In my experience Adblock Plus, NoScript and RequestPolicy allow much more control than Adblock Plus and Ghostery. Adblock is even easier to use if you install the Element Hider Helper.
RequestPolicy is pretty awesome. I've switched to Adblock Edge, which hopefully protects me better than Adblock Plus. Unfortunately, the more I delve into web privacy, the more I think that non-technical users are screwed. How on earth are mere mortals supposed to protect themselves when someone skilled in the art has a difficult time getting web sites to work in a privacy-maximal fashion?
I had to install Adblock on my mother's laptop after she visited a webpage with a malicious advertisement. I went ahead and installed HTTPS Everywhere and Ghostery while I was at it. Non-technical users are completely up the creek without a paddle.
I honestly don't understand why RequestPolicy doesn't get more love from the pro-privacy crowd. It does exactly what they want: prevents sites from issuing HTTP requests to other sites.
I once used a rather ambitious collection of addons, and I've since reduced it to just NoScript and RequestPolicy. And NoScript actually allows Javascript everywhere; it just has the XSS filter enabled. As a result, the vast majority of websites (with a categorical exception, below) work without any fiddling, and I don't see any third-party content at all: advertisements, share/like/+1 buttons, etc.
My only complaint about RequestPolicy is its lack of wildcard domain matching. I'd love to allow access from all sites to 'x.cloudfront.net', but that's not possible in the current version. (Rumour is that this is being fixed, and while I can confirm that wildcards are supported in the alpha version, it's definitely not ready for real-world usage yet.) Unfortunately, this means that some sites just don't work right; eg. 'x.blogspot.ca' always renders oddly, because they all pull from 'blogblog.com' and 'blogger.com'.
It surprises me that more people don't just block third-party cookies. No need to maintain blacklists that way. Sure, you still see ads, but it keeps tracking at bay.
I block third party cookies, Ghostery, and block Flash. I've even opted out on the various ad tracking opt out aggregators.
I still get shown ads correlating to other sites I've visited, searches I've done, or emails I've received on Gmail.
I searched for Niles and Russound multi-room audio one Friday last summer, and HTD.com (Home Theater Direct) has been showing me whole house amps everywhere I go ever since.
The third party cookie block doesn't seem to help much any more.
If third-party scripts or images are still being requested, then what prevents a site- and/or page-specific identifier from being included in the URLs of those assets? And what then prevents those site IDs, page IDs, the IP address you used to make the requests, your user agent's User-Agent string, the Referer header values, and other identifying information from being collected and stored? What prevents them from them from then tying this information together in a way that tracks you and your browsing behavior?
Keep in mind that cookies of any type are not at all necessary for such tracking to occur. The only way to truly avoid that kind of tracking is to not make any such requests in the first place.
I work in web analytics. Recently, one of our clients decided that they wanted to track visitors across multiple domains. After much hemming and hawing, and research proposals, and industry comparisons, the ultimate solution that was decided upon was... third-party cookies.
The change is extremely simple, and the data loss from people who block third-party cookies is like 5%.
So what prevents sites from deploying these technologies? Economics. To your point, there are no insolvable technical barriers. But right now the marginal return return on these technologies in no way stacks up to the marginal effort required to deploy them. Considering the fraction of the population that even knows what a cookie even is, I do not anticipate this changing in the near future. If everyone starts blocking third-party cookies, then yes we'll see an uptick in use, but I don't see that happening this decade.
Not so much. AFAICT anything including an IFRAME to Google (e.g. a map) will set their tracking cookie, and anything fetched from any of their servers will probably try to identify you via browser fingerprinting. To do anything that really matters, you need to block the HTTP requests.
I just tested this and it's simply not true. Cookie headers to an iframe from a third-party domain are suppressed when third-party cookie blocking is on, and sent when cookie blocking is off.
Google whitelists their own third-party cookies by default in Chrome and it's possible other browsers come with a preset whitelist as well, maybe that's what you encountered.
There was an exception for Google in my cookie whitelist that I didn't put there, but after checking some other chrome installs it isn't on all of them.
You're probably right -- I can't create a reproducible test case now. Still, given the browser fingerprinting, you're best off blocking the HTTP connection.
Y'know, something more than a naked link is going to be just a smidge more useful and informative:
AreWePrivateYet recreates Stanford University's Tracking the Trackers: Self-Help Tools study on a continuous basis in a reproducible way. The above chart compares the level of protection provided by the different privacy extensions across various metrics.
