
Deconstructing Google’s excuses on tracking protection - randomwalker
https://freedom-to-tinker.com/2019/08/23/deconstructing-googles-excuses-on-tracking-protection/
======
gregdoesit
>This isn’t the first time that Google has used disingenuous arguments to
suggest that a privacy protection will backfire. We’re calling this move
privacy gaslighting, because it’s an attempt to persuade users and
policymakers that an obvious privacy protection—already adopted by Google’s
competitors—isn’t actually a privacy protection.

Exactly. Firefox and Safari have both implemented and keep improving the type
of fingerprint protection that Google is throwing their hands in the air
about.

This summary is a thorough response, pointing out just how ridiculous and
meritless the original post[1] from Google was.

[1] [https://www.blog.google/products/chrome/building-a-more-
priv...](https://www.blog.google/products/chrome/building-a-more-private-web/)

~~~
dialtone
You are aware that Google has vowed to actively fight any sort of
fingerprinting right? [https://techcrunch.com/2019/05/07/googles-chrome-will-
soon-g...](https://techcrunch.com/2019/05/07/googles-chrome-will-soon-get-new-
privacy-features-with-better-cookie-controls-and-anti-fingerprinting-tech/)

~~~
magashna
"Don't be evil" they said, until it became inconvenient.

You can't take Google at their word because their word doesn't mean much.
Especially when those vows directly contradict their main source of revenue,
targeted ads.

~~~
adam12
I loved Google back in 2005. It's sad to see what it has become.

~~~
airstrike
I still loved it as late as 2008... remember this?

[http://blogoscoped.com/google-chrome/1](http://blogoscoped.com/google-
chrome/1)

------
TACIXAT
Google's original post is super gross. It dismisses the idea that there could
be alternate ways to fund content (i.e. micropayments). I get why they promote
"free content" but it is not free at all when you are trading your attention
and privacy.

Further, their privacy sandbox sounds like it would just monopolize the
advertising space to them. If they don't allow advertisers to collect data,
that takes control away from advertisers and centralizes it to their ad market
platform.

The post also creates some weird false dichotomy between cookies and
fingerprinting. Let's just block both, yea? That's what is best for the user,
and probably best for the web in the long term.

We absolutely need a new funding model for the web (to kill ads). The biggest
barrier I see are the high transaction fees of digital transactions (30 cents
+ 2.9%). I don't know if the solution will be Brave, Libra, or something else
entirely. Whatever it is, it can't come soon enough.

~~~
manigandham
The biggest barrier is that people don't want to pay for content. This has
been the subject of endless discussions over decades and just yesterday there
was a large HN conversation over too many video subscriptions causing people
to turn to piracy again. Not to mention it negatively affects the vast
majority of people who can't afford to pay for everything they consume.

It's possible to enable advertising while maintaining privacy and security.
What was missing was legal and regulatory forces to push advertisers and
adtech into it. Now it's here.

~~~
d1zzy
I would say it's a combination of:

\- convenience: do not underestimate it, lots of supporting evidence that
people want maximum convenience. Notice how a small UI change as "one click
purchase" increased Amazon sales significantly or why they even make/sell
those buttons to put around the house to press and refill periodic stuff

\- access: like I was saying in another reply, it's simply the case that in a
lot of situations, users (because of age, location and economic status) simply
have no good means to pay electronically

\- affordability: 10 cent/view pay seem like nothing to us but in many places
that can add up to a few USD per month that may be the cost of food of a
family for a week. So now you'd have to do geographical location based
pricing, dealing with all the crap that comes with it (people using proxies to
avoid it, etc)

~~~
manigandham
Convenience and access have been tried by several startups (including a
project that we did a few years back). It's being attempted yet again by the
Brave browser with blockchain tech. With micropayments, there's a big problem
with decision fatigue.

Affordability is the largest factor by far though because most people just
cant pay for everything they consume for free today. When you look at video
content especially, it can easily add up to several dollars per day in spend.

------
jsgo
Somewhere along the way, ad networks got incredibly greedy (I know, gasp).

I remember when I was much younger, there were banner ads on a bunch of pages
(and pop-ups/pop-unders of varying levels of frustration). The banner ads were
fine even when we were rocking 56k internet: not beloved by any stretch, but
typically reasonably okay.

I have previously toyed with ad blockers, but at a certain point stopped,
figured I'd play nice or whatever. Then there were sites that over time
legitimately ate into computer resources to the point they were eating way
more energy than reasonable (I can't remember which one, but there was one
that if I left the site open long enough, it'd crash all open tabs). At that
stage, I went back to ad blockers. I really wish it didn't come to it, but
man, that whole "give somebody an inch and they'll take a mile" is in full
display online now.

