
Is Stack Overflow allowing ads to use fingerprinting to track users? - SnarkAsh
https://meta.stackexchange.com/questions/332974/is-se-allowing-ads-to-use-fingerprinting-to-track-users
======
situational87
I love how the onus is always on the end user to find and report the "bad"
ads. How on earth did that insane status quo become acceptable and widespread?
The user is expected to know how to unminify and read JS in order to figure
out if they are being screwed or not? Seriously?

The first time I got served malware via web ad was in 1998. I started manually
blocking ads by modifying my hosts file that day. Haven't stopped blocking
since.

It's a broken model, stop forcing it down our throats and stop shrinking the
definition of "bad" advertising.

~~~
tedivm
Yeah, if people want to put all the pressure on me to decide which ads are
reasonable then I'm just going to block all ads and move on.

~~~
DoctorOetker
What is the copyright status of all the user contributions on all the stack
exchange platforms? I would love to see a decentralized p2p stack exchange
platform with LaTeX support, i.e. a stand-alone client...

------
u-dissolve
tosdr.org (Terms of service; didn't read) is a website that simplifies
websites' Terms of Service and Privacy Policies to make them easier for people
to read.

Stack Overflow is given the lowest rating (class E) in terms of user rights.
(For reference, even Google has a class C rating.) Here are the worst points
taken from SE's privacy policy:

* This service allows tracking via third-party cookies for purposes including targeted advertising.

* You agree to defend, indemnify, and hold the service harmless in case of a claim related to your use of the service.

* This service forces users into binding arbitration in the case of disputes.

* Many third parties are involved in operating the service

* The service may use tracking pixels, web beacons, browser fingerprinting, and/or device fingerprinting on users.

* Blocking cookies may limit your ability to use the service

* You waive your right to a class action lawsuit

* This service can share your personal information to third parties

* The court of law governing the terms is in a jurisdiction that is less friendly to user privacy protection.

* The service can sell or otherwise transfer your personal data as part of a bankruptcy proceeding or other type of financial transaction.

* The service uses your personal data to employ targeted third-party advertising

* This service retains rights to your content even after you stop using your account

[https://tosdr.org/#stackoverflow](https://tosdr.org/#stackoverflow)

~~~
SnarkAsh
They also promised a profile option you could use to opt-out of arbitration...
but never actually implemented it.

[https://meta.stackexchange.com/questions/333388/what-is-the-...](https://meta.stackexchange.com/questions/333388/what-is-the-status-of-the-secure-electronic-opt-out-of-the-mandatory-arbitration)

------
pavel_lishin
But won't somebody think of the poor businesses who'll surely be driven to
ruin if they can't track my every step?

These people keep shitting in the well, and yelling at us for buying bottled
water.

~~~
mrspeaker
I think the next few years are going to be entertaining. At the moment a
handful of shitty companies are abusing their ability to track users - but for
me (and I think for many non profit-affected nerds) the outcome seems clear:
ANY AND ALL third-party scripts have to go.

Even when that means losing all the third-party goodness (CDNs, analytics,
cloud providers...) that we've come to depend on. Yep, they save an
uncountable amount of time and effort - but at the cost of tracking users'
every step... We can't have one without the other!

~~~
JaggedNZ
Honestly, if all third party scripts are blocked, the ad networks will just
start making their participant sites serve the javascript direct and/or run
local applications to proxy the data back to them. And unfortunately most
management will force the changes through, because they want in on that ad
revenue gravy train.

~~~
hermanradtke
This is much harder to do, especially in larger enterprises where changes can
take months. This includes updates and bug fixes.

If this is where we push the industry, it will be a huge win for users.

~~~
Doxin
I'm willing to bet that IF this happens it'll amount to a lot of companies
just including something like this on every page:

    <?PHP echo(file_get_contents("http://google.com/nefarious_crap.html")); ?>

------
jhayward
It is ironic that just after I read this item I opened Safari and discovered
that the latest update (Safari 13.0) had removed all protection from trackers,
malicious advertisers, and unwanted media that I had previously used. So
without notice I would be exposing my computer to those hostile elements if I
hadn't noticed.

This is not what I want - Apple has done a bad thing.

~~~
3JPLW
See the post on content blockers from a few days ago:

[https://news.ycombinator.com/item?id=21025252](https://news.ycombinator.com/item?id=21025252)

------
cj
I miss the days when you could simply buy an ad spot on a specific site for X
days/months (no targeting, except when choosing what site to buy ad space on,
and no javascript, just regular banner ads).

Is there still a market for these kind of low-tech ad buys these days?

~~~
nopriorarrests
You can probably do it, but your competitors who do target users will end up
with $30 CPA and you will get $300 (or worse). So, unless you are ok with x10
user acquisition cost, you will quickly stop doing it.

~~~
bryan_w
To say nothing about the fraud. If you can't link clicks to buys, you will
quickly find yourself paying for bot clicks

~~~
pavel_lishin
/u/cj specifically lamented the lack of pay-for-time, not pay-per-click. Of
course you have to track to accurately reward on a pay-per-click basis -
that's why pay-per-click is a shitty model.

------
softwaredoug
Remember when many of these businesses started out with a “don’t be evil”
mindset? The incentives always end up chasing the money in the end...

~~~
jasonsb
Is it possible to take an investment and continue to follow this mindset?
Bootstrapped companies can afford to do it, but investors will not be happy to
find out that they are losing money.

~~~
JohnFen
> investors will not be happy to find out that they are losing money.

You can run a business ethically without losing money. I think what such
investors won't be happy about is that you aren't making money _fast enough_.

~~~
TeMPOraL
Which is kind of a point of taking VC money; if they wanted you to grow
sustainably, they'd tell you to get a loan from a bank. These days I treat
"took VC funding" as a negative when evaluating whether to commit to using a
service.

------
6gvONxR4sf7o
Isn't the definition of fingerprinting something to personally identify you?
There's only one person connected to every fingerprint, and it's there to
identify you across websites. That's what PII means to me. How can stack
exchange say fingerprinting isn't collecting PII? I wonder what they _would_
call PII.

~~~
srbby
How can I take your fingerprint (IP, user agent info, etc) and trace it back
to you as a person?

~~~
6gvONxR4sf7o
How can you take my literal fingerprint and trace it back to me as a person?
Or even my name? There are tons of people with my name. It's still PII.

You do it by matching it up to other records with my fingerprint or name.

~~~
srbby
I can't. Neither can SO.

~~~
TeMPOraL
But some of the countless third parties perusing that data can.

------
JohnFen
Hmm... this appears to be an intentional and conscious decision on the part of
SO. I guess that means I'm done with SO.

------
cmroanirgo
It seems like our browsers need a sandbox mechanism for 3rd party js to
restrict a) dom access b) ajax

Of course, I use uMatrix for that at the moment, but it'd be better if we,
as users, can tell what sites are _actually_ interested in providing privacy,
by hobbling advertising antics from the get go.

------
luxuryballs
Am I the only one who doesn’t care about this kind of tracking stuff? Like I
really don’t care, is there some reason why I should? I feel like the worst
thing that can happen is I get shown more relevant ads. If I use Adblock then
it’s irrelevant, but if I don’t then what’s wrong with having targeted ads? A
court has already ruled an IP address is not a person, they don’t really know
it’s me, it’s just a construct they created that they think is me.

~~~
rednixion
The "premium" aggregators I've seen used in some enterprise software campaigns
can be extra nasty, I had someone at work forward me a link (over IM) that a
competitor sent them targeting our userbase (our company name was in the title
of the page, contents of the page was why they were better) since mailing to
in email on our domain seemed odd; they sent me a "you visited our site, now
call for a demo" email a few minutes later that had my full name, a week later
they called my parent's house asking for me (guess it was the only historic
phone number associated with my name). Ever since then I have viewed tracking
data as unacceptable because the likelihood of misuse is only dependent on how
much someone is willing to pay an aggregator to turn a small ID indicator into
a person.

Also another court has ruled differently about whether or not an IP address is
PII:
[http://curia.europa.eu/juris/document/document.jsf?text=&doc...](http://curia.europa.eu/juris/document/document.jsf?text=&docid=184668&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1406323)

~~~
luxuryballs
Thankfully I am in the US because the EU is nuts. Isn’t it their fault all
these websites have a stupid cookie warning? People should just accept the
fact that using a web browser means cookies.

~~~
Doxin
While historically the cookie warnings were only an annoyance these days they
often have a (working!) option to reject cookies, giving those popups at least
some purpose.

Really though setting cookies isn't the problem, and you don't even need to
show a popup according to EU law. You only need that popup if you use the
cookies for nefarious things such as sending tracking information to ad
networks. Setting a cookie for functional things such as remembering logins
has always been allowed without a giant-ass disclaimer and nothing has changed
in that regard.

------
100100010001
I think devices need better security. Anything that JavaScript can access
should be set to default values where they all equal null. Only once a user
allows a certain website to access certain data will that data become
available to that website. If every browser did this along with the apis for
cellphones then users can finally regain control of what is collected.

------
nine_k
It takes relatively little rep to get the "opt out of ads" privilege on SO.

It would be great to have an "opt out of ads for $nn/mo" option, like Google
Contributor. The amount to pay could look uncomfortable, though.

~~~
NobodyNada
That only removes the ads that display inline (above the question and between
answers), see [0]. The ad that started this controversy was a sidebar ad
([1]).

[0]: [https://stackoverflow.com/help/privileges/reduced-ads](https://stackoverflow.com/help/privileges/reduced-ads)
[1]: [https://meta.stackexchange.com/q/331960/258777](https://meta.stackexchange.com/q/331960/258777)

------
manigandham
Most adtech is RTB (real-time bidding) where ad slots are auctioned off and
filled as you load the page. SO (and publishers) have no real control over the
ad payload that comes back. There has been progress to use sandboxed iframes
but there's still JS running inside those placements.

The JS won't be going away, it's part of a long supply chain of data,
verification, viewability, anti-fraud and other layers baked in. For those
saying publishers should do 1st party ads, that would lose them most of their
income due to operational and sales overhead and doesn't really prevent
everything anyway because they still have to accept the ads advertisers want
to run, including the JS from vendors.

However the situation is slowly improving. Adtech has weathered through
adblocking, native ads, anti-tracking tech but has failed to police itself
because of a lack of consequences. Now there's finally regulatory pressure
with GDPR, CCPA, and more that will finally force a change from the outside. I
expect many of these issues to be greatly reduced within the next 1-3 years.
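
Added example, not part of the thread or of any commenter's post: a static audit of the distinction discussed above between third-party scripts loaded straight into the page and ad placements confined to sandboxed iframes (the sandboxing cmroanirgo asks for and manigandham mentions). The page URL, hostnames and sample markup are constructed placeholders, and "first party" is assumed to mean an exact hostname match.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class EmbedAudit(HTMLParser):
    """Collect third-party <script src> and <iframe src> embeds on one page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []  # (tag, host, verdict) tuples

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        if tag not in ("script", "iframe") or not src:
            return  # inline scripts and srcdoc frames are out of scope here
        host = urlsplit(urljoin(self.page_url, src)).hostname
        if host is None or host == self.page_host:
            return  # first party: exact hostname match (assumed definition)
        if tag == "script":
            verdict = "runs in the page origin with full DOM access"
        elif "sandbox" not in a:
            verdict = "iframe without sandbox"
        else:
            tokens = set((a["sandbox"] or "").lower().split())  # bare attr is None
            if {"allow-scripts", "allow-same-origin"} <= tokens:
                verdict = "sandboxed, but scripts keep their own origin and storage"
            elif "allow-scripts" in tokens:
                verdict = "sandboxed, scripts run in an opaque origin"
            else:
                verdict = "sandboxed, no script execution"
        self.findings.append((tag, host, verdict))

def audit(page_url, html):
    parser = EmbedAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample markup; every hostname is a placeholder.
SAMPLE = """
<script src="/static/site.js"></script>
<script src="https://cdn.adnet.example/tag.js"></script>
<iframe src="https://ads.adnet.example/slot1"></iframe>
<iframe sandbox="allow-scripts allow-same-origin" src="//ads.adnet.example/slot2"></iframe>
<iframe sandbox="allow-scripts" src="https://ads.adnet.example/slot3"></iframe>
<iframe sandbox src="https://ads.adnet.example/slot4"></iframe>
"""

if __name__ == "__main__":
    print(*audit("https://qa.example/questions/1", SAMPLE), sep="\n")
```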

~~~
alkonaut
> For those saying publishers should do first party ads, that would lose them
> most of their income

Yes? Does that make it less likely? Less needed? No

If publishers can buy targeted ads with fraud detection, they will. But when
they can’t (because the idea of the auctioned third party js blob finally
dies) there will be money in dumber ads.

What might happen of course is that if someone wants to spend $X on ads that
are dumb and untargeted they might as well buy a spot on the side of a bus. So
there would be a flow of ad money back from the web to traditional
advertising.

~~~
TeMPOraL
> _So there would be a flow of ad money back from the web to traditional
> advertising._

That's not an improvement, because manipulating matter involves using up more
resources. For all their problems, on-line ads harm the climate less.

That said, I of course welcome anything that can roll back the current state
of on-line advertising. Even dumb on-line ads would still be more profitable
than physical ones, and since advertising is a zero sum game, I don't expect
the publishers to really lose money on that.

------
w84it
How does this work technically?

Usually when you submit an ad to a network, you don't get to use your own js or
even remote images.

Is it the ad network and not the advertiser doing this?

~~~
JohnFen
It's almost certainly the ad network. But the advertisers willingly joined the
network, and the site willingly uses the network, so they get blame as well.

~~~
TeMPOraL
In fact, all three should get the blame, as all three are in a position to fix
the problem.

------
srbby
Cynical pov: if you don't use an ad blocker, you know you are exposing
yourself to this. Why get upset at all?

~~~
wool_gather
SO used to have non-evil ads and a lot of people who do use blockers
whitelisted them on that basis. No more, I guess.

------
jakeogh
Bad conclusion. Web browsers are written to be fingerprintable. They are
deliberately anti-user. Expecting web pages to "just not" is pointless. The
solution is to fix the browser.

