
Plausible Deniability and Gaslighting in Fighting Ad Blockers - chii
https://secarch.dev/posts/plausible-deniability-and-gaslighting-in-fighting-ad-blockers/
======
dessant
While the controversy centers around ad blockers, the most important aspect of
the Chrome extension API changes seems to have been missing from the
discussions of the past few months. You will not be able to fully control
every aspect of a request in your own browser, despite installing extensions
that run privileged code that you trust.

HTTP headers can no longer be freely edited, unless they are part of a limited
whitelist blessed by the Chrome team. This kills innovation in the browser
extension space in its tracks, and ad blockers are just a subset of use cases
that will be impacted.

The changes will inevitably find their way into Chromium forks which do not
have the resources to maintain the deprecated API while merging upstream
changes, further limiting choice and hindering innovation.

~~~
derefr
Mind you, another way to say that is “malicious extension authors can no
longer snoop on all network traffic.”

As someone who was, at one point, pitched a project proposal for a browser
extension our company could make which would “make users think they’re getting
one useful effect, while secretly using their browser as a node in a
distributed web-scraping farm to social-network sites they’re logged into” —
I’m sure this is more common than people think, and very wary of extensions
saying they do one thing while doing quite another (which happens to fit into
the same permissions set as the explicit purpose of the extension, making
users none the wiser.)

~~~
dessant
The discussed API changes do not limit malware to snoop on browser traffic,
requests can still be observed, and scraping is also not affected.

Ad blocking is arguably one of the best ways to protect yourself from malware,
and that is the capability Google attempts to limit.

~~~
danShumway
This also isn't even a first step where eventually privacy restrictions around
observation will be added later. From the discussion thread[0]:

> _Chrome is deprecating the blocking capabilities of the webRequest API in
> Manifest V3, not the entire webRequest API (though blocking will still be
> available to enterprise deployments). Extensions with appropriate
> permissions can still observe network requests using the webRequest API. The
> webRequest API's ability to observe requests is foundational for extensions
> that modify their behavior based on the patterns they observe at runtime._

It's not just that the people claiming that this will improve privacy are
wrong about this specific change. Google's stance is that blocking request
observation is fundamentally not acceptable, specifically because it would
stop extensions from tracking and responding to user behavior.

To all the people saying, "well, it's about time extensions got locked down"
-- Google is not your friend and they don't want the same things as you.

[0]: https://groups.google.com/a/chromium.org/forum/#!topic/chromium-extensions/veJy9uAwS00%5B101-125%5D

~~~
yellowapple
> though blocking will still be available to enterprise deployments

So I guess the answer is to be an "enterprise", then.

~~~
danShumway
Not necessarily, since having the API available for you personally is only one
part of the problem.

The other question to ask is, will you even have an ad blocker to install,
given that Gorhill has hinted these changes might mean abandoning Chrome as a
target platform?[0]

If enough ordinary people move to enterprise, Google will eventually restrict
that as well. If not enough people move to enterprise, extension authors won't
support Chrome and you'll be stuck writing or forking your own ad blocker. So
you're gambling on being able to walk a very thin line alongside a company
that's already shown you that it is actively hostile to your interests.

The more permanent answer is to just switch to Firefox and stop playing their
game. Switching to enterprise will probably at best buy you some time before
you're forced to make that decision.

[0] https://github.com/uBlockOrigin/uBlock-issues/issues/338#issuecomment-456179825

~~~
yellowapple
Oh, I switched to Firefox years ago (Chrome still doesn't offer any reasonable
equivalent to Tree Style Tabs). This would be more for the folks that I
haven't quite convinced yet to do the same.

------
cproctor
From a technical standpoint, I don't understand why the adtech companies don't
just serve ads via APIs consumed by website owners, and served to clients via
the primary domain. This seems like it would obviate current adblocking and
third-party cookie blockers.

It would add a bit of technical complexity for site owners, but that seems
manageable, particularly for b2b relationships.

Obviously, I hope this doesn't happen, but it seems like an obvious strategy
and I don't see the flaw.

~~~
rsync
"From a technical standpoint, I don't understand why the adtech companies
don't just serve ads via APIs consumed by website owners, and served to
clients via the primary domain."

I also would like to know why there is so much resistance to this, which was
the original model of ads on websites ...

rsync.net stopped advertising, in all venues, about two years ago - mainly
because the overlap between "people smart enough to use rsync.net" and "people
who don't use an adblocker" is basically zero. Nobody who cares about our
product ever saw our ads.

But, of course, we still have some interest in advertising our product and, to
that end, I have approached several websites and offered very good money to
_just insert two lines of plain text on their HTML page_. No "network", no
code blob, nothing interactive ... _no picture_ ... just an extra line of
text, with a bit of it href'd for a link.

Huge pushback on that. No interest. "Impossible".

I really don't understand the responses I've gotten ...

~~~
tialaramex
As an example, from LWN.net's FAQ under Advertising

"What happened to text ads? The text ad facility allowed readers to place
simple, text-oriented ads on the site. Use of this facility had been dropping
over time; when we realized that nobody had bought an ad in over six months,
we decided to remove the feature."

LWN would still sell you banner advertising, but they don't do text any more.
As with other features that were killed because nobody used them, the interest
of a single small buyer won't bring them back because it doesn't make any
economic sense.

~~~
rsync
That's very interesting that you used that example because LWN.net was one of
the content providers that we approached.

I figured _someone_ at their organization had the wherewithal to open a
regular file in vi and paste in two lines of HTML ... in exchange for money
...

Nope.

------
0815test
There's plausible deniability and then there's sheer barefaced denial. When
will the Better Ads Standards protect the average user from having outright
malware, browser-jacking, click-jacking etc. etc. delivered via ad networks,
potentially including Google's or Facebook's? Do _that_ and 99% of web users
will most likely stop caring about any other sort of ad blocking. However, as
things stand today, switching to Brave, Firefox or any other browser that
commits to making _all_ malicious ads blockable is the only reasonable course
of action.

~~~
JoshMnem
Brave is based on Chromium, so it's vulnerable to Google's future decisions
about what browsers should be able to do.

------
chaz6
This is a very good article, but misses out a critical fact: Google plans on
making the old API available to paid enterprise users, which is the final nail
in the coffin.

I hope that Qt will add a new Gecko backend for QtWebEngine and move away from
Chromium/Blink.

~~~
Kalium
Where do I go to get this paid enterprise Chrome?

~~~
qes
No payment necessary.

https://cloud.google.com/chrome-enterprise/browser/download/

------
xg15
I don't know, I'm not convinced.

I very much agree that Google's conflict of interest regarding ads is
problematic and I'd absolutely trust them to look for ways how to get rid of
adblockers, but the current issue seems like an unnecessarily roundabout way
to achieve that.

The Chrome team seems to have put a lot of engineering effort into the DNR
language and even extended the language to respond to some of the criticism.
(Though still far less than what the API would need to be usable). It seems
odd to me that they would spend so many resources into implementing something
that is not really expected to be used.

I feel if they really wanted to get rid of adblockers this instant, they could
just tell so openly. Since Chrome has its own built-in filters now, they could
just spin it as additional blockers no longer being needed.

Instead they're just _slightly_ tipping the scales in favour of site
developers. Ad-blockers wouldn't be made impossible with this change, they'd
just be made less accurate and reliable. This doesn't make a lot of sense to
me.

~~~
chrismartin
> Instead they're just slightly tipping the scales in favour of site
> developers. Ad-blockers wouldn't be made impossible with this change, they'd
> just be made less accurate and reliable. This doesn't make a lot of sense to
> me.

It's the camel's nose under the tent (or the boiling frog). Abolishing all ad-
blocking extensions would cause many folks to migrate away from Chrome, so
they probably see a more effective strategy in incrementally neutering these
extensions at a rate that reduces peak outrage.

"What is something we can take away that ad blocking tech relies on?" Today
it's an API change, in a few months it'll be some other measure.

~~~
xg15
Yeah, you could imagine some strategy where they modify the API to make
adblockers appear progressively more annoying and unreliable to end users, so
that eventually, the public perception of them changes.

However, this seems a bit like a Xanatos Gambit to me. There are a lot of
things that could make this plan fail. It starts with the current backlash of
the adblocker devs themselves: They could simply choose to boycott Chrome
instead of damaging their reputation.

Even if they don't, so far you still have competition to Chrome so differences
can be observed: If adblockers perform significantly worse on Chrome than they
do on Firefox, it's apparent even for non-technical users that the browser is
somehow a factor in this.

I agree though, just making a change to web store policy (e.g. disallowing all
adblockers) probably wouldn't have cut it - that would risk triggering a
Streisand effect where everyone tries to smuggle adblockers back into the
store using all kinds of rule-bending. So a technical restriction would
probably be needed from their point of view.

To be honest (warning, tinfoil hats ahead), I wouldn't be surprised if a long-
term goal for Google is to abolish browser extensions altogether. Philosophy-
wise, extensions seem completely at odds with Google's vision how the web
should behave and how user experiences are designed. Most of their work in the
space seems to be about restricting extensions, too - while work that extends
capabilities (e.g. support for inspecting WebSocket connections or bringing
extensions to mobile Chrome) is postponed.

------
saagarjha
> As far as I know Apple’s declarative API doesn’t have the same low rules
> limits as Chrome’s planned one either.

Safari content blockers have a limit of 50,000 rules.

~~~
kdeldycke
For comparison, activating all uBlock origin registered filter sets takes
281,078 network filters + 210,016 cosmetic filters.

~~~
saagarjha
Yeah, I'm writing a conversion tool and I'm having quite a hard time getting
EasyList to fit in the 50,000 limit. I have some deduplication rules in place
which takes it quite close, and with cleverer algorithms it might be possible
to fit the entire thing, but it's pretty clear that this limit is quite
restrictive (plus, there's no guarantee that it will even work on iOS, which
will kill the ruleset compiler if it uses too much resources).
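
The conversion and deduplication described in the comment above, as an added example that is not saagarjha's tool and not part of the original thread: it parses a small subset of EasyList syntax (`||host^` with an optional `$third-party`), drops duplicates and subdomains already covered by a parent rule, and checks the result against the 50,000-rule limit. The function names, the sample filters and the `url-filter` pattern are assumptions of this example.

```javascript
// Added example: EasyList-style host filters -> Safari content-blocker rules.
const RULE_LIMIT = 50000; // per-blocker limit quoted in the thread

// Constructed sample filters (not taken from EasyList).
const SAMPLE_FILTERS = [
  '! comment line',
  '||ads.example.com^',
  '||ads.example.com^',                  // exact duplicate
  '||cdn.ads.example.com^',              // covered by ||ads.example.com^
  '||tracker.example.net^$third-party',
  '||static.tracker.example.net^',       // broader than its third-party parent: kept
  '||pixel.example.org^$third-party',
  '##.banner',                           // cosmetic filter, out of scope here
];

// Parse only "||host^" filters with an optional $third-party option.
function parseFilter(line) {
  const m = /^\|\|([a-z0-9.-]+)\^(?:\$(third-party))?$/i.exec(line.trim());
  return m ? { host: m[1].toLowerCase(), thirdParty: Boolean(m[2]) } : null;
}

// Drop exact duplicates, then hosts whose parent domain is already blocked
// with the same or a broader scope ("||" anchors also match subdomains).
function dedupe(filters) {
  const byHost = new Map();
  for (const f of filters) {
    const prev = byHost.get(f.host);
    if (!prev || (prev.thirdParty && !f.thirdParty)) byHost.set(f.host, f);
  }
  const covered = (f) => {
    const labels = f.host.split('.');
    for (let i = 1; i < labels.length - 1; i++) {
      const parent = byHost.get(labels.slice(i).join('.'));
      if (parent && (!parent.thirdParty || f.thirdParty)) return true;
    }
    return false;
  };
  return [...byHost.values()].filter((f) => !covered(f));
}

// Emit one rule per surviving host. The url-filter shape is this example's
// assumption; it uses only ranges, groups and ?/+ quantifiers.
function toRule(f) {
  const host = f.host.replace(/\./g, '\\.');
  const trigger = { 'url-filter': `^https?://([a-z0-9.-]+\\.)?${host}[:/]` };
  if (f.thirdParty) trigger['load-type'] = ['third-party'];
  return { trigger, action: { type: 'block' } };
}

function convert(lines, limit = RULE_LIMIT) {
  const parsed = lines.map(parseFilter).filter(Boolean);
  const rules = dedupe(parsed).map(toRule);
  return { parsed: parsed.length, rules, fits: rules.length <= limit };
}

const result = convert(SAMPLE_FILTERS);
console.log(`${result.parsed} filters -> ${result.rules.length} rules`);
console.log(JSON.stringify(result.rules, null, 2));
```

Subdomain coverage only removes a rule when the parent's scope is at least as broad, which is why the unconditional `static.tracker.example.net` rule survives next to its third-party-only parent.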

------
ramtatatam
It seems it will be better for me to stay with Firefox. Though I must admit
sometimes it occurs to me that maybe in the future I'll use curl more..?

~~~
paulryanrogers
IME Curl and even NoScript is becoming nigh impossible to use because of all
the JS

------
chii
One can only hope that firefox steps up its game. Maybe eventually the new
rust engine can push firefox forward with performance, and renew the market
from chrome's dominance.

~~~
taneq
How recent is your "firefox is slow" perception? I've been using it as my
daily driver web browser since... well, for a long time, and it's come a long
way.

Admittedly I haven't run Chrome myself much recently but looking over other
peoples' shoulders I don't see much in terms of a perceptible difference in
speed.

~~~
chii
If you load up youtube.com, the site loads faster on chrome than firefox.

On a mobile, chrome's scroll seems smoother than firefox (the test i use is if
i rapidly swipe up and down to scroll the page, does my finger covering the
text change position?).

~~~
czinck
Slow YouTube load is entirely YouTube/Google's fault

> YouTube page load is 5x slower in Firefox and Edge than in Chrome because
> YouTube's Polymer redesign relies on the deprecated Shadow DOM v0 API only
> implemented in Chrome.

https://twitter.com/cpeterso/status/1021626510296285185

------
3xblah
"I think it's fairly safe to say at this point that Google is institutionally
incapable of imagining a world without ads, so they're not capable of
entertaining solutions that would seriously interfere with the ad ecosystem."

I think it is safe to say the same about Mozilla. They, too, rely (indirectly)
on the ad ecosystem to survive.

An HTTP client that does not deliver ads _by default_ will not be produced by
either company.

Trying to escape from online ads by using these corporate-controlled browsers
is like trying to escape from a wet paper bag without being allowed to damage
the paper.

------
PaulHoule
It amazes me that Google isn't facing an antitrust lawsuit over the chrome
adblocker situation. Of course chrome is going to block everything except
Google ads to destroy the competition.

~~~
alexpetralia
Relevant essay for the uninitiated:
https://alexdanco.com/2019/05/30/google-chrome-the-perfect-antitrust-villain/

------
AJ007
Very good write up on the Chrome ad blocker issue, and worth reading in its
entirety.

Based on the comments in other posts on this topic, my view is a little
different. I think Google is making decisions that look good in short term
models but will be very damaging to them in the long term. In this case, it is
simple. If Chrome does a poor job blocking ads they are going to become known
as the junk browser.

Recall a behavior Google added to Chrome. When you open Chrome, you are
presented with what looks like a default Google.com search page. When you
click the search field and start typing, instead of appearing in the search bar,
the search occurs in the URL navigation bar.

Google could have trained their users to be certain they went to Google.com to
make a search. They didn't. Today Google pays billions of dollars a year to
Apple. Google still doesn't seem to have learned that lesson (see AMP and
weird ideas on divorcing the URL from the site the user is on.)

Not only is Google's revenue growth under threat, but their existing revenue
base may very well be too. After GDPR, the EU copyright directive, and changes
Apple is making to Safari who knows what 2020 revenue will look like. In my
mind, this explains a lot of the sloppy decisions Google's management has been
making.

If there was no Firefox or Apple, then panic. For now, the panic should lie
within Google.

~~~
fencepost
Don't forget that Chrome reached its dominant market share in large part
because every time you went to search for something you were presented with an
ad for Chrome. Alternative search engines at this point are hard to come by,
AFAIK it's basically just Google and Bing in much of the world, plus whatever
has approval in China - most other search is just wrappers around those 2.

In that environment it may be hard to get the "Chrome as a junk browser" idea
widespread. I still deal with people daily whose goto browser is IE because
it's what they've always used.

------
sasaf5
As an oblivious Firefox user on Debian and Android, am I missing something by
not using Chrome?

~~~
georgeecollins
Features are missing in Google Apps in Firefox. I use Firefox as well, but
sometimes when I want to use Google Docs, I just switch back to Chrome.

~~~
false-mirror
What features are missing? I use Google Docs in firefox and haven't noticed
anything wrong.

~~~
callmeal
> What features are missing? I use Google Docs in firefox and haven't noticed
> anything wrong.

Tracking and cookie slurping.

I've noticed that if you turn on privacy protections in firefox, all google
sites start misbehaving. And forget about trying to get through a recaptcha
without spending minutes clicking on crossroads.

------
Arbalest
Is it time for piracy of ostensibly free content? Just so that we can protect
ourselves, and perhaps our children from large scale tracking? Any injected
adverts into the content stream would either become static, or removed by the
release group. Imagine, pirated text content of blogs, just to get away from
the new web.

The alternative is Tor, i2p or other anonymising web services simply to make
the tracking model unviable. What was once a mechanism for persons in
oppressed countries and criminals, actually becoming the web of choice to stay
out of the tracking traps.

Edit: Just wanted to add, the way Stallman gets websites delivered to him via
email and an external scraping system.

------
t0mas88
Google did a similar hypocritical thing with GDPR in Europe. As a
Google/DoubleClick customer we lost access to the raw data logs on where our
ads were served, Google cited "privacy" and "GDPR" as the reasons. Then within
a month Google created a product called "Ads Data Hub" that has the exact same
data in it, for paying Google customers, in Google Cloud.

So for privacy reasons we cannot process that data in any Amazon (or other
competing) product, but surprise surprise, it is available in a paid Google
product.

Google has zero interest in privacy or even performance. All they care about
is abusing their monopoly to push others out of the market and make more money
from their own ads. The "do no evil" thing is long gone, it's time they get
the antitrust lawsuit they deserve.

------
ycombonator
Just moved all my bookmarks from Chrome to Firefox and don't miss a thing. I
hope Firefox positions 'import bookmarks' feature prominently.

~~~
arwhatever
Same here, switching is a _very small_ hassle. I hope chrome's web metrics are
plummeting in reaction to this.

------
dreamcompiler
I wish somebody would start a business with 1000 Pi-hole servers on a CDN
cloud and charge $10/year to use them. But I don't have a clue how you match
DNS lookups to paying customers. Probably have to just punt and make it a
nonprofit funded by a foundation like Wikipedia. If anybody wants to build
this, I'll help.

~~~
tgragnato
https://news.ycombinator.com/item?id=20012687

~~~
narag
Domain blocking is really useful, but... is it possible to do more? I mean
that uBlock Origin and other adblockers can make a more fine-tuned work,
cleaning pages much further, like cookies popups or similar useless crap.

I had thought of such a service time ago, but would it be legal? If I do it in
my private intranet, it shouldn't be a problem. But a service that would
remove ads from known webs and serve a clean version through a proxy could be
accused of plagiarism or something like that.

Maybe that's because they only do the domain blocking part.

~~~
dreamcompiler
I'm not sure it's even possible to do this on a proxy any more since so many
sites do client-side rendering now. You'd have to run the Javascript, see what
crap it produces, figure out what Javascript generated the crap, and remove
that Javascript. Sounds dangerously close to solving the halting problem. (I
presume ublock can do these things because it's sitting at the rendering
engine. Proxies don't have that luxury.)

~~~
narag
I forget how different my Internet experience is from everybody else, without
Facebook, Twitter and similar sites that you log in to use.

------
kreetx
This is a very nice write-up. Would be nice if the forces behind the Chrome
change would comment.

------
781
This is truly one of the best long-cons in the tech industry history. Invest
10 years into creating a browser and get the whole industry and its
developers to love it, push it and develop solely for it, so that you can reap
the benefits now. They learned from the best - Embrace, Extend, Extinguish.
Even as recently as last year, saying that Google would eventually abuse
Chrome market dominance would get heavy downvotes here.

~~~
panpanna
More likely Google bean counters went to chrome team and demanded they start
generating money or at least stop losing other divisions money.

The good news is that Firefox and soon Edge are on all (important) platforms
and support ublock origin

~~~
breakingcups
How long will Edge support uBlock if their upstream makes architectural
changes to prevent it and its kind?