It is also worth mentioning that http://www.areweprivateyet.com/ is created and maintained by Evidon, the makers of Ghostery (and unfortunately, they have no placed any obvious disclaimer except the footer mention and the top right ghostery logo which is not entirely sufficient imo
Not by my experience. I also use Element Hiding Helper and found many Google-based elements (such as YouTube sponsored videos) would still be visible using ABP. When I switched to ABE, my filters worked as expected.
I dont even know what YT sponsored videos are. I am always shocked when I see ads before/after a video on a friends computer. Did you have a crappy blockilist subscription with ABP?
Ghostery is fantastic after you've set everything to get blocked automatically, but it's noisy out of the box (you have to really go through every setting to get it just right), and many websites simply break if you block some external scripts from loading.
Probably. They're pretty open about their business model -- gather data about where ads get served, and sell that to the people buying those ads. As long as a minority of people use Ghostery, they can keep making money.
The only real way to control tracking is via an HTTP proxy that blocks connections to known bad actors (e.g. Google). Keeping an up-to-date list of miscreants is a pain, but doable. Ghostery does this for you, for a price.
Adding a couple of solutions to the bucket. The first is of course Disconnect [0], which does everything Ghostery does and more, minus their "compromised" business model -
The second is "Self-Destructing Cookies" [1], a browser add-on
that deletes cookies as soon as a tab is closed. Those sites whose cookies you do not want deleted (like, say, HN), you can add to a whitelist.
And yes, use AdBlock Edge instead of AdBlock Plus.
Disconnect is an "of course"? I looked at their issues page and saw these two open requests that are basic requirements for me:
"Feature: option to manage Whitelist/Blacklist #272 -- The whitelist is being stored in JSON format in the FF prefs.js, this is really hard to manage manually. I'd like a basic dialog for Whitelist/Blacklist management of sites."
"Element hiding in Firefox #237 -- Implemented?"
Scanning the rest of the bugs it seems like they do a bad job of doing what HTTPS-Everywhere does extremely well and the graph of behavior-tracking websites looked like a crappy version of LightBeam.
I like Ghostery so far, but the Self-Destructing Cookies add-on looks excellent, thanks :). I just wish that it (and Ghostery) would not make obnoxious and useless notifications by default. Easy enough to change, though...
I should also point out that if you are serious about tracking, you should probably look into disabling Sync and "Signed In" feature of chrome. Though there is no proof yet, but theoretically Chrome update can start tracking based on logged in user.
* Facebook disconnect.
* Google disconnect.
* Ghostery
* Privoxy
* Self Destructing Cookies
* No-Script
I wouldn't be so concerned about the ads themselves if they didn't flash, jump about, get in the way of text, harvest my likes, cross harvest my interests, get hijacked and infect my machine, steal my battery life by being animated etc. etc.
This is what scared me about Add Block by default on browsers. Essentially what's happening is the monopolies (Google & FB) get to keep their profitable business models while all small time content publishers get stripped of revenue. WTF !?
Where's the Anti trust regulation? You'd think they were conspiring to kill independent content creation. Or are they?
What if I choose browse the web with Lynx (text-only browser, no JavaScript). Am I still denying people their income? What if I watch TV and go to the bathroom during commercial breaks, am I denying those people's income too?
I use ABP + Ghostery and most Google ads do not qualify as unobtrusive (I don't use FB). I can't recall having seen a Google ad since installing ABP probably not too long after the new policy (I installed Ghostery a few months later IIRC). E.g. the ads at the top of searches are gone, which is great for me since I use redshift and can never tell where the ads stop and the results begin when it is shifting (it is also nice to not need to scroll down to see actual results, although the re-search as text is entered into the search box thing annoyed me enough that I switched to DDG). For people who installed ABP after the option was added it is well documented.
I think ABP came up with a good list that actually indicates when ads have minimal negative impact. Does following those rules actually harm independent content creation? Before installing ad blocking it was not at all infequent for me to not look at websites at all because the ads were too obnoxious. OTOH, when I find an article valuable I usually look around more at what the site has to offer and would at least see the less obtrusive ads at that point even if I missed them earlier.
