gregdoesit 26 days ago [-]
>This isn’t the first time that Google has used disingenuous arguments to suggest that a privacy protection will backfire. We’re calling this move privacy gaslighting, because it’s an attempt to persuade users and policymakers that an obvious privacy protection—already adopted by Google’s competitors—isn’t actually a privacy protection.

Exactly. Firefox and Safari have both implemented and keep improving the type of fingerprint protection that Google is throwing their hands in the air about.

This summary is a thorough response, pointing out just how ridiculous and meritless the original post[1] from Google was.

[1] https://www.blog.google/products/chrome/building-a-more-priv...

shawnz 26 days ago [-]
That original post was written by the same Justin Schuh who went on this ridiculous tirade on twitter claiming he headed the manifest v3 adblocker neutering changes for privacy reasons: https://twitter.com/justinschuh/status/1134092257190064128

Of course it's not possible that this is true since the observational capabilities of the API are explicitly not being deprecated, only the content blocking capabilities. In other official posts they have claimed that the real "justification" is for performance reasons, which I think is equally nonsense.

magicalist 25 days ago [-]
> the same Justin Schuh who went on this ridiculous tirade on twitter

can you link to the ridiculous tirade? Cause here's the text I see in full

> The sole motivation here is correcting major privacy and security deficiencies in the current system. I know, because I set that focus, and the team reports up through me. And here's a bit more context on the uBlock assertions. [link to other tweet]

> Honestly, all of the negative coverage here is because the team is doing all of this development in the open and engaging with the community. They're taking feedback and making significant changes in response. So the framing here is just not accurate.

ngold 25 days ago [-]
Do the merits of his claims hold true? Then I don't care if it's written by a guppy fish with I'll intention. Truth is the standard. Not the writer.
giovannibajo1 25 days ago [-]
Depends on your point of view. Chrome is going to use the same architecture that Safari has had for a few years (on iOS and Mac): data-driven content blocking, where rules are declared by the extensions, and then read and implemented by the browser core with no JavaScript involved on each request.

Javascript-based content blocking is technically slower because you need to invoke V8 on all requests, and then it’s up to the extension to make sure that the JavaScript code is fast enough. It surely is more flexible (as you can do whatever you want in that javascript code) but it’s hard to beat a simpler, data-driven content blocking engine written in native code and integrated in the core.

Whether this difference in resources does have a concrete impact or not, remains to be seen. The fact that Apple Safari did it first makes me believe that there is some truth in the technical merit argument; surely Apple didn’t want to make sure their content blockers were ineffective, but was actually using the same approach as always: providing a possibly “weaker” but far more efficient implementation (compared to “de facto standards” on other platforms) to protect iOS resources usage.

shawnz 25 days ago [-]
Here are some measurements from the Ghostery team which show that the impact of the non-declarative API can be extremely minimal, and maybe even negative if you consider the increased performance from the reduced ad load.

https://whotracks.me/blog/adblockers_performance_study.html

EdwardDiego 25 days ago [-]
At the risk of being that guy who mistakes his anecdote for a datum, I've found the bigger ad-blocking extensions to have a larger performance impact - simply because they're evaluating large regex based block lists on each request.

That said - that's my choice, I don't have to use those extensions, but the gain is, to my mind, worth the pain. I really don't like the patronising "we know what's best for you" attitude of the Chrome developers - especially because what they came up with as being "best for us" is also best for Google.

dannyw 25 days ago [-]
No. Ublock does not have a performance problem.
daveevad 25 days ago [-]
> I know, because I set that focus

That's a dead give away to me that this person is not effective as it's a naked appeal to his own authority.

inimino 25 days ago [-]
What? It's an appeal to authority to justify his assertion about the motivation of team that he manages. And you don't think his role is relevant? What are you smoking?

> The sole motivation here is [...] I know, because I set that focus, and the team reports up through me

ChrisCinelli 25 days ago [-]
His job history may tell you another reason on his positions about the subject: https://www.linkedin.com/in/justinschuh/
hellcow 25 days ago [-]
TIL the engineering director for Chrome comes from the NSA and CIA. Surely he cares deeply about everyone's privacy now, though...

As for me, I'll use Firefox.

sterlind 25 days ago [-]
Over a decade of military and then offensive CNE work, a quick tour around the private sector and then a decade of leading Chrome. I guess Chrome had a ton of security issues early on? I can't really think why they'd pick someone like this for directing Chrome and not Chrome security specifically. Even picking him for his contacts doesn't make sense - it's a free product, not much in the way of government contracts to land. And from a "mole" perspective, it'd make more sense to go to Project Zero anyway.

Also, genuine question: isn't it hard to go private sector if most of your resume is redacted? How do you convince employers that you're talented?

CydeWeys 25 days ago [-]
A lot of the time (most of the time), you end up in a particular specialty by career accident, not because you're genuinely excellent at that and only that, and not good at related adjacent things.
lightedman 25 days ago [-]
You take the test which YC people fail to provide.

One that tests integrity along with diligence and capability.

Hnrobert42 25 days ago [-]
There are some who work for those organizations that care passionately about civil liberties and work hard to preserve them while still carrying out necessary functions of government.
Nasrudith 23 days ago [-]
"Necessary functions" like causing the Vietnam War, the Iraq War, installing dictatorships, training people behind such lovely ideas as "rape dogs", leading to Osama Bin Laden, snooping on everyone while failing to stop attacks they were outright told about.
Hnrobert42 22 days ago [-]
No. Not like those.
weq 23 days ago [-]
hahahahahahah yeh right.

You have 2 types of people in the any DoD. 0) the peons who do what they are told. 1) the ones who are bright, know the deal, speak when spoken too, and generally play their role. 2) the ones who are protecting their patch with a bunch of bureaucracy.

Those people who care about civil liberties belong in to (1). They unfortunately, have no real say. And when push comes to shove, (2) owns (1, 0) in every shape and form. At best, (1) goes and takes job with a contractor.

Either way, just because you leave your job, doesnt mean you have left your job. If your a (2), u have a network of resources at your disposal. And sometimes, its calculated.

A (2) will always be a (2). Even in retirement. Even if they take a new job. Their network will remain.

25 days ago [-]
staticassertion 26 days ago [-]
Justin is a trustworthy guy and, while unfortunate, I believe the Chrome security team was acting in good faith with the manifest v3 changes.
ocdtrekkie 25 days ago [-]
We probably shouldn't refer to someone as "trustworthy" who is repeatedly demonstrated to be blatantly lying and spreading clear falsehoods.

As the parent stated, manifest v3 changes didn't hide any information from extensions (hence, by definition, not improving privacy), and independent studies completely discredit Justin's claims about the effectiveness of ad targeting.

targonca 25 days ago [-]
His employer considers him trustworthy.
prepend 25 days ago [-]
Just because your mom thinks you’re handsome doesn’t mean you’re handsome.
sk5t 25 days ago [-]
Trusted to advance his employer's interests, do you mean?
staticassertion 25 days ago [-]
I have no affiliation with Google or Justin.
nsuser3 25 days ago [-]
I'm not his employer (luckily).
25 days ago [-]
dan-robertson 25 days ago [-]
There were two parts to the changes. One that stops the current system of ad-blockers requiring them to use a different url-filtering api (specifically one which denies them the ability to read the urls), and one that puts really tiny limits on that api.

I think the first change was in good faith and reasonable. Provided the filtering abilities are reasonable, it is good for privacy and performance (and it would make sense for eg Firefox to support this api too). (I think I would be happiest with an api that lets you write a pure (somehow enforced) js function from url to an action (eg block/allow/upgrade to https) and 4 bits of data).

Although obviously it is unfortunate if it stops various good extensions from working well.

For the second change, I can’t decide. It could be that they were made deliberately small, or it could be that they didn’t really know what appropriate size limits would be and picked limits which were way too small.

plorkyeran 25 days ago [-]
No, they did not deny ad blockers the ability to read the URLs. They removed the ability to modify requests via the webRequest API, but left in the functionality for observing all requests made.
shawnz 25 days ago [-]
The limits aren't the only problem -- forcing everyone to use only the declarative API restricts the ability of adblocker vendors to develop new techniques for blocking different kinds of ads or privacy threats.
dan-robertson 25 days ago [-]
I agree that there are good reasons to want something less declarative but I claim that only allowing declarative rules is a reasonable bona fide choice from a security or privacy perspective. In particular if there were no question of motives, I think there would be far fewer complaints about this system being implemented. Indeed Apple’s system for mobile url filtering works like this and though some people complained about the lack of expressivity I didn’t see any complaints that it was some kind of conspiracy to sell ads.
tsimionescu 25 days ago [-]
You keep missing the fact that there is no security/privacy advantage to what Google did, since the API for an extension to see every URL being accessed and use it in arbitrary ways still exists. They only removed the part where the extension could block that request from happening.
SpicyLemonZest 25 days ago [-]
Selective request blocking has huge security implications. In many ways it's a similar attack surface to arbitrarily rewriting the content. (Imagine making some charges to your credit card, then blocking the request that lists card charges on your bank's website.)
25 days ago [-]
zwaps 24 days ago [-]
How long until we find out that Google adservers and tracking can not be blocked in the new API?

Who really thinks a whole professional team of developers goes and neuters adblockers for nothing?

Let us not be naive.

rndgermandude 25 days ago [-]
They didn't even try to solve it.

It took me less than 2mins of thinking (and I am hardly the smartest guy ever) about it to figure out that you can solve the potential privacy hazard that webRequest poses (extensions siphoning off request data) by introducing a special kind of content script, let's call it a request-script, that is input-only/one-way-communication except for a limited set of request manipulation and only when asked by the browser. Such as blocking requests. Of course, the devil is in the details here of what to allow and not allow.

The input-only nature still allows for it to be feed new/updates instructions, and it being a script it can still implement rules that cannot be implemented with a fixed rule list like google proposes. But it cannot make web requests and exfiltrate data like that, it cannot communicate back to the host extension and exfiltrate that like that, it cannot exfiltrate data, period. It only ever is allowed to perform certain (not all) request modifications and only when asked by the browser itself.

That leaves the "performance issues" google claims are a major problem. And indeed, there is a chance a misbehaving extension might obliterate performance. But you can do a lot of things in this space, too. "You" are the browser after all and any extension or any request script is at the mercy of what you're allowing it to do anyway. A low hanging fruit here would be to enforce that a request-script has to give an answer in a sane amount of time. Or warn users when an extension slows down requests too much.

