
I Visited 49 Sites. Hundreds of Trackers Followed Me - uptown
https://www.nytimes.com/interactive/2019/08/23/opinion/data-internet-privacy-tracking.html
======
jordanpg
And all in the service of vacuuming up tiny fractions of pennies in
advertising revenue.

What a silly, fragile business model whose days are numbered.

It's amazing to consider how much revenue has been generated, predicated on
completely unnecessary and (now) easily disabled browser features.

I have to imagine that like the cigarette manufacturers of yore, companies
whose lifeblood is based on this kind of nonsense are kept up at night
wondering where the money will come from when this house of cards collapses.

~~~
Shaddox
Sorry to disappoint you my friend, but the ads and paid subscriptions are just
a small fraction of their income. The real money maker is in tracking user
behavior and selling that aggregated data.

If worst comes to worse, they can just track your behavior on their website
alone.

~~~
tiborsaas
I keep seeing this claim. Where to sell this data and how much for example 1
million unique visitors / month worth?

~~~
vertex-four
User data for a single website is probably not worth much. User data for every
single website a user visits in a day? A bit more. Hence, advertising
networks.

------
gnu8
What we need is a way to jam these trackers with generated data to the point
that they are useless. Something like
[https://trackthis.link](https://trackthis.link), but running 24x7 on
countless computers, phones, raspberry pi, hacked routers, and virtual
machines.

~~~
archie2
You can install the AdNauseam browser extension - it's a fork of uBlock Origin
that can automatically click links for you. The idea is that you click on
every single ad link while you browse the web, and completely muck up all of
the data that trackers have on you.

[https://adnauseam.io/](https://adnauseam.io/)

~~~
metalliqaz
I really don't understand how that tool is useful. So AdBlock blocks an ad,
then this tool sweeps in and undoes any privacy benefit you get from not
loading the tracker, AND wastes your bandwidth at the same time.

Edit: Yes, I understand that it is annoying for the ad networks to have to
register lots of wasted clicks, but that doesn't benefit me at all. It just
makes my own browsing slower. I figure at least 20% of the people browsing the
web would have to use the extension for it to make any difference to the ad
networks, and it's probably higher than 20%. That's never going to happen.

~~~
nabnob
This paper by the creators of AdNauseam explains their approach and philosophy
- [http://ceur-ws.org/Vol-1873/IWPE17_paper_23.pdf](http://ceur-ws.org/Vol-1873/IWPE17_paper_23.pdf)

Individual people opting out of tracking doesn't meaningfully attack the ad
tracking infrastructure, and will always be limited to a small percentage of
technically proficient users who care about privacy.

A collective approach feeds bad data into their infrastructure, making their
data less meaningful for ad tracking and also helping protect the privacy of
everyone.

------
kylecordes
I imagine an alternative history where browsers simply never had the feature
of cookies and similar tracking mechanisms available to servers or domains
other than the primary one in the URL bar. Or even more severely, where all
assets and scripts had to be loaded from the same domain. That would have
various downsides but would also have created a much less tracking prone web.

~~~
ianai
I wish there were a way to enforce this client side.

~~~
nerdponx
uBlock Origin and uBlock Matrix can both enforce it. But you won't be able to
read the news or check the weather.

~~~
cik
That's why you use AdNauseam instead. I read news, check the weather, and
generally live my life. Combine it with ExplodingCookies and life is better
than it was.

~~~
nerdponx
In my understanding, it's trivially easy to identify and filter out those fake
clicks.

Also I don't want to screw with advertisers' perception of who I am. If
anything, I really like how ads are actually relevant to me -- it's a lot
better than the days of penis pill banners. I just want them to stop following
me around so closely and putting my "anonymized" data at risk of exfiltration
by hackers or governments.

------
codezero
Heya. I work for Heap (mentioned in the article). If anyone has questions for
me. Let me know.

Heap doesn’t sell or share data to third parties, we don’t do any cross site
identifiers, or fingerprinting. We aren’t in the ad business, that’s Google
and FB.

In other threads folks have said “but you can’t control what might be done
with Heap data in the future” that’s right. I’m happy and pretty secure, and
will fall on a sword if Heap ever becomes an unethical company.

(I’m commuting for the next hour but will get back to reply soon)

~~~
saagarjha
> In other threads folks have said “but you can’t control what might be done
> with Heap data in the future” that’s right. I’m happy and pretty secure, and
> will fall on a sword if Heap ever becomes an unethical company.

This doesn't help me one bit, though :/

~~~
codezero
What would?

~~~
danShumway
At the very least, a credible precommitment that Heap won't transfer data to
other companies in the event of a merger, and that if Heap goes out of
business that data will be destroyed.

Here's what Heap's privacy policy says:

> We may share or transfer your information in connection with a prospective
> or actual sale, merger, transfer or other reorganization of all or parts of
> our business.

You're banking on Heap being an ethical company forever, yet your privacy
policy basically gives you carte blanche rights to sell my data to any other
company in the event of a merger. Heap runs into tough times and Oracle/Google
buys them out? Any privacy guarantee you make here is immediately out the
window.

You're asking people here to trust you, while your privacy policy explicitly
states in legal language that you're allowed to stab us in the back. If you're
not planning to stab us in the back, then why is that language necessary?

~~~
codezero
This is a great idea. I’m going to try to find if any other companies have
language like you describe.

I understand that you are assuming any acquisition will lead to some malicious
or unethical intent, but I’m not so cynical, that said, it’d be nice to have
some protections.

~~~
saagarjha
FYI: many other companies do have this exact language in their privacy policy
and treat their data as an asset during acquisition negotiations.

------
kareemm
Can’t wait for ad tracking to be regulated. The rising awareness about how
tracked we are suggests the Wild West days are coming to an end.

~~~
twox2
Don't hold your breath. Ad tech is what keeps the internet free. You might be
willing to pay for content to keep from getting tracked, but consider the
billions of folks out there that can barely afford to get online in the first
place.

~~~
dredmorbius
Fund publishing as a public good.

~~~
wutbrodo
Publishing of what? Public funding of publishing isn't a complete non-starter,
and can work very well in narrow cases, but there are serious problems
involved in the state spinning up an infrastructure where it decides what
speech in general is worthy of state funding. It's disheartening to see how
common it is to see people throw out a vague "make the gov't do it" without
acknowledging or grappling with the deep fundamental questions about how this
would be implemented.

~~~
dredmorbius
Publishing of everything generally public. "To publish" is literally "to make
public":
[https://www.etymonline.com/word/publish](https://www.etymonline.com/word/publish)

I'm aware this is an uphill battle. It may well be a hill I choose to die on.

For further thoughts / arguments:

Many of the arguments for Sci-Hub generalise to all information. This piece
also specifically invokes the arguments of the CUNY Graduate Center and Joseph
Stiglitz (Nobel laureate economist) on information as a public good:

"What the academic publishing industry calls "theft" the world calls
"research": Why Sci-Hub is so popular"
[https://old.reddit.com/r/dredmorbius/comments/4p2rwk/what_th...](https://old.reddit.com/r/dredmorbius/comments/4p2rwk/what_the_academic_publishing_industry_calls_theft/)

Generally:

"Why Information Goods and Markets are a Poor Match"
[https://old.reddit.com/r/dredmorbius/comments/2vm2da/why_inf...](https://old.reddit.com/r/dredmorbius/comments/2vm2da/why_information_goods_and_markets_are_a_poor_match/)

"The Medium Is the Message: how the technological and revenue environments
shape content"
[https://old.reddit.com/r/dredmorbius/comments/278e2o/the_med...](https://old.reddit.com/r/dredmorbius/comments/278e2o/the_medium_is_the_message_how_the_technological/)

"Forbes asks: Why do programmers hate advertising so much?"
[https://old.reddit.com/r/dredmorbius/comments/24107v/forbes_...](https://old.reddit.com/r/dredmorbius/comments/24107v/forbes_asks_why_do_programmers_hate_advertising/)

"A Modest Proposal: Universal Online Media Payment Syndication"
[https://old.reddit.com/r/dredmorbius/comments/1uotb3/a_modes...](https://old.reddit.com/r/dredmorbius/comments/1uotb3/a_modest_proposal_universal_online_media_payment/)

"Specifying a Universal Online Media Payment Syndication System"
[https://old.reddit.com/r/dredmorbius/comments/2h0h81/specify...](https://old.reddit.com/r/dredmorbius/comments/2h0h81/specifying_a_universal_online_media_payment/)

"Richard Stallman's "Internet Sharing" content syndication proposal (2012)"
[https://old.reddit.com/r/dredmorbius/comments/3p0bp6/richard...](https://old.reddit.com/r/dredmorbius/comments/3p0bp6/richard_stallmans_internet_sharing_content/)
[https://stallman.org/articles/internet-sharing-license.en.ht...](https://stallman.org/articles/internet-sharing-license.en.html)

A general problem of advertising, not otherwise addressed, is that it tends to
produce shit content. Though this essay doesn't directly address that, it's
very much a Tyranny of the Minimum Viable User dynamic:
[https://old.reddit.com/r/dredmorbius/comments/69wk8y/the_tyr...](https://old.reddit.com/r/dredmorbius/comments/69wk8y/the_tyranny_of_the_minimum_viable_user/)

Another is that advertising tends strongly toward oppressive rather than
liberating informational regimes:
[https://old.reddit.com/r/dredmorbius/comments/6b32jo/what_ma...](https://old.reddit.com/r/dredmorbius/comments/6b32jo/what_makes_an_information_regime_oppressive_vs/)

And problems with other proposed payment alternatives, such as micropayments:

"Repudiation as the micropayments killer feature (Not)"
[https://old.reddit.com/r/dredmorbius/comments/4r683b/repudia...](https://old.reddit.com/r/dredmorbius/comments/4r683b/repudiation_as_the_micropayments_killer_feature/)

A general bibliography on publishing and media:

"Media, Advertising, Sustainability, Externalities, and Impacts: A light
reading list"
[https://old.reddit.com/r/dredmorbius/comments/7k7l4m/media_a...](https://old.reddit.com/r/dredmorbius/comments/7k7l4m/media_advertising_sustainability_externalities/)

TL;DR: I've been thinking about this for a while.

Mind: _getting to_ public goods payment is going to be difficult. I don't deny
that in the least. Partial approaches may well be a viable path there.
Sci-Hub, ZLibrary, Library Genesis, the Internet Archive, libraries (public,
offline, online), file-sharing, samizdat press, #pdfme, and other measures are
appropriate.

And "how do authors/creators" get paid: UBI/GMI would be a good start.
Performance/lectures are an option. Publishing-as-a-shingle (in the
professional advertising sense) is an option. Patronage and grants are
presently used and have a long and storied history. As discussed in the essays
above, _both_ technology _and_ business model affect the _forms_ and _types_
of works created. Advertising has been tried and found wanting.

------
heinrichhartman
So ironic that the NYTimes, where this article is published, is itself one of
the worst offenders. The article clearly states this as well:

> Among all the sites I visited, news sites, including The New York Times and
> The Washington Post, had the most tracking resources.

So hat-tip for the self-awareness. Now how about "sweeping your doorstep" ?

~~~
dantondwa
This comes up every time there's a NYT article. However, note that the
management and the journalists are different people and the fact that the
website of the NYT itself is reported as having trackers is a proof of this.

~~~
MichaelApproved
> management and the journalists are different people

That's clear and not being disputed. When people mention workers calling out
management, it's sort of in a praising way. They're commending management for
at least allowing workers to call them out.

Many institutions would not allow that to happen, so it's good to point out
the _Times_ when they do.

~~~
so-impressed
And yet nothing changes, so to feign self awareness is the height of theater.

They do it in the open. They say they do it. They tell you they know it's bad,
this thing they do. And they do it anyway.

It doesn't make them better than others to pay lip service and not change. If
anything, they lead by example and it makes them worse for having done so.

Shoplifting is a crime, but hey, everyone does it, so watch me pocket this
candy bar. And some beer. And a TV. And maybe I'll just grab some money from
the cash register. And yeah, I think I'll steal the assistant manager's car to
get away. See? This is just how the world works!

~~~
qroshan
Pray tell me how exactly should a news publisher survive without targeted
advertising. Public should pay for stuff or accept targeted advertising.

~~~
jahlove
Subscriptions did not help save the 1,800 local newspapers that have shut down
in the US since 2004.

------
bkloppenborg
Are there any reasonable, self-hosted alternatives that can provide me with
information on how visitors use my website without submitting them to
cross-site tracking?

~~~
winterthedeep
Check out Matomo [1] (previously known as Piwik) or goaccess[2]. Matomo offers
a web dashboard, while goaccess is terminal-based.

[1] [https://matomo.org/](https://matomo.org/)

[2] [https://goaccess.io/](https://goaccess.io/)

~~~
katsura
Actually, GoAccess has a web interface as well.

------
throwaway343374
As a business owner, it bugs me to have Google and Facebook trackers in my
code. But I feel like I need to buy ads, and then I also need to use these
trackers to attribute purchases to ad installs. So using some sort of
self-hosted tracker just doesn't seem like an option.

Is there an answer to this dilemma that doesn't involve forgoing ad
purchases, which seem pretty important to growth and revenue?

~~~
criddell
> I also need to use these trackers to attribute purchases to ad installs

Why? What would happen if you didn't have that data?

~~~
michaelbuckbee
An aspect of the many "trackers" on the sites, etc is that much of the
tracking isn't about tracking you (the person browsing around) it's about
tracking the company doing the ads.

Wrapping back around to your question: "What would happen if you didn't have
that data?" The answer is that Facebook/Google/Any Given ad service could just
make up numbers about how ads performed.

The attribution data gives you two hard data points:

1. How much you paid for the ads
2. How many sales/leads you received

Everything else like views, clicks, video views expanded with sound on in
Guatemala, etc. are all prone to manipulation and mis-reporting.

------
penguin_booze
I find it ironic that NYT objects to my reading articles in private mode, but
publishes pro-privacy articles.

------
jgalt212
Silly Question: If online advertising is a near duopoly, why are there so many
trackers?

~~~
ummonk
Ad analytics and optimization goes far beyond Facebook and Google, although
most of the resulting ads are run on their ad networks. Numerous established
companies and startups in the space.

------
andrewaylett
EFF's Privacy Badger and Firefox's (experimental) first-party isolation go
_some_ way to mitigating this bad behaviour. But taking special measures
shouldn't be necessary.

~~~
NikolaNovak
Question - how do they compare to "Cookie Autodelete" extension?

I recently reformatted, switched to Firefox, and installed Multi-Containers,
Auto-Delete, and uBlock Origin; open to suggestions on what other robust,
stable, mainstream extensions I should try :)

Thx!

~~~
nerdponx
You'll also want an addon to clear "local storage" and "session storage",
which is basically a shadow database where trackers can store identifiers.

~~~
NikolaNovak
Thanks! Any particular ones to recommend? "Cookie AutoDelete" extension does
have a "LocalStorage Cleanup" option, but it looks to be somewhat experimental
and temperamental...

------
BubRoss
I think if regular people start to care about this the next step will be
pi-hole or some other filtered dns in the router. It makes a massive difference.
Sites load in half the time, use half the CPU and some sites like anandtech,
techradar, and just about any other news site trying to get a wide audience
actually becomes usable.

~~~
Digit-Al
That's great whilst you're at home but as soon as you go out and switch to
your mobile network you're back to being tracked again surely.

Is there any _easy_ way around that?

~~~
Digit-Al
Thanks for the replies all. I do appreciate the time taken out of busy lives.
However, I did specify "easy" and as soon as you start talking about creating
your own VPN and the like you've lost about 99% of the people out there who
are perfectly intelligent in their own right but when it comes to computers
they barely know what a sub-directory is.

Hell, I've been a software developer for years, and once built my own PC, but
I balk at the idea of building a pi-hole. For a lot of people you may as well
ask them to change the engine in their car.

Until there is a plug and play solution to privacy I do believe it belongs to
the digital 1%.

------
simplecomplex
So? What’s the problem?

If I go in public someone might photograph me or see me. If I visit a website,
it might log information about my visit (to show me ads).

Sounds fine to me. I like reading free news articles, paid for with ads. If I
don’t like it I can stop reading them.

~~~
majewsky
A single photograph of you in public is usually not a problem. But if I were
to follow you around and take a picture every 10 seconds as you go through
your day (including at home and in the bathroom), would you like that?

~~~
simplecomplex
Advertisers don't follow us around and take photos of us, so that's not
something we need to worry about. But CCTVs do have photos of us being taken
every 10 seconds in public in major cities. It's not an issue. Nobody is
publishing CCTV photos of me. Similarly, advertisers aren't telling your
spouse what websites you visited. They just want to show you ads that are
relevant to your interests.

My point is that the expectation of privacy is unreasonable in every
situation. For example, it's unreasonable in public or when doing business
with others.

~~~
majewsky
It's only unreasonable insofar as "they totally could do that". Whether they
_do_ do that is a matter of regulation.

------
acd
However, ad blocking and do not track extensions do not block IP tracking.
Say that you can read browser window size + ip that is unique enough to track
you.

------
yborg
It's much worse than this, this doesn't even discuss tracking by apps on
mobile devices, which is an increasing percentage of overall Internet use.

------
stinky613
It really is crazy. For example, CDW.com has so many tracking websites
whitelisted in its header that our firewall blocks it:

    
    
        Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.cdw.com *.richrelevance.com *.bazaarvoice.com *.qualtrics.com *.optimizely.com *.hotjar.com cdw.needle.com nexus.ensighten.com api.bluecore.com bluecore.com px.spiceworks.com *.liadm.com scripts.demandbase.com triggeredmail.appspot.com connect.facebook.net d31y97ze264gaa.cloudfront.net *.bounceexchange.com www.googleadservices.com *.doubleclick.net *.google-analytics.com st1.dialogtech.com bat.bing.com *.googleapis.com nsg.symantec.com analytics.po.st px.ads.linkedin.com po.st *.cnetcontent.com selectors.cnetcontentsolutions.com *.akamaihd.net *.google.com *.twitter.com *.justuno.com *.liveclicker.net www.netapp.com dpm.demdex.net *.d41.co *.cxense.com static.ads-twitter.com vault.pactsafe.io pactsafe.io *.webcollage.net *.ziftsolutions.com *.simpli.fi pixel.mathtag.com *.googletagmanager.com *.googlesyndication.com googletagservices.com t.sellpoints.com a.sellpoint.net media.flixfacts.com www.youtube.com media.flixcar.com *.flix360.com *.easy2.com *.go-mpulse.net *.cdnwidget.com *.rlcdn.com *.flixsyndication.net *.adobe.com *.hotjar.io *.eloqua.com *.swogo.net *.swogo.com *.nanovisor.io *.btttag.com *.gstatic.com; style-src 'self' 'unsafe-inline' *.cdw.com *.bazaarvoice.com cdw.needle.com *.cnetcontent.com *.justuno.com *.webcollage.net *.ziftsolutions.com t.sellpoints.com a.sellpoint.net media.flixcar.com *.easy2.com *.amazonaws.com platform.twitter.com *.typekit.net *.adobe.com *.nanovisor.io *.btttag.com; img-src 'self' *.cdw.com *.bazaarvoice.com *.qualtrics.com cdw.needle.com nexus.ensighten.com px.spiceworks.com *.liadm.com *.bounceexchange.com www.googleadservices.com *.doubleclick.net *.google-analytics.com bat.bing.com nsg.symantec.com *.cnetcontent.com selectors.cnetcontentsolutions.com *.akamaihd.net *.google.com *.justuno.com www.netapp.com dpm.demdex.net *.cxense.com vault.pactsafe.io pactsafe.io *.webcollage.net *.ziftsolutions.com 
*.googletagmanager.com t.sellpoints.com a.sellpoint.net media.flixfacts.com media.flixcar.com *.flix360.com *.easy2.com *.amazonaws.com platform.twitter.com *.linkedin.com *.tribalfusion.com *.company-target.com www.facebook.com events.bouncex.net *.cdnwidget.com *.rlcdn.com *.cloudfront.net *.adobecqms.net *.turn.com st2.dialogtech.com secure.insightexpressai.com px.gumgum.com *.bluekai.com k.intellitxt.com *.everesttech.net *.adnxs.com sync.fastclick.net simage2.pubmatic.com us-u.openx.net ads.yahoo.com pixel.rubiconproject.com *.advertising.com magnetic.t.domdex.com *.rfihub.com *.mathtag.com *.mathtag.co *.amgdgt.com *.casalemedia.com www.bluecore.com *.prod.bidr.io cdn.optimizely.com syndication.twitter.com x.bidswitch.net pe.intentiq.com loadm.exelator.com insight.adsrvr.org um.simpli.fi acuityplatform.com data: *.dotomi.com *.flixsyndication.net liveintent.com cbssports.com maxpreps.com wogo ce.lijit.com soma.smaato.net cs.admanmedia.com eb2.3lift.com live.sekindo.com *.adobe.com *.sc.omtrdc.net df7xs8p1yjitw.cloudfront.net *.core.windows.net *.nanovisor.io *.btttag.com; frame-src 'self' *.cdw.com *.bazaarvoice.com *.qualtrics.com *.hotjar.com *.liadm.com *.bounceexchange.com *.doubleclick.net nsg.symantec.com selectors.cnetcontentsolutions.com *.google.com *.twitter.com *.liveclicker.net *.cxense.com *.webcollage.net *.ziftsolutions.com pixel.mathtag.com *.googletagmanager.com googletagservices.com a.sellpoint.net www.youtube.com media.flixcar.com *.easy2.com www.facebook.com *.rlcdn.com rs.gwallet.com *.liveclicker.com pages.cdwemail.com www.emjcd.com *.dotomi.com *.flixsyndication.net cdw.zuberance.com *.hotjar.io *.eloqua.com *.swcontentsyndication.com www.cisco.com *.nanovisor.io *.btttag.com; font-src 'self' 'unsafe-inline' *.cdw.com cdw.needle.com *.googleapis.com *.cnetcontent.com *.webcollage.net a.sellpoint.net media.flixfacts.com media.flixcar.com *.easy2.com *.flixsyndication.net *.typekit.net *.adobe.com *.nanovisor.io *.btttag.com; connect-src 
'self' *.cdw.com *.richrelevance.com *.bazaarvoice.com *.qualtrics.com *.optimizely.com *.hotjar.com cdw.needle.com nexus.ensighten.com api.bluecore.com px.spiceworks.com *.liadm.com scripts.demandbase.com triggeredmail.appspot.com d31y97ze264gaa.cloudfront.net *.bounceexchange.com www.googleadservices.com *.doubleclick.net bat.bing.com *.googleapis.com nsg.symantec.com *.cnetcontent.com *.akamaihd.net *.google.com *.justuno.com www.netapp.com *.d41.co vault.pactsafe.io pactsafe.io t.sellpoints.com a.sellpoint.net *.go-mpulse.net platform.twitter.com *.company-target.com www.facebook.com events.bouncex.net *.cdnwidget.com wss://*.hotjar.com p.po.st *.cdnbasket.net *.akstat.io data.g2.com data.g2crowd.com *.adobe.com *.hotjar.io *.swogo.net *.swogo.com *.nanovisor.io *.btttag.com; object-src 'self' a.sellpoint.net *.nanovisor.io *.btttag.com; worker-src 'self' blob: *.nanovisor.io *.btttag.com; media-src 'self' *.cdw.com *.cnetcontent.com *.webcollage.net media.flixfacts.com www.youtube.com blob: *.flixsyndication.net *.nanovisor.io *.btttag.com;
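
An added example, not part of the comment above and not any site's own code: a small Python audit that parses a `Content-Security-Policy` header of the kind quoted and reports, per directive, which allowed hosts are third-party and whether script execution is loosened with `'unsafe-inline'` or `'unsafe-eval'`. The first-party domain `cdw.com` and the shortened sample header are assumptions constructed for illustration.

```python
"""Audit a Content-Security-Policy allowlist for third-party reach."""

FIRST_PARTY = "cdw.com"  # assumption: the site's own domain
PREFIX = "content-security-policy:"
UNSAFE = ("'unsafe-inline'", "'unsafe-eval'")

# Constructed, shortened sample in the shape of the header quoted above.
SAMPLE_HEADER = (
    "Content-Security-Policy: default-src 'self'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.cdw.com *.hotjar.com "
    "connect.facebook.net *.doubleclick.net *.google-analytics.com; "
    "img-src 'self' *.cdw.com *.doubleclick.net data: www.facebook.com; "
    "connect-src 'self' *.cdw.com wss://*.hotjar.com *.doubleclick.net; "
    "worker-src 'self' blob:;"
)


def parse_csp(header):
    """Return {directive: [sources]}. A repeated directive is ignored,
    matching how browsers keep only the first occurrence."""
    value = header.strip()
    if value.lower().startswith(PREFIX):
        value = value[len(PREFIX):]
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def host_of(source):
    """Host part of a host-source, or None for keywords ('self'),
    scheme-sources (data:, blob:) and the bare wildcard."""
    if source.startswith("'") or source.endswith(":") or source == "*":
        return None
    host = source.split("://", 1)[-1]  # drop scheme such as wss://
    host = host.split("/", 1)[0]       # drop path
    host = host.split(":", 1)[0]       # drop port
    return host.lower()


def is_first_party(host, first_party=FIRST_PARTY):
    """True if host (wildcard prefix ignored) is the site's domain or a
    subdomain of it. Hosts are compared as written, without a suffix list."""
    bare = host[2:] if host.startswith("*.") else host
    return bare == first_party or bare.endswith("." + first_party)


def audit(header, first_party=FIRST_PARTY):
    """Per-directive summary of third-party hosts and weakening keywords."""
    report = {}
    for name, sources in parse_csp(header).items():
        hosts = {h for h in map(host_of, sources) if h}
        third = sorted(h for h in hosts if not is_first_party(h, first_party))
        report[name] = {
            "third_party": third,
            "wildcards": sum(h.startswith("*.") for h in third),
            "unsafe": sorted(s for s in sources if s.lower() in UNSAFE),
            "allows_any": "*" in sources,
        }
    return report


def distinct_third_parties(report):
    """All third-party hosts allowed anywhere in the policy."""
    return sorted({h for d in report.values() for h in d["third_party"]})


if __name__ == "__main__":
    result = audit(SAMPLE_HEADER)
    for directive, info in result.items():
        print(directive, len(info["third_party"]), "third-party hosts,",
              info["wildcards"], "wildcarded, unsafe:", info["unsafe"])
    print("distinct third parties:", len(distinct_third_parties(result)))
```
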

------
11thEarlOfMar
Coming to you from my new install of the Tor browser...

How much does it reduce tracking? Or at least make it not useful to the
tracking firms?

~~~
penagwin
Depends on what you're doing. On some websites you actually stick out (all tor
exit nodes are public and easily identifiable).

Depending on how closely you stick to the recommended configuration (default
window size and such) it'll at least minimize _some_ of the tracking
capability of most sites.

The best methods to prevent tracking IMO are ublock origin + decentraleyes +
HTTPSeverywhere (Http is leaky) in incognito mode, periodically you should
destroy the session (restart your browser).

Tor really only helps with the IP part, the rest are extensions + incognito
mode.

------
DoubleGlazing
I just had a look at the article, Privacy Badger told me there were 14 trackers
on the page.

~~~
nwsm
yeah that's covered in the article.

------
tempodox
I fully expect future historians to call this era the Surveillance Economy.

