
Why is Stack Overflow trying to start audio? - iokanuon
https://meta.stackoverflow.com/questions/386487/why-is-stack-overflow-trying-to-start-audio
======
Nick-Craver
I just wanted to chime in from Stack Overflow here and let people know: we are
aware of the issue. And we're NOT okay with it. We're trying to sort out how
to kill the audio behavior now. It's not very straightforward to find where
it's coming from, but we are working on it. We've also reached out to Google
for their assistance in tracking it down. If anyone can offer advice, we'll
more than happily take it.

- Nick Craver, Architecture Lead at Stack Overflow

~~~
coldpie
Why are you allowing arbitrary javascript to be served to your users?

~~~
wlesieutre
Not just arbitrary JavaScript, arbitrary JavaScript where they can’t easily
even see where it came from! Sheesh.

Could we require advertisers to sign their ad code to have a trail of where it
came from, prevent tampering, and make it easier to pull the plug on bad
actors?

The people bearing the costs of the internet ad economy aren’t the people in
any position to do anything about it. So there’s very little pressure to fix
anything.

Maybe if the US government started threatening to enact something like GDPR
unless the a democratic industry gets its shit together.

~~~
manigandham
Large adtech demand/sell side platforms do not want to remove these bad actors
because they make money on percentage of spend. They are incentivized to
increase volume and ad spend at all costs, and there is no regulation to stop
them from doing otherwise by continuing to deal with shady companies and known
malware techniques.

------
ndiscussion
How We Make Money at Stack Overflow: 2016 Edition: Quality ads. "...we don’t
want to use an automated system that selects some ads for us. We looked at
this. It didn’t allow us the control we required to maintain the level of
quality we want to maintain."

How We Make Money at Stack Overflow: 2019 Edition: Taking money from Microsoft
and Google fingerprinting our users 100+ ways

source: [https://stackoverflow.blog/2016/11/15/how-we-make-money-at-stack-overflow-2016-edition/](https://stackoverflow.blog/2016/11/15/how-we-make-money-at-stack-overflow-2016-edition/)

~~~
rsj_hn
Your options, as I see them.

1. Text based ads only (no third party js)

2. HTML based ads but no js (run it through DOMPurify
[https://github.com/cure53/DOMPurify](https://github.com/cure53/DOMPurify))

3. Look for a js sandbox -- this _will_ break arbitrary js, will not be
supported in all browsers, and will require dev work on your side:

      * Google Caja  https://github.com/google/caja
      * MentalJS  https://github.com/hackvertor/MentalJS

other options are available as well, in varying levels of maturity and
support.

I think using a sandbox iframe is not going to be able to defeat browser
fingerprinting, because the sandbox control options are not rich enough. You
would need to block all JS.

~~~
lostmsu
> HTML based ads but no js (run it through DOMPurify
> [https://github.com/cure53/DOMPurify](https://github.com/cure53/DOMPurify))

Or use iframe.sandbox, which was designed for it.
[https://www.w3schools.com/tags/att_iframe_sandbox.asp](https://www.w3schools.com/tags/att_iframe_sandbox.asp)

~~~
rsj_hn
Using an iframe sandbox has some issues:

1. scrollbars and positioning can cause problems with iframes that an inline
div doesn't have, especially if there are multiple small iframes on the page.

2. As soon as you allow script in the sandbox iframe, then you are
susceptible to these types of fingerprinting attacks. The fact that you have
origin isolation doesn't really block what the ad was doing. This is because
iframe sandbox was never designed to block fingerprinting attacks, it was
designed to create a separate origin that gave the dev broad control over
features like 'allow js' 'allow access to origin', etc.

~~~
Groxx
> _1. scrollbars and positioning can cause problems with iframes that an
> inline div doesn't have, especially if there are multiple small iframes on
> the page._

I'm not quite sure what you mean here, but I'm curious. Have any examples?

~~~
rsj_hn
Ideally you would like the iframe to not be visible -- you don't want it to
show scrollbars if the content overflows.

But at the same time, you want to see all the content in the iframe. If you
knew ahead of time exactly the layout of the text in the iframe you could do
this, but it's harder when you have dynamically generated content inserted
into the iframe, and now add to that wanting the page to be on different
devices with different viewports, resolutions, users resizing the page, users
increasing or decreasing text sizes for accessibility or changing default
fonts.

And if you don't control the content, some of it may contain fixed size
elements or absolute positioning inside the frame.

It's a really difficult problem that we were struggling with before ultimately
giving up on trying to use iframes for this purpose. And when you make a
mistake you either get ugly scrollbars in your iframe or part of your content
is cut off when the user resizes the page.

~~~
DCoder
Solving this problem requires the JS on the parent and child frames to
cooperate and talk to each other about their sizes, so the parent can resize
the iframe to match the size of its content. This is not something ad
providers would bother to implement on their own, let alone in a consistent
way.
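
The parent/child cooperation described above, as an added example that is not part of the original thread: the parent-side handler for resize requests from a sandboxed ad frame. The message shape `{type: "ad-resize", height}`, the slot objects and the height limits are assumptions made for this sketch.

```javascript
// Added example, not code from the thread. Parent-side validation of
// "resize me" messages posted by an ad iframe.
// Assumed message shape: { type: "ad-resize", height: <number of px> }.

const MIN_HEIGHT = 50;   // assumed lower bound for an ad slot, in px
const MAX_HEIGHT = 600;  // assumed upper bound, so a frame cannot cover the page

// A slot describes one ad iframe the page created itself:
//   frameWindow     iframe.contentWindow
//   expectedOrigin  "null" for <iframe sandbox="allow-scripts"> (opaque
//                   origin), or the ad server origin for unsandboxed frames
//   setHeight       callback that applies the height to the iframe element
function findSlot(slots, source) {
  return slots.find((slot) => slot.frameWindow === source) || null;
}

function validateResize(event, slots) {
  // For a sandboxed frame event.origin is the string "null" and says nothing
  // about who sent the message, so the sender is identified by window
  // identity first and origin second.
  const slot = findSlot(slots, event.source);
  if (!slot) return { ok: false, reason: "unknown-source" };
  if (event.origin !== slot.expectedOrigin) {
    return { ok: false, reason: "bad-origin" };
  }
  const data = event.data;
  if (data === null || typeof data !== "object" || data.type !== "ad-resize") {
    return { ok: false, reason: "bad-shape" };
  }
  if (typeof data.height !== "number" || !Number.isFinite(data.height)) {
    return { ok: false, reason: "bad-height" };
  }
  // Clamp instead of trusting the child: the content is not under our control.
  const height = Math.min(MAX_HEIGHT, Math.max(MIN_HEIGHT, Math.round(data.height)));
  return { ok: true, slot, height };
}

function applyResize(event, slots) {
  const result = validateResize(event, slots);
  if (result.ok) result.slot.setHeight(result.height);
  return result;
}

// Browser wiring (parent page):
//   const slots = [{
//     frameWindow: iframe.contentWindow,
//     expectedOrigin: "null",
//     setHeight: (h) => { iframe.style.height = h + "px"; },
//   }];
//   window.addEventListener("message", (ev) => applyResize(ev, slots));
//
// Child side, which the ad content would have to ship for this to work:
//   parent.postMessage(
//     { type: "ad-resize", height: document.documentElement.scrollHeight }, "*");

// Constructed demo with plain objects standing in for window handles.
function demo() {
  const adWindow = {};
  const otherWindow = {};
  const applied = [];
  const slots = [{
    frameWindow: adWindow,
    expectedOrigin: "null",
    setHeight: (h) => applied.push(h),
  }];
  const events = [
    { source: adWindow, origin: "null", data: { type: "ad-resize", height: 250 } },
    { source: otherWindow, origin: "null", data: { type: "ad-resize", height: 250 } },
    { source: adWindow, origin: "null", data: { type: "ad-resize", height: 100000 } },
  ];
  const outcomes = events.map((ev) => {
    const r = applyResize(ev, slots);
    return r.ok ? "resized" : r.reason;
  });
  return { outcomes, applied };
}

console.log(demo());
```

This only works when the framed content sends the message, which is the objection raised in the thread: third-party ad code has to cooperate.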

~~~
rsj_hn
Correct, there are solutions, but in our case none of them were feasible
because we didn't control what was happening inside the iframe.

------
superasn
Maybe it's to identify users behind a VPN as this is fingerprinting the
device, not the connection.

That's why I think the idea of running each site in a container is so
effective.

And while we're at it the container should just spit out random shit like
different resolution, audio api, user agent, once in a while (unless the user
turns it off) to thwart such attempts.

Unfortunately when the creator and maintainer of 67% of all browsers is an ad
company who is exploiting this in the first place, then there is no chance
that this could happen.

~~~
apetresc
> And while we're at it the container should just spit out random shit like
> different resolution, audio api, user agent, once in a while (unless the
> user turns it off) to thwart such attempts.

Wouldn't that break the legitimate feature-detection uses for these APIs?
Asking the user to identify and whitelist each call is impractical, especially
since the fail-case in this scenario would be subtle (you'd still see the page
but it might randomly be in the wrong mode, or images might be scaled
incorrectly, etc). At that point you might as well just turn Javascript off.

~~~
superasn
Yes I thought about it that's why "unless the user turns it off" comment in
parens. I think out of 100 sites I visit everyday no website needs to access
the audio api without my consent maybe except one or two which I can
whitelist. Same for user agent, I don't think it should break if the container
says I'm running firefox v65 or v67, etc.

~~~
shawnz
If websites had to ask permission to enable responsive features like screen
size detection, then nobody would use them

~~~
dmitrygr
Good! Then maybe they'll go back to writing normal html and let my user agent
present it to me how I like and how my device best does

~~~
shawnz
If that's how you feel, why not disable CSS?

~~~
progval
It was already possible to write CSS that adapts to various screen sizes
before CSS became a privacy issue (ie. before CSS 3); except it was called
regular CSS, not responsive.

My guess is the difference between "regular CSS that adapts to screen size"
and "responsive CSS" is that the former only has a single set of rules while
the latter has different CSS rules that get enabled/disabled based on screen
size.

Conditional rules -> different content gets loaded -> server gets notified of
what rules are enabled -> fingerprinting

------
kylegordon
And this is why, even with the best intentions of site operators, my browser
will continue to use the best ad-block tools I can get, and my networks will
be protected by tools like PiHole.

~~~
jimmaswell
This seems melodramatic for something as trivial as an audio request.

~~~
mikeash
It’s incredibly disrespectful. Nobody wants some random ad listening to their
microphone. That they’re trying it anyway indicates that they’re hoping to get
some people with browsers that don’t block it, or trick some people into
saying yes.

It’s not harmful, as long as you’re not one of the people who gets tricked.
But it does indicate that they want to do you harm, and try to. That they
failed doesn’t make it all better.

~~~
jimmaswell
It's probably just a mistake and not actually trying to collect anything.

~~~
mikeash
You think it’s hitting the JavaScript microphone API by mistake? How?

~~~
ladberg
It's Google's fingerprinting for tracking you across the web. It won't
actually listen to or play anything, it just opens it up to see if it's there.

~~~
mikeash
We have no way of knowing that when a permission alert comes up. The only
reason we’d ever allow it is if we were tricked or exploited.

------
ploxiln
It's pretty obvious that the only real fix is to accept money in exchange for
putting an image with a hyperlink on your website.

Anything involving javascript will do shenanigans for various reasons.
Fingerprinting via any means possible is industry standard ad-network behavior
at this point. No one in the industry could imagine doing any less - it's
impractical, it's absurd. But targeting! But fraud! But the only fix is to
just give it all up, go back to how it was done in the 90s.

------
johnwheeler
I wonder if the top brass at alphabet ever worry that their trillion dollar
empire is based on fragile foundations like web audio fingerprinting, etc.

that sure would keep me up at night.

obviously, i know google does more, but it seems like a large chunk of their
revenue must be dependent on shady technical tricks like these working.

~~~
colinbartlett
They realized it was a risk so they built their own browser to have more
control. And it worked. Only now, users are wising up and moving to Firefox.

~~~
gdw2
Is firefox less fingerprintable?

~~~
jes
I'm not an expert, but I'm running Firefox Nightly for exactly that reason.

[https://blog.mozilla.org/futurereleases/2019/04/09/protections-against-fingerprinting-and-cryptocurrency-mining-available-in-firefox-nightly-and-beta/](https://blog.mozilla.org/futurereleases/2019/04/09/protections-against-fingerprinting-and-cryptocurrency-mining-available-in-firefox-nightly-and-beta/)

~~~
butteroverflow
What's your user agent like? I would imagine there are not many Nightly users
out there.

~~~
a012
Still, there is a lot of information in your user-agent and metadata (OS
version, platform, screen size, timezone, and more).

------
miohtama
I like the comment on SO: "Deanonymizing via fingerprinting - illegal in EU"

------
inglor
Why is this surprising to anyone? It is clear that ads use tracking mechanisms
and cookies and this is no different.

Audio feature detection isn't even a novel technique.

I've seen trackers look at download stream patterns to detect whether or not
BBR congestion control is used, I have seen mouse latency based on the
difference between mouse ups and downs in double clicks and I have seen
speed-of-interaction checks in mouse movements.

Just checking for the constructor of something an ad might legitimately use
(like audio) is relatively benign to be honest and it is naive to expect ads
to not do this and it is why I use an ad blocker even on sites without
annoying ads

~~~
inglor
And as a fun fact, networking timing fingerprinting attacks work even if
you don't have JavaScript enabled and I have been able to make a PoC that was
very accurate (I did not release it but I did disclose some bits to relevant
parties)

~~~
saagarjha
I hope "relevant parties" includes "browser vendors" and not "adtech
companies" :)

~~~
function_seven
Which one is Google?

------
atoav
I don’t get the modern ad stuff, any reasonable person uses an adblocker
anyway, because ads are often slow, problematic in terms of privacy and
security.

The fact that even people of a big site like stack overflow _don’t know_ where
it comes from _instantly,_ is only further proof that using an adblocker is a
reasonable decision.

Maybe it is naive, but all ads should be in my eyes is a picture and something
that counts the page views. And when you are a site that has ads as its main
income you should have at minimum one employee who knows and tests each ad
before it gets accepted and put onto _your_ server.

Only then your customers will trust the ads you use and only then any
reasonable person can even consider deactivating the adblocker for your site.

I am pretty sure somebody explored this idea before me, why doesn’t it work?

~~~
bongobongo
It works, it just won’t happen because all the structural incentives point to
the status quo. Another reason to love our current crop of monopolists...

------
jackdh
Has there been any serious thought / discussion about how the cat and mouse
chase of the ads vs ad blockers is going to end?

It would be interesting to see where we are in ten years.

~~~
Gibbon1
I think ad blocking is a misnomer. What people are trying to do when blocking
ads is prevent marketing people from spying on them. And the performance and
resource consumption that comes from that.

Personal opinion: Laws are needed to make what advertisers are doing illegal.
Advertisers are spying on people to the extent where if the government did it
they'd need a warrant.

~~~
yoz-y
I disagree. The tech crowd is using adblockers to prevent spying and resource
consumption. But majority of people running adblockers just don't want to see
ads.

~~~
BonesJustice
In most cases, I don’t think it’s ads as concept that’s the problem. If
websites only had static ads in the sidebar, I question how many people would
bother with ad blockers.

But when ads block content; include flashing animations, audio, and video; and
take up more layout space on a site than the actual content; _then_ people
have had enough.

~~~
umanwizard
Are you disagreeing with the person you replied to? Your tone suggests that
you are, but the content of your post seems to be agreeing.

~~~
BonesJustice
I disagree that most people use ad blockers because they “don’t want to see
_[any]_ ads.”

Meaning, if advertisers hadn’t built more and more intrusive ads and had stuck
with static ads that don’t severely harm the UX, then I doubt most users would
bother with ad blockers.

~~~
Gibbon1
Yeah no one would care about magazine style ads with an ordinary click through
link. Especially if clicking resulted in something useful instead of being the
browsing equivalent of jumping into a dumpster fire.

The advertiser arms race has resulted in a classic tragedy of the commons.
That's my diagnosis of the problem. Traditionally regulation is needed to fix
that. Exactly what that entails is beyond me.

------
lol768
It's insane to me the extent to which companies will go in order to prevent
cross-site scripting attacks.. and yet they're perfectly happy to include
unvetted, potentially malicious JavaScript _on the same origin_ in the form of
ads.

There is no reason these ads should be _anything_ other than a linked image.

------
mappu
There's something up with my PulseAudio (maybe changing audio output formats?)
that means I hear a very loud "pop" when pages try to do this.

e.g. Browsing to an arstechnica.com article, with speakers on but nothing else
playing.

------
ddtaylor
How about stop letting remote sites execute arbitrary Javascript on your
pages?

------
captn3m0
A little bit of corporate newspeak (and digging):

Ad URL:
[https://static.adsafeprotected.com/sca.17.4.95.js](https://static.adsafeprotected.com/sca.17.4.95.js)

JS Domain: adsafeprotected.com

Domain Owner: Integral Ad Science, Inc[0]

Google's recent stance on the matter of fingerprinting[2]:

> Chrome also announced that it will more aggressively restrict fingerprinting
> across the web. When a user opts out of third-party tracking, that choice is
> not an invitation for companies to work around this preference using methods
> like fingerprinting, which is an opaque tracking technique. Google doesn’t use
> fingerprinting for ads personalization because it doesn't allow reasonable
> user control and transparency. Nor do we let others bring fingerprinting data
> into our advertising products.

The important part being: _Nor do we let others bring fingerprinting data into
our advertising products._

The same company advertises their fingerprinting capabilities:

> Browser and Device Analysis: We analyze the technological fingerprints of
> browsers and devices in order to uncover bots fraudulently posing as human
> users. We can validate what type of mobile or desktop device a browser is
> running on, providing additional context with which to identify fraud.

And it is this fingerprinting that gets them selected as a Google Brand Safety
and Viewability Preferred Measurement Partner[1]

> New York, NY – Integral Ad Science (IAS) has been selected as a preferred
> partner in Google’s Measurement Program for both brand safety and viewability.
> Partners were selected after meeting rigorous standards for accuracy and using
> reliable methodologies to measure KPIs that matter for marketers. The program
> is designed to make it easier for advertisers to source trusted, third-party
> measurement providers.

The gist of it being that Google has heavy cognitive dissonance, with their
advertising wing rewarding partners that fingerprint users (against their own
policies), and the Chrome team barely managing to introduce some anti-
fingerprint measures, which are clearly not enough.

[0]: [https://integralads.com/capabilities/ad-fraud/](https://integralads.com/capabilities/ad-fraud/)

[1]: [https://integralads.com/news/google-selects-ias-brand-safety-viewability-preferred-measurement-partner/](https://integralads.com/news/google-selects-ias-brand-safety-viewability-preferred-measurement-partner/)

[2]: [https://blog.google/products/ads/transparency-choice-and-control-digital-advertising/](https://blog.google/products/ads/transparency-choice-and-control-digital-advertising/)

~~~
pdkl95
> Google has heavy cognitive dissonance

Perhaps, but I think some of that behavior only appears dissonant. Like the
NSA, Google often uses carefully constructed language that is designed to
sound like a statement about a topic of concern without saying anything
actually useful. For example:

> Google doesn’t use fingerprinting for ads personalization

The only reason to add "...for ads personalization" is if they _are_ using
fingerprinting for other purposes. This could include other ad-related
purposes like attribution.

Google claims about not using _specific_ data for a _specific_ purpose are
probably true. They simply fingerprint (and probably correlate) everything
else.

------
kabwj
If you don’t use an ad blocker you should expect your browser to behave in
strange ways.

If you don’t use an ad blocker you should consider your computer compromised.

~~~
penagwin
It's been known that ads are commonly used to spread viruses / invasive
tracking for years. And I've used adblock for almost 10 years!

Honestly, how are ads still allowed to execute javascript at all?! I get it if the
ad-manager still executed javascript, but how is it okay to let random 3rd
parties run js on your website?

------
jasonjayr
Why can't Google come up with an AMP for ads? That will transpile a restricted
javascript (or whatever) into a runtime that just doesn't do these things?

This would get rid of the greasy ads, and Google could focus on making tools
that allow site owners to filter by "features used in ad", and ad developers
could actually return to delivering ads, rather than collecting fingerprints?

~~~
progval
> That will transpile a restricted javascript (or whatever) into a runtime
> that just doesn't do these things?

They already invented that:
[https://github.com/google/caja](https://github.com/google/caja)

"Caja uses an object-capability security model to allow for a wide range of
flexible security policies, so that your website can effectively control what
embedded third party code can do with user data."

------
crispyporkbites
As a website publisher, is there an ad network available for me to use that
doesn’t allow advertisers to run JavaScript?

If so, what kind of rates can I get?

------
z3t4
I guess it's part of Google Ads's endless battle against "robot" clicks. A
site as big as SO should not use Google ads, but instead use their own ad
service. Just make an automated system where people can signup and show an ad.
Make it cost 1$ per 100 page views. That would probably earn SO two orders of
magnitude more than they get from Google Ads.

~~~
cameronbrown
> $1 per 100 page views

Eh, that's like 10x average CPM nowadays. And advertisers usually are paying
per click, not impression.

~~~
z3t4
As an advertiser, yes, but on Google Ads you know that 90% of those will be
fake ¹. And as a publisher on Google Ads you only get something like 1$ per
10000 impression ². Advertising directly on SO you know all views are not only
legit, but also targeted at developers, so I think advertisers are willing to
pay more. While most advertisers are paying per click, the whales only care
about impressions, not clicks (TV commercials).

1) Measured by analyzing the traffic I got from Google Ads

2) That's what I get from Google ads as a publisher, but you used to get a lot
more in the epoch, like $5-10 CPM

~~~
cameronbrown
Is such a high fake impression rate common on the display network?

------
pnw_hazor
Programmers make these tools. When challenging said programmers who work for
companies that promote this kind of behavior (G) they suggest that they work
for these evil companies because their job is interesting and it pays well.

This practice could stop tomorrow if the best and brightest of us decided so.

~~~
luckylion
I doubt that. If "the best and the brightest" wouldn't do it, the second best
and second brightest would be asked. At some point, somebody will do it. Also,
isn't Google already selecting for moral flexibility? I find it hard to
believe that a principled developer would start at Google, much like a
pacifist engineer wouldn't work at a Pentagon contractor. So they are getting
the best and the brightest whose limits of what they won't do because of
personal ethics don't include ad tech, surveillance etc.

I'm not so sure that education would help either, it's my impression that
ethics is just individually set. Of the people that understand Kant's
categorical imperative, some will act accordingly and others will ignore their
knowledge because doing so gets them more money.

------
amadeusw
Does Microsoft (ad owner) or Google (ad provider) perform the fingerprinting
in this case?

~~~
dymk
Google

~~~
dudus
It seems that the specific script comes from
[https://integralads.com/](https://integralads.com/) as stated by another
commentator. I think the blame is to be shared here.

integralads is guilty of developing and selling this technology. Microsoft is
guilty of buying it and using it. Google is guilty of serving it. And why not
also StackOverflow is guilty of offering that space to advertisers without
enough vetoing of their ads.

After reading about integralads I'm not even sure if the purpose is to
fingerprint, it seems to be more targeted towards detecting fraud, which does
not require fingerprinting necessarily.

My point is that it's not as easy as pointing to one company and blaming them.
This is a problem that concerns anyone on the Ad space.

------
thelazydogsback
This issue (along with many others) is due to one simple fact -- the internet
is still primarily about _presentation and rendering_ not _information_. We
had both client-side template-based rendering and Semantic Web initiatives --
these failed for various technical and non-technical reasons at the time, but
I'm hoping we go in that general direction again at some point. Nobody else
should be able to (definitively) decide what information I want and how it
should be presented to me. We only get the Internet that the majority are
willing to put up with.

------
JimBrimble35
Aside from the obvious usability benefits, this kind of thing makes it
abundantly clear why much of the web has gone to javascript dependent SPAs. If
you need JS to run the site, then you also have to leave it on to be
tracked/fingerprinted.

Kind of makes sense why companies like Google and Facebook have invested so
much in creating open-source front-end frameworks. The ROI is probably
phenomenal.

I get that stackoverflow isn't an SPA, it just made me think of this point.

Side-note: you can block JS on stackoverflow and still view answers. That
works for 98% of my usecase for the site.

~~~
__jal
> If you need JS to run the site

... Then I move on. Those dorky little crapware widgets are basically never
worth looking at in any case, and I do take that sort of strategic tooling
decision as a signal that I probably don't want to accept the 'bargain' being
offered.

~~~
JimBrimble35
That's fair, my point is that in many cases (a rapidly growing number of
cases), the entire site is JS. If you need the service, then you have to accept
the tracking.

------
louhike
Gosh, it's incredible the length they will go to de-anonymize user data. I guess
I will think better next time a website I like asks me to add them to my ad
blocker whitelist.

------
miguelmota
Seems like classic fingerprinting behavior from Google Ads. It's unfortunate
and hope they fix it quick but most importantly figure out a way to prevent it
in the future

------
6gvONxR4sf7o
I would love for this to be illegal.

~~~
dymk
Thank God we don't live in a direct democracy

------
boomlinde
Tangentially related anecdote: I came across a site the other day that
requested access to the MIDI API for no apparent reason. Is this a common
tracking vector? The available MIDI interfaces can say something about the
system but in 99% of cases (the 99% that don't have any physical MIDI
interfaces) I don't imagine that you'll discover anything other than operating
system family.

------
helloworm
Has anyone made a plugin that does a DOS on each ad server(s) detected? Then,
we have built-in DDOS on the ad servers, if enough users install it.

~~~
anfilt
While the idea is cute you do realize that would have criminal repercussions
for people who install said plugin in certain countries.

------
ReedJessen
Is this a scandal?

~~~
dymk
It's 2019, everything is a scandal

~~~
dRaBoQ
And everyone is outraged.

------
nvr219
Always use ublock (origin)

------
iamnotacrook
It's ok. SO's policy on abusive ads is to mention it on meta and hope a
moderator notices and then acts upon it.

~~~
gortok
As a community elected moderator
([https://stackoverflow.com/users/16587](https://stackoverflow.com/users/16587)
) I can tell you with certainty that moderators have no control over ads; only
the development (and maybe the community team). In this case we would do the
same thing the OP did, in addition we would reach out in Stack Overflow chat
to the community team to inform them of the situation.

~~~
iamnotacrook
Well perhaps you should get your story straight because on this page:

[https://meta.stackexchange.com/questions/329763/were-testing-advertisements-across-the-network](https://meta.stackexchange.com/questions/329763/were-testing-advertisements-across-the-network)

which is being prominently announced in a yellow "featured on Meta" box you
can read:

"If you see any ads that are inappropriate or have any questions about this
experiment, please let me know by starting a new question and tagging it with
advertising"

and

"If you wish to report an advertisement, please take a screenshot of the ad
and paste the URL (if possible) along with the site where you saw it to a
comment or answer. I'll report it to the ads team and we can track it down to
investigate."

Screenshots? Start a new question with a tag? Track it down? Shouldn't you cut
to the chase and have a "report this ad" button built-in so you can
immediately be alerted to malware/abusive/inappropriate ads? Perhaps it's not
moderators who have the power here. As a non-moderator/employee I couldn't
care less what you call the people who do it; it seems entirely inadequate.
Run the ads now and if enough people complain or it gets embarrassing - like
google and/or microsoft spying on users - then publish a theatrical apology.
No, that doesn't work for me.

No, my ad-blocker is never coming off.

------
alinspired
this is the time to appreciate uBlock Origin's advanced mode, since 3rd party
JS is blacklisted by default
[https://github.com/gorhill/uBlock/wiki/Advanced-user-features](https://github.com/gorhill/uBlock/wiki/Advanced-user-features)

------
unixhero
"Probably it tries to use the AudioContext for browser fingerprinting. – Bergi
11 hours ago"
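
One way a site operator could trace which script constructs an `AudioContext`, the "where is it coming from" problem raised at the top of the thread. This is an added example, not code from the thread or from Stack Overflow; the function names, the watched-API list and the sample stack are constructed for illustration.

```javascript
// Added example, not code from the thread. Wraps audio constructors on a
// global object so that every `new` call reports the call stack and the
// script URLs found in it.

const WATCHED_APIS = ["AudioContext", "webkitAudioContext", "OfflineAudioContext"];

// Pull distinct script URLs out of a stack trace. Handles both the
// "at fn (https://host/x.js:1:2)" and the "fn@https://host/x.js:1:2" styles.
function scriptUrlsFromStack(stack) {
  const urls = [];
  const frame = /(https?:\/\/[^\s)]+?):\d+:\d+/g;
  let match;
  while ((match = frame.exec(stack)) !== null) {
    if (!urls.includes(match[1])) urls.push(match[1]);
  }
  return urls;
}

// Replace each watched constructor with a Proxy whose construct trap reports
// the caller and then builds the real object, so page behaviour is unchanged.
function instrumentConstructors(globalObj, names, report) {
  const installed = [];
  for (const name of names) {
    const Original = globalObj[name];
    if (typeof Original !== "function") continue; // API absent in this browser
    globalObj[name] = new Proxy(Original, {
      construct(target, args, newTarget) {
        const stack = new Error().stack || "";
        report({ api: name, stack, scripts: scriptUrlsFromStack(stack) });
        return Reflect.construct(target, args, newTarget);
      },
    });
    installed.push(name);
  }
  return installed;
}

// Browser wiring, in an inline script placed before any ad tag:
//   instrumentConstructors(window, WATCHED_APIS, (hit) => {
//     navigator.sendBeacon("/audio-report", JSON.stringify(hit)); // assumed endpoint
//   });

// Constructed stack trace (hosts are placeholders) showing what the parser
// extracts from a typical report.
const SAMPLE_STACK = [
  "Error",
  "    at new AudioContext (<anonymous>)",
  "    at probe (https://ads.example.test/tag.js:1:2048)",
  "    at https://ads.example.test/tag.js:1:4096",
  "    at loader (https://cdn.example.test:8443/loader.js:12:7)",
  "fp@https://metrics.example.test/m.js:3:15",
].join("\n");

console.log(scriptUrlsFromStack(SAMPLE_STACK));
```

The wrapper only sees calls made in the frame where it was installed, and only if it runs before the third-party script; code inside a cross-origin ad iframe has its own globals and is not observed.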

------
avip
If you're a newcomer to this long thread, pls CTRL+F manigandham and read all
his comments as a primer. Lots of misinformed couch-comments here. If you'd
like to reasonably rant about ad-tech (and that's welcome), understand the
value it provides first.

------
eyeball
I’ve been noticing horrible battery drain on my iOS devices lately. The
battery monitor in settings says the worst offender is “safari audio”. I
wonder if it’s something similar.

------
zaphirplane
If this is caused by accepting JS enabled ads, what’s to stop the ad from
changing the dom or redirecting the browser to a SO phishing site?

------
EGreg
I don’t get how it can get the fingerprint to be so unique as to attribute
ads. Most mobile browsers are exactly the same, you have the same screen
resolution and so on. And most desktop browsers when maximized are the same
resolution. I mean there must be groups of thousands of users for each
combination of fingerprinted features. So it’s not all the way down to the
person, right? It’s just correlations?

~~~
appleiigs
No, it's not all the way down to the person. Yes, it's just correlations. Even
if the fingerprint was so unique and it went down to 1 user, it wouldn't be
able to actually identify that person's name etc.

The most likely use-case here is ad fraud detection anyway.

~~~
Cpoll
> The most likely use-case here

I'm not so sure. There's a lot of market value in knowing that User 2341423
went to Site A, then Site B, then bought this item, etc.

------
emmelaich
It now makes sense that you’re rewarded for staying logged in.

------
paulcarroty
Ultradisgusting case on StackOverflow: 99.999% top answers are edited by
moderators - they just promote yourself with free content.

We need a real alternative - without stupid ads and master-slave karma-based
community relations.

------
sergiotapia
Is there something I can use to randomly fuzz every tab individually as I
browse the web?

They can track me through websites and I don't want that. Already using ublock
origin.

~~~
fimdomeio
Not exactly what you asked for but got this from mozilla today:
[https://blog.mozilla.org/firefox/hey-advertisers-track-this/](https://blog.mozilla.org/firefox/hey-advertisers-track-this/)

------
unixhero
Post closed due to wrong category.

------
meerita
Did anyone check how much data from our data plan cede to advertising? I bet
it's 30%-40%.

~~~
chance_state
I have been using uBlock Origin for about three years and I browse the web
heavily (4-6 hours/day). In that time it has blocked 13% of requests (10% on
mobile).

I don't have enough info to quantify the amount of data blocked though.

~~~
gorhill
It's often the case that what is blocked prevented more scripts to be pulled,
which scripts could pull even more scripts and so on. Those subsequent waves
of scripts are not counted as blocked because they never had a chance to be
pulled by the first wave of blocked scripts.

I have a tweet in my timeline which illustrates this:
[https://twitter.com/gorhill/status/934474012377444352](https://twitter.com/gorhill/status/934474012377444352)
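
An added example, not part of gorhill's comment and not uBlock Origin's code: a simulation over a constructed request graph showing why a per-request "blocked" counter understates what blocking prevents. The resource names, the blocklist and the counted-share formula (blocked divided by attempted requests) are assumptions for illustration, not how uBlock Origin computes its figure.

```javascript
// Constructed request graph (names invented for this example): each key
// lists the requests that resource triggers once it has loaded.
const REQUEST_GRAPH = {
  "page.html": ["site.js", "style.css", "adloader.js", "analytics.js"],
  "site.js": ["api/data.json"],
  "adloader.js": ["exchange.js", "pixel.gif"],
  "exchange.js": ["bidder-a.js", "bidder-b.js"],
  "bidder-a.js": ["creative-a.js"],
  "bidder-b.js": ["creative-b.js", "sync.gif"],
  "creative-a.js": ["fingerprint.js"],
  "analytics.js": ["beacon.gif"],
};
// Assumed blocklist: only the two first-wave third-party loaders match.
const BLOCKLIST = new Set(["adloader.js", "analytics.js"]);

// Breadth-first page load. A blocked request is counted once and its
// children are never discovered, so they are never requested at all.
function simulateLoad(graph, root, blocklist) {
  const allowed = [];
  const blocked = [];
  const seen = new Set([root]);
  const queue = [root];
  while (queue.length > 0) {
    const url = queue.shift();
    if (blocklist.has(url)) { blocked.push(url); continue; }
    allowed.push(url);
    for (const child of graph[url] || []) {
      if (!seen.has(child)) { seen.add(child); queue.push(child); }
    }
  }
  return { allowed, blocked };
}

// Compare what the counter sees with what an unblocked load would fetch.
function blockingReport(graph, root, blocklist) {
  const filtered = simulateLoad(graph, root, blocklist);
  const unfiltered = simulateLoad(graph, root, new Set());
  const attempted = filtered.allowed.length + filtered.blocked.length;
  const total = unfiltered.allowed.length;
  return {
    countedBlocked: filtered.blocked.length,
    neverAttempted: total - attempted,
    countedSharePct: Math.round((100 * filtered.blocked.length) / attempted),
    preventedSharePct: Math.round((100 * (total - filtered.allowed.length)) / total),
  };
}

console.log(blockingReport(REQUEST_GRAPH, "page.html", BLOCKLIST));
```

In this constructed graph the counter records 2 blocked requests out of 6 attempted, while 11 of the 15 requests an unfiltered load would make never reach the network.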

~~~
chance_state
Makes sense, thanks.

How does uBlock calculate the "blocked since install" percentage?

------
dabeeeenster
"It's not very straightforward to find where it's coming from, but we are
working on it."

This encapsulates the entire problem with the current state of digital
advertising in 1 simple sentence.

~~~
keyle
But you know, we wouldn't stop serving ads until we work it out... no no
imagine the loss in revenues.

~~~
craftinator
Let's be adults here. This is SO, and I imagine you've used and enjoyed the
use of their services just like the rest of us. Support them by letting
passive ads sit on the edges of the page, and appreciate that they are
actually trying to solve this issue.

~~~
scarface74
They could “solve” the issue by not having third party ads. Of all the sites
on the internet, StackOverflow has the demographics that any advertiser would
crave. How large of an inside ads sales force would you need to target higher
than average income earners?

How large reputable sites trust third party ad servers is a mystery to me.

Besides, native ads that could be served from StackOverflow's own servers would
be harder to block.

~~~
manigandham
That's just not how digital ad campaigns are run. Advertisers, agencies, media
buyers and the rest of the supply chain don't negotiate with individual sites
like that, not at any scale that can sustain a site like SO.

~~~
wool_gather
No. They _already do this_. This is how ads have been run on SO forever. The
new ad network ads that they've started with are an aberration from SO's own
_established practice_.

~~~
manigandham
No they don't. They use their own adserver (bought from adzerk) to physically
serve the ads, but they have always come through RTB connections to ad
exchanges.

There are private marketplaces and "automated guaranteed" deals to isolate
their inventory in _its representation and pricing_ from the rest of the
market but the actual campaigns they get exposure to, and the creatives
delivered, aren't special to them.

~~~
ceejayoz
I've seen plenty of SO-specific ad campaigns being run on the site.

~~~
manigandham
They run house-ads for their own jobs board and products, and they will have
private marketplaces inside the exchanges, but those campaigns and creatives
will still go through the standard adtech supply chain with all the JS-based
layers added on.

[https://www.stackoverflowbusiness.com/advertising](https://www.stackoverflowbusiness.com/advertising)

They do sell job postings and have sponsored tags so it's not all network ad
revenue, but that's a minority of the income. Since they released their Q/A
SaaS product now, maybe they’ll shift to selling that as the primary revenue
stream.

------
rkagerer
TLDR: A case of invasive fingerprinting triggered by a Microsoft ad delivered
by Google.

~~~
rkagerer
Are all fingerprinting techniques used in the wild pretty generally well-
known? Do any browsers have an option to blindly return a standard set of
values regardless of actual client capabilities/metrics? (i.e. make it
difficult to achieve more granular results than browser agent).

I know Mozilla made an anti-fingerprinting announcement recently but IIRC all
it does is check scripts against a blacklist:
[https://blog.mozilla.org/futurereleases/2019/04/09/protectio...](https://blog.mozilla.org/futurereleases/2019/04/09/protections-against-fingerprinting-and-cryptocurrency-mining-available-in-firefox-nightly-and-beta/)

~~~
sfink
There's an option in Firefox, yes. privacy.resistFingerprinting or something,
you can search for it. It tends to break a number of sites, iiuc.

------
synthmeat
It's most likely for web scraper detection. State of the art was using video
codec availability as a fairly reliable data point, and I haven't seen audio
being used for this. Quite interesting.

~~~
jupp0r
What makes you think it would be for web scraper detection vs user
fingerprinting?

~~~
synthmeat
Because they had a lot of trouble with sham sites generated by their content.

~~~
icebraining
They literally provide full website dumps of all the content:
[https://stackoverflow.blog/2014/01/23/stack-exchange-cc-data...](https://stackoverflow.blog/2014/01/23/stack-exchange-cc-data-now-hosted-by-the-internet-archive/)
(yes, the post is old, but they still update the archive).