And ultimately users will decide if a e.g. 100ms delay for each request is preferable over downloading a few megabytes of video ads for them or not. That is if google was really interested in protecting their users and improving their experience and did not have other motives...

vengefulduck 25 days ago [-]
Except the extension could just inject a script into the webpage and exfiltrate data that way.
rndgermandude 25 days ago [-]
That requires some different permissions to the webRequest permission in question.

But yeah, a bad actor would probably just switch away from webRequest to <all_urls> + webNavigation permissions and siphon off data with content scripts. So google's argument that is is a privacy issue and thus they just HAVE TO cripple their webRequest APIs doesn't get any better.

shawnz 25 days ago [-]
That is still possible with Chrome's new declarative model too, so the parent's idea is strictly an improvement.
sfink 21 days ago [-]
Blocking is itself a communications channel. You have some data to exfiltrate from extension to server. The page embeds a bunch of URLs to your ad server, you selectively block based on the data to exfiltrate, the server gets 1 bit per URL.

Any additional blocking capabilities (reordering, delaying, selective header stripping) increase the number of bits.

tbodt 25 days ago [-]
> 100ms delay for each request

NOPE

luckylion 25 days ago [-]
That was an example - it's actually more like one or two ms.
JohnFen 25 days ago [-]
His argument just doesn't hold up, though, so I have a hard time thinking that it's anything more than a sales job.
9HZZRfNlpR 25 days ago [-]
Trustworthy to who? Definitely not for the 99.9% of the population. Helping to build the biggest spying machine gestapo would be jealous of can be only done by men with very low morals.
tareqak 25 days ago [-]
Isn't that Google blog article completely ignoring the fact that Google implementing tracking protection would hurt their ability to maintain marketplace dominance in one domain (66%+ of web browsers) in order to further maintain and entrench Google's dominance and profitability in yet another (web advertising), and therefore anti-competitive [0][1]?

I can completely understand that the software engineers working on Chrome are separate from the ones working on Ads, but ignoring that conflict interest that is extremely obvious to some outsiders reduces how seriously these arguments can be taken by this group of people. I think Google needs to do more to highlight that their technical choices in Chrome and other Google products and services does not advantage their Ad business if that is truly the case.

[0] https://www.netmarketshare.com/browser-market-share.aspx

[1] https://www.statista.com/statistics/193530/market-share-of-n...

Update: reworded and added a bit more.

xvector 26 days ago [-]
I am honestly surprised at how ridiculous Google’s original blog post was. Zero nuance.
lowdose 26 days ago [-]
It is double speak.
dialtone 26 days ago [-]
You are aware that Google has vowed to actively fight any sort of fingerprinting right? https://techcrunch.com/2019/05/07/googles-chrome-will-soon-g...
magashna 26 days ago [-]
"Don't be evil" they said, until it became inconvenient.

You can't take Google at their word because their word doesn't mean much. Especially when those vows directly contradict their main source of revenue, targeted ads.

vezycash 25 days ago [-]
“It is difficult to get a man to understand something, when his salary depends on his not understanding it.” ― Upton Sinclair
adam12 26 days ago [-]
I loved Google back in 2005. It's sad to see what it has become.
airstrike 26 days ago [-]
I still loved it as late as 2008... remember this?

http://blogoscoped.com/google-chrome/1

SilasX 26 days ago [-]
To borrow from Tony Stark: And I vowed to stop eating dairy, but then they named a Ben & Jerry's flavor after me, so ...

Or Google's equivalent would be, "Then we realized there was money in it, so ..."

ocdtrekkie 26 days ago [-]
I didn't remember this line. III Avengers 14:53, apparently.
SilasX 26 days ago [-]
You mean Infinity War? I'd never heard it referred to as Avengers 3, although I guess it's the third Avengers-branded one. And I edited the actual quote to include "vow"; the original is, "And I swore off dairy, but then Ben and Jerry’s named a flavor after me, so…".
ocdtrekkie 26 days ago [-]
https://seanlennaerts.github.io/mcuverse/ is now the best way to reference MCU lines.
wpietri 25 days ago [-]
That is a delight. For those who haven't seen it, its title is "MCU Bible Verse", and it's a fast searchable list of quotes from the Marvel movies with references done in Bible style.
Nicksil 26 days ago [-]
The article you linked has Google stating they're planning, over the next few years, to add restrictions to the way fingerprinting is executed. Nothing mentions Google vowing to fight any sort of fingerprinting.
kube-system 26 days ago [-]
Yes, we're aware. The entire article linked in the OP is a direct response to Google's claims about fighting fingerprinting. The argument made by the Princeton researchers here is that Google's claims are not likely to result in good user privacy.
taurath 26 days ago [-]
They’re adding an option, knowing full well that 95% of users will never even think to look in the menu.
dessant 26 days ago [-]
> You are aware that Google has vowed to actively fight any sort of fingerprinting right?

> CTO @ AdRoll

I think it would be useful to build a tool that monitors HN users which have a conflict of interest and attempt to discredit valid arguments, or try to derail conversations.

25 days ago [-]
clairity 26 days ago [-]
it's useful to know alliances that can cause insider bias, but the parent comment was adding relevant, mostly unbiased, and industry-knowledgeable information that should be encouraged rather than discouraged here.

and such a tool would ironically be a tracker (as others have noted).

Crosseye_Jack 26 days ago [-]
How would you monitor anon’s?

I know let’s build a tracking network (or join one, let’s say google as they are pretty large) and use that info to work out of their is a conflict of interest or not.

If said comment came from anyone else would it of been dismissed as quickly? Ok it’s Google so prob yes :-p

manigandham 26 days ago [-]
A better way is let the content speak for itself instead of relying on the person's identity.
Liquix 26 days ago [-]
Great catch + novel idea. But how would the tool distinguish between those sharing their legitimate controversial opinions (everyone has a right to free speech, no matter how 'brainwashed') vs. malicious active derailing?
acollins1331 26 days ago [-]
Just knowing that the person is the CTO of adroll is enough. Let them speak their piece but it's basically a "this comment was paid for by" disclaimer.
pvg 26 days ago [-]
It would be against the rules of the site which disallow this kind of insinuation whether it's automated or not.
dredmorbius 26 days ago [-]
Evidence-based demonstration is not insinuation.

How HN decides to address that is a separate matter.

pvg 26 days ago [-]
There is nothing 'evidence based' here. There is nothing wrong with the comment, no evidence it is an attempt to 'discredit valid arguments or derail conversation'. That's just a completely baseless accusation and, again, the site guidelines ask people not to do that. The user's affiliation is listed right in their profile, to boot.

[Edit: mistook you for the original commenter and fixed that up]

TACIXAT 26 days ago [-]
Google's original post is super gross. It dismisses the idea that there could be alternate ways to fund content (i.e. micropayments). I get why they promote "free content" but it is not free at all when you are trading your attention and privacy.

Further, their privacy sandbox sounds like it would just monopolize the advertising space to them. If they don't allow advertisers to collect data, that takes control away from advertisers and centralizes it to their ad market platform.

The post also creates some weird false dichotomy between cookies and fingerprinting. Let's just block both, yea? That's what is best for the user, and probably best for the web in the long term.

We absolutely need a new funding model for the web (to kill ads). The biggest barrier I see are the high transaction fees of digital transactions (30 cents + 2.9%). I don't know if the solution will be Brave, Libra, or something else entirely. Whatever it is, it can't come soon enough.

summerlight 25 days ago [-]
> It dismisses the idea that there could be alternate ways to fund content (i.e. micropayments). I get why they promote "free content" but it is not free at all when you are trading your attention and privacy.

Google have been very concerned about lack of diversity on their profitable business portfolio and this was a seemingly promising idea at the moment, so they actually tried that idea and miserably failed. People don't want to pay a single cent to publishers unless there's a significant value delivered (like music, movie subscriptions) while the majority is okay with using their privacy as currency. If you have a viable proposal on a "micropayment" business, go try and become the next tech giant.

blub 25 days ago [-]
Individual decisions might make sense for individuals, although it's obvious that the level of tracking is now so deep that most people do not understand what is going on and they would be shocked if they knew how they could be taken advantage of.

Collectively it's untenable for a single for-profit entity to hold highly personal information on billions of people from all over the world and have a direct, immediate communication channel open to them. These companies have immense power and they need to be brought under control.

KptMarchewa 25 days ago [-]
They tried:

>For instance, a site like Oxford Reference can charge between 25 to 99 cents for access to a single page of content

I want something entirely different. I want to pay what google makes on me watching ads (or 2x that, I don't care), and distribute that to people creating content I watch without me interfering on that process. Essentially, what happens when I listen to music on Spotify.

AJ007 25 days ago [-]
You need to not only pay Google’s cut, you need to pay what the publisher makes. Then it has to be multiplied to make up for the people who do not opt in to the system. Just a rough guess, you might be looking at several thousand dollars per year per participant depending on what the ad value of the content was.

To make it a mandatory system is a whole other issue.

kerkeslager 25 days ago [-]
Other funding sources fail on the current market because they're competing with content users think is free. But if browser developers remove the option to pay with privacy, that competitor is removed. Google is one of the companies positioned to make that happen.

It's true that people will probably still only pay for things that provide them significant value, but a) low-value content is one of the biggest problems on the internet, so putting those companies out of business is a great result as far as I am concerned, and b) search is obviously high value content, so Google has nothing to worry about.

d1zzy 25 days ago [-]
> Google's original post is super gross. It dismisses the idea that there could be alternate ways to fund content (i.e. micropayments). I get why they promote "free content" but it is not free at all when you are trading your attention and privacy.

That's probably because they actually have tried it: https://contributor.google.com/v/beta

It may seem frustrating for some of us living in nice places, having our own money and access to easily accessible electronic payment systems but for a lot of the world (geographical, age and economic status) that's not available. So while I support being able to have the option to pay to not see ads I also support being able to just see pages (with ads) without having to configure billing, etc. Otherwise a lot of the high value Internet would be only accessible to the group of people I mentioned above and that would be sad (and going against why Internet has penetrated so much of the world).

PS: If you think it's hard to stay anonymous in an Internet of ads, I cannot see how you'd be anonymous in one where you have to configure billing which is traceable (by design) to your physical person.

