Exactly. Firefox and Safari have both implemented and keep improving the type of fingerprint protection that Google is throwing their hands in the air about.
This summary is a thorough response, pointing out just how ridiculous and meritless the original post from Google was.
Of course it's not possible that this is true since the observational capabilities of the API are explicitly not being deprecated, only the content blocking capabilities. In other official posts they have claimed that the real "justification" is for performance reasons, which I think is equally nonsense.
Can you link to the ridiculous tirade? 'Cause here's the text I see in full
> The sole motivation here is correcting major privacy and security deficiencies in the current system. I know, because I set that focus, and the team reports up through me. And here's a bit more context on the uBlock assertions. [link to other tweet]
> Honestly, all of the negative coverage here is because the team is doing all of this development in the open and engaging with the community. They're taking feedback and making significant changes in response. So the framing here is just not accurate.
Whether this difference in resources does have a concrete impact or not, remains to be seen. The fact that Apple Safari did it first makes me believe that there is some truth in the technical merit argument; surely Apple didn’t want to make sure their content blockers were ineffective, but was actually using the same approach as always: providing a possibly “weaker” but far more efficient implementation (compared to “de facto standards” on other platforms) to protect iOS resources usage.
That said - that's my choice, I don't have to use those extensions, but the gain is, to my mind, worth the pain. I really don't like the patronising "we know what's best for you" attitude of the Chrome developers - especially because what they came up with as being "best for us" is also best for Google.
That's a dead giveaway to me that this person is not effective as it's a naked appeal to his own authority.
> The sole motivation here is [...] I know, because I set that focus, and the team reports up through me
As for me, I'll use Firefox.
Also, genuine question: isn't it hard to go private sector if most of your resume is redacted? How do you convince employers that you're talented?
One that tests integrity along with diligence and capability.
You have 2 types of people in any DoD. 0) the peons who do what they are told. 1) the ones who are bright, know the deal, speak when spoken to, and generally play their role. 2) the ones who are protecting their patch with a bunch of bureaucracy.
Those people who care about civil liberties belong in (1). They, unfortunately, have no real say. And when push comes to shove, (2) owns (1, 0) in every shape and form. At best, (1) goes and takes a job with a contractor.
Either way, just because you leave your job, doesn't mean you have left your job. If you're a (2), you have a network of resources at your disposal. And sometimes, it's calculated.
A (2) will always be a (2). Even in retirement. Even if they take a new job. Their network will remain.
As the parent stated, manifest v3 changes didn't hide any information from extensions (hence, by definition, not improving privacy), and independent studies completely discredit Justin's claims about the effectiveness of ad targeting.
I think the first change was in good faith and reasonable. Provided the filtering abilities are reasonable, it is good for privacy and performance (and it would make sense for eg Firefox to support this api too). (I think I would be happiest with an api that lets you write a pure (somehow enforced) js function from url to an action (eg block/allow/upgrade to https) and 4 bits of data).
Although obviously it is unfortunate if it stops various good extensions from working well.
For the second change, I can’t decide. It could be that they were made deliberately small, or it could be that they didn’t really know what appropriate size limits would be and picked limits which were way too small.
Who really thinks a whole professional team of developers goes and neuters adblockers for nothing?
Let us not be naive.
It took me less than 2mins of thinking (and I am hardly the smartest guy ever) about it to figure out that you can solve the potential privacy hazard that webRequest poses (extensions siphoning off request data) by introducing a special kind of content script, let's call it a request-script, that is input-only/one-way-communication except for a limited set of request manipulation and only when asked by the browser. Such as blocking requests. Of course, the devil is in the details here of what to allow and not allow.
The input-only nature still allows for it to be fed new/updated instructions, and it being a script it can still implement rules that cannot be implemented with a fixed rule list like google proposes. But it cannot make web requests and exfiltrate data like that, it cannot communicate back to the host extension and exfiltrate data like that, it cannot exfiltrate data, period. It only ever is allowed to perform certain (not all) request modifications and only when asked by the browser itself.
That leaves the "performance issues" google claims are a major problem. And indeed, there is a chance a misbehaving extension might obliterate performance. But you can do a lot of things in this space, too. "You" are the browser after all and any extension or any request script is at the mercy of what you're allowing it to do anyway. A low hanging fruit here would be to enforce that a request-script has to give an answer in a sane amount of time. Or warn users when an extension slows down requests too much.
And ultimately users will decide if e.g. a 100ms delay for each request is preferable over downloading a few megabytes of video ads for them or not. That is if google was really interested in protecting their users and improving their experience and did not have other motives...
But yeah, a bad actor would probably just switch away from webRequest to <all_urls> + webNavigation permissions and siphon off data with content scripts. So google's argument that it is a privacy issue and thus they just HAVE TO cripple their webRequest APIs doesn't get any better.
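The contract described in the comment above (input only, a small fixed set of answers, a time budget enforced by the browser), modelled as an added example that is not part of the original thread or any browser's API. All names (`createRequestScriptHost`, `budgetMs`, `maxStrikes`, the action strings) are hypothetical, and the model covers only what the browser accepts back; isolating the script from the network and from its host extension is assumed to be done by the browser.

```javascript
// Added illustration, not a real extension API. All identifiers are hypothetical.
// The only thing that ever leaves the script is one of these enumerated answers.
const ALLOWED_ACTIONS = new Set(['allow', 'block', 'upgrade-to-https']);

function createRequestScriptHost(decide, options = {}) {
  const budgetMs = options.budgetMs ?? 5;         // "sane amount of time" per answer
  const maxStrikes = options.maxStrikes ?? 3;     // slow answers tolerated before disabling
  const now = options.now ?? (() => Date.now());  // injectable clock, so tests are deterministic
  const state = { strikes: 0, disabled: false, warnings: [] };

  function onRequest(details) {
    // Assumption: the browser fails open, so a broken script cannot break page loads.
    if (state.disabled) return 'allow';

    // Input only: the script receives a frozen copy, never the live request object.
    const snapshot = Object.freeze({
      url: String(details.url),
      method: String(details.method),
      type: String(details.type),
    });

    const start = now();
    let answer;
    try {
      answer = decide(snapshot);
    } catch (err) {
      answer = undefined; // a throwing script gives no answer
    }
    const elapsed = now() - start;

    // Measured after the fact here; a real browser would pre-empt the script.
    if (elapsed > budgetMs) {
      state.strikes += 1;
      state.warnings.push(`answer took ${elapsed}ms (budget ${budgetMs}ms)`);
      if (state.strikes >= maxStrikes) state.disabled = true;
      return 'allow'; // a late answer is ignored
    }

    // Anything that is not one of the enumerated strings is dropped, so the
    // return value cannot be used to smuggle request data back out.
    const valid = typeof answer === 'string' && ALLOWED_ACTIONS.has(answer);
    return valid ? answer : 'allow';
  }

  // Copy of the bookkeeping a browser could surface to the user as a warning.
  const status = () => ({ ...state, warnings: [...state.warnings] });
  return { onRequest, status };
}

// Constructed sample: a rule a fixed pattern list cannot express directly,
// blocking only script requests whose host carries a tracker-style label.
function sampleDecide(req) {
  const host = new URL(req.url).hostname;
  const looksLikeTracker = host.split('.').some((label) => /^(ads?|track(er|ing)?)$/.test(label));
  return req.type === 'script' && looksLikeTracker ? 'block' : 'allow';
}
```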
Any additional blocking capabilities (reordering, delaying, selective header stripping) increase the number of bits.
I can completely understand that the software engineers working on Chrome are separate from the ones working on Ads, but ignoring that conflict of interest that is extremely obvious to some outsiders reduces how seriously these arguments can be taken by this group of people. I think Google needs to do more to highlight that their technical choices in Chrome and other Google products and services do not advantage their Ad business if that is truly the case.
Update: reworded and added a bit more.
You can't take Google at their word because their word doesn't mean much. Especially when those vows directly contradict their main source of revenue, targeted ads.
Or Google's equivalent would be, "Then we realized there was money in it, so ..."
> CTO @ AdRoll
I think it would be useful to build a tool that monitors HN users which have a conflict of interest and attempt to discredit valid arguments, or try to derail conversations.
and such a tool would ironically be a tracker (as others have noted).
I know, let’s build a tracking network (or join one, let’s say google as they are pretty large) and use that info to work out if there is a conflict of interest or not.
If said comment came from anyone else would it have been dismissed as quickly? Ok it’s Google so prob yes :-p
How HN decides to address that is a separate matter.
[Edit: mistook you for the original commenter and fixed that up]
Further, their privacy sandbox sounds like it would just monopolize the advertising space to them. If they don't allow advertisers to collect data, that takes control away from advertisers and centralizes it to their ad market platform.
The post also creates some weird false dichotomy between cookies and fingerprinting. Let's just block both, yea? That's what is best for the user, and probably best for the web in the long term.
We absolutely need a new funding model for the web (to kill ads). The biggest barrier I see is the high transaction fees of digital transactions (30 cents + 2.9%). I don't know if the solution will be Brave, Libra, or something else entirely. Whatever it is, it can't come soon enough.
Google have been very concerned about lack of diversity on their profitable business portfolio and this was a seemingly promising idea at the moment, so they actually tried that idea and miserably failed. People don't want to pay a single cent to publishers unless there's a significant value delivered (like music, movie subscriptions) while the majority is okay with using their privacy as currency. If you have a viable proposal on a "micropayment" business, go try and become the next tech giant.
Collectively it's untenable for a single for-profit entity to hold highly personal information on billions of people from all over the world and have a direct, immediate communication channel open to them. These companies have immense power and they need to be brought under control.
> For instance, a site like Oxford Reference can charge between 25 to 99 cents for access to a single page of content
I want something entirely different. I want to pay what google makes on me watching ads (or 2x that, I don't care), and distribute that to people creating content I watch without me interfering on that process. Essentially, what happens when I listen to music on Spotify.
To make it a mandatory system is a whole other issue.
It's true that people will probably still only pay for things that provide them significant value, but a) low-value content is one of the biggest problems on the internet, so putting those companies out of business is a great result as far as I am concerned, and b) search is obviously high value content, so Google has nothing to worry about.
That's probably because they actually have tried it: https://contributor.google.com/v/beta
It may seem frustrating for some of us living in nice places, having our own money and access to easily accessible electronic payment systems but for a lot of the world (geographical, age and economic status) that's not available. So while I support being able to have the option to pay to not see ads I also support being able to just see pages (with ads) without having to configure billing, etc. Otherwise a lot of the high value Internet would be only accessible to the group of people I mentioned above and that would be sad (and going against why Internet has penetrated so much of the world).
PS: If you think it's hard to stay anonymous in an Internet of ads, I cannot see how you'd be anonymous in one where you have to configure billing which is traceable (by design) to your physical person.
Now, you have to imagine the CPM is directly related to the value of the goods being sold. That scales per country. It's probably not the perfect proxy, but in the same sense that your viewers from other countries pay out different CPMs, they can probably afford different amounts per video.
It isn't about anonymity. It's about abuse of data. I'm not mad that I can't make anonymous phone calls, I'm mad that my phone provider sells my real time location data. I am happy to pay a company that preserves privacy and trust them with my information. This is a bit aside though, because I more or less trust Google with my information, I just don't like ads. It's not about anonymity.
Sometimes we pay a lot more: https://graphtreon.com/patreon-stats
> The true value of the video is likely much lower.
The true value of the video varies a lot. Some are demonstrably very highly valued: https://graphtreon.com/top-patreon-creators
A premium account is $10/mo.. or $30/quarter. Pandora is part of Sirius now.. but Spotify has revenue of about 5.50/user/quarter.
Either Pandora is 6x more effective at monetization than Spotify (very unlikely), or that engineer was wrong.
It's sort of related.
Except that the vast majority of the advertising on the internet supports mainly low-quality junk ... The more ads, the scummier and more worthless the site gets, usually.
There are exceptions, few and far between, like news websites I guess. But most of the ads on the Internet are used to support content that you never asked for, never wanted, never would visit, and still get shoved in your face occasionally.
Afaik nobody really tried true micropayments yet. Micro actually means 10^-6, so as TACIXAT mentioned below/above it comes down to 0.025-0.4 cent per one piece of something. Meanwhile what we have seen from the industry is $.99 macro payments. Did Google Contributor really charge people ~0.025-0.4 cent per impression?
People want to be able to opt out of Google entirely, and that product didn’t do it.
I don't care about seeing ads, but I am willing to pay money (and I do, when such an option exists) in exchange for stopping the spying that ads bring.
It's possible to enable advertising while maintaining privacy and security. What was missing was legal and regulatory forces to push advertisers and adtech into it. Now it's here.
Nothing is free. You either pay with cash that you earn, or you pay with your attention with ads. Option 2 is faster, easier, more passive, more affordable and more equal. That's why billions of people prefer to monetize attention on-demand for their content instead of paying cash upfront.
Whether people would pay enough to get anywhere near the costs however, is probably unlikely given how little they pay for far cheaper content on the internet today. Wikipedia is not comparable since the vast majority is unpaid volunteer work and user-provided content.
- convenience: do not underestimate it, lots of supporting evidence that people want maximum convenience. Notice how a small UI change as "one click purchase" increased Amazon sales significantly or why they even make/sell those buttons to put around the house to press and refill periodic stuff
- access: like I was saying in another reply, it's simply the case that in a lot of situations, users (because of age, location and economic status) simply have no good means to pay electronically
- affordability: 10 cent/view pay seem like nothing to us but in many places that can add up to a few USD per month that may be the cost of food of a family for a week. So now you'd have to do geographical location based pricing, dealing with all the crap that comes with it (people using proxies to avoid it, etc)
Affordability is the largest factor by far though because most people just can't pay for everything they consume for free today. When you look at video content especially, it can easily add up to several dollars per day in spend.
Just run something like a Radius server, which any website could query, and which could log usage.
> access: ...
Provide a wide variety of payment options. As many VPN services and VPS hosts do.
> - affordability: ...
I don't know specifics, but I can't imagine how users in places so poor generate the same ad income as users in wealthier places. So just adjust cost/view to generate the same income that the current system does.
Tons of people paid for content before the Web. Newspapers, magazines, books, CDs, DVDs, cable TV, premium channels.
With the Web, dotcoms were focused on IPOs (and so the appearance of possibly being a player in the future), everyone was focused on adoption, there was also a lot of finance opportunism. Then most all of the business models switched to spying/control, or just more finance scams. For which free content still makes sense.
If you end the spying/control business model, and the current growth-oriented investment schemes, and maybe break up a few megacorps that never should've been allowed to happen... then maybe we'll get better options for low-friction content payment, and presumably some people will resume paying for content with value.
Also, the US piracy culture needs to stop. One of the reasons that's been hard to argue, starting in the MP3 days, is that some of the most directly affected content organizations (e.g., MPAA, RIAA) had awful reputations. But to the extent that piracy culture affects legitimate economic sustainability for other content (e.g., subreddits that institutionalized pasting news article full text, or rehosting webcomics on imgur), we need to fix the culture, and make it not socially-acceptable.
Sure, but newspapers, magazines, cable TV and premium channels have never really lived off of customer payments, they were always ad-based businesses first (there are exceptions, such as small newspapers and HBO).
Spotify is barely thriving and took 13 years to make its first profit. It's precariously balanced with constant problems in artist payouts and catalogs. Netflix managed to grow by getting into the content production business but is seeing challenges there as costs rise.
And both Netflix and Spotify distribute content that can be consumed multiple times. How many times are you going to read the same article? If the answer was as simple as an HN comment, the industry would've figured it out by now.
Most “content” isn’t worth paying for. Google’s phrasing about publishers not being able to pay to generate content made me think, “Yay, no content mills!”
Separately, people with something to say like to reach audiences. In the distant past, it was called “pamphleteering”.
There was a web before banner ads. The content came from somewhere...
That was a tiny web that barely anyone used and even less created for. It's really not the same. Also you don't have the same needs and wants as the billions of other people who spend time online to make a judgement that most content isn't worth paying for.
This thread is about your grandparent comment, ”The biggest barrier is that people don’t want to pay for content.”
Billions of people are the market, your remark opens with the judgment that people don’t want to pay for content. In other words, the market has judged most content isn’t worth paying for.
> That was a tiny web that barely anyone used and even less created for. It's really not the same.
On the contrary, today, certainly a higher number have their words preserved online, as persistent conversations such as this one or perhaps Likes on Instagram. But a far lower percentage of those who are online today “have a home page” for example.
In the mid to late 90s a higher proportion of “web pages” were meaningful, and a much higher percentage of users were also publishers of their own web sites.
Amateur web sites unofficially organized around topics of interest were a thing:
That content is still getting created, and still getting self-published, it’s just much harder to find.
Self-published home pages like this are still cool:
This one uses a kind of ethical advertising:
Note the author invites patronage but says don’t worry about it: ”I have a day job and SSC gets free hosting, so don't feel pressured to contribute. But extra cash helps pay for contest prizes, meetup expenses, and me spending extra time blogging instead of working.” People with things to say will say them.
While it’s still being experimented with, it seems that quality content is worth paying for, even worth patronage:
This goes into more detail about content mill versus patronage model for higher value content:
// Irony of HuffPo well noted.
- Option 1 is to work, turn effort into cash, then spend that cash on the internet.
- Option 2 is to just go to the internet and view ads which turn your attention into cash behind the scenes in real-time.
You're still paying but advertising is a much more seamless, passive, and equally available system, and can quickly scale on-demand. So to rephrase the argument, people want the content, and they pay for it, but they mostly don't choose option 1.
Yes there's a tiny bit that's provided for free by creators who pay for it themselves, but it's so minuscule that it doesn't matter.
How much for Arxiv with ”open access to 1,580,815 e-prints in the fields of physics, mathematics, computer science, quantitative biology, quantitative finance, statistics, electrical engineering and systems science, and economics”?
For huge amounts of valuable content — ideas and knowledge some people want to share and some people want to absorb — self-publishing, patronage, and private or public funding work, at scale. The “amateur web” is still here, it only seems “minuscule” thanks to being buried under the content mills trying to generate placeholder pages for ads.
The web wasn’t born as either subscriptions (pay with cash) or ads (pay with attention), it was a knowledge linking and sharing platform.
Huge amounts of content continue to be produced other ways. There are more options (https://en.m.wikipedia.org/wiki/False_dilemma).
> ”Since its creation in 2001, Wikipedia has grown rapidly into one of the largest reference websites, attracting 374 million unique visitors monthly as of September 2015. There are about 72,000 active contributors working on more than 48,000,000 articles in 302 languages. As of today, there are 5,913,176 articles in English. Every day, hundreds of thousands of visitors from around the world collectively make tens of thousands of edits and create thousands of new articles.” — https://en.m.wikipedia.org/wiki/Wikipedia:About
That’s not so minuscule it doesn’t matter.
There's content and distribution. Sometimes content is freely generated by users (wikipedia, stackoverflow, quora, HN, social media) but distribution costs money. These costs (content + distribution) are paid for by cash (including patronage/donations) or ads. That's it. There's no magical 3rd option.
The amount of content that's both created and distributed for free is minuscule and you haven't quoted a single example yet. Billions of consumers are not going to be satisfied with a bunch of people hosting their own blogs from their home.
You weren’t talking about paying cash for publishing/distribution, because both your two options, paid subscription and free ad-supported, you were talking how the consumer pays and also cost money to publish, cancelling that dimension out.
In the pay-to-publish model, someone is deciding it’s worth their own pocket money (or patronage or sponsorship by powers that be) to publish. That makes it free to consume.
We were talking about the perspective of the content consumer, and for them, the pay-to-publish model is free. They are neither paying for the content, nor are they paying with their attention. Some entirely different actor not discussed in your models, is covering it.
That content, content creators support publishing, tends to be different in nature — someone is willing to spend “their own” money to share the ideas in it freely.
Pamphleteers paid the printing presses by cash too, that’s how they didn’t have to sell ads and how they didn’t have to charge a ha’penny a sheet.
> “Content both created and distributed for free is minuscule and you haven’t quoted a single example yet”
You’re both non-responsive to examples with factual data to back them up, and moving the goalposts. To be clear, I’m agreeing there is too much no-value content getting churned out as filler to advertise against. So much volume, so much noise, the valuable content is buried.
Perhaps we agree there’s too much ad-hosting filler content, and not enough inherent value content.
To keep saying “minuscule” perhaps you use a very different internet. Where are the ads on this site? Are you paying for it? No, someone has an interest in this site and its content being available to a special interest audience. It costs almost nothing to host contentful content of mostly plain text conveying information rather than eye candy to drive clicks. With light design but info rich text content, it’s easy for the ROI to work. Companies know this and publish for free without ads.
If you add “corporate” publishing into the mix, all the company product sites and blogs, combining company sites, academic sites, non-profit/public-good sites, government sites, WordPress home pages of everyone homesteading on the web, etc., it’s not minuscule.
But here’s some hard data from 2018:
“Ad-supported media’s share of consumer time will drop to 42.5 percent by 2021. This past year, the number fell to 44.4 percent, its lowest point ever, per the research.” — https://www.pqmedia.com/product/global-consumer-media-usage-...
Ad-supported is less than half of media time and trending down.
In the beginning, profiting off web content was illegal. Is it impossible to imagine course-correcting this race to the bottom?
- - - - - -
PS. I can’t help but notice the incredibly high not at all minuscule percentage of content linked to from HN that is neither subscription based nor ad-supported, but paid for by its author, some even calling out that they’re free, such as this one from the thread on standing out as a speaker:
What does this cost?
Make your checks payable to a shell corporation I have in the Caymans. Just kidding; it's all free. I hope you enjoy it. Also, if I ever see one of your talks, it better be damn good.
I'll add to this site over time. You might be interested in watching the newest posts page.
Once again, content published to us for free is ironically the very content worth paying for.
I'm not sure what you're even arguing now. You seem to be saying that some sites exist where the creator pays both costs instead of the consumer but I don't see what point that makes. Like I said, that particular scenario is an absolutely tiny portion of the content available.
Is your argument that only content that's completely paid for by the creator is good? That makes no sense.
If you come to my site, and I take money from an advertiser to show you an ad, I simply add that money into the income for my business on my Federal and state tax filings.
If you come to my site, and pay me to view my content, then in addition to dealing with that money as income, I also have to worry about whether I owe sales tax to your state or VAT to your country.
Worse, in many states that tax rate depends on your address, so I'll need to get that from you.
To make micropayments work for web content, someone is going to have to offer a service that integrates the micropayment system with a sales tax/VAT collecting and reporting system. You probably have to set it up so it is actually that service that is selling the content to the end users, so that the sites themselves do not have to deal with the states at all. That may require the service to act as some sort of portal that the users go through to reach the sites.
If it becomes harder and harder to push invasive ad me then more money will end up in dumb ads instead.
The NY Times solution, for example, is to target ads based on relevance to content on the page being delivered. No tracking required, but its relevance to the page can sometimes be more effective than tracking ads.
Conversely tracking ads are not necessarily smart.
Go shopping for a fridge, then buy one. You'll have fridge ads following you around even though you're not in the market for a fridge any more.
This persistent meme commits the fallacy of believing that every person follows the precise same fact pattern as yourself: Buying a fridge on some predictable, perfectly recurring and invariant schedule.
In fact, it is probably far more likely that a person who just bought a fridge will be favorably economically incentivized by an ad for a fridge than a randomly selected person.
For one thing, we know that this is a person who will ever influence a decision to buy a fridge (because they in fact did buy a fridge). Many people will never select a fridge in their life (for reasons that include renting a home, moving into a home which already has a fridge, replacing a non-working fridge with whatever a repairperson selects and is thus not influenced by an ad, is not the person in their family who selects a fridge, etc.)
A person who just bought a fridge is more likely to return that fridge and buy another than a randomly selected person is likely to buy a fridge in the same time period.
A person who just bought a fridge is more likely to be a decision-maker in selecting another fridge in the near-term than a randomly selected person (for reasons that include: buying another fridge for their garage, buying one for their business, recommending one to their contacts).
Buying a fridge is a rare event that probably absolutely correlates positively to buying another fridge.
A more effective ad targeting model would advertise fridges to the friends of someone who recently bought a fridge though, due to a) keeping up with the Jones' effect, and b) friends are likely at similar life stages, ie. getting married, buying a home, etc.
The fridge ads are mostly interesting for someone who has searched for a fridge (either on Google or on the fridge seller's website) but hasn't bought one yet.
I mean these are massive spyware businesses and they should be called out as such.
Newspapers especially fit your model of micro-payments: each newspaper is usually a minuscule amount of money, but that is never enough to sustain it.
There is also the problem of incentives - even if your customers are paying to access the content, if you can then ALSO mix ads with the content, you are guaranteed more money, so businesses will usually be inclined to do so.
Similarly, the free web is mostly content produced by people with little interest in getting paid (see livejournal, tumblr, blogger, pre-monetized everything: youtube, tiktok) and the providers are not simply trying to cover costs, they are trying to become billion dollar platforms.
All I'm trying to say is there's a vibrant internet to be had without prioritizing profitability and allowing ourselves to be subject to surveillance.
Perhaps though there is an ad-free future we could strive towards. I doubt it will happen within the current capitalist framework.
Because it's not a valid alternative. It may work in some edge cases, but there's 0 evidence that it could support the economy at the same scale as ads.
> We absolutely need a new funding model for the web (to kill ads).
We need to rework how ads work, but killing ads is a very naive approach. Ads are a core part of how the world economy operates (and always have been). Calling for killing advertising is only hurting the case - it makes it easy to dismiss, as some crazy hippie talk.
I know there are probably a lot of people who would rather be advertised to than pay any non-zero amount to view content. Those people should be able to pay with their attention.
Maybe we don't need to kill ads, but having the choice to pay with money would definitely be welcome to people like me.
I don't think it's at all reasonable to compare the way ads used to be (inert) to the tracking/privacy/malware nightmare that online advertising has become.
Just because we've always had some (comparatively mild) forms of advertisement doesn't mean we should put up with this blight.
And I'm a fan.
I mean seriously I would probably pay more.
I hope regulations from governments help bring google down in size instead of breaking it up for a monopoly. It has been extremely lucrative.
I remember when I was much younger, there were banner ads on a bunch of pages (and pop-ups/pop-unders of varying levels of frustration). The banner ads were fine even when we were rocking 56k internet: not beloved by any stretch, but typically reasonably okay.
I have previously toyed with ad blockers, but at a certain point stopped, figured I'd play nice or whatever. Then there were sites that over time legitimately ate into computer resources to the point they were eating way more energy than reasonable (I can't remember which one, but there was one that if I left the site open long enough, it'd crash all open tabs). At that stage, I went back to ad blockers. I really wish it didn't come to it, but man, that whole "give somebody an inch and they'll take a mile" is in full display online now.
I think as this conversation evolves, we will find that there is an additional human right, the right for others to not use undue force to influence your mind. This whole battle is ultimately one to secure this right.
Even on my home network something insane like 30% of packets sent and received are ad or tracking related, which I know because they all get blocked by the PiHole sitting next to the router.
Choosing to block ads literally makes my browsing go faster, and keeps my data limits from being blown out. AND it prevents fingerprinting of my habits? It's a complete no-brainer.
Battery life is a huge concern. Also page load speed. I am having a hard time processing your comment: I should slow down my computer and decrease the battery life because why? Other people can’t be arsed to care if their ads screw up my experience?
Personalised ads, tracking, etc: Criminalise it. By which I mean, after a cooling-off period, jail people still pushing it.
- Forcing websites to explicitly mark cross-site cookies, or they get blocked for cross-site usage. They also seem to be hinting at adding better ways to clear cookies in Chrome.  
- Further attempts to block fingerprinting. (Vague, seems hard?)
These seem like... good things? The SameSite initiative makes CSRF attacks harder. Maybe not big news or as strong as you'd like, but in the right direction?
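The cookie rule discussed in the comment above, as an added example that is not part of the original thread: a simplified JavaScript model of "unmarked cookies default to `SameSite=Lax`, and `SameSite=None` is only honoured with `Secure`", showing which cross-site requests still carry a cookie. The function names, request shape and sample headers are constructed for illustration; path, domain and expiry matching are left out.

```javascript
// Added example: simplified model of the SameSite rules, not browser source code.
// Parse one Set-Cookie header value into the fields this model needs.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq < 0 ? "" : pair.slice(0, eq),
    value: eq < 0 ? pair : pair.slice(eq + 1),
    secure: false,
    sameSite: null, // null means the attribute was absent
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    if (key === "samesite") cookie.sameSite = v.trim().toLowerCase();
  }
  return cookie;
}

// Effective policy when unmarked cookies are treated as Lax and
// SameSite=None without Secure is refused outright.
function effectivePolicy(cookie) {
  if (cookie.sameSite === "strict") return "strict";
  if (cookie.sameSite === "none") return cookie.secure ? "none" : "rejected";
  return "lax"; // explicit Lax, missing attribute, or unrecognised value
}

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// req: { crossSite: bool, topLevelNavigation: bool, method: string }
function isSent(cookie, req) {
  const policy = effectivePolicy(cookie);
  if (policy === "rejected") return false; // never stored
  if (!req.crossSite) return true;         // same-site requests are unaffected
  if (policy === "none") return true;      // explicitly marked cross-site
  if (policy === "strict") return false;
  // Lax: only top-level navigations using a safe method carry the cookie.
  return req.topLevelNavigation && SAFE_METHODS.has(req.method.toUpperCase());
}

// Constructed cross-site request shapes.
const REQUESTS = {
  embeddedPixel: { crossSite: true, topLevelNavigation: false, method: "GET" },
  linkClick: { crossSite: true, topLevelNavigation: true, method: "GET" },
  forgedFormPost: { crossSite: true, topLevelNavigation: true, method: "POST" },
};

// Report, per request shape, whether the cookie from `header` would be attached.
function audit(header) {
  const cookie = parseSetCookie(header);
  const result = { name: cookie.name, policy: effectivePolicy(cookie) };
  for (const [label, req] of Object.entries(REQUESTS)) {
    result[label] = isSent(cookie, req);
  }
  return result;
}
```

Calling `audit("session=abc123; Path=/; HttpOnly")` shows the CSRF point made in the comment: the unmarked session cookie still follows a cross-site link click, but not a forged cross-site form POST or an embedded third-party request.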
Why does anyone even allow third-party cookies anymore? I've had them disabled for years at this point, and I can count on one hand the number of times it's been noticeable, and I think there was only a single time I actually found it worthwhile to enable third party cookies to access the site.
I do have some appreciation for how badly it would break a lot of the web applications though, but it seems like it might work.
GDPR only safeguards your data from the honest. What we need is a technological solution.
Users or extension authors can't do much other than blocking those scripts or restricting what the whole page can do because it's difficult to attribute actions to a specific script.
When things don’t work I either disable it for the site or click away. Sometimes I fiddle with it out of curiosity to see what the site relies on.
As a side effect it gives me a sense of what sites are professionally built and which are not.
EDIT: What I mean is example.com/api/hello could hit your back end, but example.com/js/script.js hits S3 (or another static hosting service) instead of hitting your real origin.
So even though to the browser it would appear that /js/script.js is coming from example.com it could actually be coming from anywhere else.
BUT the cookie origin would take over. So if script.js was a tracker, the cookie it set on the browser would be example.com and not "AnotherSite.com" which had the same tracking script. But if the script can make the same fingerprint from both domains then that's not so much of an issue. But that's going back to other methods of fingerprinting.
Basically, you are confusing some terminology and not really making any point: in your example, there is only one origin, that of example.com. Yes, servers can forward any data they wish to other web sites (like AnotherSite.com).
What is the point?
But in this context, how does this matter? "Origin" is a client/browser side concept, and however you serve your website internally, it appears as one web site. Basically, I replied to a comment bringing CDNs into discussion where they are totally irrelevant.
Origin checks can't protect you against servers forwarding your data to a privacy-invading site (eg Google), and a server can do that simply by being a reverse proxy to another site.
JS has got too much access to too much information.
All styling declared and don't let JS interrogate style info from the DOM
Since sites that use responsive designs are a constant pain in my side, if they stopped working then I'd personally be a little happier with the web.
Why? Because I have reader mode turned on by default and haven’t looked back since over a year ago, and I can’t imagine the web without it any more. It’s the only thing that makes the web tolerable, no matter how many ad blockers I install.
If everyone else used it too, websites would become wise and start blocking it somehow.
Oh, wait, I mean, reader mode is terrible and nobody should use it!
Oh and I love the “thank you in advance for your help” lol what?
>> "There is little trustworthy evidence on the comparative value of tracking-based advertising."
This is flat out wrong. Google and Facebook have proven that there are BILLIONS of dollars on the table for the value of "tracking-based advertising"
As an engineer who used to work in ad-tech, making appeals to reason to these companies won't help. There's a lot of money flowing in this sector, and unless large internet companies see the value in changing their ad-based business models, the only thing that will dissuade them are shifts in public opinion, laws, and policy.
Or a rearchitecture of the web, which I'm all for :)
Only if you assume value == money. The question is not whether advertisers will pay extra for tracking-based advertising (your definition of "value"), the question is whether they are getting what they're paying extra for (what others are considering "value"). That someone pays extra for something doesn't necessarily mean it's worth it.
That's what we need data for before trusting any hand-waving argument.
Google are in an ideal position to test this and publish results on (eg. A/B testing on ad selection method). Not that we'd really trust them completely, but at least we'd have something to go off. :)
I don’t get value out of tracking-based advertising. The best ads are still search-term based where ads help me find.
There’s no to little evidence that tracking based ads benefit the user. (although it’s clear that it makes tons for advertisers)
Is it? Please link! Thanks.
I wonder if the director of chrome engineering has drunk the koolaid enough to believe this? Or whether they feel really bad about carrying water to pay the bills.
I tried out Google’s non-personalized ads for a while, and wow the ads were bad, especially on YouTube. Not like irrelevant but downright obnoxious. But wait, we’ve seen this before!
A couple years ago, Google noticed that ads were starting to get downright atrocious and started fighting them. One relevant blog post: https://blog.google/technology/ads/building-better-web-every...
Why Google oh why are ads so bad? Because advertisers got more evil? Yes and no. Google got more evil advertisers as all the good ad money went to Facebook’s properties.
Google’s recent blogpost is frustratingly “right”: given the opportunity cost of bad ads, an average user is better off opting in to higher-quality tracking-targeted ads. BUT! That is only because Google the ad company lost the good content. And sadly, Google the software company owns the browser, so they have to make do in a Google world.
This isn’t even an issue about privacy. It’s about a company overtly misrepresenting the interests of its users in bad faith. No different than Uber tacking on the $1 “safe rides” fee as a pure margin generator rather than as protection for riders.
Exactly. I'm really stupefied with arguments that I'm "better off" by opting for tracking ads. Why am I better off? What good does it do to me? It almost seems like these arguments are coming from some other world which I am not living in.
This quote is hilarious, but if, as the article suggests, privacy-invading, tracking-based ads aren't much better than content and region-based ads, presumably advertising companies like Google could abandon it and still provide similar value to their customers.
It might even save time, resources, and money since they wouldn't need to put as much effort into tracking.
A contrast with law enforcement, is that the abusers are not punished and deterred, but instead encouraged to escalate the potency of their behaviour. Anti-tracking technology is preventing pick-pocketing by expecting people to ride in armoured cars. This should be part of the solution, but we also need deterrence.
Laws like the GDPR should in theory help, but sadly enforcement with regard to tracking consent has been lacklustre, and consequently and predictably the law is widely flouted. This makes the mitigating technical measures all the more necessary, yet they are not a panacea.
"Hey AdTech Network. Here is the server from Free Newspaper. Can you send me an ad for Free Newspaper user X at IP Y?" "Hey Free Newspaper. Oh, that guy? I just saw him buying a flight ticket at Flight Aggregator. He is definitely Flight Aggregator user Z. Here is a targeted ad."
I work in a very boring niche for a small company and you'll receive email from us and we'll know what ads you clicked to find us 1 year ago and that we'll keep your entire browsing history and utilize it to tailor our messaging and that's just the beginning of it. And our budgets are a fraction of what huge online advertisers spend.
Modern digital marketing wouldn't be possible without tracking and that's just how it is.
If we make it harder via regulations, we'll just make it more expensive and that's all. Kind of similar as drugs - demand is so strong that supply is going to be there no matter what you do.
Almost like they have some financial interest in determining user behavior so they can deliver more targeted ads. Almost like they are an adware company.
Nah, can't be that. That would be like a conspiracy or something......
Umm.. no thanks!
Now are WordPress using that ability to track users which the owner of this site isn't aware of? That's another question.
Edit: This page doesn't contain any emoji, but it's prob just a WP plugin that replaces any into browser/OS emoji.
You: TeX is turing complete too!
> Some ideas include new approaches to ensure that ads continue to be relevant for users
Calling arguments "absurd" or "disingenuous" is itself arguing in bad faith, and respectable publications can do better.
This sort of thing happens in real life all the time. In the debate over drug policy, one of the major arguments for legalization is that drug prohibition leads to different types of crime. On the one hand, this is a "defeatist" attitude to have about drug policy. On the other hand, the world is complicated, and sometimes we have to make compromises.
The author continues:
> Based on peer-reviewed research, including our own, we’re confident that fingerprinting continues to represent a small proportion of overall web tracking. And there’s no evidence of an increase in the use of fingerprinting in response to other browsers deploying cookie blocking.
That's an excellent, concrete point to make about the question. But it's not "absurd" for others to have less confidence in that conclusion. It sounds like a tricky open question.
Calling an argument 'absurd' or 'disingenuous' is not an argument, it's a conclusion. Its value lies entirely in how well the point is proven.
Here, the article does a fair job of that task. It supports the idea that the argument is absurd because mitigations against browser fingerprinting are already in development, and it supports the idea that the argument is disingenuous because in a comparable situation Google itself did not deploy a privacy workaround, so it should know that fingerprinting is not a universal response.
I take your point, but calling people out for being disingenuous when they are, in fact, being disingenuous is not bad faith at all.
It may be harsh to be dismissive of Google's claims, but Google chose to put itself in a position where they have deep, systemic conflicts of interest.
When you have a company with the strongest possible interest in profitable advertising, who also makes browsers, operating systems, and controls key services that are effectively chokepoints of the internet, it's not unreasonable to assume that SMEs would question your commitment to finding a solution that would hurt you. When you write an article that demonstrates that others have been able to solve impossible technical problems that an engineering organization at Google cannot, it's difficult to call that "bad faith" reporting. In fact, anyone who assumes that a company will inflict harm upon its own short/mid term financial interests is clueless, because that is what management demands at any public company.
If Google did something like implement strong organizational walls that isolated advertising from other lines of business, like a newspaper, perhaps I would agree with you. If Google was showing market dominance in other areas, like cloud computing, perhaps I would agree. But they do not, and in fact they are integrating components of their business more and more, and are compelled to do so by their duty to shareholders. (See Google One as an example)
If they are not real arguments, but false dilemma kind of arguments presented specifically to push an agenda, how do you call them? You definitely can't take them at face value and provide counter arguments, you can only call them out.
> large scale blocking of cookies undermine people’s privacy by encouraging opaque techniques such as fingerprinting. With fingerprinting, developers have found ways to use tiny bits of information that vary between users, such as what device they have or what fonts they have installed to generate a unique identifier which can then be used to match a user across websites. Unlike cookies, users cannot clear their fingerprint, and therefore cannot control how their information is collected. We think this subverts user choice and is wrong.
the argument claims:
- people block cookies so fingerprinting methods had to be implemented
- cookies, unlike fingerprinting, can be deleted
Actually, fingerprinting is not JUST used to track users for ads. Describing the characteristics of a device is used for lots of other purposes as well. For example canvas size etc etc useful for other reasons. Many / most web dev folks rely on fingerprints (user agent / screen size) when targeting layouts, adding / removing features etc.
The whole analogy where police are cracking down on criminals is the same as cracking down on fingerprinting is what is "absurd" and "disingenuous". A better analogy is wanting to have a 10mph speed limit to reduce pedestrian deaths. It would (and I like car free planning so would support it). But it would ALSO make commutes etc slower.
If I write a page that uses user agent / resolution to serve up a layout -- that's not fingerprinting. Fingerprinting would be if I tried to identify a particular user with those elements.
I think the problem you're trying to illustrate is that it is difficult for a browser to determine what the requesting site intends to do with those parameters. The browser doesn't know if you want canvas access to draw a pretty picture, or if you want canvas access to perform identification of the user.
I've been building web sites commercially since 1997. I have never done any of those things.
Unless the company you work for has the marketing or advertising department in charge of the IT department, this shouldn't happen. I'm sure that Facebook and a bunch of other terrible companies do it, but they shouldn't. The closest I ever came was during the era when you had to detect IE6 and work around that.
But, no, "most" web devs don't do that. Maybe you do. Maybe the people in your company do. But that is not "most," or even "many." I'd say it's probably not even a plurality.
To put it bluntly: If you think that's web development, you're doing it wrong.
The shift from IE to chrome was told by user agent strings. Almost EVERY web developer was tracking this and figuring out what features would work reasonably and what would not during this shift for the websites they maintained. In other words, what parts of the standard HTML were widely supported among users visiting their sites.
If you worked internationally you'll know that this was very different on a country by country basis.
Surprised to hear the claims that only a few do this. It is CRITICAL to developing useful websites -> you need to know what version of HTML to target at a minimum. Screen size, mobile vs desktop all also matter.
I'm now realizing why some web devs can charge so much - they might use these tools -> while others don't?
User agent sniffing is a bad idea and fragile. Feature detection and shims work much better. CSS media queries are quite sufficient for screen size and resizing issues.
Most importantly, none of this can be fingerprinting unless you are sending these metrics back to your servers which is IMHO unethical.
The posters above, sorry for my tone, are lying when they claim that most websites don't do this and most developers don't. It's actually easy to expose their lies. Just visit some websites and check their tracking approach / tools. Literally, browse some of the top 100 websites, magazines, consumer directed product sites etc. In fact, the items may be logged by literally multiple systems on ONE site - the big players can't seem to pick one set of analytics.
For example, a site I run turns out to be much more desktop heavy (84%) and have almost no firefox usage (3.XX). That's much different than the web as a whole (half mobile). It's a boring site - no entertainment, mostly folks slowly learning things. Mobile side is heavy iphone / samsung -> so we make sure we get site testing coverage through those. Knowing this and acting on it does not make me an idiot.
"But, no, "most" web devs don't do that. Maybe you do. Maybe the people in your company do. But that is not "most," or even "many." I'd say it's probably not even a plurality."
Please folks - form your own opinion - chrome dev tools let you check out what's going on (or just get an extension) and at the end of the day browsing you can choose to believe me (you are heavily fingerprinted on almost all the sites you use) or these folks upset that I'm calling them out.
Here are default mixpanel properties by the way - I picked one product at random.
People are spending literally billions on analytics using this (and much more) in terms of trying to figure out how to make a bit more money.
Do you consider being able to support my family for a couple of decades successful?
You can imagine a case where not tainting a variable implies something about the user.