Unfortunatly, none of this will protect you from EverCookies (https://en.wikipedia.org/wiki/Evercookie). The only way possible right now is to disable firefox history/cookies/javascript and use private mode, and even then its not 100%. But at that point you wont be able to use most of the sites. This means even if you use TOR or VPN, you can still be tracked. There is one plugin in beta stage called NeverCookies beta (https://github.com/sensepost/neverevercookie) you can also find xpi on softpedia site. NeverCookie does not have any options in beta version. But there is another plugin no one mantioned called "Random Agent Spoofer" (https://addons.mozilla.org/en-US/firefox/addon/random-agent-...) It protects your ETag, X-Forward-For and more.
I don't know, I've used Ghostery and ABP for a while and despite claims of lack of trust, I've had no issues with them. They both allow blocking everything, the options aren't exactly hidden in a locked closet guarded by a leopard.
But I don't get my hopes too high, I know that there are still other ways to track users and I feel it's a hopeless fight (without going to extremes like ABP+Ghostery+noscript+TOR+no cookies+never using the same device twice). But hey, if it annoys them enough to pay for being whitelisted by default on some platforms, it's worth the fight for me.
Ghostery is problematic, I've stopped using their serivce (now using disconnect.me.
Some sources say that Evidon, the company owning Ghostery, plays a dual role in the online advertising industry. Ghostery blocks sites from gathering personal information. But it does have an opt-in feature named GhostRank that can be checked to "support" them. GhostRank takes note of ads encountered and blocked, and sends that information, though anonymously, back to advertisers so they can better formulate their ads to avoid being blocked.[4]
don't forget about flash cookies, a.k.a LSO's or SuperCookies. BetterPrivacy works well mitigating that.
i'd also recommend 'Secret Agent' - "Continuously Randomizes your Firefox/SeaMonkey HTTP User Agent, to Suppress Device Fingerprinting, and Resist Web Tracking. Also Prevents eTag Tracking.": https://www.dephormation.org.uk/index.php?page=81
To expound upon someguy2's recommendation below, I have since moved on my Arch Linux laptop after reading a dev's blog post[0] to using hostsblock to block a lot of known domains to redirect to localhost. That, in conjunction with dnsmasq and kwakd (a ~400 LOC web server in C that only returns <html></html>)[2] for all requests makes me worry a lot less.
I also use disconnect.me (after discovering the motivation behind Ghostery is just to sell info back to marketers). My only real issue is that kwakd is clearly choking on certain sites (namely Google, which I just back to permanent NoScript blockage) with some of the weirder stuff it does with asynchronous JS calls. Blocking Google completely as a result makes my web experience much, much faster and cleaner.
Try the Epic Privacy Browser -- a chromium based browser that rips out all google calls/services and protects your privacy -- it blocks ads and trackers and philosophically doesn't send your browsing through its servers nor collects any data unlike many of the other privacy addons mentioned.
51 comments
[ 1.6 ms ] story [ 109 ms ] threadLooking at the RequestPolicy log does not present an immediately obvious solution.
I once used a rather ambitious collection of addons, and I've since reduced it to just NoScript and RequestPolicy. And NoScript actually allows Javascript everywhere; it just has the XSS filter enabled. As a result, the vast majority of websites (with a categorical exception, below) work without any fiddling, and I don't see any third-party content at all: advertisements, share/like/+1 buttons, etc.
My only complaint about RequestPolicy is its lack of wildcard domain matching. I'd love to allow access from all sites to 'x.cloudfront.net', but that's not possible in the current version. (Rumour is that this is being fixed, and while I can confirm that wildcards are supported in the alpha version, it's definitely not ready for real-world usage yet.) Unfortunately, this means that some sites just don't work right; eg. 'x.blogspot.ca' always renders oddly, because they all pull from 'blogblog.com' and 'blogger.com'.
I still get shown ads correlating to other sites I've visited, searches I've done, or emails I've received on Gmail.
I searched for Niles and Russound multi-room audio one Friday last summer, and HTD.com (Home Theater Direct) has been showing me whole house amps everywhere I go ever since.
The third party cookie block doesn't seem to help much any more.
If third-party scripts or images are still being requested, then what prevents a site- and/or page-specific identifier from being included in the URLs of those assets? And what then prevents those site IDs, page IDs, the IP address you used to make the requests, your user agent's User-Agent string, the Referer header values, and other identifying information from being collected and stored? What prevents them from them from then tying this information together in a way that tracks you and your browsing behavior?
Keep in mind that cookies of any type are not at all necessary for such tracking to occur. The only way to truly avoid that kind of tracking is to not make any such requests in the first place.
The change is extremely simple, and the data loss from people who block third-party cookies is like 5%.