TACIXAT 25 days ago [-]
The CPM on ads is a good way to look at this. On YouTube you get anywhere from 25 cents CPM to 4 dollars, usually dependent on where your customers are from. Let's put that on the high side since I'm in the US. Would I rather pay 0.4 cents per video view or see ads? You bet I'll choose to pay that instead. Now that covers the creator costs, Google needs to take a portion of that to run their platform, so let's round it up to 1 whole cent per video. I'm still game.

Now, you have to imagine the CPM is directly related to the value of the goods being sold. That scales per country. It's probably not the perfect proxy, but in the same sense that your viewers from other countries pay out different CPMs, they can probably afford different amounts per video.

It isn't about anonymity. It's about abuse of data. I'm not mad that I can't make anonymous phone calls, I'm mad that my phone provider sells my real time location data. I am happy to pay a company that preserves privacy and trust them with my information. This is a bit aside though, because I more or less trust Google with my information, I just don't like ads. It's not about anonymity.

zaarn 25 days ago [-]
You don't pay 0.4 cents to watch a video though, some advertiser pays that to get you to watch the ad. The true value of the video is likely much lower.
pdkl95 25 days ago [-]
> You don't pay 0.4 cents to watch a video though

Sometimes we pay a lot more: https://graphtreon.com/patreon-stats

> The true value of the video is likely much lower.

The true value of the video varies a lot. Some are demonstrably very highly valued: https://graphtreon.com/top-patreon-creators

zaarn 25 days ago [-]
I don't think patreon is a good metric since there a low number of people pay for content early or exlusives, meaning the cost is distributed among less people. A video on youtube will cost less and has less value since it's available to more people.
opportune 25 days ago [-]
If I could load, say, $10 into some Google account and in return that buys me complete exemption from tracking + ads on 10k site visits, I would absolutely do that in a heart beat. I wonder if they have thought about doing that yet
naniwaduni 25 days ago [-]
That's almost what Contributor is, but how could that possibly exempt you from tracking? They'd have to identify you to exempt you from it...
KptMarchewa 25 days ago [-]
On a browser level? Some kind of google extension. Or just build in Chrome.
notyourwork 25 days ago [-]
I’m guessing that is not even close to revenue generated. I was told by a pandora engineer a few years ago if all users paid for premium to drop ads they couldn’t stay afloat. It seems the ad industry is milking businesses and users have no choice in the matter.
rgbrenner 25 days ago [-]
Just because he worked there, doesn't mean he understands the economics of the business.

A premium account is $10/mo.. or $30/quarter. Pandora is part of sirius now.. but spotify has revenue of about 5.50/user/quarter.

Either Pandora is 6x more effective at monetization than Spotify (very unlikely), or that engineer was wrong.

JohnJamesRambo 25 days ago [-]
If this is true why did they constantly inundate you with ads to upgrade to premium? They should have been trying to actively hide the fact they have premium.
CydeWeys 25 days ago [-]
tripzilch 25 days ago [-]
> I also support being able to just see pages (with ads) without having to configure billing, etc. Otherwise a lot of the high value Internet would be only accessible to the group of people I mentioned above and that would be sad

Except that the vast majority of the advertising on the internet supports mainly low-quality junk ... The more ads, the scummier and more worthless the site gets, usually.

There are exceptions, few and far between, like news websites I guess. But most of the ads on the Internet are used to support content that you never asked for, never wanted, never would visit, and still get shoved in your face occasionally.

rasz 24 days ago [-]
>micropayments

Afaik nobody really tried true micropayments yet. Micro actually means 10^-6, so as TACIXAT mentioned below/above it comes down to 0.025-0.4 cent per one piece of something. Meanwhile what we have seen from the industry is $.99 macro payments. Did Google Contributor really charge people ~0.025-0.4 cent per impression?

hedora 25 days ago [-]
Paying Google Contributor wouldn’t stop them from tracking you.

People want to be able to opt out of Google entirely, and that product didn’t do it.

JeremyBanks 23 days ago [-]
The Google Contributor that launched was very neutered from what was originally proposed internally. It wasn't a real effort to solve the problem; it was effectively a deliberate failure they could present to justify the status quo.
JohnFen 25 days ago [-]
> I support being able to have the option to pay to not see ads

I don't care about seeing ads, but I am willing to pay money (and I do, when such an option exists) in exchange for stopping the spying that ads bring.

manigandham 26 days ago [-]
The biggest barrier is that people don't want to pay for content. This has been the subject of endless discussions over decades and just yesterday there was a large HN conversation over too many video subscriptions causing people to turn to piracy again. Not to mention it negatively affects the vast majority of people who can't afford to pay for everything they consume.

It's possible to enable advertising while maintaining privacy and security. What was missing was legal and regulatory forces to push advertisers and adtech into it. Now it's here.

joes223 25 days ago [-]
The biggest barrier is that there is no money in honest business. In other words, people want to pay for useful content (e.g. wikipedia is still up and running), it's just what they want to pay is nowhere near multi-billion-dollar valuation that VCs are used to. Can Google Search, Maps, YouTube, Chrome, Android and so on exist without ads and tracking? Absolutely. It's just this business would become non-profit.
manigandham 25 days ago [-]
I'm not sure what you mean by "honest business" or what any of this has to do with non-profits.

Nothing is free. You either pay with cash that you earn, or you pay with your attention with ads. Option 2 is faster, easier, more passive, more affordable and more equal. That's why billions of people prefer to monetize attention on-demand for their content instead of paying cash upfront.

2019-08-24 25 days ago [-]
He is arguing that Google could make money with cash, only less than what they currently make with ads, because people spend cash cautiously, whereas they spend data wildly.
manigandham 25 days ago [-]
None of that has to do with being non-profit. Google is a trillion dollar company. Yes it can make less profits and still survive.

Whether people would pay enough to get anywhere near the costs however, is probably unlikely given how little they pay for far cheaper content on the internet today. Wikipedia is not comparable since the vast majority is unpaid volunteer work and user-provided content.

joes223 23 days ago [-]
There is nothing more equal in it. It's outright criminal. The today's adtech is when you walk into a grocery store, get stuff for free, while in the meantime the store takes notes what car you drive, who you likely are, packages all this info and sells to whoever pays, including criminals.
d1zzy 25 days ago [-]
I would say it's a combination of:

- convenience: do not underestimate it, lots of supporting evidence that people want maximum convenience. Notice how a small UI change as "one click purchase" increased Amazon sales significantly or why they even make/sell those buttons to put around the house to press and refill periodic stuff

- access: like I was saying in another reply, it's simply the case that in a lot of situations, users (because of age, location and economic status) simply have no good means to pay electronically

- affordability: 10 cent/view pay seem like nothing to us but in many places that can add up to a few USD per month that may be the cost of food of a family for a week. So now you'd have to do geographical location based pricing, dealing with all the crap that comes with it (people using proxies to avoid it, etc)

manigandham 25 days ago [-]
Convenience and access have been tried by several startups (including a project that we did a few years back). It's being attempted yet again by the Brave browser with blockchain tech. With micropayments, there's a big problem with decision fatigue.

Affordability is the largest factor by far though because most people just cant pay for everything they consume for free today. When you look at video content especially, it can easily add up to several dollars per day in spend.

mirimir 25 days ago [-]
> - convenience ...

Just run something like a Radius server, which any website could query, and which could log usage.

> access: ...

Provide a wide variety of payment options. As many VPN services and VPS hosts do.

> - affordability: ...

I don't know specifics, but I can't imagine how users in places so poor generate the same ad income as users in wealthier places. So just adjust cost/view to generate the same income that the current system does.

neilv 25 days ago [-]
> The biggest barrier is that people don't want to pay for content.

Tons of people paid for content before the Web. Newspapers, magazines, books, CDs, DVDs, cable TV, premium channels.

With the Web, dotcoms were focused on IPOs (and so the appearance of possibly being a player in the future), everyone was focused on adoption, there was also a lot of finance opportunism. Then most all of the the business models switched to spying/control, or just more finance scams. For which free content still makes sense.

If you end the spying/control business model, and the current growth-oriented investment schemes, and maybe breakup a few megacorps that never should've been allowed to happen... then maybe we'll get better options for low-friction content payment, and presumably some people will resume paying for content with value.

Also, the US piracy culture needs to stop. One of the reasons that's been hard to argue, starting in the MP3 days, is that some of the most directly affected content organizations (e.g., MPAA, RIAA) had awful reputations. But to the extent that piracy culture affects legitimate economic sustainability for other content (e.g., subreddits that institutionalized pasting news article full text, or rehosting webcomics on imgur), we need to fix the culture, and make it not socially-acceptable.

tsimionescu 25 days ago [-]
> Tons of people paid for content before the Web. Newspapers, magazines, books, CDs, DVDs, cable TV, premium channels.

Sure, but newspapers, magazines, cable TV and premium channels have never really lived off of customer payments, they were always ad-based businesses first (there are exceptions, such as small newspapers and HBO).

neilv 24 days ago [-]
Digital technology changes some of the economics, and perhaps some of the need for advertising revenue. For example, you could sell mostly journalism "content", without the expense of printing and distribution operation.
foobarqwertz 25 days ago [-]
Exactly. There are tons of good old paper magazines just created cause the target audience, thus ad targeting, is relatively easy to predict.
KptMarchewa 25 days ago [-]
Yet services like Netflix and Spotify thrive. Why? Because they are 1) easier to use than piracy "competitors" 2) they offer a fair deal without seemingly fleecing you, like paying for individual articles.
manigandham 25 days ago [-]
In my comment, I described how piracy is coming back because of too many subscription services. It certainly isn't as simple as just being easier to use, and there are issues with what people will pay for regardless of billing model.

Spotify is barely thriving and took 13 years to make its first profit. It's precariously balanced with constant problems in artist payouts and catalogs. Netflix managed to grow by getting into the content production business but is seeing challenges there as costs rise.

And both Netflix and Spotify distribute content that can be consumed multiple times. How many times are you going to read the same article? If the answer was as simple as an HN comment, the industry would've figured it out by now.

TACIXAT 25 days ago [-]
Users don't want to pay a 5$ / month subscription for content. I know I don't. Would they be willing to pay cents or even fractions of a cent for content? I'd like to see a study on that. We need the infrastructure to support that model though, which I think doesn't fully exist yet.
colordrops 25 days ago [-]
Most content is either just plain bad or manipulative. We should welcome the death of most content. Content makers that do it for the love of it rather than the monetary reward typically make much better content.
Terretta 25 days ago [-]
> people don’t want to pay for content

Most “content” isn’t worth paying for. Google’s phrasing about publishers not being able to pay to generate content made me think, “Yay, no content mills!”