~~~
abdullahkhalids
The energy usage and slow down of your computer are relatively minor concerns
when it comes to ads. The real problem is that ads use every dark pattern in
the book to influence your beliefs and decisions, effectively taking over your
very valuable brain cycles.

I think as this conversation evolves, we will find that there is an additional
human right, the right for others to not use undue force to influence your
mind. This whole battle is ultimately one to secure this right.

~~~
m3rc
Energy usage may be not that high, but data usage, especially on mobile
devices, is very high.

Even on my home network something insane like 30% of packets sent and received
are ad or tracking related, which I know because they all get blocked by the
PiHole sitting next to the router.

Choosing to block ads literally makes my browsing go faster, and keeps my data
limits from being blown out. AND it prevents fingerprinting of my habits? It's
a complete no-brainer.

------
skybrian
This new initiative seems to be about some changes to Chrome that were
overlooked due to hazy justifications that seem to have distracted everyone.
I'm guessing the justifications are especially unclear because Google doesn't
want to upset advertisers. But how about we look at the technical changes
they're announcing, rather than how they justify them?

\- Forcing websites to explicitly mark cross-site cookies, or they get blocked
for cross-site usage. They also seem to be hinting at adding better ways to
clear cookies in Chrome. [1] [2]

\- Further attempts to block fingerprinting. (Vague, seems hard?)

These seem like... good things? The SameSite initiative makes CSRF attacks
harder. Maybe not big news or as strong as you'd like, but in the right
direction?

[1] [https://web.dev/samesite-cookies-explained/](https://web.dev/samesite-
cookies-explained/) [2] [https://tools.ietf.org/html/draft-ietf-httpbis-
cookie-same-s...](https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-
site-00)

~~~
0xffff2
>Forcing websites to explicitly mark cross-site cookies, or they get blocked
for cross-site usage.

Why does anyone even allow third-party cookies anymore? I've had them disabled
for years at this point, and I can count on one hand the number of times it's
been noticeable, and I think there was only a single time I actually found it
worthwhile to enable third party cookies to access the site.

~~~
mormegil
Just a piece of anecdata: a (large) bank we work for struggles with this all
the time. Because of historical/branding reasons, they use several different
domains. The services used to be quite independent, so everything used to work
fine. Because of PSD2 APIs and other developments, they moved on to a central
(SSO) authentication page, used from all services on various domains (needing
the common authentication cookie). Since then, we fight with the various
privacy protections, people blocking third-party cookies, etc. (I'm not saying
it's technically impossible to solve, or even saying it's wrong to block
third-party cookies. Just... we'll have a lot of work to do, as everyone moves
in that direction.)

------
doe88
Funny how Google paints itself as the somewhat Justice Scalia of web privacy
using _originalist_ arguments to make its point. Personally I never been
impressed by these constructions and in this case to the extent that it would
be rightly interpreted I would be more a _living_ web privacy kind of person
anyway. I ultimately think in the web as in the constitution it is
disingenuous to think framers would have envisioned at its conception all use
cases and especially all potential abuses.

------
diegof79
I felt a dejavú while reading Google statements. It remind me a time when
Microsoft published statements about how harmful was OSS for software
innovation.

~~~
zygimantasdev
That sounds like an interesting read - could you provide a link?

~~~
insulanus
This might be a good starting point: [https://www.pinsentmasons.com/out-
law/news/open-source-is-ba...](https://www.pinsentmasons.com/out-
law/news/open-source-is-bad-for-business-says-microsoft)

------
schlipity
Has anyone ever considered just giving 3rd party javascript less access to
things? That may fix the fingerprinting problem too.

I do have some appreciation for how badly it would break a lot of the web
applications though, but it seems like it might work.

~~~
cameronbrown
It'd be really easy to circumvent. Proxying Google Analytics through your own
origin would become standard practice.

~~~
tinus_hn
Then it wouldn’t be able to be used to track you across the web.

