free to undermine competition and then getting the money back by peddling the eyeballs in the back alleys.

I don't think this argument has any legs. You request a page from a web server, the server gives you back some html and some javascript, you execute the javascript which detects if you are using an adblocker.

There is no tracking involved, if you believe the js you got back is spyware you can refrain from running it and you can't watch the vid. Should every website ask for your consent to serve you javascript now?

> Should every website ask for your consent to serve you javascript now?

Ideally, yes.

Please don't give the EU any more ideas.
I could do without js.
As the "cookie consent" debacle showed us, websites won't stop using JS, they'll just bombard you with consent dialogs until you click the button that makes them go away fastest, which is likely the one that involves consenting to run their JS.
I don't think I've ever seen a cookie consent behave that way, they just make it 1-3 extra clicks to refuse non-essential cookies; which is in violation.
A reminder that the "cookie consent debacle" is intentional. There is no requirement for a popup or any system to ask for your consent to store cookies if you simply do not store unnecessary cookies, and the carve out for "necessary" cookies is huge.

Every time you see a popup to approve cookies, it is explicitly so a company can beg you to allow them to track you for free money.

Right, this about what websites will do in response to legislation, not what the legislation actually intends for them to do.
(comment deleted)
I'm entirely ok if the punishment for violating the law (most popups violate the law) is to shut down the entire website for 6 months.
Why not? GDPR isn't flawless, but im sure happy it exists
Please, give them more ideas. They're the only regulatory bloc that's willing to protect users from corporate overreach and oligopoly.
(comment deleted)
Their core thoughts seems to good, final result isn't.
uMatrix implements that. Highly recommend.
While highly recommended. Outside of the tech crowd, uMatrix is a maze to organise and most folk don't care that they are planted with tracking cookies.
For those users, there is uBlock Origin. Actually, I think it's the recommended suggestion by their developer for all users, isn't uMatrix no longer supported with uBlock Origin including many of it's features?
I'm still using uMatrix. I don't really understand why uMatrix was abandoned, its UI is miles ahead what uBlock Origin offers.
I haven't used uMatrix in years, but isn't the UI in uBlock Origin > More similar, do you know what's missing?

https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium...

Everything is missing? That left panel as shown in the screenshot is display-only, you can't click on it to allow/disallow anything (also: it's below the rest of the interface in my version, not to the left, which requires a lot further mouse travel).

...oh, I see, I have to first go into the settings to declare myself an able-minded human. That's quite the UX failure, hiding functionality behind an unrelated toggle at an entirely different place.

Having finally found the correct mystical incantation, I can answer your question. At first glance, that UI is incredibly confusing. Why are there two columns to the right of every domain? What's the difference between making the left column red and the right grey, versus making the right column red and the left grey? What is the significance of the +'s and -'s in the various cells? That help page doesn't explain any of it.

What's really missing: uMatrix lets me see how many resources of what type were loaded from what domain. That's very helpful when finding out what needs to be unblocked: if a site doesn't work, I progessively whitelist third-party resources until basic functionality is restored. I then remove everything from the writelist that's unused. It doesn't seem like that information is available.

Also: with UBO it doesn't seem possible to enable javascript for just one third-party host, or enable everything except javascript? If I whitelist a host in the UI, it automatically enables static resources (img, css), dynamic resources (js), cross-site data (xhr) and frames. I'm not going to write manual rules every time I want to allow everything except javascript.

This is just from a cursory examination, so maybe the functionality is there, it's just unfamiliarity with the new interface. But from what I'm seeing, neither the UI itself nor the help page make a compelling reason to make the switch.

To allow disallow, click the smaller rectangles to the left, on mouse over they are grey and red squares.

>uMatrix lets me see how many resources of what type were loaded from that domain.

uBlock Origin > Logger (its an icon)

> enable javascript for just one third-party host

Red button (with more enabled) disables a specific resource in a nested-list UI very similar to uMatrix AFAIR.

Yes, I phrased that one badly. I meant to ask: how do I enable just javascript for a domain, rather than also enabling css/img/frames? But that's more of an academic question since if you trust a domain to run javascript, you'll surely also load css and img from that domain.