Separately, people with something to say like to reach audiences. In the distant past, it was called “pamphleteering”.

https://en.m.wikipedia.org/wiki/Pamphleteer

There was a web before banner ads. The content came from somewhere...

manigandham 25 days ago [-]
There was advertising before banner ads too, so is your issue about ads on the internet?

That was a tiny web that barely anyone used and even less created for. It's really not the same. Also you don't have the same needs and wants as the billions of other people who spend time online to make a judgement that most content isn't worth paying for.

Terretta 25 days ago [-]
> There was advertising before banner ads too, so is your issue about ads on the internet?

This thread is about your grandparent comment, ”The biggest barrier is that people don’t want to pay for content.”

Billions of people are the market, your remark opens with the judgment that people don’t want to pay for content. In other words, the market has judged most content isn’t worth paying for.

> That was a tiny web that barely anyone used and even less created for. It's really not the same.

On the contrary, today, certainly a higher number have their words preserved online, as persistent conversations such as this one or perhaps Likes on Instagram. But a far lower percentage of those who are online today “have a home page” for example.

In the mid to late 90s a higher proportion of “web pages” were meaningful, and a much higher percentage of users were also publishers of their own web sites.

Amateur web sites unofficially organized around topics of interest were a thing:

https://en.m.wikipedia.org/wiki/Webring

That content is still getting created, and still getting self-published, it’s just much harder to find.

Self-published home pages like this are still cool:

https://www.gwern.net/

This one uses a kind of ethical advertising:

https://slatestarcodex.com/about/

Note the author invites patronage but says don’t worry about it: ”I have a day job and SSC gets free hosting, so don't feel pressured to contribute. But extra cash helps pay for contest prizes, meetup expenses, and me spending extra time blogging instead of working.” People with things to say will say them.

While it’s still being experimented with, it seems that quality content is worth paying for, even worth patronage:

https://patrons.theguardian.com/

This goes into more detail about content mill versus patronage model for higher value content:

https://www.huffpost.com/entry/its-time-to-democratize-p_b_4...

// Irony of HuffPo well noted.

manigandham 25 days ago [-]
Not worth paying for directly does not mean worthless. Nothing is free. Let me summarize is this way.

- Option 1 is to work, turn effort into cash, then spend that cash on the internet.

- Option 2 is to just go to the internet and view ads which turn your attention into cash behind the scenes in real-time.

You're still paying but advertising is a much more seamless, passive, and equally available system, and can quickly scale on-demand. So to rephrase the argument, people want the content, and they pay for it, but they mostly don't choose option 1.

Terretta 25 days ago [-]
Neither of those are the option I described.
manigandham 25 days ago [-]
For paid content, it's either cash or attention-via-ads.

Yes there's a tiny bit that's provided for free by creators who pay for it themselves, but it's so miniscule that it doesn't matter.

Terretta 24 days ago [-]
How much do you pay to read Wikipedia?

How much for Arxiv with ”open access to 1,580,815 e-prints in the fields of physics, mathematics, computer science, quantitative biology, quantitative finance, statistics, electrical engineering and systems science, and economics”?

For huge amounts of valuable content — ideas and knowledge some people want to share and some people want to absorb — self-publishing, patronage, and private or public funding work, at scale. The “amateur web” is still here, it only seems “miniscule” thanks to being buried under the content mills trying to generate placeholder pages for ads.

The web wasn’t born as either subscriptions (pay with cash) or ads (pay with attention), it was a knowledge linking and sharing platform.

Huge amounts of content continue to be produced other ways. There are more options (https://en.m.wikipedia.org/wiki/False_dilemma).

> ”Since its creation in 2001, Wikipedia has grown rapidly into one of the largest reference websites, attracting 374 million unique visitors monthly as of September 2015. There are about 72,000 active contributors working on more than 48,000,000 articles in 302 languages. As of today, there are 5,913,176 articles in English. Every day, hundreds of thousands of visitors from around the world collectively make tens of thousands of edits and create thousands of new articles.”https://en.m.wikipedia.org/wiki/Wikipedia:About

That’s not so minuscule it doesn’t matter.

manigandham 24 days ago [-]
You're conflating several things.

There's content and distribution. Sometimes content is freely generated by users (wikipedia, stackoverflow, quora, HN, social media) but distribution costs money. These costs (content + distribution) are paid for by cash (including patronage/donations) or ads. That's it. There's no magical 3rd option.

The amount of content that's both created and distributed for free is miniscule and you haven't quoted a single example yet. Billions of consumers are not going to be satisfied with a bunch of people hosting their own blogs from their home.

Terretta 24 days ago [-]
On the contrary, you’re now trying to ‘conflate’ the pay-to-publish model into the two you argued meant that model didn't exist.

You weren’t talking about paying cash for publishing/distribution, because both your two options, paid subscription and free ad-supported, you were talking how the consumer pays and also cost money to publish, cancelling that dimension out.

In the pay-to-publish model, someone is deciding it’s worth their own pocket money (or patronage or sponsorship by powers that be) to publish. That makes it free to consume.

We were talking about the perspective of the content consumer, and for them, the pay-to-publish model is free. They are neither paying for the content, nor are they paying with their attention. Some entirely different actor not discussed in your models, is covering it.

That content, content creators support publishing, tends to be different in nature — someone is willing to spend “their own” money to share the ideas in it freely.

Pamphleteers paid the printing presses by cash too, that’s how they didn’t have to sell ads and how they didn’t have to charge a ha’penny a sheet.

> “Content both created and distributed for free is miniscule and you haven’t quoted a single example yet”

You’re both non-responsive to examples with factual data to back them up, and moving the goalposts. To be clear, I’m agreeing there is too much no-value content getting churned out as filler to advertise against. So much volume, so much noise, the valuable content is buried.

Perhaps we agree there’s too much ad-hosting filler content, and not enough inherent value content.

To keep saying “minuscule” perhaps you use a very different internet. Where are the ads on this site? Are you paying for it? No, someone has an interest in this site and its content being available to a special interest audience. It costs almost nothing to host contentful content of mostly plain text conveying information rather than eye candy to drive clicks. With light design but info rich text content, it’s easy for the ROI to work. Companies know this and publish for free without ads.

If you add “corporate” publishing into the mix, all the company product sites and blogs, combining company sites, academic sites, non-profit/public-good sites, government sites, WordPress home pages of everyone homesteading on the web, etc., it’s not minuscule.

But here’s some hard data from 2018:

“Ad-supported media’s share of consumer time will drop to 42.5 percent by 2021. This past year [2017], the number fell to 44.4 percent, its lowest point ever, per the research.”https://www.pqmedia.com/product/global-consumer-media-usage-...

Ad-supported is less than half of media time and trending down.

In the beginning, profiting off web content was illegal. Is it impossible to imagine course-correcting this race to the bottom?

- - - - - -

PS. I can’t help but notice the incredibly high not at all minuscule percentage of content linked to from HN that is neither subscription based nor ad-supported, but paid for by its author, some even calling out that they’re free, such as this one from the thread on standing out as a speaker:

What does this cost?

Make your checks payable to a shell corporation I have in the Caymans. Just kidding; it's all free. I hope you enjoy it. Also, if I ever see one of your talks, it better be damn good.

I'll add to this site over time. You might be interested in watching the newest posts page.

https://speaking.io/

Once again, content published to us for free is ironically the very content worth paying for.

manigandham 24 days ago [-]
Content production and distribution are the 2 main costs, paid by cash (subs/donations) or ads (which is just a secondary market for attention-to-cash conversion). That's all there is.

I'm not sure what you're even arguing now. You seem to be saying that some sites exist where the creator pays both costs instead of the consumer but I don't see what point that makes. Like I said, that particular scenario is an absolutely tiny portion of the content available.

Is your argument that only content that's completely paid for by the creator is good? That makes no sense.

tzs 25 days ago [-]
Another barrier to models where users pay directly is taxes.

If you come to my site, and I take money from an advertiser to show you an ad, I simply add that money into the income for my business on my Federal and state tax filings.

If you come to my site, and pay me to view my content, then in addition to dealing with that money as income, I also have to worry about whether I owe sales tax to your state or VAT to your country.

Worse, in many states that tax rate depends on your address, so I'll need to get that from you.

To make micropayments work for web content, someone is going to have to offer a service that integrates the micropayment system with a sales tax/VAT collecting and reporting system. You probably have to set it up so it is actually that service that is selling the content to the end users, so that the sites themselves do not have to deal with the states at all. That may require the service to act as some sort of portal that the users go through to reach the sites.

alkonaut 25 days ago [-]
I don’t think micropayments will come any time soon. I hope dumb non-tracking ads will make a comeback meanwhile.

If it becomes harder and harder to push invasive ad me then more money will end up in dumb ads instead.

btilly 25 days ago [-]
Non-tracking ads are not necessarily dumb.

The NY Times solution, for example, is to target ads based on relevance to content on the page being delivered. No tracking required, but its relevance to the page can sometimes be more effective than tracking ads.

Conversely tracking ads are not necessarily smart.

Go shopping for a fridge, then buy one. You'll have fridge ads following you around even though you're not in the market for a fridge any more.

jeff_tyrrill 25 days ago [-]
> Go shopping for a fridge, then buy one. You'll have fridge ads following you around even though you're not in the market for a fridge any more.

This persistent meme commits the fallacy of believing that every person follows the precise same fact pattern as yourself: Buying a fridge on some predictable, perfectly recurring and invariant schedule.

In fact, it is probably far more likely that a person who just bought a fridge will be favorably economically incentivized by an ad for a fridge than a randomly selected person.

For one thing, we know that this is a person who will ever influence a decision to buy a fridge (because they in fact did buy a fridge). Many people will never select a fridge in their life (for reasons that include renting a home, moving into a home which already has a fridge, replacing a non-working fridge with whatever a repairperson selects and is thus not influenced by an ad, is not the person in their family who selects a fridge, etc.)

A person who just bought a fridge is more likely to return that fridge and buy another than a randomly selected person is likely to buy a fridge in the same time period.

A person who just bought a fridge is more likely to be a decision-maker in selecting another fridge in the near-term than a randomly selected person (for reasons that include: buying another fridge for their garage, buying one for their business, recommending one to their contacts).