So what prevents sites from deploying these technologies? Economics. To your point, there are no insolvable technical barriers. But right now the marginal return return on these technologies in no way stacks up to the marginal effort required to deploy them. Considering the fraction of the population that even knows what a cookie even is, I do not anticipate this changing in the near future. If everyone starts blocking third-party cookies, then yes we'll see an uptick in use, but I don't see that happening this decade.
Google whitelists their own third-party cookies by default in Chrome and it's possible other browsers come with a preset whitelist as well, maybe that's what you encountered.
AreWePrivateYet recreates Stanford University's Tracking the Trackers: Self-Help Tools study on a continuous basis in a reproducible way. The above chart compares the level of protection provided by the different privacy extensions across various metrics.
https://addons.mozilla.org/en-US/firefox/addon/adblock-edge/
The only real way to control tracking is via an HTTP proxy that blocks connections to known bad actors (e.g. Google). Keeping an up-to-date list of miscreants is a pain, but doable. Ghostery does this for you, for a price.
"Ghostery does not collect any data by default. You may choose to send us data by enabling the Ghostrank™ feature."
The second is "Self-Destructing Cookies" [1], a browser add-on that deletes cookies as soon as a tab is closed. Those sites whose cookies you do not want deleted (like, say, HN), you can add to a whitelist.
And yes, use AdBlock Edge instead of AdBlock Plus.
[0] https://disconnect.me/ [1] https://addons.mozilla.org/en-US/firefox/addon/self-destruct...
"Feature: option to manage Whitelist/Blacklist #272 -- The whitelist is being stored in JSON format in the FF prefs.js, this is really hard to manage manually. I'd like a basic dialog for Whitelist/Blacklist management of sites."
"Element hiding in Firefox #237 -- Implemented?"
Scanning the rest of the bugs it seems like they do a bad job of doing what HTTPS-Everywhere does extremely well and the graph of behavior-tracking websites looked like a crappy version of LightBeam.
Just did a quick Google search and discovered it might be possible to use the "Element Hiding Helper" plugin with Adblock Edge: https://addons.mozilla.org/en-US/firefox/addon/adblock-edge/...
* Facebook disconnect. * Google disconnect. * Ghostery * Privoxy * Self Destructing Cookies * No-Script
I wouldn't be so concerned about the ads themselves if they didn't flash, jump about, get in the way of text, harvest my likes, cross harvest my interests, get hijacked and infect my machine, steal my battery life by being animated etc. etc.
This is what scared me about Add Block by default on browsers. Essentially what's happening is the monopolies (Google & FB) get to keep their profitable business models while all small time content publishers get stripped of revenue. WTF !?
Where's the Anti trust regulation? You'd think they were conspiring to kill independent content creation. Or are they?
I think ABP came up with a good list that actually indicates when ads have minimal negative impact. Does following those rules actually harm independent content creation? Before installing ad blocking it was not at all infequent for me to not look at websites at all because the ads were too obnoxious. OTOH, when I find an article valuable I usually look around more at what the site has to offer and would at least see the less obtrusive ads at that point even if I missed them earlier.
Some sources say that Evidon, the company owning Ghostery, plays a dual role in the online advertising industry. Ghostery blocks sites from gathering personal information. But it does have an opt-in feature named GhostRank that can be checked to "support" them. GhostRank takes note of ads encountered and blocked, and sends that information, though anonymously, back to advertisers so they can better formulate their ads to avoid being blocked.[4]
/Disclaimer; Author.
Whatever the name, it's a great feature. Thanks!
i'd also recommend 'Secret Agent' - "Continuously Randomizes your Firefox/SeaMonkey HTTP User Agent, to Suppress Device Fingerprinting, and Resist Web Tracking. Also Prevents eTag Tracking.": https://www.dephormation.org.uk/index.php?page=81
hosts file is another option: http://winhelp2002.mvps.org/hosts.txt
I also use disconnect.me (after discovering the motivation behind Ghostery is just to sell info back to marketers). My only real issue is that kwakd is clearly choking on certain sites (namely Google, which I just back to permanent NoScript blockage) with some of the weirder stuff it does with asynchronous JS calls. Blocking Google completely as a result makes my web experience much, much faster and cleaner.
[0] http://jasonwryan.com/blog/2013/12/28/hostsblock/
[1] http://gaenserich.github.io/hostsblock/
[2] https://code.google.com/p/kwakd