Red button (with more enabled) disables a specific resource

I don't see it. Red button disables a specific domain for as far as I can see. It doesn't disable just one type of resource from that domain.

in a nested-list UI very similar to uMatrix

It seems this is the problem: uMatrix is most emphatically not a nested-list UI: it is an authorization matrix UI. It seems that UBO does try to incorporate some of uMatrix' features back into it, but in the basis it's still a one-dimensional blocklist. That's just not good enough for how I browse the web in safety.

If the missing functionality is there, I can't find it either and no mention in the docs.
Replying to myself to further refine my issues:

Why are there two two columns to the right of every domain?

The left column is for global rules (independent of the currently-visited domain), the right column is for rules specific to the currently-loaded domain. This is strictly inferior to uMatrix, which allows me to set rules for every part of the dns name (e.g. I can easilty switch between settings rules for news.ycombinator.com, ycombinator.com and even for all .com sites). So what's missing: source domain control for the rule(s) I'm currently configuring.

What's more, in uMatrix I could set a hard block on a toplevel domain (say, google.com) and then add a whitelist for a subdomain (say, mail.google.com) which would override the higher-level block. Since UBO only uses block (red)/ignore (grey), this kind of setup is not possible. So what's missing: an explicit allow/ignore/block toggle like in uMatrix.

What is the significance of the +'s and -'s in the various cells?

These are blocked and allowed resources, so there's some level of feedback there. But it seems that CSS resources are not included in those statistics at all, and images do cause a + to be displayed in the domain-specific row but not in the generic "images" row whereas third-party javascript gets a + in the domain-specific row and in the generic "3rd-party scripts row". So what's missing: I want resource type indicators rather than generic "+"

I'll repeat what I wrote as a response to the sibling comment because it seems to be a fundamental UI issue: the UI of UBO still seems geared towards a one-dimensional blocklist and is missing all the controls for two-dimensional control of [domains]x[resource types]. And after years of safely browsing the modern web with uMatrix, I can't imagine going without that control.

-- edit:

To explain a bit more my thought proces behind how I browse the web: I maintain effectively four trust levels in the browser, which are:

(0. not a browser trust level: pihole-style dns rpz blocking)

1. no trust: all outgoing connections to the domain are blocked.

2. static content: html/css/img is allowed to be loaded from the domain.

3. dynamic content: allow javascript and cross-site requests

4. embeddings: mostly used for payment processors, these tend to get very anxious if some things don't work as expected.

My default (uMatrix) settings put the primary domain at level 2 and all third-party sites at level 1. Surprisingly, this still works fine for a lot of sites, at least the sites that I find worth reading. I guess I'm enough of an academic to prefer reading over "consuming" content.

The first trust increase, if needed, is to selectively bump third-party domains belonging to the same first party to trust level 2. This is mostly because CDNs use a different hostname (such as theguardian.com using guim.co.uk for their content, bbc.co.uk using bbci.co.uk). These rules are configured once as I encounter them, then saved so I won't need to worry about it again.

Then there's webshops I frequent, which are by default at trust level 3. But even there, only the first-party domain is at trust level 3, and the payment provider for the site it whitelisted at level 4. But other third-parties are still at level 1 or 2. Even for these sites, I prefer to keep the trust low and only elevate said trust when I'm actually making a purchase.

So, with respect to uBlock Origin: I don't see how it would allow me to switch easily between trust level 2 and 3 for each third-party domain. And as described here, I use trust switching a lot -- it's become an ingrained part of my browsing habit. In uMatrix, the same is actually very easy, I only have a resource-level Deny on javascript and a resource-level Deny on iframe embeddings. Setting a specific domain to Allow will only bump it to trust level 2 because the resource-level Deny's are still in plac...

You can also just set uBlock Origin to disable JavaScript by default.
There is also https://noscript.net/

I don't think umatrix is actively maintained any more

Correct, umatrix is not actively maintained anymore. It still works flawlessly and is (IMHO) feature complete, but as time goes on it's good to be cognisant of the security implications.
Unwanted javascript is a job for the browser to refuse. Which is why the people who ship browsers try to make refusing as difficult or confusing as possible.