Buying a fridge is a rare event that probably absolutely correlates positively to buying another fridge.

naasking 25 days ago [-]
I don't know anyone who has ever returned a fridge. I know plenty of people who have bought one though. Can't say I find your argument all that convincing as a result.

A more effective ad targeting model would advertise fridges to the friends of someone who recently bought a fridge though, due to a) keeping up with the Jones' effect, and b) friends are likely at similar life stages, ie. getting married, buying a home, etc.

mcv 23 days ago [-]
While this is true, it's more likely that the fridge buyer is also interested in an oven and some other kitchen appliances, or even a complete kitchen.

The fridge ads are mostly interesting for someone who has searched for a fridge (either on Google or on the fridge seller's website) but hasn't bought one yet.

AJ007 25 days ago [-]
Google’s publisher network used to be, as best as I could tell, entirely contextual to page content. I used to see CPMs anywhere from $5 - $1000 depending on the content.
danek 25 days ago [-]
This happens to me all the time. A few weeks ago I registered for a half marathon and I’m still seeing targeted ads for it. As if I would somehow be able to run it twice lol..
lancesells 26 days ago [-]
I don't see ads being replaced or killed anytime soon. I think regulation and laws are needed where if I'm not using a Google or Facebook product they aren't building and tracking my profile everywhere I go both online and offline.

I mean these are massive spyware businesses and they should be called out as such.

tsimionescu 25 days ago [-]
Unfortunately, historical data suggests that ads are the only viable way to run a highly-profitable content delivery business. Look at newspapers and television - major, profitable ones have always been ad-driven,and that is despite the fact that they also had a physical cost.

Newspapers especially fit your model of micro-payments: each newspaper is usually a minuscule amount of money, but that is never enough to sustain it.

There is also the problem of incentives - even if your customers are paying to access the content, if you can then ALSO mix ads with the content, you are guaranteed more money, so businesses will usually be inclined to do so.

jazzyjackson 25 days ago [-]
Newspapers were not journalists who wanted to place ads to pay for their salaries, they were admen who hired writers journalists to get people to pick up their advertisements.

Similarly, the free web is mostly content produced by people with little interest in getting paid (see livejournal, tumblr, blogger, pre-monetized everything: youtube, tiktok) and the providers are not simply trying to cover costs, they are trying to become billion dollar platforms.

All I'm trying to say is there's a vibrant internet to be had without prioritizing profitability and allowing ourselves to be subject to surveillance.

tsimionescu 25 days ago [-]
I absolutely agree! I was just trying to point out that there was never any ad-free past at have strayed from.

Perhaps though there is an ad-free future at could strive towards. I doubt it will happen within the current capitalist framework.

justapassenger 25 days ago [-]
> It dismisses the idea that there could be alternate ways to fund content (i.e. micropayments)

Because it's not valid alternative. It may work some edge-cases, but there's 0 evidence that it could support economy at the same scale as ads.

> We absolutely need a new funding model for the web (to kill ads).

We need to rework how ads work, but killing ads is very naive approach. Ads are core part to how world economy operates (and always have been). Calling for killing advertising is only hurting the case - it makes it easy to dismiss, as some crazy hippie talk.

_vertigo 25 days ago [-]
I don't want to see ads. Given the alternative between having ads everywhere and paying a fraction of a cent to see content, I would choose the latter. Ads are annoying enough to me that I would absolutely pay a fraction of a cent to not view the ad.

I know there are probably a lot of people who would rather be advertised to than pay any non-zero amount to view content. Those people should be able to pay with their attention.

Maybe we don't need to kill ads, but having the choice to pay with money would definitely be welcome to people like me.

tripzilch 25 days ago [-]
> Ads are core part to how world economy operates (and always have been).

I don't think it's at all reasonable to compare the way ads used to be (inert) to the tracking/privacy/malware nightmare that online advertising has become.

Just because we've always had some (comparatively mild) forms of advertisement doesn't mean we should put up with this blight.

tannhaeuser 25 days ago [-]
We don't need to ban ads. Doing so would be unrealistic. What we need is to ban tracking (through cookies and fingerprinting), and return to content-based advertising. This not only gets rid of privacy invasion and surveillance, but also of monopolization of the web, as ad money goes to many sites and their content creators.
ngold 25 days ago [-]
The first ad company that brings ads in house to the website they are serving will be the Google killer. It is an ad company that has no people behind it, paying content creator's pennies on the dollar, with no customer support on any end. Google should be employing big blue numbers in just customer support. But they don't have to since we have all been hoodwinked into it's monopoly.

And I'm a fan.

INTPenis 26 days ago [-]
You mentioning micropayments made me think, I would probably pay more than 100 EUR/year for using a Google without ads and tracking (except what I opt-in to).

I mean seriously I would probably pay more.

I hope regulations from governments help bring google down in size instead of breaking it up for a monopoly. IT has been extremely lucrative.

TACIXAT 25 days ago [-]
Yea, I would probably pay on that order of magnitude (hundreds) to get all my internet content per year from trustworthy sources. News articles, videos, community sites (HN, reddit), email (with strong blocking to not waste money), chat apps. I wish I could pay them all some fraction of a cent per page load. I'm sure it would add up to be viable.
jsgo 26 days ago [-]
Somewhere along the way, ad networks got incredibly greedy (I know, gasp).

I remember when I was much younger, there were banner ads on a bunch of pages (and pop-ups/pop-unders of varying levels of frustration). The banner ads were fine even when we were rocking 56k internet: not beloved by any stretch, but typically reasonably okay.

I have previously toyed with ad blockers, but at a certain point stopped, figured I'd play nice or whatever. Then there were sites that over time legitimately ate into computer resources to the point they were eating way more energy than reasonable (I can't remember which one, but there was one that if I left the site open long enough, it'd crash all open tabs). At that stage, I went back to ad blockers. I really wish it didn't come to it, but man, that whole "give somebody an inch and they'll take a mile" is in full display online now.

abdullahkhalids 26 days ago [-]
The energy usage and slow down of your computer are relatively minor concerns when it comes to ads. The real problem is that ads use every dark pattern in the book to influence your beliefs and decisions, effectively taking over your very valuable brain cycles.

I think as this conversation evolves, we will find that there is an additional human right, the right for others to not use undue force to influence your mind. This whole battle is ultimately one to secure this right.

m3rc 25 days ago [-]
Energy usage may be not that high, but data usage, especially on mobile devices, is very high.

Even on my home network something insane like 30% of packets sent and received are ad or tracking related, which I know because they all get blocked by the PiHole sitting next to the router.

Choosing to block ads literally makes my browsing go faster, and keeps my data limits from being blown out. AND it prevents fingerprinting of my habits? It's a complete no-brainer.

dingo_bat 23 days ago [-]
Note that data usage on mobiles directly corresponds with energy usage.
erikpukinskis 25 days ago [-]
Huh? Why would I give an hour of battery life away for no benefit?

Battery life is a huge concern. Also page load speed. I am having a hard time processing your comment: I should slow down my computer and decrease the battery life because why? Other people can’t be arsed to care if their ads screw up my experience?

wasdfff 25 days ago [-]
Across the world ads waste a great deal of energy. They are pollution, like mining bitcoin.
JohnJamesRambo 25 days ago [-]
It’s odd you hate ads taking your privacy but don’t mind your bank and government doing so with your money.
abdullahkhalids 25 days ago [-]
Privacy is a human right. Not having to pay various institutions in society for services they provide is not a human right.
25 days ago [-]
desc 25 days ago [-]
Advertising generally: I guess it's necessary.

Personalised ads, tracking, etc: Criminalise it. By which I mean, after a cooling-off period, jail people still pushing it.

reaperducer 26 days ago [-]
I think "Punch the monkey" was the tipping point.
dredmorbius 26 days ago [-]
For the curious: "punch the monkey" online scam explanation:

http://www.mikeonads.com/2007/03/01/punch-the-monkey/

skybrian 26 days ago [-]
This new initiative seems to be about some changes to Chrome that were overlooked due to hazy justifications that seem to have distracted everyone. I'm guessing the justifications are especially unclear because Google doesn't want to upset advertisers. But how about we look at the technical changes they're announcing, rather than how they justify them?

- Forcing websites to explicitly mark cross-site cookies, or they get blocked for cross-site usage. They also seem to be hinting at adding better ways to clear cookies in Chrome. [1] [2]

- Further attempts to block fingerprinting. (Vague, seems hard?)

These seem like... good things? The SameSite initiative makes CSRF attacks harder. Maybe not big news or as strong as you'd like, but in the right direction?

[1] https://web.dev/samesite-cookies-explained/ [2] https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-s...

0xffff2 25 days ago [-]
>Forcing websites to explicitly mark cross-site cookies, or they get blocked for cross-site usage.

Why does anyone even allow third-party cookies anymore? I've had them disabled for years at this point, and I can count on one hand the number of times it's been noticeable, and I think there was only a single time I actually found it worthwhile to enable third party cookies to access the site.

mormegil 24 days ago [-]
Just a piece of anecdata: a (large) bank we work for struggles with this all the time. Because of historical/branding reasons, they use several different domains. The services used to be quite independent, so everything used to work fine. Because of PSD2 APIs and other developments, they moved on to a central (SSO) authentication page, used from all services on various domains (needing the common authentication cookie). Since then, we fight with the various privacy protections, people blocking third-party cookies, etc. (I'm not saying it's technically impossible to solve, or even saying it's wrong to block third-party cookies. Just... we'll have a lot of work to do, as everyone moves in that direction.)
doe88 26 days ago [-]
Funny how Google paints itself as the somewhat Justice Scalia of web privacy using originalist arguments to make its point. Personally I never been impressed by these constructions and in this case to the extent that it would be rightly interpreted I would be more a living web privacy kind of person anyway. I ultimately think in the web as in the constitution it is disingenuous to think framers would have envisioned at its conception all use cases and especially all potential abuses.
diegof79 25 days ago [-]
I felt a dejavú while reading Google statements. It remind me a time when Microsoft published statements about how harmful was OSS for software innovation.
zygimantasdev 25 days ago [-]
That sounds like an interesting read - could you provide a link?
insulanus 25 days ago [-]
schlipity 26 days ago [-]
Has anyone ever considered just giving 3rd party javascript less access to things? That may fix the fingerprinting problem too.

