Ads, Trackers, Blockers, Super-Cookies, Private Modes and other Ghastly Beasts
Dan Appelquist, Open Web Advocate
@torgo
These slides: https://slides.com/torgo/beasts
Disclosure of Allegiances
Who Pays My Bills:
- Open Data Institute
- UK Government Digital Service
- Samsung
- Co-Chair of W3C Technical Architecture Group
- Co-founder and co-organizer of Over the Air
In Addition:
Some History
First Web Ad:
October 27, 1994 in Wired
An Industry is Born
From Ads to Ad Networks
How Do you Measure?
- Analyzing log files (unreliable)
- Enter cookies!
From Ad Networks to Tracking Networks
Ad Retargeting
- You search for dishwashers
- Suddenly dishwashers are stalking you around the web
Text
Only the tip of the personal data iceberg
It's Not About the Ads
It's About (Your) Data
Bought, Sold, Traded, Re-traded, Re-sold, Aggregated, Anonymized,
De-anonymized, Analyzed & Monetized
ad infinitum
Ad Blockers
- Almost as soon as the first ads, the first ad blockers
- First ad blockers were proxies
- Evolved to: an extension API to hide an element or block a load based on a set of rules
- AdBlock Plus is the standard bearer
Modern Ad Blockers are Tracking Blockers
Tracking Network Blocker Blockers
“Forbes asked readers to turn off ad blockers then immediately served them pop-under malware.”
Engadget 8-1-2016 : http://engt.co/1PNJZqf
The Many Faces of
“Do Not Track”
- A "do not track" preference originally proposed by the US Federal Trade Commission in 2007
- W3C workshop and working group followed
- Supported by many digital rights groups (CDT, EFF)
- Now the DNT preference and header is in every browser
- Unfortunately almost no ad network honors it
- No enforcement (yet)
Some Hope for DNT…
Privacy Badger?
- Plug-in for Chrome & Firefox
- Blocks tracking networks
- Built by EFF
- Lets content through that “respects users' privacy” (including DNT)
- …Badger!
The Many Faces of
“Private Mode”
- Process Privacy: Keep communication private from other users on the same machine
- Network Privacy: Keep communication private from intervening networks
- Server Privacy: Prevent the server from connecting activity to a user's Personally Identifying Information
Different browsers do better or worse jobs
Not just the
<ahem> mode
- Share your browser with someone
- Log into a different account
- Test something without context
- Search without context
- Symptoms checker
- Research medical condition
- Battered spouse support
- Marginalised groups
- Research political topics
- NGO or aid organization
- ...
BTW:
Private Browsing Modes Don't Protect You From Your ISP / Government / Wireless Hotspot etc...
Super-Cookies
and the Super-Evil People who Bake Them
- “Unsanctioned Tracking” using any web technology for tracking that was not designed for tracking
https://www.w3.org/2001/tag/doc/unsanctioned-tracking/ - e.g. Canvas, WebRTC...
- “considered harmful”
- Takes the agency away from the user
- See also “Fingerprinting Guidance for Web Specification Authors": https://w3c.github.io/fingerprinting-guidance/
Network Operator “Super Cookies”
Enough Said...
This is War
Title Text
The Tracker Resistance
e.g.:
- Ghostery
- Disconnect.me
- Privacy Badger
- Lightbeam
Panopticlick 2.0 from EFF
Test your browser for “tracker-i-ness.”
https://panopticlick.eff.org
Mozilla Lightbeam
“See who's tracking you online”
Mobile Browser Ad Blocking
- Lots of resources, plugins, etc.. for desktop browsing
- Held back on mobile - no extension APIs
Apple Throws in a Grenade
- 3rd party extension API
- Over 40 blockers out there – some free, some paid
- Notably, “Focus by Firefox” (uses Disconnect.me's blacklist)
Surprise, Surprise: Google Makes it More Difficult
- Right now you either need to load a special browser, e.g. adblock plus browser
- ...or go through rigamarole of configuring a proxy (aoooga! aoooga! privacy alert!)
Samsung Internet
- Samsung (Chromium) browser from 4.0 will support “content filtering”
- 3rd Party Extension API Approach
- Also featuring a private browsing (“secret”) mode
- & “progressive webapp” support (Service Workers, Manifest…)
- Default browser on Samsung phones
“Brave”
Title Text
Title Text
- Chromium(!?)-based browser
- Started by Brendan Eich, inventor of JavaScript and brief CEO of Mozilla
- Malware heuristics + tracking network blocking + “https everywhere”
- Ex-TAG member and EFFer / author of https everywhere / Yan Zhu is on the team
- They got brave.com
- "coming soon"
What we know about Brave:
Thanks!
@torgo