-----

Turns out that youtube also has:

1) the dominant browser;

2) the same interests as, multiple partnerships with, and very little actual competition with the company that runs the next biggest browser in a walled garden, and

3) been completely funding the development of the browser that continually press releases as if youtube's aims are pure evil and that they are the only opposition.

Pointless, you are already in complete control of this. Just disable JS, enable it when you want.

If a website doesn’t support your usecase, that’s on you, there is no ADA requirement for JS-free websites

Doesn't that same argument apply to cookie consent popups?

Privacy shouldn't only be afforded to the more technical users.

I’d be interested to see the data that shows cookie notifications have had a useful impact.
I'd wager they've had a "useful" impact, in that they've done a lot to coerce/manipulate users into allowing tracking cookies. :\",
Doesn't that same argument apply to cookie consent popups?

Yes! I would have much preferred the EU to make PSAs explaining how to disable cookies in browsers rather than inflicting popups on billions of users.

Companies are being purposefully obtuse with popups as a form of malicious compliance (and in some cases looking suspiciously like political statement) - and you're blaming the EU for it?
you're blaming the EU for it?

Yes. If you create regulations with the assumption that they will be followed exactly how you want them to be rather than considering how entities who don't share your goals will react, you are doing a bad job.

Cookie consent popups are not mandated by the GDPR (the EU privacy law), they’re just a stupid (and often infringing) reaction to it.

The GDPR disallows tracking without consent, but more in the spirit of “don’t track” than “get consent”. It also specifies that conditions should be clear, and that not granting consent (or withdrawing it) should be as simple as granting it. It even specifies that sites that request private information from kids should be clearer, because they need to understand what they’re accepting even if their guardians will provide the consent.

Cookie consent popups are not mandated by the GDPR (the EU privacy law), they’re just a stupid (and often infringing) reaction to it.

They're an entirely rational and predictable reaction to it. If you're trying to regulate bad actors, it should be utterly unsurprising when they game the easily gameable rules.

The GDPR disallows tracking without consent, but more in the spirit of “don’t track” than “get consent”.

Then it should actually ban tracking, without the loophole of "you can track as long as you get the user to click a button, also you can't offer them anything in exchange for doing so". That's just asking for all the dark patterns we've gotten.

> They're an entirely rational and predictable reaction to it.

The problem isn't that. The problem is that people are being convinced that malicious compliance is somehow the EU's fault. This is clearly the bad actors being bad; the thing that's being gamed isn't GDPR, but publicity around it. As in, the EU should probably invest some money in naming and shaming actors complying in bad faith (if at all).

It does and that's what makes the nonsense of cookie consent laws. How are you going to keep track of the user's preference of "no" to cookie tracking? It's the browser saving the data, not the website.
(comment deleted)
It allows them to create a profile of the users. Same reason android no longer has an api to detect which apps are installed along side yours.
The profile being a "Uses Ad Blocker Y/N" ?
Just a handful of (binary or more) attributes such as that one are enough to tell apart a user from thousands of others.
Tied to your IP, which makes it collection of personal information. Meaning you need to consent to it and they are not allowed to do it unless it's strictly necessary in order to deliver the service, bill you and so on.

They can choose not to provide the service unless you pay.

They can also choose not to provide the service to unregistered users and give out free daily watches as a part of their marketing campaign. Then you enter a simple contract by opening an account and agreeing to their terms.

Terms which can include data collection, but it has to be possible to opt-out from it without losing access to the service.

I was under the false impression they have hash that was created by playing the ad and got that back to confirm the ad ran somehow.

I'm not familiar with tbh because the idea of working on ad software and SEO seem like the most boring possibly ethically dubious jobs.

It is, it also makes so much money, that google can pay people tons and basically throw all the amenities at them to keep them happy.
Every HTTP request should ideally be preceded by a dialog button and if affirmative consent is not provided, the request shouldn't be made.

