
Privacy Badger – Block spying ads and invisible trackers - swartzcr
https://www.eff.org/pb
======
bobsky
Nice. It works well with other extensions i.e. adblockers - Privacy Badger can
significantly increase your privacy online because Adblock does not block
invisible trackers by default; via FAQ.

Another fantastic extension from the EFF team with collaboration from The Tor
Project, is HTTPS Everywhere, get it here
[https://www.eff.org/https-everywhere](https://www.eff.org/https-everywhere)

~~~
mtgx
Is Privacy Badger still necessary for people that already use ublock and its
own tracking filters?

~~~
shkkmo
You can use Privacy Badger on sites that you want to support with ad views (as
long as those ads don't track you).

A good example of this is many of the webcomics I read. Many of the ads on
those sites are for other webcomics, I've found a couple of good new webcomics
that way.

~~~
bitJericho
Much better to simply buy their merchandise instead.

------
antsar
According to EFF's Panopticlick[0], the biggest thing making my browser unique
is the list of plugins that I am running. Short of disabling JavaScript, I
don't know of a way to prevent that. Can this hypothetically be solved with
Privacy Badger and are there plans to do so?

[0] [https://panopticlick.eff.org/](https://panopticlick.eff.org/)

~~~
stephengillie
This is yet another benefit to whitelisting JavaScript. Faster page load, more
lightweight pages, less advertising and spying and crapware, less information
going out.

And if you like a site you can enable it.

Go ahead, call me crazy like most people do.

~~~
antsar
I agree that this is better. Unfortunately, whitelisting is tedious so I often
resort to enabling all JS when I quickly need to use a site or five that
require it. Many don't have the patience to keep doing this, so disabling
plugin enumeration might be a nice middle ground for them.

Security/privacy doesn't have to be all-or-nothing.

~~~
stephengillie
We should be able to make "Security Groups" where we can apply
less-restrictive settings (JS on, cookies) to trusted sites.

The Internet Explorer security model has 4 levels (Internet, Local Intranet,
Trusted Sites, Restricted Sites) and you can choose a preset security settings
package, or build your own, for each level.

Maybe Chrome/FF/Safari need something more similar to that, where we can
specify different groups or levels, and then assign those to websites we
visit.

The biggest problem with the IE method is that the UI is more tedious to add a
site to a zone in IE11, than to add a site to the JS whitelist on Mobile
Chrome.

------
SwellJoe
This may be exactly what I want. I don't actually mind ads that respect my
privacy and my attention. If ads didn't track my every move and didn't disrupt
my workflow by making noises without permission or otherwise stealing my
attention and time, I would have zero use for an ad blocking tool.

Of course, this doesn't say anything about stopping those invasive noisy ads
or ads that block content, so I may still have to keep using uBlock. Maybe in
some future ideal world, advertisers will learn that if they want me to see
their ads, at all, they have to respect my privacy, my time, and my attention.

Maybe someone needs to make a "show only ads from people who aren't assholes"
plugin.

~~~
j_baker
The "show only ads from people who aren't assholes" is basically what
AdblockPlus does.

~~~
DaveWalk
Good point. I know EFF has a mission versus the one-man show that is ABP, but
isn't this mostly identical otherwise? Is Privacy Badger just ABP with a
political statement attached?

Maybe there's something to be said for that...put your money where your
browser is and support the web you want. You could also just donate to the
EFF, I guess.

~~~
glass-
ABP is not a one-man show, it's now developed by a company (Eyeo GmbH) that
makes a lot of money getting companies like Google to buy into their
"acceptable ads" scheme.

ABP also considers ads that track people (such as Google's) to be acceptable
and whitelists them by default.

~~~
DaveWalk
Thanks -- I did not know this. Is there an available list of what ABP
considers "acceptable ads?"

~~~
dmarti
The "acceptable ads" criteria are here:

[https://adblockplus.org/en/acceptable-ads#criteria](https://adblockplus.org/en/acceptable-ads#criteria)

If you make a modern-looking long-scrolling article that has an ad somewhere
in the middle, it's not "acceptable". If you get a crappy CMS that splits
every article into 9 pages with an ad at top and bottom, then it is.

The main weird thing is that 3rd-party tracking is "acceptable" (!)

(I recently added some details on the problem to the Aloodo tracking test,
because users have started to assume that ad blockers fix everything.
[http://blog.aloodo.org/posts/adblockers-myths-facts/](http://blog.aloodo.org/posts/adblockers-myths-facts/) )

------
eridal
Nice addition to my list

    
    
      - uBlock Origin
      - Self-Destructing Cookies
      - BetterPrivacy
      - HTTPS-Everywhere
      - Privacy Badger

~~~
shkkmo
How much overhead does running all of those incur?

~~~
saidajigumi
Far, FAR less than the page- and cpu- weight of the crap they block. As in,
it's a hugely transformative experience for web browsing, even for many
"normal" sites that aren't merely social media click-farms.

I'll add to the list: Uninstall Flash completely. For much of the crowd here,
that's probably a no-brainer after the recent spate of Flash zero-days, but
still.

~~~
shkkmo
I suspect that depends entirely on the site you are visiting. This one for
example loads almost nothing so running additional plugins will indeed add
overhead.

Many of the sites that I use the most load very little unneeded resources and
I tend to leave lots of tabs open while working.

Granted, I am not a "normal" web user, but so far all of the responses to my
question have brushed it off as unimportant. My suspicion is then that they
don't know the answer, which makes the brush off unconvincing.

~~~
saidajigumi
> I suspect that depends entirely on the site you are visiting.

Yes, that's obviously true. But for my part, whatever overhead these tools do
add is low enough that, even for no-crap sites like HN, if I can notice it at
all it's within the page-load-latency noise threshold. Moreover, the increased
browser stability, laptop battery life, etc. is an overwhelming win.

FWIW, I just fired up Chrome on HN and messed around with the dev tools a bit
to see if there was any obvious overhead. Without taking the time for anything
like rigorous analysis, loading HN with all extensions disabled vs. uBlock
Origin and Privacy Badger had no immediately obvious effect on page
load+render times. The superficial results agreed with my intuition: I'd have
to collect data and run an analysis to uncover any added page load latency.

------
dannysu
I was using Privacy Badger, Ghostery, Disconnect, AdBlock Edge or uBlock.
Nowadays I just use uMatrix[0] & Self-Destructing Cookies to have a whitelist
browsing experience rather than a blacklist experience.

Perhaps when Privacy Badger does more for detection of first party stuff, then
I'll add it back again.

    
    
      [0]: https://addons.mozilla.org/en-US/firefox/addon/umatrix/

------
peteretep
I would be interested in an easy-to-use local packet sniffer that attempted to
give me hints on what I was leaking - what isn't via https from all apps on my
machine, for example.

Obviously wireshark would get you 50% of the way there - to add to that then,
a pretty UI focussed on scaring users with what information is being leaked -
hostnames for SSL sites they're visiting for example.

~~~
schoen
This is a great project idea. A challenge is in classifying all of the
elements of every protocol dissector as interesting or uninteresting. For
example, TCP sequence numbers are high-entropy but low-consequence. MAC
addresses are high-severity but normally not propagated to an ISP or a remote
site operator.

There are also tensions between trying to identify leaks to a network
eavesdropper and trying to identify leaks to a remote site (or ad network). In
many people's analysis, the network eavesdropper is worse because you didn't
mean to communicate with them at all, so any information they derive
whatsoever is a pure loss of communications security. But for projects like
Tor Browser and Privacy Badger, it counts as a loss of privacy if different
sites can recognize you as the same user, even if you intentionally
communicated with those sites.

Using HTTPS will prevent a sniffer from recognizing that some tracking cookies
or identifiers are being sent, so you simultaneously get a true improvement
against the network adversary and a false negative measuring privacy against
the ad networks.

~~~
flatulentone
Considering that digital electric meters have been compromised, and that the
one I studied had dual-band radios including WiFi spectrum, it may be best to
assume that there may be unexpected data pathways that could use a MAC
address. Note that the WiFi of many routers broadcasts the wired MAC addresses
on the LAN as well as the wireless clients.

You're right about false-negatives with sniffers. If you read the source on
pages you visit, you'll see https analytics data mining, so don't assume that
every outgoing https connection is okay. (and some browsers don't use your
normal DNS / hosts settings, so sites you think are blocked may not be)

------
escobar
> in fact Privacy Badger is based on the ABP code!

This makes me sad. They should have based it on uBlock. ABP is very bloated,
and really caused issues for my browsing experience. Not sure if I want to try
it after reading that.

~~~
quadrangle
Privacy Badger is older than uBlock, it existed before uBlock, so they
couldn't have based it on uBlock.

The bigger question today is whether Privacy Badger has value in light of
uBlock… I don't know… anyone?

~~~
MacsHeadroom
PB has value for people who only want to block trackers and not non-tracking
ads. Believe it or not, some people like supporting sites through ads. They
just don't like being tracked.

Personally I use uBlock and Privacy Badger. I'm not sure if it's entirely
redundant, but I have not had any bad experiences with using both.

~~~
quadrangle
"supporting sites through ads" is like supporting your local grocery store
through buying bottled water there.

Blocking ads and using reusable water bottles are socially responsible,
positive behaviors. Anyone encouraging ads or encouraging bottled water (or
_worst_ : encouraging bottled water ads) should be ashamed of the harm they're
doing to the world.

------
mey
I've been using this plugin since its beta days and it's an excellent
approach to privacy issues online and 3rd party entities.

~~~
_delirium
I've also been using it for about a year and am generally happy with it. One
caveat is that it does sometimes end up breaking site functionality when it
blocks a script from loading, occasionally in confusing ways. Usually you can
fix this by overriding a few of the blocked things in the dropdown list, but
it takes a little bit of technical savvy to figure out what needs to be
allowed. I had to disable it on my parents' computer because they got
frustrated by sites breaking.

This is mostly with an earlier version; I just upgraded to 1.0 today.

~~~
shkkmo
Some sites do absolutely horrible. The worst I've seen set has been rdio. I'm
going to put that down to bad developer priorities.

------
sethd
You have to enable JavaScript on that page just to read the text in a sane
manner, otherwise it's mostly white on a light gray background and barely
legible. (Firefox / OS X)

~~~
PhantomGremlin
_barely legible_

That's exactly what I thought. Interesting that they're so hostile to non-JS
people.

There's another trick that works on many sites, including this one. Keep JS
disabled but do View/Page Style/No Style. IMO the site looks _better_ that way
than with JS enabled.

Edit: one other trick I use frequently in Firefox for sites with poor
contrast. Preferences/Content/Colors/Override the colors .../Always. Kind of a
hassle to traverse so many menus. I'm sure there are ways to make that easier
to do, but I'm a muggle when it comes to this stuff.

------
chmars
I got the following Chrome warning about the extension:

_This extension is slowing down Google Chrome. You should disable it to
restore Google Chrome's performance._

Any other users with this issue?

~~~
snarkyturtle
Just peeked into the extensions tab to uninstall ghostery and saw this,
hopefully it'll get fixed soon.

------
xs
EFF team. Grats on having this out for almost a year now. Any stats from this
that you're willing to share? Like for instance have any advertisers noticed
this yet and stopped tracking people so ads can be displayed? I've got widgets
on my website for disqus, twitter, facebook, etc and each of these are blocked
by PB. This upsets me as the website owner that content I want my user to see
is being blocked. Any word from them about this?

------
retube
Is not simply turning off cookies for external domains a fairly effective way
of cutting a lot of tracking?

What's the downside to doing this?

~~~
wtallis
Privacy Badger is for people who want to use someone else's curated list of
what to block. You can accomplish the same manually by using other extensions
to block by default third-party requests and third-party cookies.

------
nivla
Does anyone know if this includes a database of tracking hosts or if it's self
learning? Because for me on Reddit it counts all the CDN's as tracking domains
and the actual tracking domains as the non-tracking ones [1].

[1] [http://i.imgur.com/7aw6rHo.jpg](http://i.imgur.com/7aw6rHo.jpg)

~~~
schoen
One of the developers answers:

"It's self learning! Things above that divider are things that are reading
or writing cookie, html5 local storage, or canvas data. Below are third
parties that are not. You can manually change any of them, and if one of those
domains is blacklisted via another site it will appear above that divider in
the future."

------
phantom_oracle
Question to EFF:

Does Privacy Badger itself track me?

I know I could read through the source-code, but it would be quicker for
myself (and others) to know if any tracking is done by EFF itself.

~~~
cautious_int
The FAQ site has this sentence:

_Privacy Badger is governed by EFF's Privacy Policy for Software._

In the privacy policy you have this:

_Software Downloads: If you download and install software from EFF's web
site, we may collect information about your visit to our site. Once installed,
our software may also connect automatically to our site to attempt to
determine if updated versions are available. As a result, our site may log
information related to the software downloads, such as your computer's IP
address. Our collection, anonymization, and use of that data is described our
web site privacy policy._

Web site privacy policy has this to say about the collected information:

 _Disclosure of Your Information

While EFF endeavors to provide the highest level of protection for your
information, we may disclose personally identifiable information about you to
third parties in limited circumstances, including: (1) with your consent; or
(2) when we have a good faith belief it is required by law, such as pursuant
to a subpoena or other judicial or administrative order._

So as a start you might want to disable automatic updates

------
bni
Safari already has a setting, Cookies and Website data: Allow from websites I
visit.

Is Privacy Badger the functional equivalent of that Safari feature?

~~~
mey
Privacy Badger inspects the target domain and then pulls out requests to 3rd
party domains. If you go to cnn.com and it makes additional request from your
browser for resources at say facebook.com. Those 3rd party requests can be
allowed, block cookies from the 3rd party or blocked entirely (so the request
is not made). The really nice bit, is if Privacy Badger sees requests to the
same 3rd party across multiple places, it'll filter it down automatically.
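
A simplified model of the learning behaviour described in the comment above and in the developer's reply quoted earlier in the thread, added here as an illustration; it is not Privacy Badger's code. The class and function names, the threshold of three sites, the last-two-labels domain guess, and the `.example` hosts are assumptions.

```javascript
// Added illustration; not Privacy Badger's source. All names are hypothetical.
const TRACKING_SITE_THRESHOLD = 3; // assumed value for "multiple places"

// Naive registrable-domain guess: the last two labels. A real implementation
// needs the Public Suffix List (this gets hosts under "co.uk" wrong).
function baseDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

class TrackerLearner {
  constructor(yellowlist = []) {
    // third-party base domain -> Set of first-party base domains it tracked on
    this.seenOn = new Map();
    this.yellowlist = new Set(yellowlist.map(baseDomain));
  }

  // Record one request. `tracks` is true when the third party read or wrote
  // cookies, HTML5 local storage, or canvas data on this page.
  observe(pageHost, requestHost, tracks) {
    const first = baseDomain(pageHost);
    const third = baseDomain(requestHost);
    if (first === third || !tracks) return; // first-party or non-tracking: nothing learned
    if (!this.seenOn.has(third)) this.seenOn.set(third, new Set());
    this.seenOn.get(third).add(first);
  }

  // Returns 'allow', 'cookieblock' (request sent without cookies) or 'block'.
  action(requestHost) {
    const third = baseDomain(requestHost);
    const sites = this.seenOn.get(third);
    if (!sites || sites.size < TRACKING_SITE_THRESHOLD) return 'allow';
    return this.yellowlist.has(third) ? 'cookieblock' : 'block';
  }
}

// Constructed sample traffic; every host here is made up.
function demo() {
  const learner = new TrackerLearner(['video.example']);
  for (const page of ['www.news.example', 'shop.example', 'blog.example']) {
    learner.observe(page, 'px.tracker.example', true);   // sets an ID cookie
    learner.observe(page, 'static.cdn.example', false);  // no cookies, storage or canvas
    learner.observe(page, 'embed.video.example', true);  // tracks, but is yellowlisted
  }
  // The same tracker seen three times on ONE site counts as a single site.
  for (let i = 0; i < 3; i++) learner.observe('www.news.example', 'ads.once.example', true);
  return {
    tracker: learner.action('px.tracker.example'),
    cdn: learner.action('static.cdn.example'),
    video: learner.action('embed.video.example'),
    once: learner.action('ads.once.example'),
  };
}
```

The CDN stays allowed however many sites embed it because it never touches cookies, storage or canvas, while the yellowlisted host is downgraded to cookie blocking rather than dropped.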

------
core2
How much money will EFF negotiate from Google to enable Ads? AdBlock got 500
Mil, you can go for a Billion. Go Go Go.

------
unicornporn
Badger is based on ABP code, so I suspect it would affect the performance
gains I got by switching to uBlock Origin.

------
justizin
Would be great to see Safari support for this, was a happy Privacy Badger user
on FF for some time.

------
slxh
The back and forward browser buttons appear to break the status reported by
this extension.

------
joosters
Is their hand-crafted 'yellow list' of allowed trackers viewable online?

~~~
mikegerwitz
[https://raw.githubusercontent.com/EFForg/privacybadgerchrome...](https://raw.githubusercontent.com/EFForg/privacybadgerchrome/master/doc/sample_cookieblocklist.txt)

~~~
joosters
Thanks!

Some of the entries seem suspect, e.g. YouTube.com - why do they think that
Google won't track you through pages with YouTube embedded items?

~~~
schoen
The entries there are things that seemed especially important for sites'
functionality; they are supposed to be there as a result of these criteria:

[https://github.com/EFForg/privacybadgerfirefox/blob/master/y...](https://github.com/EFForg/privacybadgerfirefox/blob/master/yellowlist-criteria.txt)

If you don't want something to be on the list, you can also override it in
your own copy of Privacy Badger.

~~~
joosters
It still seems odd. Most users who install the extension aren't going to
carefully read an obscure GitHub page, they will wrongly assume that they are
now protected, while the 'yellow' list of very common sites is still allowing
many big companies to continue to track them. That seems wrong to me.

------
ocdtrekkie
I'm a decent fan of this because it doesn't block ads that behave themselves.
And ad blocking is still morally corrupt.

------
core2
I've sent "Do Not Charge" signal to the cashier on my way out of the store. He
said I need Charge Badger, but it's not available until 2017. I've tried also
"Do Not Track", but he refused to close his eyes. He charged me. Damn.