~~~
cameronbrown
Until all your data ends up being re-associated with you in some way across
multiple websites. Nothing stopping these sites from sharing data if it ends
up mutually beneficial.

~~~
yjftsjthsd-h
Intentionally sharing data that identifies users would hit GDPR pretty
quickly, no?

~~~
cameronbrown
Yep, but it's completely invisible to users so that could be tough to prove
without a data breach. And there's massive profit motive to get away with
this. Right now Google still keeps these websites in check with regards to
Analytics/Ads data usage, remove the middleman and things are going to get
much worse.

GDPR only safeguards your data from the honest. What we need is a
technological solution.

------
jedberg
How do we reconcile wanting to block fingerprinting so we can't be tracked,
with the fact that almost every modern front end uses fingerprinting for
things like figuring out the canvas size for responsive designs? I definitely
don't want to be tracked, but I'd like responsive designs to keep working.

~~~
syrrim
Fingerprinting requires sending information back to the mothership. If we got
javascript that was sandboxed from making web requests, then it could have
access to whatever private data it wanted without entailing a privacy risk.

~~~
jgraham
The web has so many vectors for exfiltrating data that it seems hard to come
up with a js sandbox that is both useful and cannot leak data. Any DOM write
access whatsoever allows you to do things like update link targets to include
the private data or manipulate the DOM in ways that can be read by unsandboxed
script. Even wothout considering timing attacks I'm unconvinced that there's a
way forward that involves trying to separate js with permission to read system
state from the network.

------
Schnitz
Switched back to firefox on Mac, Windows and Android a few weeks ago and never
looked back. Only using chrome for work.

------
bgdnyxbjx
On top of the generally absurd claims made in the official Google post, that
writing was just terrible. Comma splices all over the place, sentences
starting with So and But, very strange tone and wording in some things. Did
anyone edit this?

Oh and I love the “thank you in advance for your help” lol what?

~~~
thetinguy
Starting a sentence with conjunction is not grammatically incorrect.
[https://www.merriam-webster.com/words-at-play/words-to-
not-b...](https://www.merriam-webster.com/words-at-play/words-to-not-begin-
sentences-with)

~~~
bgdnyxbjx
So you are saying that this was a totally fine way to write? But it sounds
very awkward and sloppy to me. Maybe, it’s just me.

~~~
nvrspyx
I mean, you just used both of the ones that you mentioned in this comment
alone, unless that was intentional. I think it sounds fine, so long as the
writing is not intended to be super formal.

------
standyro
This letter lost me really early on:

>> "There is little trustworthy evidence on the comparative value of tracking-
based advertising."

This is flat out wrong. Google and Facebook have proven that there are
BILLIONS of dollars on the table for the value of "tracking-based advertising"

As an engineer who used to work in ad-tech, making appeals to reason to these
companies won't help. There's a lot of money flowing in this sector, and
unless large internet companies see the value in changing their ad-based
business models, the only thing that will dissuade them are shifts in public
opinion, laws, and policy.

Or a rearchitecture of the web, which I'm all for :)

~~~
kodablah
> This is flat out wrong

Only if you assume value == money. The question is not whether advertisers
will pay extra for tracking-based advertising (your definition of "value"),
the question is whether they are getting what they're paying extra for (what
others are considering "value"). That someone pays for extra for something
doesn't not necessarily mean it's worth it.

~~~
amazingman
While I agree with you philosophically, you are using a different definition
of “value” than the parent, i.e. you are talking past the _point_ of the
parent comment.

------
prepend
I feel so bad for the author of this post. I would love to bump into and chat
with the author 10 years from now at some conference and learn about the
arguments that went into why this was written.

I wonder if the director of chrome engineering has drunk the koolaid enough to
believe this? Or whether they feel really bad about carrying water to pay the
bills.

------
hartator
To be fair, most of the reasons for trackers is to fight ad fraud. Most of
traffic on ads are just bots.