I do have some appreciation for how badly it would break a lot of the web applications though, but it seems like it might work.

cameronbrown 26 days ago [-]
It'd be really easy to circumvent. Proxying Google Analytics through your own origin would become standard practice.
tinus_hn 25 days ago [-]
Then it wouldn’t be able to be used to track you across the web.
cameronbrown 25 days ago [-]
Until all your data ends up being re-associated with you in some way across multiple websites. Nothing stopping these sites from sharing data if it ends up mutually beneficial.
yjftsjthsd-h 25 days ago [-]
Intentionally sharing data that identifies users would hit GDPR pretty quickly, no?
cameronbrown 24 days ago [-]
Yep, but it's completely invisible to users so that could be tough to prove without a data breach. And there's massive profit motive to get away with this. Right now Google still keeps these websites in check with regards to Analytics/Ads data usage, remove the middleman and things are going to get much worse.

GDPR only safeguards your data from the honest. What we need is a technological solution.

joes223 25 days ago [-]
It wouldn't because that's a drastically more complex solution.
gberger 25 days ago [-]
If you already have a web server serving your content, setting up a proxy to GA is trivial.
joes223 23 days ago [-]
Let's put it another way: 95% of webdevs can drop a code snippet with GA on their page, while only hm.. 5% can set up that GA proxy.
bhauer 26 days ago [-]
Anyone using NoScript or similar is, in a fashion, doing that. I can confirm that it's generally more pleasant dealing with the web when a lot of third-party script is being blocked.
the8472 26 days ago [-]
Iframes already provide that capability for web authors. Their sandbox and csp attributes allow you to enforce quite a lot of things.

Users or extension authors can't do much other than blocking those scripts or restricting what the whole page can do because it's difficult to attribute actions to a specific script.

ddiss 25 days ago [-]
The trend of shipping apps that run their own localhost server, coupled with javascript, is particularly worrisome for privacy. E.g. https://ddiss.github.io/is-netflix-running/ .
JohnFen 25 days ago [-]
That would be nice. In my opinion (since I already don't allow JS to run in my browser), it would be even nicer if browsers stopped giving webservers any information about my machine, operating system, or the browser.
erikpukinskis 25 days ago [-]
I have PolicyControl installed in Chrome and by default I block most 3rd party content.

When things don’t work I either disable it for the site or click away. Sometimes I fiddle with it out of curiosity to see what the site relies on.

As a side effect it gives me a sense of what sites are professionally built and which are not.

deburo 26 days ago [-]
Javascript coming from a different origin? What about CDNs in that case?
Crosseye_Jack 26 days ago [-]
If you have something like CloudFront in front of your site you can actually make a subdirectory be served from a different origin. To the browser they actually come from the same "place", its just AWS is sitting in the middle. I'm sure its the same with Fastly (Don't use that feature as their shared ssl offering is like and extra $100 p/m) and with cloudflare.

EDIT: What I mean is example.com/api/hello could hit your back end, but example.com/js/script.js hits S3 (or another static hosting service) instead of hitting your real origin.

So even though to the browser it would appear that /js/script.js is coming from example.com it could actually be coming from anywhere else.

BUT the cookie origin would take over. So if script.js was a tracker. the cookie it set on the browser would be example.com and not "AnotherSite.com" which had the same tracking script. But if the script can make the same fingerprint from both domains then that's not so much of and issue. But thats going back to other methods of fingerprinting.

necovek 25 days ago [-]
Don't get me wrong, but this way of serving content has been common since, well, apache 1.2 days and mod_proxy ReverseProxy: CDNs did not bring anything new in that respect.

Basically, you are confusing some terminology and not really making any point: in your example, there is only one origin, that of example.com. Yes, servers can forward any data they wish to other web sites (like AnotherSite.com).

What is the point?

KptMarchewa 25 days ago [-]
You're using external service.
necovek 24 days ago [-]
Sure, and a service that is able to scale much better, has a fatter pipe, allows configuration through a web UI...

But in this context, how does this matter? "Origin" is a client/browser side concept, and however you serve your website internally, it appears as one web site. Basically, I replied to a comment bringing CDNs into discussion where they are totally irrelevant.

Origin checks can't protect you against servers forwarding your data to a privacy-invading site (eg Google), and a server can do that simply by being a reverse proxy to another site.

jedberg 26 days ago [-]
How do we reconcile wanting to block fingerprinting so we can't be tracked, with the fact that almost every modern front end uses fingerprinting for things like figuring out the canvas size for responsive designs? I definitely don't want to be tracked, but I'd like responsive designs to keep working.
syrrim 26 days ago [-]
Fingerprinting requires sending information back to the mothership. If we got javascript that was sandboxed from making web requests, then it could have access to whatever private data it wanted without entailing a privacy risk.
jgraham 26 days ago [-]
The web has so many vectors for exfiltrating data that it seems hard to come up with a js sandbox that is both useful and cannot leak data. Any DOM write access whatsoever allows you to do things like update link targets to include the private data or manipulate the DOM in ways that can be read by unsandboxed script. Even wothout considering timing attacks I'm unconvinced that there's a way forward that involves trying to separate js with permission to read system state from the network.
purple_ducks 26 days ago [-]
If these things were declared in just css and not JS accessible, things would be better, as they were before.

JS has got too much access to too much information.

All styling declared and don't let JS interrogate style info from the DOM

nitwit005 25 days ago [-]
It's unlikely that anyone would try to prevent leaking something like browser window sizing, as there are so many ways to infer it. You can likely figure out window size even with static content by embedding some image pixels and examining the timing of get requests for them.
JohnFen 25 days ago [-]
> for things like figuring out the canvas size for responsive designs?

Since sites that use responsive designs are a constant pain in my side, if they stopped working then I'd personally be a little happier with the web.

masto 25 days ago [-]
If you read the Google thing, there’s a proposal for doing exactly that with a privacy budget. The browser would allow access to information until it becomes too specific to a user and then cut it off.
zaroth 25 days ago [-]
It’s not a perfect solution, but a less granular (avoiding the pun) return value could make the API less useful for fingerprinting but still useful for responsive design layout.
erikpukinskis 25 days ago [-]
There’s no reason to use JavaScript for responsive designs. Devs that do it are lazy and sites that do it I’m happy to click away from.
doctorpangloss 26 days ago [-]
Reader mode.
jedberg 26 days ago [-]
That's great for the 1% of people who know how to use that, but what about for the general public. When I make a website I'd like the responsive parts to keep working.
dredmorbius 26 days ago [-]
Reader mode by default.
ninkendo 25 days ago [-]
I really hope this never happens.

Why? Because I have reader mode turned on by default and haven’t looked back since over a year ago, and I can’t imagine the web without it any more. It’s the only thing that makes the web tolerable, no matter how many ad blockers I install.

If everyone else used it too, websites would become wise and start blocking it somehow.

Oh, wait, I mean, reader mode is terrible and nobody should use it!

dredmorbius 25 days ago [-]
What browser, and how?
ninkendo 18 days ago [-]
Safari on Mac (and iOS), In the Safari settings under Websites, Reader, you can set "Other Websites" to "On", and it's on by default except websites you turn off (which you can do from the reader button on the left part of the address bar.)
jakeogh 26 days ago [-]
You really only need some small JS fragments. Whitelist the hashes (heck bundle them with the browser), run nothing else. The JS does not need to know the canvis size, the browser (the user) can decide. Executing arb programs is poor design.
Schnitz 26 days ago [-]
Switched back to firefox on Mac, Windows and Android a few weeks ago and never looked back. Only using chrome for work.
bgdnyxbjx 26 days ago [-]
On top of the generally absurd claims made in the official Google post, that writing was just terrible. Comma splices all over the place, sentences starting with So and But, very strange tone and wording in some things. Did anyone edit this?

Oh and I love the “thank you in advance for your help” lol what?

thetinguy 25 days ago [-]
Starting a sentence with conjunction is not grammatically incorrect. https://www.merriam-webster.com/words-at-play/words-to-not-b...
bgdnyxbjx 25 days ago [-]
So you are saying that this was a totally fine way to write? But it sounds very awkward and sloppy to me. Maybe, it’s just me.
nvrspyx 25 days ago [-]
I mean, you just used both of the ones that you mentioned in this comment alone, unless that was intentional. I think it sounds fine, so long as the writing is not intended to be super formal.
25 days ago [-]
standyro 25 days ago [-]
This letter lost me really early on:

>> "There is little trustworthy evidence on the comparative value of tracking-based advertising."

This is flat out wrong. Google and Facebook have proven that there are BILLIONS of dollars on the table for the value of "tracking-based advertising"

As an engineer who used to work in ad-tech, making appeals to reason to these companies won't help. There's a lot of money flowing in this sector, and unless large internet companies see the value in changing their ad-based business models, the only thing that will dissuade them are shifts in public opinion, laws, and policy.

Or a rearchitecture of the web, which I'm all for :)

kodablah 25 days ago [-]
> This is flat out wrong

Only if you assume value == money. The question is not whether advertisers will pay extra for tracking-based advertising (your definition of "value"), the question is whether they are getting what they're paying extra for (what others are considering "value"). That someone pays for extra for something doesn't not necessarily mean it's worth it.

amazingman 25 days ago [-]
While I agree with you philosophically, you are using a different definition of “value” than the parent, i.e. you are talking past the point of the parent comment.
necovek 25 days ago [-]
You missed the argument: are there billions of dollars more over non-privacy-invading advertising?

That's what we need data for before trusting any hand-waving argument.

Google are in an ideal position to test this and publish results on (eg. A/B testing on ad selection method). Not that we'd really trust them completely, but at least we'd have something to go off. :)

inapis 25 days ago [-]
There are studies which say targeted advertising is just 4% more effective than non-privacy-invading advertising.[1]

[1] https://techcrunch.com/2019/05/31/targeted-ads-offer-little-...

abtinf 24 days ago [-]
4% sounds like it could be many billions.
jpadkins 23 days ago [-]
how do you measure the effectiveness without tracking and measurement?
prepend 25 days ago [-]
No value to users.

I don’t get value out of tracking-based advertising. The best ads are still search-term based where ads help me find.

There’s no to little evidence that tracking based ads benefit the user. (although it’s clear that it makes tons for advertisers)

harry8 25 days ago [-]
> (although it’s clear that it makes tons for advertisers)

Is it? Please link! Thanks.

prepend 25 days ago [-]
I feel so bad for the author of this post. I would love to bump into and chat with the author 10 years from now at some conference and learn about the arguments that went into why this was written.