For example, I did not consent to this y18.svg file that this website has served to me. This is a non-consensual violation of my computational autonomy. Just to put a logo up? Horrific.

>There is no tracking involved,

Wouldn't that depend on when YouTube starts the "three video" counter? A blanket ban on ad blockers may not violate the law, but their implementation may.

That would be a welcoming change! With html5 standard, pages can have text, image, video, even css animation, all without JS.

If the page need to load some SPA app, draw the canvas (accessing GPU), or WebUSB, etc, then ask for permission would be a good idea. Just like how accessing ones' camera and mic requires permission. It will force web developers to do less stuff in JS for just display. And if an app type of application is needed, then ask for permission.

Please no, cookie banners are annoying enough.
From the linked EU memo in the YouTube description: https://ec.europa.eu/commission/presscorner/detail/en/MEMO_1...

Can users still use ad blockers?

The proposal does not regulate the use of ad blockers. Users have the freedom to install software on their devices that disables the display of advertisement. At the same time, the Commission is aware that 'free' content on the internet is often funded by advertisement revenue. Therefore, the proposal allows website providers to check if the end-user's device is able to receive their content, including advertisement, without obtaining the end-user's consent. If a website provider notes that not all content can be received by the end-user, it is up to the website provider to respond appropriately, for example by asking end-users if they use an ad-blocker and would be willing to switch it off for the respective website.

Sounds like this video is trash then?
Depends on the definition of 'appropriately' really doesn't it.
The video is what had a link to the memo and is what pointed out the apparent contradiction. The memo is from half a decade ago and what alexanderhanff was able to get them to say in the referenced letter was separate[0]. It will probably need to be decided more definitively in court or by some commission somewhere, since it seems like the left hand doesn't know what the right hand is doing.

[0]: https://twitter.com/alexanderhanff/status/722861362607747072

Are people actually getting blocked? I saw the adblock-block popup once, and after flushing the cache and updating filters of my adblocker I haven't had any issues using yt since. Am I just in a lucky A/B group or is the detection and blockage actually that toothless?
I’m getting fully blocked. I barely mind it anymore though, it basically acts as a great procrastination block. (I think there’s work around a like that embedded videos still work but I like reducing the amount.)
This is why I'm surprised by their tactics.

Google is SO data driven, and many people's objectives are going to be impacted by the reduced watch time.

They're going to have to (or already have) modify the objectives of many, many employees

Premium was the worst purchase I ever made. I used to scroll shorts on my phone until my rage towards ads was strong enough to overpower my desire to continue. Now there's no release valve. I should go cancel it actually...
I get the pop up constantly. But you can just close it and watch the video.
Cannot watch a video at all with it enabled while in my account.

If I go incognito I can.

FreeTube for now, I guess.

I got blocked briefly. I switched to non-logged-in or using an alternative interface for a bit. I switched back and haven’t seen hide-nor-hair of the warning. I don’t know what that means though. Here’s hoping they don’t disable my Google account.
Oh, as of this afternoon I'm seeing ads show up on YouTube (I'm using Brave, with no additional ad-blocking) now. I guess we'll see how it plays out.
Yesterday I got the popup constantly but could chose to watch anyway. Today it said "you can watch 2 more videos.." and now I'm blocked after said 2 videos.
I've seen the pop-up twice in roughly two weeks, both times in Firefox on Linux with uMatrix, uBlock Origin and SponsorBlock.
Chrome users are out of lock due to the way extensions work, Firefox users can continue blocking without issue.
Ah makes sense. Guess it also helps me that I never use yt with a user logged in.
Yes, it's crazy. Upon updating ublock, even turning it off and clearing cookies resulted getting blocked.
you need to clear cookies and local storage on youtube.com and also google.com, update ublock, and make sure you're on the default filter settings, then you'll get unblocked
I've been blocked for a week now.
you need to clear cookies and local storage on youtube.com and also google.com, update ublock, and make sure you're on the default filter settings, then you'll get unblocked
I know, I just don't really care.

