Ads, Trackers, Blockers, Super-Cookies, Private Modes and other Ghastly Beasts

Dan Appelquist, Open Web Advocate

@torgo

Disclosure of Allegiances

 Who Pays My Bills:

  • Open Data Institute
  • UK Government Digital Service
  • Samsung
  • Co-Chair of W3C Technical Architecture Group
  • Co-founder and co-organizer of Over the Air

In Addition:

Some History

First Web Ad:
October 27, 1994 in Wired

An Industry is Born

From Ads to Ad Networks

How Do you Measure?

  • Analyzing log files (unreliable)
  • Enter cookies!

From Ad Networks to Tracking Networks

Ad Retargeting

  • You search for dishwashers
  • Suddenly dishwashers are stalking you around the web

Text

Only the tip of the personal data iceberg

It's Not About the Ads
It's About (Your) Data

Bought, Sold, Traded, Re-traded, Re-sold, Aggregated, Anonymized,
De-anonymized, Analyzed & Monetized
ad infinitum

Ad Blockers

  • Almost as soon as the first ads, the first ad blockers
  • First ad blockers were proxies
  • Evolved to: an extension API to hide an element or block a load based on a set of rules
  • AdBlock Plus is the standard bearer

Modern Ad Blockers are Tracking Blockers

Tracking Network Blocker Blockers

“Forbes asked readers to turn off ad blockers then immediately served them pop-under malware.”

Engadget 8-1-2016 : http://engt.co/1PNJZqf

The Many Faces of
“Do Not Track”

  • A "do not track" preference originally proposed by the US Federal Trade Commission in 2007
  • W3C workshop and working group followed
  • Supported by many digital rights groups (CDT, EFF)
  • Now the DNT preference and header is in every browser
  • Unfortunately almost no ad network honors it
  • No enforcement (yet)

Some Hope for DNT…

Privacy Badger?

  • Plug-in for Chrome & Firefox
  • Blocks tracking networks
  • Built by EFF
  • Lets content through that “respects users' privacy” (including DNT)
  • …Badger!

 

The Many Faces of
“Private Mode”

  • Process Privacy: Keep communication private from other users on the same machine
  • Network Privacy: Keep communication private from intervening networks
  • Server Privacy: Prevent the server from connecting activity to a user's Personally Identifying Information

 

Different browsers do better or worse jobs

Not just the
<ahem> mode

  • Share your browser with someone
  • Log into a different account
  • Test something without context
  • Search without context
  • Symptoms checker
  • Research medical condition
  • Battered spouse support
  • Marginalised groups
  • Research political topics
  • NGO or aid organization
  • ...

BTW:
Private Browsing Modes Don't Protect You From Your ISP / Government / Wireless Hotspot etc...

Super-Cookies
and the Super-Evil People who Bake Them

Network Operator “Super Cookies”

Enough Said...

This is War

Title Text

The Tracker Resistance

e.g.:

  • Ghostery
  • Disconnect.me
  • Privacy Badger
  • Lightbeam

Panopticlick 2.0 from EFF

Test your browser for “tracker-i-ness.”

https://panopticlick.eff.org

Mozilla Lightbeam

“See who's tracking you online”

Mobile Browser Ad Blocking

  • Lots of resources, plugins, etc.. for desktop browsing
  • Held back on mobile - no extension APIs

Apple Throws in a Grenade

  • 3rd party extension API
  • Over 40 blockers out there – some free, some paid
  • Notably, “Focus by Firefox” (uses Disconnect.me's blacklist)

Surprise, Surprise: Google Makes it More Difficult

  • Right now you either need to load a special browser, e.g. adblock plus browser
  • ...or go through rigamarole of configuring a proxy (aoooga! aoooga! privacy alert!)

Samsung Internet

  • Samsung (Chromium) browser from 4.0 will support “content filtering”
    • 3rd Party Extension API Approach
  • Also featuring a private browsing (“secret”) mode
  • & “progressive webapp” support (Service Workers, Manifest…)
  • Default browser on Samsung phones

“Brave”

Title Text

Title Text

  • Chromium(!?)-based browser
  • Started by Brendan Eich, inventor of JavaScript and brief CEO of Mozilla
  • Malware heuristics + tracking network blocking + “https everywhere”
  • Ex-TAG member and EFFer / author of https everywhere / Yan Zhu is on the team
  • They got brave.com
  • "coming soon"

What we know about Brave:

Thanks!

@torgo

beasts

By Daniel Appelquist

beasts

Lightning Talk for London Web Standards 25-Jan-2016

  • 3,495