I wonder if the director of chrome engineering has drunk the koolaid enough to believe this? Or whether they feel really bad about carrying water to pay the bills.

hartator 26 days ago [-]
To be fair, most of the reasons for trackers is to fight ad fraud. Most of traffic on ads are just bots.
TeMPOraL 26 days ago [-]
So liars are in a constant fight with fraudsters. It doesn't justify having regular people's privacy be collateral damage.
zacksinclair 26 days ago [-]
The vast majority of tracking is about behavioral ad targeting.
jakeogh 26 days ago [-]
And behavioral modification by selectively lying to the user.
JohnFen 25 days ago [-]
That isn't a good justification for trackers. I should not have to be subjected to spying in order to help an industry deal with their own problem.
choppaface 25 days ago [-]
What if Google is so entrenched in this position because they see a ton of evidence? What if Google is “right”?

I tried out Google’s non-personalized ads for a while, and wow the ads were bad, especially on YouTube. Not like irrelevant but downright obnoxious. But wait, we’ve seen this before!

A couple years ago, Google noticed that ads were starting to get downright atrocious and started fighting them. One relevant blog post: https://blog.google/technology/ads/building-better-web-every...

Why Google oh why are ads so bad? Because advertisers got more evil? Yes and no. Google got more evil advertisers as all the good ad money went to Facebook’s properties.

2012 https://www.emarketer.com/newsroom/index.php/google-edges-cl...

2019 https://www.emarketer.com/chart/217028/facebook-vs-google-sh...

Google’s recent blogpost is frustratingly “right”: given the opportunity cost of bad ads, an average user is better off opting in to higher-quality tracking-targeted ads. BUT! That is only because Google the ad company lost the good content. And sadly, Google the software company owns the browser, so they have to make do in a Google world.

This isn’t even an issue about privacy. It’s about a company overtly misrepresenting the interests of its users in bad faith. No different than Uber tacking on the $1 “safe rides” fee as a pure margin generator rather than as protection for riders.

burnaway 25 days ago [-]
You need to consider some users A) don't want to see ads at all (exhibit A: lot of posters in this thread) B) rather see "dumb" ads than personalized one if it comes through individual level tracking and profiling (that's me). From this perspective no amount of evidence can convince me they are "right" and I have no wish to contribute in any way to "betterment of ad quality" for the price it is proposed. This is comment is no reflection on the rest of your argument btw, just addressing the premise.
feanaro 25 days ago [-]
> You need to consider some users A) don't want to see ads at all

Exactly. I'm really stupefied with arguments that I'm "better off" by opting for tracking ads. Why am I better off? What good does it do to me? It almost seems like these arguments are coming from some other world which I am not living in.

Ambele 22 days ago [-]
I think some ads are good. Specifically the kind that informs you of something new. Sometimes when I see an ad with a trailer for a new movie in theaters, I'm appreciative that I learned a movie that I wouldn't have otherwise known about.
musicale 25 days ago [-]
> We find this passage from Shoshana Zuboff’s The Age of Surveillance Capitalism to be apt: “Demanding privacy from surveillance capitalists or lobbying for an end to commercial surveillance on the internet is like asking old Henry Ford to make each Model T by hand. It’s like asking a giraffe to shorten its neck, or a cow to give up chewing. These demands are existential threats that violate the basic mechanisms of the entity’s survival.”

This quote is hilarious, but if, as the article suggests, privacy-invading, tracking-based ads aren't much better than content and region-based ads, presumably advertising companies like Google could abandon it and still provide similar value to their customers.

It might even save time, resources, and money since they wouldn't need to put as much effort into tracking.

gnode 26 days ago [-]
> the pickpocketers will just switch to muggings. That would be even worse. Surely you don’t want that, do you?

A contrast with law enforcement, is that the abusers are not punished and deterred, but instead encouraged to escalate the potency of their behaviour. Anti-tracking technology is preventing pick-pocketing by expecting people to ride in armoured cars. This should be part of the solution, but we also need deterrence.

Laws like the GDPR should in theory help, but sadly enforcement with regard to tracking consent has been lacklustre, and consequently and predictably the law is widely flaunted. This makes the mitigating technical measures all the more necessary, yet they are not a panacea.

joes223 25 days ago [-]
I think the today's adtech is more like video cams installed in everyone's house and squads of criminals that do targeted raids based on information obtained from those video cams. First people figured that such cameras exist. Then they started installing steel doors. Now they're removing those cameras.
anticristi 25 days ago [-]
Can someone explain me if this isn't (technically speaking) and uphill battle? Let's say all browsers implement first-party isolation and anti-fingerprinting, won't tracking simply move server-side?

"Hey AdTech Network. Here is the server from Free Newspaper. Can you send me an add for Free Newspaper user X at IP Y?" "Hey Free Newspaper. Oh, that guy? I just saw him buying a flight ticket at Flight Aggregator. He is definitely Flight Aggregator user Z. Here is a targeted ad."

cameronbrown 25 days ago [-]
It's totally possible and why IP addresses are PII. If you've got enough websites working together it's probably possible to reconstruct their browsing history, and I would guess even more accurately than with client-side tracking (where blocking cookies and adblockers at least give you some control).
anticristi 25 days ago [-]
So then why are people so annoyed about Google not implementing anti-tracking technology, instead of being annoyed at legislators not regulating tracking à la GDPR?
cameronbrown 24 days ago [-]
I don't know. But it seems to me there's a lot of misdirected anger in the air. Trump is investigating FAANG yet nobody is willing to give him the benefit of the doubt there. If everyone was screaming at government then maybe something would change.
25 days ago [-]
25 days ago [-]
26 days ago [-]
JMTQp8lwXL 25 days ago [-]
Is there someway it'd be possible to develop a browser that fingerprinted as identically as possible for everybody? Surely we have different IP Addresses, but we can make things like querying for viewport dimensions the same.
tortemp7163 25 days ago [-]
The TOR browser already achieves this. All TOR users have an identical fingerprint.
airnomad 25 days ago [-]
I find it amusing how commenters on HN are so privacy-sensitive while good share of software industry today supports, depends on or directly is involved in people tracking, this way or another.
yjftsjthsd-h 25 days ago [-]
Eh... some of the industry, sure. I work in a B2B company, others work in hardware devices, etc. I'm not sure what the relative proportion might be, but it's certainly not the whole industry.
airnomad 25 days ago [-]
Go talk to your marketing team and you would be amazed by level of tracking those guys doing or should be doing in order to win the market.

I work in a very boring niche for a small company and you'll receive email from us and we'll know what ads you clicked to find us 1 year ago and that we'll keep your entire browsing history and utilize it to tailor our messaging and that's just a begining of it. And our budgets are fraction of what huge online advertisers spend.

Modern digital marketing wouldn't be possible without tracking and that's just how it is.

If we make it harder via regulations, we'll just make it more expensive and that's all. Kind of similar as drugs - demand is so strong that supply is going to be there no matter what you do.

einhverfr 25 days ago [-]
It's almost like Google wants to track and deliver advertising.

Almost like they have some financial interest in determining user behavior so they can deliver more targeted ads. Almost like they are an adware company.

Nah, can't be that. That would be like a conspiracy or something......

auslander 25 days ago [-]
That surveillance economy strongly reminds me Tobacco industry. It was cool and trendy until everyone woke up and regulated it to death, as it should be. GDPR is just the beginning.
undoware 25 days ago [-]
fantastic essay. thank you
joes223 25 days ago [-]
I believe that this is a part of a well funded campaign against Google by some of its rivals or enemies. Oracle? Regardless, whoever is implementing this attack, they're doing a fantastic job. Google's business is basically connecting Advertisers (wolves) with Users (sheep) and the most important part of this business is to keep this ecosystem stable. Someone's apparently found a way to destabilize this system: wolves are getting bigger and greedier, while sheep is dying out. The only solution here is to cut the population of wolves, but Google is still in denial and lies to itself that maybe the extinction can be stopped by formalizing the process of chasing sheep.
burnaway 23 days ago [-]
There are people with strong beliefs and opinions they are ready to fight for - within the frame of their daily job, using their free time, their own money etc. All this without being enthralled to a "bigger entity", as a part of a conspiracy, serving a special interest playing power games, or simply someone paying them. I am one of those people, in agreement with this post, I can see the OP being in this category as well. If this is all too surprising for you that is a reflection on you.
1024core 26 days ago [-]
Ironically, this site wants to use my browser's canvas to fingerprint me.

Umm.. no thanks!

Crosseye_Jack 26 days ago [-]
I'm not 100% its being done for tracking, the canvas usage is being used to insert emoji into the page from WordPress Servers. It being a WordPress based blog kinda explains that.

Now are WordPress using that ability to track users which the owner of this site isn't aware of? That's another question.

Edit: This page doesn't contain any emoji, But it prob just a WP Plugin that replaces any into broswer/os emoji.

lazyeye 26 days ago [-]
"Hide your evil"
devoply 26 days ago [-]
Get rid of cookies, get rid of fingerprints by sharing them between all browsers using a p2p network so everyone has the same fingerprints. Now get rid of Google. Thanks for all the fish, Google.
jakeogh 26 days ago [-]
And disable JS. The idea that clients need to execute arb code to see a page broke the information / presentation separation, on purpose. I leave it off (surf lets you easily toggle it per process), and it's pretty rare that I actually want to use it, and in those cases, the page could easily have been designed to work fine without it. It's a deliberate problem.
joes223 25 days ago [-]
Afaik, TeX is a Turing-complete language that can even read files from disk. Yet, it's only purpose is to render static text documents and nobody blames Knuth for inability to separate the presentation layer. The web is no longer a bunch of text documents. It's the first and only successful cross-platform solution. Moreover, it's still in the very infancy and in 10-20 years it will be the full-blown operation system layer on top of every platform. The problem of the web is that its sandbox has become leaky.
jakeogh 24 days ago [-]
Me: executing arb code to view a doc is a bad idea

You: TeX is turing complete too!