I never watched much of any creator-based content, just used it to browse for music, most of which was uploaded by someone other than the artist and, usually if I like it, I'll go and buy it directly from the artist/label. Someone's gotta pay for that hosting, though, right?

Sure, I'll tell my ad blocker to allow YT ads through, that's a compromise I'm fine with. But Google decided, arbitrarily, that that compromise isn't good enough and the mere presence of an inactive adblocker is enough for them to tell me to fuck off.

If that's how they're gonna be, then it's not gonna bother me at all to use Invidious.

I'm blocked, but for a different reason. Every click, their SPA javascript decides i'm not connected to the internet.
YouTube updates the script multiple times per day and uBlock Origin devs are fighting back, but they will always be a little bit behind.

Maybe you didn't try to play videos when they didn't update their fix yet.

if you navigate to elpais.com, they embed youtube videos, and you are required to accept youtube conditions before reproducing the video

https://imgur.com/a/m1NAWeC

I would happily pay for youtube without ads if I was confident that they wouldn't start putting ads in it anyways like always seems to happen with these services.
You could pay for YouTube Premium until it starts playing ads, then?
they will eventually do that
Then stop paying when they do?
Every single streaming service will eventually converge on showing the same amount of ads consumers have shown they're willing to put up with, and that's the amount of ads that are shown on cable TV. That's about 3 to 7 minutes of ads per 30 minute block[1].

Not showing ads is leaving money on the table, and streaming services are like any other company, they will need continuous return on investment no matter what. They will eventually get that return by showing ads[1], shareholders will demand it.

Look at Hulu, Netflix and YouTube. They all show ads now. Netflix previously didn't show ads and now does. Hell, I can't watch a 20-minute YouTube video without watching several minutes of ads.

These services' actual clients are the entities that have million/billion dollar advertising budgets, and not individual customers who pay a paltry monthly fee. Even if services start with no/minimal ads to get their foot in the door, they will eventually have to take their advertising partners' money, and those partners will want to show ads.

[1] https://digiday.com/future-of-tv/ad-supported-streaming-serv...

is Google really that desperate for revenue that they need to do this shit? Comes off as desperate
The thirst is real. I imagine no publicly traded company will ever stop nickel & diming to the ultimate degree. Even when you think the maximum level has been reached, they'll find a new way to extract more from users.
The only revenue target they have is 'more'. There's no stable end state where the goal has been achieved. Population declines are really going to end that model in spectacular fashion.
Do you want the charts to keep going up? If so yes, they need to do this and more...
Why should companies be required to offer content to people for free?
Welll... to be fair, that's literally the only reason the platform got as big as it did, and became "the" ubiquitous video hosting platform. They fronted the cost to capture a massive audience, and now they gradually extract more and more value out of the user base they lured in.
And the irony is, of course, that YouTube got off the ground based off of blatant and widespread copyright infringement.
People forget that when Google was buying them there were a bunch of copyright lawsuits again them and most of the major tech companies were scared to pay too much for them. Once the deals with the record labels worked out they found their footing.
Because they do offer content to people for free, and have for years. And people might actually be willing to put up with ads if they weren't so invasive and obnoxious - static ad banners, for instance, would probably be fine. But interrupting a video every few seconds for several minutes of ads is just ridiculous.

Also because the ability for the end user to have complete control over the content the server sends them has been baked into the web since the beginning. You can send your content for free and hope that I choose to view your ads (which I probably wont,) or you can put your content behind a paywall, and hope it's worth paying for (it probably isn't.)

What you can't do is send your content for free and just expect me to view your ads, as if the internet were old media like radio or television, where even then, you could skip ads with DVR or just change the channel.

It's not our problem corporations thought the web was going to be a gravy train where the rules didn't matter, and they poisoned the well and ruined everything in the process. To hell with all of them, let them burn. We'll go back to sharing videos on torrent or something.

A torrent based youtube replacement sounds fun.
Isn't that basically PeerTube?
if EU can stop this adblock i forgive them for GDRP or whatever its called
GDPR is extremely important and should be adopted worldwide in my view. It creates protections for handling and storing of personal data.
Please explain why you think the GDPR is bad.