~~~
zacksinclair
The vast majority of tracking is about behavioral ad targeting.

~~~
jakeogh
And behavioral modification by selectively lying to the user.

------
choppaface
What if Google is so entrenched in this position because they see a ton of
evidence? What if Google is “right”?

I tried out Google’s non-personalized ads for a while, and wow the ads were
bad, especially on YouTube. Not like irrelevant but downright obnoxious. But
wait, we’ve seen this before!

A couple years ago, Google noticed that ads were starting to get downright
atrocious and started fighting them. One relevant blog post:
[https://blog.google/technology/ads/building-better-web-
every...](https://blog.google/technology/ads/building-better-web-everyone/)

Why Google oh why are ads so bad? Because advertisers got more evil? Yes and
no. Google got more evil advertisers as all the good ad money went to
Facebook’s properties.

2012 [https://www.emarketer.com/newsroom/index.php/google-edges-
cl...](https://www.emarketer.com/newsroom/index.php/google-edges-closer-
facebook-display-advertising-twohorse-race/)

2019 [https://www.emarketer.com/chart/217028/facebook-vs-google-
sh...](https://www.emarketer.com/chart/217028/facebook-vs-google-share-of-
total-us-digital-ad-spending-2016-2020-of-total-digital-ad-spending)

Google’s recent blogpost is frustratingly “right”: given the opportunity cost
of bad ads, an average user is better off opting in to higher-quality
tracking-targeted ads. BUT! That is only because Google the ad company lost
the good content. And sadly, Google the software company owns the browser, so
they have to make do in a Google world.

This isn’t even an issue about privacy. It’s about a company overtly
misrepresenting the interests of its users in bad faith. No different than
Uber tacking on the $1 “safe rides” fee as a pure margin generator rather than
as protection for riders.

~~~
burnaway
You need to consider some users A) don't want to see ads at all (exhibit A:
lot of posters in this thread) B) rather see "dumb" ads than personalized one
if it comes through individual level tracking and profiling (that's me). From
this perspective no amount of evidence can convince me they are "right" and I
have no wish to contribute in any way to "betterment of ad quality" for the
price it is proposed. This is comment is no reflection on the rest of your
argument btw, just addressing the premise.

~~~
feanaro
> You need to consider some users A) don't want to see ads at all

Exactly. I'm really stupefied with arguments that I'm "better off" by opting
for tracking ads. Why am I better off? What good does it do to me? It almost
seems like these arguments are coming from some other world which I am not
living in.

~~~
Ambele
I think some ads are good. Specifically the kind that informs you of something
new. Sometimes when I see an ad with a trailer for a new movie in theaters,
I'm appreciative that I learned a movie that I wouldn't have otherwise known
about.

------
musicale
> We find this passage from Shoshana Zuboff’s The Age of Surveillance
> Capitalism to be apt: “Demanding privacy from surveillance capitalists or
> lobbying for an end to commercial surveillance on the internet is like
> asking old Henry Ford to make each Model T by hand. It’s like asking a
> giraffe to shorten its neck, or a cow to give up chewing. These demands are
> existential threats that violate the basic mechanisms of the entity’s
> survival.”

This quote is hilarious, but if, as the article suggests, privacy-invading,
tracking-based ads aren't much better than content and region-based ads,
presumably advertising companies like Google could abandon it and still
provide similar value to their customers.

It might even save time, resources, and money since they wouldn't need to put
as much effort into tracking.

------
gnode
> the pickpocketers will just switch to muggings. That would be even worse.
> Surely you don’t want that, do you?

A contrast with law enforcement, is that the abusers are not punished and
deterred, but instead encouraged to escalate the potency of their behaviour.
Anti-tracking technology is preventing pick-pocketing by expecting people to
ride in armoured cars. This should be part of the solution, but we also need
deterrence.

Laws like the GDPR should in theory help, but sadly enforcement with regard to
tracking consent has been lacklustre, and consequently and predictably the law
is widely flaunted. This makes the mitigating technical measures all the more
necessary, yet they are not a panacea.

~~~
joes223
I think the today's adtech is more like video cams installed in everyone's
house and squads of criminals that do targeted raids based on information
obtained from those video cams. First people figured that such cameras exist.
Then they started installing steel doors. Now they're removing those cameras.

------
anticristi
Can someone explain me if this isn't (technically speaking) and uphill battle?
Let's say all browsers implement first-party isolation and anti-
fingerprinting, won't tracking simply move server-side?

"Hey AdTech Network. Here is the server from Free Newspaper. Can you send me
an add for Free Newspaper user X at IP Y?" "Hey Free Newspaper. Oh, that guy?
I just saw him buying a flight ticket at Flight Aggregator. He is definitely
Flight Aggregator user Z. Here is a targeted ad."