Great. Thanks.

la_barba 25 days ago [-]
Not to mention all the CPU time that JS scripts eat up. The eco-impact of disabling JS world-wide will be significant...
jiveturkey 26 days ago [-]
https://www.blog.google/products/chrome/building-a-more-priv...:

> Some ideas include new approaches to ensure that ads continue to be relevant for users

'nuff said

oconnor663 26 days ago [-]
> To appreciate the absurdity of this argument [about encouraging fingerprinting], imagine the local police saying, “We see that our town has a pickpocketing problem. But if we crack down on pickpocketing, the pickpocketers will just switch to muggings. That would be even worse. Surely you don’t want that, do you?”

Calling arguments "absurd" or "disingenuous" is itself arguing in bad faith, and respectable publications can do better.

This sort of thing happens in real life all the time. In the debate over drug policy, one of the major arguments for legalization is that drug prohibition leads to different types of crime. On the one hand, this is a "defeatist" attitude to have about drug policy. On the other hand, the world is complicated, and sometimes we have to make compromises.

The author continues:

> Based on peer-reviewed research, including our own, we’re confident that fingerprinting continues to represent a small proportion of overall web tracking. And there’s no evidence of an increase in the use of fingerprinting in response to other browsers deploying cookie blocking.

That's an excellent, concrete point to make about the question. But it's not "absurd" for others to have less confidence in that conclusion. It sounds like a tricky open question.

Majromax 26 days ago [-]
> Calling arguments "absurd" or "disingenuous" is itself arguing in bad faith, and respectable publications can do better.

Calling an argument 'absurd' or 'disingenuous' is not an argument, it's a conclusion. Its value lies entirely in how well the point is proven.

Here, the article does a fair job of that task. It supports the idea that the argument is absurd because mitigations against browser fingerprinting are already in development, and it supports the idea that the argument is disingenuous because in a comparable situation Google itself did not deploy a privacy workaround, so it should know that fingerprinting is not a universal response.

ska 26 days ago [-]
> Calling arguments "absurd" or "disingenuous" is itself arguing in bad faith, and respectable publications can do better.

I take your point, but calling people out for being disingenuous when they are, in fact, being disingenuous is not bad faith at all.

Spooky23 26 days ago [-]
People are allowed to have editorial discretion and form opinions.

It may be harsh to be dismissive of Google's claims, but Google chose to put itself in a position where they have deep, systemic conflicts of interest.

When you have a company with strongest possible interest in profitable advertising, who also makes browsers, operating systems, and controls key services that are effectively chokepoints of the internet, it's not unreasonable to assume that SMEs would question your commitment to finding a solution that would hurt you. When you write an article that demonstrates that others have been able solve impossible technical problems that an engineering organization at Google cannot, it's difficult to call that "bad fath" reporting. In fact, anyone who assumes that a company will inflict harm upon its own short/mid term financial interests is clueless, because that is what management demands at any public company.

If Google did something like implement strong organizational walls that isolated advertising from other lines of business, like a newspaper, perhaps I would agree with you. If Google was showing market dominance in other areas, like cloud computing, perhaps I would agree. But they do not, and in fact they are integrating components of their business more and more, and are compelled to do so by their duty to shareholders. (See Google One as an example)

zzzcpan 26 days ago [-]
> Calling arguments "absurd" or "disingenuous" is itself arguing in bad faith, and respectable publications can do better.

If they are not real arguments, but false dilemma kind of arguments presented specifically to push an agenda, how do you call them? You definitely can't take them at face value and provide counter arguments, you can only call them out.

Nicksil 26 days ago [-]
It's absurd because Google knew it was absurd before including it in their article anyway.
naringas 26 days ago [-]
this is the criticized argument

> large scale blocking of cookies undermine people’s privacy by encouraging opaque techniques such as fingerprinting. With fingerprinting, developers have found ways to use tiny bits of information that vary between users, such as what device they have or what fonts they have installed to generate a unique identifier which can then be used to match a user across websites. Unlike cookies, users cannot clear their fingerprint, and therefore cannot control how their information is collected. We think this subverts user choice and is wrong.

the argument claims:

- people block cookies so fingerprinting methods had to be implemented

- cookies, unlike fingerprinting, can be deleted

- because cookies can be cleared people should just embrace them and keep their ability to choose

26 days ago [-]
privateSFacct 26 days ago [-]
> To appreciate the absurdity of this argument [about encouraging fingerprinting], imagine the local police saying, “We see that our town has a pickpocketing problem. But if we crack down on pickpocketing, the pickpocketers will just switch to muggings. That would be even worse. Surely you don’t want that, do you?”

Actually, fingerprinting is not JUST used to track users for ads. Describing the characteristics of a device is used for lots of other purposes as well. For example canvas size etc etc useful for other reasons. Many / most web dev folks rely on fingerprints (user agent / screen size) when targeting layouts, adding / removing features etc.

The whole analogy where police are cracking down on criminals is the same as cracking down on fingerprinting is what is "absurd" and "disingenuous". A better analogy is wanting to have a 10mph speed limit to reduce pedestrian deaths. It would (and I like car free planning so would support it). But it would ALSO make commutes etc slower.

kube-system 26 days ago [-]
Semantically speaking, the elements that could be used to compose a fingerprint is not the same as fingerprinting.

If I write a page that uses user agent / resolution to serve up a layout -- that's not fingerprinting. Fingerprinting would be if I tried to identify a particular user with those elements.

I think the problem you're trying to illustrate is that it is difficult for a browser to determine what the requesting site intends to do with those parameters. The browser doesn't know if you want canvas access to draw a pretty picture, or if you want canvas access to perform identification of the user.

reaperducer 26 days ago [-]
Many / most web dev folks rely on fingerprints (user agent / screen size) when targeting layouts, adding / removing features etc.

I've been building web sites commercially since 1997. I have never done any of those things.

Unless the company you work for has the marketing or advertising department in charge of the IT department, this shouldn't happen. I'm sure that Facebook and a bunch of other terrible companies do it, but they shouldn't. The closest I ever came was during the era when you had to detect IE6 and work around that.

But, no, "most" web devs don't do that. Maybe you do. Maybe the people in your company do. But that is not "most," or even "many." I'd say it's probably not even a plurality.

To put it bluntly: If you think that's web development, you're doing it wrong.

privateSFacct 26 days ago [-]
I'd be curious if you were commercially successful.

The shift from IE to chrome was told by user agent strings. Almost EVERY web developer was tracking this and figuring out what features would work reasonably and what would not during this shift for the websites they maintained. In other words, what parts of the standard HTML were widely supported among users visiting their sites.

If you worked internationally you'll know that this was very different on a country by country basis.

Surprised to hear the claims that only a few do this. It is CRITICAL to developing useful websites -> you need to know what version of HTML to target at a minimum. Screen size, mobile vs desktop all also matter.

I'm now realizing why some web devs can charge so much - they might use these tools -> while others don't?

shkkmo 25 days ago [-]
I find your tone innapropriate for HN

User agent sniffing is a bad idea and fragile. Feature detection and shims work much better. CSS media queries are quite sufficient for screen size and resizing issues.

Most importantly, none of this ican be fingerprinting unless you are sending these metrics back to your servers which is IMHO unethical.

privateSFacct 25 days ago [-]
All these are fingerprinting. Almost all these are routinely logged by almost every web analytic product out there.

The posters above, sorry for my tone, are lying when they claim that most websites don't do this and most developers don't. It's actually easy to expose their lies. Just visit some websites and check their tracking approach / tools. Literally, browse some of the top 100 websites, magazines, consumer directed product sites etc. In fact, the items may be logged by literally multiple systems on ONE site - the big players can't seem to pick one set of analytics.

For example, a site I run turns out to be much more desktop heavy (84%) and have almost no firefox usage (3.XX). That's much different than the web as a whole (half mobile). It's a boring site - no entertainment, mostly folks slowly learning things. Mobile side is heavy iphone / samsung -> so we make sure we get site testing coverage through those. Knowing this and acting on it does not make me an idiot.

"But, no, "most" web devs don't do that. Maybe you do. Maybe the people in your company do. But that is not "most," or even "many." I'd say it's probably not even a plurality."

Please folks - form your own opinion - chrome dev tools let's you check out whats going on (or just get an extension) and at the end of the day browsing you can choose to believe me (you are heavily fingerprinted on almost all the sites you use) or these folks upset that I'm calling them out.

Here are default mixpanel properties by the way - I picked one product at random.

https://help.mixpanel.com/hc/en-us/articles/115004613766-Def...

People are spending literally billions on analytics using this (and much more) in terms of trying to figure out how to make a bit more money.

reaperducer 25 days ago [-]
I'd be curious if you were commercially successful.

Do you consider being able to support my family for a couple of decades successful?

privateSFacct 22 days ago [-]
I do for sure.
sa1 26 days ago [-]
I think the problem can be solved using taint analysis in JavaScript. Variables that can be used to fingerprint are allowed to be used locally but not are not allowed to be sent back over the internet. Any variables that are derived from these fingerprintable variables should be considered tainted and be treated the same way.
Simon_says 25 days ago [-]
This is a very very hard problem.

You can imagine a case where not tainting a variable implies something about the user.

wbl 26 days ago [-]
Don't use user agent check for features. User agent detection doesnt keep pace with development.
privateSFacct 26 days ago [-]
I was providing a very basic example -> and yes, useragent can still be useful. But agreed, further feature detection, which the article calls "fingerprinting" is needed if you implement anything beyond the most basic patterns. But even basic patterns are helped by some minimal detection. Text only / braille readers etc can be targeted nicely as an example.
shkkmo 25 days ago [-]
Feature detection is not fingerprinting, you can't just change the meaning of terms.
cameronbrown 26 days ago [-]
Maybe a compromise would be to just build metrics reporting directly into browsers? I'm sure Apple/Mozilla/Google collect this data already, what's stopping them from just forwarding anonymised usage statistics to an HTTP endpoint for each website?
rwmurrayVT 26 days ago [-]
It's also heavily used in fraud prevention, blocking malicious actors, and on gambling websites.
snazz 26 days ago [-]
Is it actually effective at that kind of stuff though? Changing your user agent and screen size to get through a system like that seems very easy.
rwmurrayVT 21 days ago [-]
There is more to it than user-agent and screen size. There are tools out there like fraudfox that are intended to provide a way of masking the information. Last I was involved/interested it could reveal quite a bit of specific information. Typically, advanced fraudsters are capable of beating the systems. There are just too many tools available. Even blocking the trackers with noscript/privacy plug-ins can result in a block. Whatever comes out on the anti-fraud side is commonly just a temporary roadblock. The balance between convenience and security for most companies leans towards convenience.