
Firefox browser will block the IAB's DigiTrust universal ID - cpeterso
https://digiday.com/media/firefox-browser-will-block-the-iabs-digitrust-universal-id/
======
xg15
I've found that most press statements that contain the term "we believe" go on
with some utterly ridiculous mental gymnastics to justify shady behaviour.
This one is no exception:

> _[IAB Tech LAB svp of Membership and Operations said:] “They believe no
> third party can be trusted. We take a different position: that trust should
> be established directly between consumers and the brands, and publishers
> they trust, and with the third parties that those brands and publishers
> trust.”_

Question to that guy: What act specifically would establish that trust? My
browser downloading JavaScript from half a dozen companies that I've never
heard of?

Or is their position that by opening a link to some web page, I declared my
boundless, irrevocable trust in that site, all third-parties that site
delegates to, all third-parties those third-parties delegate to, etc etc ad
infinitum?

Where else in life do you get this understanding of "trust"?

~~~
buboard
When you use your car, you trust 100 different manufacturers from all corners
of the earth. When you go to the hospital, you trust 100 different machines,
chemicals, gloves, needles etc. It's no different.

~~~
gpm
When I go to the hospital I trust the local doctors to make good decisions on
products to buy, I don't trust the products themselves let alone the products
manufacturers. Moreover it's not so much trust as resignation to the fact that
I have no better option but to hope they don't do something stupid.

When I use a car I trust the combination of the manufacturer and the regulator
to have used parts in a fashion such that they won't kill me. I don't know or
trust the individual part manufacturers, that's the automakers job.

There is no equivalent to the doctor, or the automaker, or the regulator here.
It is not at all similar.

------
tomp
I applaud Mozilla for taking this stance, but I think that _blocking_ is a
fundamentally misguided approach. We need to start _faking_! Let’s _fake_
DigiTrust IDs, convince them that it’s not blocked, and leave them none the
wiser! It’s the same approach Apple should have taken with (most) iOS
permissions - the app shouldn’t be able to know that it cannot access e.g.
user’s GPS location, it should just be _faked_ (i.e. random).

~~~
ComodoHacker
Could you elaborate, what's the purpose of providing fake GPS data to an app
requesting it?

~~~
LandR
For companies that want to track you and aggregate and sell your data if they
know you are not sending them data then nothing much happens to them, they
just lose some data. They can probably live with this.

However, if everyone sends them garbage data then they don't really have
anything valuable then. The whole business model falls down.

~~~
lovehashbrowns
Having previously been in a position where an ad agency thought we were
sending trash data and literally threatened to boot our millions-of-dollars-
worth contract, that shit ain't no joke. And having that previous knowledge, I
would very much approve of sending fake data instead of blocking. That can
100% tank entire companies that don't have the engineering capacity to deal
with this in time. We literally had a week or two to clean up our data or be
gone.

~~~
Jordrok
How did it get to the point where there was enough "bad" data that the ad
agency took notice and was angry enough to take action? I like the idea of
jamming ad networks with junk data, but I would imagine that it would have to
happen at a massive scale to make any sort of difference.

~~~
lovehashbrowns
They accept a certain rough percentage of bad data because having 100% clean
data is a little impossible, but basically we constantly had people using our
app on virtual machines, phone farms, reverse engineering our API, etc. It was
a constant battle to ban them as soon as possible.

At some point, our ad partner contacted us letting us know that some of our
data was coming from blacklisted IP addresses--AWS, Linode, known bots, etc.
Ranges where a human almost certainly isn't actually viewing ads, and told us
to fix it asap or get out.

We ended up licensing an IP blacklist. It updates daily, and it comes with
both individual IP addresses and cidr ranges. We didn't have time to write a
fraud system to ban users, or do this check via our api. So my solution was to
check every IP that came in through our load balancers against the blacklist
and blackhole it somehow.

Since we were using nginx, I swapped to open resty because that comes with Lua
already fully baked in. Next, I wrote a Lua script that just checks if an IP
address is in the blacklist. It even had a caching module! That was awesome.

The real hard part was where to keep the IP blacklist. I came up with the
solution to use Redis. If an IP address exists as a key in the Redis DB, it's
blacklisted. This "if key exists" check is O(1) in Redis as far as I still
know. So I wrote a cron job that runs every day to download the new blacklist,
expand the cidr ranges, pipe the individual IPs into a second unused redis db,
save the DB and restart production redis so it picks up the backup and
refreshes its list of addresses. This list was massive, btw, especially when
you expanded the cidr ranges, some of which were /8. And the Lua script would just
run a GET query on redis. If the key exists, open resty would just return a
40x code. Lua+open resty and redis are all super fast so we didn't lose much
by checking every single API request this way.

After that, the ad agency was happy and we didn't get booted. But it was a
super close call. Basically if redis didn't exist or wasn't as awesome, I'm
fairly certain some engineers would have worked a solid 72hrs to write the php
needed for an effective ban system that could go into production. I wrote the
lua/redis solution and got it into production in an evening. So simple and
really fun to write.

If this were to happen to a company getting bad data from a browser, either
they'd have to clean up the data or get kicked out as well. Ad agencies pay
for this data, so it's not like they're gonna turn into a charity and accept
it. I'm sure it also messes up their datasets as well. I can't even imagine
what it would take to clean data coming from a known good source/ip but with
bad info. Yikes.
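
Added example, not part of the comment above and not the commenter's production code: the same "is this client IP on the licensed list" check, written with the Python standard library standing in for the Lua and Redis setup described. It goes one step beyond the post by keeping CIDR ranges as sorted integer intervals and binary-searching them instead of expanding every range into individual keys; the feed format and its entries are constructed for illustration.

```python
import bisect
import ipaddress

# Constructed sample feed: single addresses and CIDR ranges, one per line.
SAMPLE_FEED = """\
# constructed entries (documentation and private ranges only)
203.0.113.7
198.51.100.0/24
198.51.100.128/25
10.0.0.0/8
not-an-ip
"""

def parse_feed(text):
    """Return (sorted, de-duplicated IPv4 networks, rejected lines)."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(line)  # keep bad lines visible for the daily job's log
    v4 = [n for n in nets if n.version == 4]
    return sorted(ipaddress.collapse_addresses(v4)), rejected

class Blocklist:
    """Interval lookup over collapsed networks: O(log n) per request."""
    def __init__(self, networks):
        # Collapsed networks never overlap, so starts and ends are both sorted.
        self.starts = [int(n.network_address) for n in networks]
        self.ends = [int(n.broadcast_address) for n in networks]

    def expanded_size(self):
        """Number of keys the expand-every-range layout would need."""
        return sum(e - s + 1 for s, e in zip(self.starts, self.ends))

    def is_blocked(self, ip):
        """True if ip falls in any listed range; raises ValueError if malformed."""
        value = int(ipaddress.IPv4Address(ip))
        i = bisect.bisect_right(self.starts, value) - 1
        return i >= 0 and value <= self.ends[i]
```

With the sample feed, three intervals cover what would be 16,777,473 individual keys once the /8 is expanded.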

------
correct_horse
You know you're wrong when you put scare quotes around "tracking", and instead
choose to call it "anonymous audience recognition". Anonymous audience
recognition ranks among the most useless, actively misleading jargon I've
heard.

To be clear, this system neither recognizes an audience nor can anything of
this sort be fully anonymized. A universal ID such as this would recognize
every individual member of an audience, not an audience as a whole.
Recognizing an audience would look like telling an amazon seller that their
product is popular with people who also bought paper towels. Such recognition
would be possible from a list of transactions i.e. (paper towels, sunglasses),
(energy bar), (dish soap), (laptop, paper towels). In this system there is no
knowledge who made what transaction, no universal ID. Any Universal ID can't
be fully anonymous because your browsing history is you. You might search for
something related to your current residence, your hometown, your workplace and
the breed of your dog. These searches alone would be enough to uniquely
identify you already, but it would be difficult. Luckily you make boatloads of
searches a day, and combining all that data would make your identity much
easier to discover. This all assumes your search provider bought in to this
universal id system (use DuckDuckGo).

------
edhelas
> David Kohl, CEO of ad tech company TrustX, a member of DigiTrust, said the
> entire cookie-based advertising infrastructure needs a rethink that involves
> prioritizing consumer interests, rather than ad tech’s commercial interests.

Or basically just stop tracking people online ? And find another way to sell
your stuff ? #thinkoutsidethebox

~~~
dmortin
We could also pay for all the sites we use (google, youtube, gmail, reddit,
etc.), but it would be pretty pricey if you visit a lot of sites. Most people
would choose tracking instead.

~~~
wastedhours
But there's also a middle ground of advertising without excessive tracking -
YouTube and Reddit (and most major websites, including social media sites
where you're actively following interests) already have enough information on
your intent to show relevant ads for the content you're viewing, without tying
that to you individually.

A lot of the inventory I buy is now on intent-based sites, and the passive
profiles used for cross-site banner display for example, for us, tend to drive
the lowest quality conversions.

Advertising can still have a place, but it requires effort to do well (like
buying a sponsored post on a subreddit right now). Higher effort though I'd
wager will lead to better conversions for all in the long run.

~~~
reaperducer
That was the whole point of Google's advertising platform: it would deliver
ads based on the content of the page you were on. That's why it is called "Ad
_Sense_."

It has since morphed into something else entirely.

------
zwaps
> Mitchell said. “They believe no third party can be trusted. We take a
> different position: that trust should be established directly between
> consumers and the brands, and publishers they trust, and with the third
> parties that those brands and publishers trust.”

What the hell does this even mean?

~~~
deugtniet
It means that they don't want tracking to stop. And you should _definitely_
trust them as well as all their partners.

Good on Mozilla for doing this. I want privacy when I'm on the internet,
without having to resort to tor-like schemes

~~~
weinzierl
Not good at all. I still trust Mozilla to a large degree but I definitely
don't trust their partners. Mozilla needs money to operate, they need partners
and they'll have to give something to them in return for the money - that
is all ok and just how things are. What is not ok is that they associate so closely
with shady operations like Cliqz for example.

~~~
Majestic121
I think there's a misunderstanding : the quote above does not come from
Mozilla, but from one of the Digitrust people (Mitchell)

Here is the full quote :

“We know certain companies (Firefox) take the position that there is no
sufficient consumer value to justify ‘tracking’ — anonymous audience
recognition — of any kind, not even for use in communicating privacy choices,”
Mitchell said. “They believe no third party can be trusted. We take a
different position: that trust should be established directly between
consumers and the brands, and publishers they trust, and with the third
parties that those brands and publishers trust.”

------
chopin
If web sites are starting to track me via first-party cookies (which I allow
for now) those will be banned aggressively as well. Currently I am somewhat
lax on deleting them on browser close (I like to stay logged in for some
sites). But this will change on a whim when this becomes mainstream.

~~~
pmontra
I'm always more certain that we're going to see ad based web sites rendering
with webassembly in a full page canvas. Some sites will implement ways to let
us copy and paste text, others won't.

~~~
chopin
I will not use sites who are doing this.

------
chris_wot
I now exclusively use Firefox on MacOS. I refuse to use Chrome in any way now.

~~~
m712
You should take the next step and switch to GNU/Linux. :o)

~~~
krageon
Not if they enjoy having a well-integrated experience on a platform tailored
to their hardware.

~~~
m712
Unfortunately, if the hardware has a lot of issues the well-integrated
experience seems to quickly fall apart. I can't really speak about the desktop
side of Apple products but the MacBook line of products seem to be troubled
with many hardware related issues for years now.

~~~
danieldk
There is light at the end of the tunnel (I have been affected by some of the
problems): the new MacBook 16" switches back to a scissor mechanism for the
keyboard and brings back the escape key. If they bring those changes to the
MacBook Pro, most of my hardware qualms are resolved.

------
tialaramex
Aha, the Interactive Advertising Bureau not the Internet Architecture Board.

It's always hard to tell whether people think their three letter name is so
distinctive nobody could mistake them for anybody else or whether such
confusion is instead desirable...

------
beezischillin
Yeah, no. I don’t trust the ad industry. They’ve never been honest before, I
doubt they would start now.

------
aleppe7766
Sadly, it’s an industry that can’t regulate itself and has been overpromising
to less and less gullible clients. Unfortunately advertising is still the main
revenue source for publishers, good and bad. Google, Amazon and Facebook will
find a way around any but the most extreme and impractical blocking, with
logins and technology at a scale that isn’t remotely feasible for all the rest
of the industry. So in a way this stance is only advancing their strength at
the expense of that fainter and fainter competition that’s fed with the
breadcrumbs falling from the tables of the big three. Not sure if in the end
we’ll consider this battle as worth fighting as many of you presently think.

------
draklor40
I'd be willing to pay monthly for Firefox to make for the lost advertising
revenue.

~~~
ComodoHacker
You should be paying content publishers. They are the ones who lose
advertising revenue, not Mozilla.

~~~
draklor40
Mozilla makes a big chunk of money (or did) by making Big G the default search
engine. They have employees to pay and servers to maintain.

Publishers online and offline have almost never made money without ads. The
only diff. is tracking readers is easy online. And that is not probably going
to change anytime soon. I don't trust publishers. I trust Mozilla.

~~~
ComodoHacker
>Publishers online and offline have almost never made money without ads.

Mozilla can't help with that, even if they break up with Big G.

Mozilla deserves our support for other reasons though.

------
joe5150
"Meanwhile, Google is set to make an announcement in February about how it
will treat third-party cookies in Chrome."

Google: our ad and analytics tracking cookies are first-party cookies if
you're using chrome :)

------
buboard
Firefox and others are good at blocking ads. But what's their replacement?
What's the plan here, to starve everyone of the only viable source of income?
(If you believe this is not true, try finding a way to accept micropayments to
a website). The endgame here will be that sites start blocking firefox. At
least Brave is trying something new.

~~~
obenn
The aim of this is to block tracking. I don’t believe Mozilla or anyone else
has much interest in blocking ethical, contextual ads.

~~~
sunshiney
The majority of site ads are affiliate ads. They are being blocked. The lower
income folks have been hurt tremendously already. Analytics is suffering from
blocks. Math runs business decisions re spending. No math equals bad
decisions. Banner ads? Ineffective but why buy when good numbers are not
available. The future online belongs to big tech and gorilla business as these
good intentioned decisions kill the middle and lower class online. Me? Been
running biz online for nearly 3 decades. The blood online is deep and getting
bigger.

------
johnpowell
Honestly.. I don't understand the details anymore. I just trust that Mozilla
and gorhil are doing their best. And if they can't help me nobody can.

------
sunshiney
I run online biz and have since 1993. Today, I am watching the death of small
biz online, the under-employed no longer able to increase income from online
biz builds, the death of affiliate income, the spike of subscription paywalls,
the growth of big tech as a result, the growth of sites as info brochures for
retail brick mortar, decrease in content, all melded with large increases in
labor costs, labor benefit bookkeeping and tax expenses, taxes due to nearly
2000 US jurisdictions. In time, you will have few sources for content online
and it will be concentrated in gorillas, direct mail will and is increasing,
retail will be big guys only, and the biggest losers will be the small guys.
But blocks won't be needed then as big guys will deploy the Cobra phenomena as
they can afford it. Loser: the average guy. Winner: the big guys. Ah well.
More poor people. Ah well.

------
syshum
Of course, only CloudFlare gets to track Firefox users.

------
arkanciscan
So their plan to reduce the number of tracking cookies is to introduce another
tracking cookie? There's an XKCD comic about that.

~~~
handlewithcare
You have a link for that comic?

~~~
713233eb
Timeless masterpiece: https://xkcd.com/927/