~~~
cameronbrown
It's totally possible and why IP addresses are PII. If you've got enough
websites working together it's probably possible to reconstruct their browsing
history, and I would guess even more accurately than with client-side tracking
(where blocking cookies and adblockers at least give you some control).

~~~
anticristi
So then why are people so annoyed about Google not implementing anti-tracking
technology, instead of being annoyed at legislators not regulating tracking à
la GDPR?

~~~
cameronbrown
I don't know. But it seems to me there's a lot of misdirected anger in the
air. Trump is investigating FAANG yet nobody is willing to give him the
benefit of the doubt there. If everyone was screaming at government then maybe
something would change.

------
JMTQp8lwXL
Is there someway it'd be possible to develop a browser that fingerprinted as
identically as possible for everybody? Surely we have different IP Addresses,
but we can make things like querying for viewport dimensions the same.

~~~
tortemp7163
The TOR browser already achieves this. All TOR users have an identical
fingerprint.

------
airnomad
I find it amusing how commenters on HN are so privacy-sensitive while good
share of software industry today supports, depends on or directly is involved
in people tracking, this way or another.

~~~
yjftsjthsd-h
Eh... _some_ of the industry, sure. I work in a B2B company, others work in
hardware devices, etc. I'm not sure what the relative proportion might be, but
it's certainly not the whole industry.

~~~
airnomad
Go talk to your marketing team and you would be amazed by level of tracking
those guys doing or _should be doing_ in order to win the market.

I work in a very boring niche for a small company and you'll receive email
from us and we'll know what ads you clicked to find us 1 year ago and that
we'll keep your entire browsing history and utilize it to tailor our messaging
and that's just a begining of it. And our budgets are fraction of what huge
online advertisers spend.

Modern digital marketing wouldn't be possible without tracking and that's just
how it is.

If we make it harder via regulations, we'll just make it more expensive and
that's all. Kind of similar as drugs - demand is so strong that supply is
going to be there no matter what you do.

------
einhverfr
It's almost like Google wants to track and deliver advertising.

Almost like they have some financial interest in determining user behavior so
they can deliver more targeted ads. Almost like they are an adware company.

Nah, can't be that. That would be like a conspiracy or something......

------
auslander
That surveillance economy strongly reminds me Tobacco industry. It was cool
and trendy until everyone woke up and regulated it to death, as it should be.
GDPR is just the beginning.

------
undoware
fantastic essay. thank you

~~~
joes223
I believe that this is a part of a well funded campaign against Google by some
of its rivals or enemies. Oracle? Regardless, whoever is implementing this
attack, they're doing a fantastic job. Google's business is basically
connecting Advertisers (wolves) with Users (sheep) and the most important part
of this business is to keep this ecosystem stable. Someone's apparently found
a way to destabilize this system: wolves are getting bigger and greedier,
while sheep is dying out. The only solution here is to cut the population of
wolves, but Google is still in denial and lies to itself that maybe the
extinction can be stopped by formalizing the process of chasing sheep.

~~~
burnaway
There are people with strong beliefs and opinions they are ready to fight for
- within the frame of their daily job, using their free time, their own money
etc. All this without being enthralled to a "bigger entity", as a part of a
conspiracy, serving a special interest playing power games, or simply someone
paying them. I am one of those people, in agreement with this post, I can see
the OP being in this category as well. If this is all too surprising for you
that is a reflection on you.

------
1024core
Ironically, this site wants to use my browser's canvas to fingerprint me.

Umm.. no thanks!

~~~
Crosseye_Jack
I'm not 100% its being done for tracking, the canvas usage is being used to
insert emoji into the page from WordPress Servers. It being a WordPress based
blog kinda explains that.

Now are WordPress using that ability to track users which the owner of this
site isn't aware of? That's another question.

Edit: This page doesn't contain any emoji, But it prob just a WP Plugin that
replaces any into broswer/os emoji.

