Adblock Plus gives Facebook users a way to block its extended tracking efforts (tech.eu)
203 points by robinwauters on June 26, 2014 | 112 comments


> The company opted to ignore the Do Not Track setting on Web browsers ... other Internet behemoths, including Google and Yahoo, have publicly confirmed that they also ignore Do Not Track

Am I the only one bothered by the silliness of "Do Not Track"? Or even worse, the EU cookie law?

You have a browser that leaks all kinds of info[1] about itself, tells everyone where you came from (sends referral), takes cookies from strangers like an untrained dog, making you uniquely identifiable and instead of fixing that, you ask everyone on the web to please disregard that info your browser just volunteered. How is that not completely backwards?

AdBlock, RefControl, and Disconnect, or their equivalents should be built into modern browsers. And maybe do something about the user agent, fonts, etc, too?

Don't educate users. Fix it.

[1] https://panopticlick.eff.org/


I also walk around town completely uncamouflaged, voluntarily displaying my uniquely identifiable face and whatnot, and yet somehow most businesses can still restrain themselves and do not follow me around, colluding to enable each other to videotape my every step for analytics purpose.

Sure, there's some technical steps that can be taken but there's also a social or cultural dimension to what behavior is popularly accepted for companies.


Do you wear an ID around your neck? Do you walk into an establishment, introduce yourself, tell the keeper where you came from, when was the last time you visited, check in with an inter-business tracking device, and then ask them to forget all that?

This is what a browser with (or more appropriately, on) DNT is doing. Long way from camouflage.

And offline, we should also employ techniques like randomizing MAC addresses in mobile devices. Just like you lock your car even though it's illegal to jack it.


I don't think that's particularly fair.

The browser shows where you are coming from, similar to you walking from one store that sent you to a second store. The browser's identifying marks are more like the color and type of your vehicle. The ID around your neck? That really is more like a company that would use facial recognition, or tagging your phone and tracking that.

What websites do is exactly what the parent described, like to a T. Often stores track you inside the premises though for marketing and display purposes, or so I've been told.


Browser fingerprints are largely unique, so it's far more identifying than just the color of your car.


They are unique the same way your gender + birthdate + zip code are unique. That is to say, a combination of ordinary parameters that make it unique, and only identifiable if you go to the trouble to do something with the information.
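An added illustration of the point made in the comments above (not part of the thread): attributes that are ordinary one at a time shrink the anonymity set once they are combined. The visitor records and attribute names below are constructed sample data.

```javascript
// Constructed sample of eight visitors; every value is made up for illustration.
const visitors = [
  { ua: "Chrome",  tz: "UTC+1", screen: "1920x1080", lang: "en" },
  { ua: "Chrome",  tz: "UTC+1", screen: "1920x1080", lang: "en" },
  { ua: "Chrome",  tz: "UTC+1", screen: "1366x768",  lang: "en" },
  { ua: "Chrome",  tz: "UTC-5", screen: "1920x1080", lang: "en" },
  { ua: "Firefox", tz: "UTC+1", screen: "1920x1080", lang: "de" },
  { ua: "Firefox", tz: "UTC-5", screen: "1366x768",  lang: "en" },
  { ua: "Chrome",  tz: "UTC-5", screen: "1366x768",  lang: "de" },
  { ua: "Chrome",  tz: "UTC+1", screen: "1366x768",  lang: "de" },
];
const ALL_ATTRS = ["ua", "tz", "screen", "lang"];

// Build a lookup key for one record from the selected attributes.
function keyOf(record, attrs) {
  return JSON.stringify(attrs.map((a) => record[a]));
}

// For each record, count how many records share its attribute combination
// (the size of its anonymity set).
function anonymitySets(records, attrs) {
  const counts = new Map();
  for (const r of records) {
    const k = keyOf(r, attrs);
    counts.set(k, (counts.get(k) || 0) + 1);
  }
  return records.map((r) => counts.get(keyOf(r, attrs)));
}

// Fraction of records whose combination is shared with nobody else.
function uniqueFraction(records, attrs) {
  const sets = anonymitySets(records, attrs);
  return sets.filter((n) => n === 1).length / records.length;
}

// Identifying information, in bits, carried by one record's combination:
// -log2(share of the population with the same values).
function surprisalBits(records, attrs, index) {
  const share = anonymitySets(records, attrs)[index] / records.length;
  return -Math.log2(share);
}

// One row per single attribute, plus one row for all attributes together.
function report(records) {
  const rows = ALL_ATTRS.map((a) => ({
    attrs: a,
    unique: uniqueFraction(records, [a]),
  }));
  rows.push({
    attrs: ALL_ATTRS.join("+"),
    unique: uniqueFraction(records, ALL_ATTRS),
  });
  return rows;
}

console.table(report(visitors));
```

No single attribute singles anyone out in this sample, while the four together make six of the eight visitors unique.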


I haven't seen many physical stores tracking license plates in a similar fashion.


No, that stuff only happens when I pay with my credit card, I guess.


And use a frequent shopper card.


And fill out those surveys on the back of the receipt where you would win $1,000 in gift cards.


> Do you wear an ID around your neck? Do you walk into an establishment, introduce yourself, tell the keeper where you came from, when was the last time you visited, check in with an inter-business tracking device, and then ask them to forget all that?

Don't worry, there's a startup that's "fixing" that[0].

Nomi uses the MAC address of your phone to identify the brick-and-mortar venues you visit. It's opt-out for consumers, and the only way to opt-out is to register your MAC address with them[1].

[0] http://getnomi.com/

[1] http://nomi.com/privacy/


This actually gets killed by an upcoming iOS 8 update (which randomizes your MAC every time it searches for wifi networks). Big pro-privacy change from Apple. While it is problematic that this is iOS only (for now, at least), the large number of iOS devices will introduce a ton of noise and make the tracking much less interesting for any company, even if they can theoretically still track Android devices.


Luckily there's a simple solution to that: randomized MAC addresses. My laptop assigns itself a random MAC address on boot. About the only downside is that some captive portals require me to re-sign-in on boot.


Another downside on some (private) networks is that it breaks MAC-based DHCP reservations.


Actually, I don't lock my car because the crime rate in my area is pretty low. In fact the front door of my parents' house is unlocked during the day when they're not home. They've never been burgled.


Hmm... what if I re-post a legal-sounding statement as my status that refuses to give Facebook permission to use my information? That would work, right?

http://www.snopes.com/computer/facebook/privacy.asp


> Do you walk into an establishment, introduce yourself, tell the keeper where you came from, when was the last time you visited, check in with an inter-business tracking device, and then ask them to forget all that?

If the shopkeeper kept a logbook that recorded all of that, and then he published said logbook to other companies, you might feel that this was going a bit further than the social contract between you and the shopkeeper allows.

Though not a perfect analogy, the shopkeeper and you having small talk -- without anyone writing things and keeping the records forever -- would be tantamount to the server keeping the values in a transient fashion (i.e. for the duration of the request or session and then dropping them).


>Do you wear an ID around your neck?

Yeah; it's called my face.


Can I follow you anywhere and photograph/record you doing everything? This is usually called stalking and it's illegal, unless it's done by the government, when it's called protecting from terrorists.


I agree with you 100%. There's no technical solution.


If you're in a car, yes you do. A license plate - and these scanners are all over the place.


Check out Pry-Fi by Chainfire for Mobile MAC address randomization.


> I also walk around town completely uncamouflaged, voluntarily displaying my uniquely identifiable face and whatnot, and yet somehow most businesses can still restrain themselves and do not follow me around...

It's a matter of cost/benefit to the businesses, that's all. When a business can track customers cheaply and finds the data useful, they just do it:

http://www.nytimes.com/2013/07/15/business/attention-shopper...


> yet somehow most businesses can still restrain themselves and do not follow me around

Hmm no. It's just harder to do but they are working on it. Any big shop uses tons of tracking on every level. Pay by CC or use your fidelity card, facial tracking, MAC address of your phone. In London a company was providing the phone tracking service on the streets, installed on their bins, until they got shot down by the government.


If you use any credit card, points or frequent shoppers card or participate in loyalty program, you are being tracked. If you use an e-coupon, you are being tracked. They are not colluding -- they collect this information and hand it to the data mining companies.

Why do you think the buzz around big data exists? It's not just for curing cancer; it's mostly to track and model individual consumer behavior.


Don't you know almost every shop tracks you by your CC, and they literally put up fake wireless networks, so they can track your phone MAC address when you walk around a store?

The world on the street is exactly as cynical as the one online. It's the same world. Online it's just easier to track people even more, so they get tracked even more.


Retail stores most definitely do follow you around and track every move you make in their store and on the parking lot.


The browser giving information automatically is not trivial to fix; the vast majority of users don't want the equivalent of a UAC popup every time they try to use a web app that has session cookies, for example. So the browser gives info by default because it's useful for making certain things work.


It seems to me that the best way to do this is to combine both approaches. There are some things you can do, but there's almost certainly going to be some clever way that people manage to circumvent these rules. One thing to consider is that the biggest threat is from the "omnipresent" companies like Google, Facebook, Twitter, etc, because they're the ones who have a 3rd party presence nearly everywhere on the web. Tracking someone's entire web history is a lot different than tracking 1 out of every 100 websites they go to, and the "big players" are the ones who are most likely to actually be scrutinized. I'm usually quite loath to recommend any legislation, but I do think that these "big players" would likely comply with a legal requirement to respect "Do Not Track" requests, even if CoolBeanzTracker.biz would still ignore them.

In the end, I think the way forward should be to do our best to prevent our browsers from leaking such information, but also to punish people who, against our explicit wishes, take advantage of any small mistakes we make when we protect ourselves.

By analogy, it's probably not smart to go into a bad neighborhood at night alone with no protection, a large amount of cash and a flashy suit, but that doesn't mean that it's a silly thing to try and deter robberies and assaults on a societal level (either with social strategies like shaming and shunning or with violent strategies like law enforcement or retributive violence) - to the extent that it's cost-effective to do so.


Someone should make a plugin that actively sends facebook false tracking information along with your own.


I was seriously considering making a browser plugin which would scrape pages for Google Analytics unique IDs, make a local database of them and randomly mix them up. Like this:

  0. [page visited]
  1. Does the page contain GA tracking ID?
    no: do nothing
    yes: add it to the database and replace it with another randomly chosen ID from the database


Haha that's great. You definitely should. Hell, I think I just found a project to screw around with this weekend!


Wouldn't referral headers give this away? Unless you change those too of course.


You seem to have more clue about web development than I do (my only experience with web are Perl/CGI scripts of early 2000s).

Can you describe in more detail how google could detect that the GA identifier has been swapped and how to prevent detection?


I'm by no means an expert, but usually when a web browser makes a request for a resource it includes a referral header which tells the server where it came from. This header is probably sent both to the initial javascript request and to the tracking pixels it requests to send new info to Google. At a first glance I feel like if you change the tracking id, and the referrals, you may have some success messing with their system.

But again, not an expert and I could easily be missing something crucial.


Too late to edit now, but also I would not be surprised if the javascript they use records the url that is visited and reports that back as well.


Would pay for that.


Please do this!


IDs are tightly coupled with domains, no?


I wonder if Google would get them banned if this happened.


Now that's a funny idea. Instead of just opting out you can poison the tracking info pool which basically invalidates any of the data they get even the legitimate stuff.


Yeah. The data could even be pooled among some users to fuzz the stats even more, the same way some people shuffle their groceries card.


And thereby forcing them to try figure out "who" is creating the poison data, which seems like quite a difficult problem to solve.

*Edit:typo.


I seem to remember a schoolgirl developing a project to do exactly that, a few months ago on HN. Trying to dig it out now, unless anyone else can chime in?


Sounds like a 2014 variant of emacs' "M-x spook", for tracking rather than the NSA


This is part of the better long-term solution for online privacy. Spend the effort to educate users about privacy and tracking and build easy to use software options, rather than investing time in standards that don't get adopted and are based on trust.

The voluntary standards were never going to work since the interests of the parties involved are diametrically opposed. The voluntary systems only work for the ad companies if a very small number of users take up the option and if privacy remains a niche issue. As soon as developers looked to apply DNT broadly, they baulked.

Trust is also an issue. Facebook previously said that although their share buttons are hosted on the same domain as facebook.com, meaning cookies are sent - that they are not storing or tracking user web browsing data. They now are using that data, and very little was made of the reversal.

The same reversal or business changes could turn on DNT in the same way. With DNT the sites still receive the cookies and can still store the data. They are able to comply with DNT for a period and then later reverse their position and still use the old data for targeting (and a DNT header is one more data bit that says a lot about a user).

There are now a number of competing opt out standards. None of them really work and they each have problems, but companies need to be able to say they let users opt out whenever they announce a new tech that encroaches further into our lives (Facebook use aboutads, the NAI has their own, Google has its own, most of the aggregators have their own, there are other efforts to sync opt-out).

The solution is to cut the problem off at the head and solve it with software. Browsers and that are easy to use in terms of specifying who you trust (like installing an app) and that don't ever make third-party requests by default. Now that the pretense of negotiating a solution has been dropped, effort can go into developing better software control for users and tech solutions - since none of the current offerings are perfect (which is excusable).


AdBlock Plus once blocked Google ads, till Google decided to pay them [0] to "whitelist" their ads by default. The cynical part of me sees this as a precursor for AdBlock to sign a deal with Facebook and let their ads/tracking through too, for a price of course.

[0] http://www.theverge.com/2013/7/5/4496852/adblock-plus-eye-go...


AdBlock Plus wants to encourage non obtrusive advertising. Anyone can apply to have their ads/website added to the acceptable-ads whitelist. Larger companies are charged a maintenance fee.

There is a single checkbox in the options to toggle the whitelist, as well as a link to filter list being used and documentation.

Source: https://adblockplus.org/en/acceptable-ads


Yeah, but silent tracking in the background does not seem obstructive by their definition.


Well, it is AdBlock, not TrackingBlock. There are other extensions out there to help with that problem. Popular ones are NoScript (which improves the web in many more ways, as well) and Ghostery.


From as often as I hear people complaining on forums like HN and reddit that a linked site doesn't work due to NoScript, I would question how many people would agree that it improves the web.


It's not "doesn't work due to noscript", it's "doesn't work because it requires javascript". The blame is on javascript, which degrades the web most of the time.


It IS "doesn't work due to noscript". Browsers come with Javascript. Websites use Javascript. The owner of the site wrote the site using Javascript because browsers support Javascript by default. You specifically turned off Javascript, even though it's a default part of the web.

You broke your experience. If you turn off your car's engine and the brakes and steering stop working, that's not the engine's fault, it's yours.


I do remember a few years ago when everyone in web development talked about how your website has to degrade gracefully in the absence of some technology (JS, flash etc). Now nobody cares. I come across sites that won't even show me the text unless I allow fonts.googleapis.com (via RequestPolicy).

The general point being the most websites I visit I am just reading text. Yet, I usually have to allow a few secondary domains (that serve JS and data), before the text gets into a form better than soup.


A few years ago there may have been a fair amount of users that legitimately didn't have capabilities to display such pages. Now they don't, so why spend a lot of time or change front-end development to accommodate a tiny number of users?


It takes about 10 lines of boilerplate css to turn soup into something readable. Which you can then modify via JS as much as you want.


I don't want to use these browsers. I don't want to run these scripts. I want text, sometimes images, maybe a video. If you are serving scripts instead of the thing I'm there for, you are hurting my browsing experience. You are trying to assume control over my browser and my browsing habits. Noscript can help my browsing experience in some cases, but not always. It's giving me back some control.


Sounds like you want to read documents, not use applications that people are making. That's fine, but it's not the modern web, not by a long shot. It's fine if you don't want to execute someone's app, but don't act as if it's some higher ground.

Why should anyone spend time rewriting their entire UI to run on a server and hack up rendering for you because you don't wish to run their UI code?


I'm not telling what people should or should not do. I'm just saying that they are ruining the experience for me by trying to shove unwanted apps down my throat when the thing that really matters is the text and images which can and traditionally have been done just fine without upstream apps. There is nothing for me in the "modern web", I don't want it if it doesn't help me. The web is not an end, it's a means.

So when people show their work (implicitly asking for critique), I think it is perfectly appropriate critique to point out if the static content (information) that matters cannot be displayed without Javascript. You don't need to run a UI on the server for me. No, you don't need to hack up rendering for me. My browser renders things itself. I want the browser to render things for me, according to my preferences. I don't need your rendering. My browser is my UI. Just give me the content in the right format so it can present it for me, with the interface that I am accustomed to and in charge of.


Incompetent and control-freak authors are making applications that do nothing more than force one bizarre rendering of their documents. We were naive enough to provide tooling to make that feasible, and now it's become a platform which is displacing the World-Wide Web of open hypertext which could be repurposed.


And if more people were willing to use NoScript, forcing web designers to not make javascript a mandatory part of their content delivery, we'd all get a much more secure and private internet.

But since those web designers probably monetize their content through the same ad networks we're trying to block it seems like a catch 22.


And if we were willing to block HTML, we wouldn't need color monitors.

Welcome to 2014.


There was a time when we could view html just fine and we didn't need color monitors. Then web developers happened. CSS happened, javascript happened..


Or use the easyprivacy list. https://easylist.adblockplus.org/en/



Thanks, I already do


and of course, it can't be installed on chrome.

almost makes me want to switch to firefox completely and use adblock-edge.


If you are trying to avoid being tracked by Google I don't recommend using Chrome.


If you want to disable the "Allow some non-intrusive advertising", that option is available.


Or just use the other one: https://getadblock.com/


I have adblock installed on every machine I use, and I have that unchecked. Google 'unobtrusive' ads still appear.


and to all site owners moaning about people using adblock : this is why we can't have nice things. as long as policies like this exist, I'll block anything remotely able to track me.


If it's the tracking you'd like to avoid, don't use ad blockers!

They're the wrong tool for the job. They're for blocking ads. So they'll block ads that are not leaking your info (for your use case, a false positive) and will not (not necessarily) block other means by which you're being tracked (for your use case, a false negative).

Use something like RequestPolicy (https://addons.mozilla.org/en-US/firefox/addon/requestpolicy...) or PrivacyBadger (https://www.eff.org/privacybadger) instead. That way, you're not blocking ads per se — though a side effect of using RequestPolicy is that you won't see many ads — you're blocking the leakage of information to third parties instead.

Using blanket ad blocking sends the wrong signal to site owners, and creates little incentive to do the 'right thing' — it lets the "bad apples" (which I imagine to be something like 99% of the online ad businesses) spoil it for the one percent that does value your privacy, with no way for anyone to improve. Using ad blocking for privacy reasons is not completely effective (false negatives) and worse, it's punishing individuals for the behaviour of the flock.

=========================================================

Edit: Found the perfect example of the false-positive and false-negative I'm talking about above: http://www.gentoo.org . Harmless ads — just images inside html <a> anchors, loaded from the domain in the site URL. Not leaking anything. The ads help an organization I support.

So what does AdblockPlus do (default settings)? It blocks them. What does RequestPolicy do? It lets them through.
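The false positive and false negative described in this comment, as an added sketch that is not part of the thread and is not either extension's real logic: a pattern-based ad filter compared with a cross-site request policy. The rules, the hostnames and the two-label "site" heuristic are assumptions made for the illustration.

```javascript
// Constructed page load; all hostnames are placeholders, not real services.
const PAGE = "https://www.site.example/";
const REQUESTS = [
  { url: "https://www.site.example/images/ads/sponsor-banner.png",
    note: "self-hosted ad image" },
  { url: "https://static.site.example/css/main.css",
    note: "same-site stylesheet" },
  { url: "https://tracker.example.net/pixel.gif?uid=123",
    note: "third-party tracking pixel" },
  { url: "https://widgets.social.example.org/like.js",
    note: "third-party social button" },
  { url: "https://ads.adnetwork.example.com/banner.js",
    note: "third-party ad script" },
];

// Simplified stand-ins for ad-filter rules (assumption: not real
// filter-list syntax, just substring and host-prefix matches).
const AD_PATH_PATTERNS = ["/ads/", "/banner"];
const AD_HOST_PREFIXES = ["ads."];

// Assumption: the "site" is the last two hostname labels. A real tool needs
// the Public Suffix List to get this right for suffixes such as co.uk.
function siteOf(urlString) {
  const labels = new URL(urlString).hostname.toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

// Strategy 1: block anything that looks like an ad, wherever it is hosted.
function patternFilterBlocks(urlString) {
  const u = new URL(urlString);
  return AD_PATH_PATTERNS.some((p) => u.pathname.includes(p)) ||
         AD_HOST_PREFIXES.some((h) => u.hostname.startsWith(h));
}

// Strategy 2: block any request that leaves the site of the page being
// viewed, whatever it looks like.
function crossSitePolicyBlocks(pageUrl, urlString) {
  return siteOf(pageUrl) !== siteOf(urlString);
}

// Evaluate both strategies for every request of the page load.
function compare(pageUrl, requests) {
  return requests.map((r) => ({
    note: r.note,
    crossSite: siteOf(pageUrl) !== siteOf(r.url),
    patternFilter: patternFilterBlocks(r.url),
    crossSitePolicy: crossSitePolicyBlocks(pageUrl, r.url),
  }));
}

// Judge the pattern filter against the privacy goal "nothing goes to a
// third party": blocked same-site requests are false positives, allowed
// cross-site requests are false negatives.
function patternFilterErrors(results) {
  return {
    falsePositives: results
      .filter((r) => r.patternFilter && !r.crossSite).map((r) => r.note),
    falseNegatives: results
      .filter((r) => !r.patternFilter && r.crossSite).map((r) => r.note),
  };
}

const results = compare(PAGE, REQUESTS);
console.table(results);
console.log(patternFilterErrors(results));
```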


So don't use Adblock Plus because it works too well? And if there's false positives with either the Adblock or Tracking lists it comes with whitelists get around certain website bugs.


No, don't use Adblock Plus because it blocks the wrong thing (if you're actually wanting to protect your privacy vs just avoid ads). You want to avoid tracking, so you avoid ads... leaving all the other methods of tracking out there, and blocking ads which don't track you at all.


I tried requestpolicy, I found it too cumbersome to use. with adblock edge, I subscribe to 2 lists and I'm done. I'd try again if they adopt such a feature.


It is very difficult to get somebody to understand something when they have some amount of income depending on not understanding it. Of course site owners are always going to stand behind the ad-supported model of the web, even though it creates all the wrong incentives for content creators and massively degrades the user experience. And generally, degrades the very value proposition of the web.

(disclaimer: I run a 5k DAU social network with no ads).


I will happily accept advertisements as long as they are self-hosted in a way that doesn't report back to any external entity.

The problem [for me] is not the advertising as long as it's reasonably done (static, textual, non-invasive). It's the fact that every third party has their own behaviours, and I have no idea what any of them are. I instead must rely on the judgement of the person running the site - and most of them appear fairly unaware of the privacy implications associated with both advertisements and analytics services.


At least part of the problem is that we, as a society, have no idea how to fund the development of creative / digital works. We can't find good business models for this in general.

I agree that ad-supported is terrible. But how else? I'm hopeful for donation-crowdfunding and simple, liquid micropayment options online. But I don't know that that could significantly displace ads.


> At least part of the problem is that we, as a society, have no idea how to fund the development of creative / digital works. We can't find good business models for this in general.

Very true. This says something about how we as a society value those works and how our economic organization discourages some kinds of work/content.


true. but as long as site owners use ad-providers that track me, I don't really care. I will gladly reconsider my blocking ads if and when ad-providers are used that don't do this.

maybe site-owners should pressure ad-providers to provide a track-free service ?


The lower targeting potential reduces the value of the ad site as it is sold down the chain, so if the site owners are using the ads to fund themselves they are unlikely to ask for this en masse as it would reduce their income.

Of course you could argue the moral and inconvenience cases as sites make these judgements when choosing advert networks already but "a bit of tracking" does not have the same moral weight to most as "porn and gambling" or "the annoyance of pop-ups/unders and drive-by install attempts" when deciding where they are comfortable to take money from.


Then why don't the sites provide the same options that you get with some ios apps. Default is free with ads, otherwise pay a nominal fee to remove the ads.

Without the latter the ads being compulsory is just enforcing advertising on your users without knowing if they even want it.


Probably because it is more work in that environment. To accept payments for an ad-free version you need to create and maintain some sort of payment processing, and of course user authentication & session management. With iOS apps a lot of this is baked in.

Also it is much easier (for a non-technical user at least) to just skip the ads on the web using browser plug-ins, than it is to get around them in an app, so to an extent this extra work may be wasted and the number of people who take up the "pay for no ads" option might not be enough to warrant the work that goes into maintaining it.

There are some sites that offer the "ads or pay" option so it presumably works out worthwhile for some sites, but I've not seen it often.


I use web less and less. It just does not have that good experience, compared to dedicated devices and apps. Also it requires constant connection, way too much hassle while traveling.

For video I use dedicated apps with off-line caching. For email I have IMAP. I get news via RSS. Anything longer than 1 page, I save and read on Kindle later (including HN discussions). I have off-line version of Wikipedia.


I recently switched from Adblock Plus to HTTP Switchboard[0]. I find it gives you much better control over what gets blocked, and it properly blocks what you have told it to, not just hide them.

I have it set up in quite a restrictive way so by default a site level scope is created and only image/css is allowed. It means I have to take anywhere from a couple of seconds to a few minutes to enable things a site needs to function, but I much prefer that to having tracking cookies, social media buttons, obnoxious adverts etc.

Also the Adblock site claims you can also block a few annoyances specific to Facebook[1]. Is that actually the case? I thought Adblock just used element hiding.

[0] https://github.com/gorhill/httpswitchboard/

[1] https://facebook.adblockplus.me/en/


Initial ad blocking extensions for Chrome used element hiding due to addon limitations in Chrome. But for at least the last few years Chrome allows extensions to block requests.

I think Firefox has always been able to do this.


Last week-end I introduced µBlock (or uBlock) [1] for users who do not like to deal with the more complicated HTTP Switchboard. It does rather well against other popular blockers [2], which shows that ABP does indeed block requests, not just hide HTML elements. Compare the numbers of domains reached with when no blocker is used.

[1] https://github.com/gorhill/uBlock#benchmarks

[2] https://github.com/gorhill/uBlock#benchmarks


Not (yet) available for Firefox, sorrily.


That is true, and something I forgot to mention in my original comment. I do believe the author intends to eventually have it work on Firefox, but I doubt that will be any time soon due to the fact it currently relies heavily on the Chrome API.


For the vast majority of sites, I am happy for them to show me ads, and also use analytics. I would however like to block Facebook tracking.


To minimise the tracking without plugins: always login to facebook and anything that has your personal details in a "private" session or a browser you don't normally use with flash turned off (or not installed in the first place). Not perfect, but good enough for me.

Of course everyone in my other browser sessions is tracking me between sites, but it isn't linked to my social profiles and such.

TBH I don't really care about the tracking of me. The thing that I find annoys is the combined tracking of me and my contacts: I don't like the idea of them trying to track other people through me.


This is a very shallow way of "escaping"; your browsing activity is definitely being linked to your social media identities via your IP(s) and browser fingerprint.

For instance Google does maintain such non-cookie-based user identities. I'd be highly surprised if Facebook didn't as well; your data is just too valuable to pass on such easy fixes.


Aye, my IP addresses at most locations are fixed.

The browser fingerprint isn't going to help them though.

Of course the only real solution (other than cutting yourself off completely) is for there to be a stable, secure, reliable, non-tracked, ad-free alternative that enough people use - and that isn't going to happen unless you have a spare high improbability generator handy.


I sandbox Facebook inside Firefox, it's the only thing I do with that browser. Makes me feel warm and fuzzy for continuing to use the browser too, I like Mozilla.


I take it Ghostery takes care of it as well. Does anybody know?


I'd also be curious to know this. Ghostery was quite an eye-opener when I first tried it. Every time you go to a site, it lists all the items that it blocked on that page.


Yes, Ghostery has multiple different Facebook trackers in its database.

This doesn't seem like anything new, just a reaction to the news that Facebook is going to expand what they do with the data they collect.

(I'm a Ghostery developer)


It's a bit old, but Adblock Plus lists rank pretty well for privacy; http://cyberlaw.stanford.edu/node/6730 also another comparison; https://github.com/gorhill/httpswitchboard/wiki/How-does-HTT...


The block lists are great. I'm using them in a different plugin though.


I can't speak for Ghostery, but when false positives on webpages occur it's easier to debug and fix issues in Adblock Plus.


Debugging as a user or developer? It literally takes a single click to disable a specific tracker for a specific site or to disable tracking globally to see if Ghostery broke something.


I can't believe how hard it is to find the link to add this...

Go to ad block settings. Add a custom one, give it any title you want. Put this in for the URL:

https://easylist-downloads.adblockplus.org/fanboy-social.txt


Great work. This facebook policy was absolutely disgusting.



instead of blocking, shouldn't we create extensions that make us appear as the same person on the web?


Brilliant!


I feel that Adblock is a serious threat to Facebook. If it gets the viral traction, imagine half of the Facebook users using Adblock. The result would be disastrous.

I use Adblock and love it dearly. I don't have to watch annoying ads on youtube or deal with intrusive banner ads suggesting I a guide on how to make $5000/day at home in an instant.

I do sometimes want to see ads, and that's when I google something and I want to actually see the advertisements. This is a good sign for google although overall, adblock will slowly cannibalize their ads


The Do Not Track movement says Do Not Make Money.

The entire movement is pissing against the wind. Tracking is how these companies make money. This is their motivation system. A "low" of current online physics is "tracking makes money".

As such, it's a waste of energy. Change physics first.


> A "low" of current online physics is "tracking makes money".

That's what this fixes. By pushing back against tracking, we will force websites to use other ways to make money.


By the way, many people make valuable content and support their work by ads. Ads are online currency. I am not using adblock because it is like stealing their work without paying.


Not if you never click on ads anyway.