------
jiveturkey
[https://www.blog.google/products/chrome/building-a-more-
priv...](https://www.blog.google/products/chrome/building-a-more-private-
web/):

> Some ideas include new approaches to ensure that ads continue to be relevant
> for users

'nuff said

------
oconnor663
> To appreciate the absurdity of this argument [about encouraging
> fingerprinting], imagine the local police saying, “We see that our town has
> a pickpocketing problem. But if we crack down on pickpocketing, the
> pickpocketers will just switch to muggings. That would be even worse. Surely
> you don’t want that, do you?”

Calling arguments "absurd" or "disingenuous" is itself arguing in bad faith,
and respectable publications can do better.

This sort of thing happens in real life all the time. In the debate over drug
policy, one of the major arguments for legalization is that drug prohibition
leads to different types of crime. On the one hand, this is a "defeatist"
attitude to have about drug policy. On the other hand, the world is
complicated, and sometimes we have to make compromises.

The author continues:

> Based on peer-reviewed research, including our own, we’re confident that
> fingerprinting continues to represent a small proportion of overall web
> tracking. And there’s no evidence of an increase in the use of
> fingerprinting in response to other browsers deploying cookie blocking.

That's an excellent, concrete point to make about the question. But it's not
"absurd" for others to have less confidence in that conclusion. It sounds like
a tricky open question.

~~~
naringas
this is the criticized argument

> large scale blocking of cookies undermine people’s privacy by encouraging
> opaque techniques such as fingerprinting. With fingerprinting, developers
> have found ways to use tiny bits of information that vary between users,
> such as what device they have or what fonts they have installed to generate
> a unique identifier which can then be used to match a user across websites.
> Unlike cookies, users cannot clear their fingerprint, and therefore cannot
> control how their information is collected. We think this subverts user
> choice and is wrong.

the argument claims:

\- people block cookies so fingerprinting methods had to be implemented

\- cookies, unlike fingerprinting, can be deleted

\- because cookies can be cleared people should just embrace them and keep
their ability to choose

------
privateSFacct
> To appreciate the absurdity of this argument [about encouraging
> fingerprinting], imagine the local police saying, “We see that our town has
> a pickpocketing problem. But if we crack down on pickpocketing, the
> pickpocketers will just switch to muggings. That would be even worse. Surely
> you don’t want that, do you?”

Actually, fingerprinting is not JUST used to track users for ads. Describing
the characteristics of a device is used for lots of other purposes as well.
For example canvas size etc etc useful for other reasons. Many / most web dev
folks rely on fingerprints (user agent / screen size) when targeting layouts,
adding / removing features etc.

The whole analogy where police are cracking down on criminals is the same as
cracking down on fingerprinting is what is "absurd" and "disingenuous". A
better analogy is wanting to have a 10mph speed limit to reduce pedestrian
deaths. It would (and I like car free planning so would support it). But it
would ALSO make commutes etc slower.

~~~
reaperducer
_Many / most web dev folks rely on fingerprints (user agent / screen size)
when targeting layouts, adding / removing features etc._

I've been building web sites commercially since 1997. I have never done any of
those things.

Unless the company you work for has the marketing or advertising department in
charge of the IT department, this shouldn't happen. I'm sure that Facebook and
a bunch of other terrible companies do it, but they shouldn't. The closest I
ever came was during the era when you had to detect IE6 and work around that.

But, no, "most" web devs don't do that. Maybe you do. Maybe the people in your
company do. But that is not "most," or even "many." I'd say it's probably not
even a plurality.

To put it bluntly: If you think that's web development, you're doing it wrong.

~~~
privateSFacct
I'd be curious if you were commercially successful.

The shift from IE to chrome was told by user agent strings. Almost EVERY web
developer was tracking this and figuring out what features would work
reasonably and what would not during this shift for the websites they
maintained. In other words, what parts of the standard HTML were widely
supported among users visiting their sites.

If you worked internationally you'll know that this was very different on a
country by country basis.

Surprised to hear the claims that only a few do this. It is CRITICAL to
developing useful websites -> you need to know what version of HTML to target
at a minimum. Screen size, mobile vs desktop all also matter.

I'm now realizing why some web devs can charge so much - they might use these
tools -> while others don't?

~~~
shkkmo
I find your tone innapropriate for HN

User agent sniffing is a bad idea and fragile. Feature detection and shims
work much better. CSS media queries are quite sufficient for screen size and
resizing issues.

Most importantly, none of this ican be fingerprinting unless you are sending
these metrics back to your servers which is IMHO unethical.

