Hacker News new | past | comments | ask | show | jobs | submit login
Trackers (jacquesmattheij.com)
874 points by henrik_w on March 11, 2016 | hide | past | favorite | 209 comments

Believe it or not, some stores sympathise with you. They might actually be run by people like you, people who read your story.

They still want to know how you proceed round the store, because that helps them optimise shelf layout, identify hard-to-find items, and so on. So yes, they might use the standard in-store CCTV to observe your journeys, and when they figure that you and people like you always have difficulty finding the eggs (seriously - why is it always so hard to find the eggs?), they'll move the eggs somewhere more prominent, so they can sell more eggs and you can buy what you came to buy.

But that's as far as it goes. They don't follow you out the store, let alone into your bedroom. They don't match anything with third-party data, let alone your mobile phone number. The store just wants to know where to put the eggs.

Unfortunately, your bouncers have simply been told to "hurt them if you have to, I’ve really had enough of it". So last time they came in, they smashed the CCTV cameras. The store-owner remonstrated with them a bit but the whole debate around bouncers has become so polarised that there was really no point arguing.


And if this metaphor seems a little obscure, this is why it is irresponsible, populist and ultimately self-defeating for uBlock and chums to block self-hosted Piwik and other such internal analytics tools. Because some of us are trying to do the right thing and your bouncers are still beating us up.

I find it interesting that a lot of content producers have feel entitled to users' participation in analytics at all.

Sure, it may be frustrating when a user blocks tracking tools (especially self hosted ones) but that's the their choice.

We got by for decades without analysing user habits (even in a local only context, without correlation with third party data). There are so few examples of cases where analysing user behaviour was a make or break factor in a store's survival. Sure, it can be useful to know what a user looked at and, as you suggest, how difficult it is to find the eggs. But there are better ways.

Physical stores at one point (and still now, in many cases) respect that user choice. Want to participate? Get a loyalty card. We'll watch how you spend, but we'll give a little something back to participants.

On the web, the solution is simple. Do it on your application servers back end. Have your request handler (which should probably know a lot more about your user in the context of your application than any third party tool) log user requests and actions. You'll be able to tie data gathered to a logged in user and their local purchase or browsing history.

You'll get to know your user better and you'll avoid third party tools that creep out a growing proportion of your users.

You're not entitled to participation in analytics.

In the "good ol' days" (TM the shop-owners in a community knew quite a lot about their customers.

Oh Mary just gave birth, Henry is currently sick, Walter likes his coffee a little stronger, James a little weaker (something with his stomach). Danielle drinks only tee, has two kids and the marriage is not really happy. And so on. A lot bordered on gossip, a lot was very valid and relevant information. People talked.

So it was totally normal in a smallish community for the store owners to have an extensive profile on every customer. All in their head for sure, but non the less. And guess what - everybody benefitted. The clerk could recommend based on what he knew. People would be directed to relevant produce.

By the way this works even today. If I buy at my normal place I get personalized recommendations for cheese from the lady behind the counter. We talk, she knows a little bit about my tastes and I get to try new things.

And guess what - everybody benefitted

I grew up in a town with <1000 year round residents. We had a general store like this. We avoided the general store as much as possible. Some families went as far as getting their mail through another town because the local post office was inside the store.

The reason is quite relevant to this thread. The shopkeeper, his wife, and all the regular customers who sat around to chat while they drank their coffee were gossip hounds.

People valued their private lives more than letting a social circle they weren't involved in know anything about them. Not who sent them mail, and not even what type of breakfast cereal they liked.

"Everyone benefitted"? Nah, I think you've just heard too much "small town community" bullshit from politicians.

Different strokes, different folks. Personally, I like that people in my town know me. Gossip goes around, sure, people know more about me than I might be comfortable with but in general that establishes in the long run a familiarity that works for me. It feels like a very large family, and I like that.

So what you're saying is that not everybody benefitted?

"Danielle drinks only tee, has two kids and the marriage is not really happy........ People would be directed to relevant produce."

What's the relevant produce for an unhappy marriage? Whiskey?

I'd actually talk to a few people before I'd say "everyone benefited" because many didn't and absolutely hate it. I've seen people rearrange their schedule and go way out of the way just so they can run an errand in peace and with some privacy and dignity. Myself? I know I've avoided places specifically because I'd be likely to see someone I know there.

Having a conversation once in a while with the person selling you cheese (which is choice!!) isn't the same thing as being tracked.

Not everyone wants personalized recommendations either. Or recommendations at all, most people know what they want and are creatures of habit.

I don't want recommendations at all from anyone who is selling me something! The incentives are misaligned to say the least. What if you found out the cheese salesman got commission from certain brands? You'd think she'd suddenly recommend them?

That's great, if you want personal recommendations.

But I do not. I want a choice, the choice to share my data and have personal recommendations, or not share anything and have generic ads. But no one give me that choice, so I have to take it by "hiring the bouncers"

This is the direction we should and, I predict, we will be headed. Personal recommendations and analytics should be optional and opt-in. The EU cookie law is a step in the right direction but the reason it's so clumsy is because cookies for now are opt-out.

The way to get there is to separate the browsing/shopping process from the tracking/recommendations. Instead of bouncers we should have personal shoppers. The majority of people I speak to have no problem with trackers so there is no reason not to make it more transparent where users can choose which data they want to share and for what purpose.

I've never seen a single site with the EU cookie warning saying "click here if you're ok with cookies, or click over there if you'd rather we didn't use them." It's always "click here to proceed with cookies, or fuck off."

As it should be. It's none of our "right" to visit any particular site. The person who sets up the site gets to identify the terms of use - since they're the one footing the bill for it.

If you don't like it, that's your prerogative - you can go somewhere else. If enough people do that, the person who owns the site loses out. But I can't see why it's not entirely within a provider's rights to say "if you use our service, you must agree to X. Otherwise, Y."

I think a better use of resources than the clunky EU cookie law would be to say "sites can analyze what visitors do on their site - but only there." Then it's truly opt-in (by virtue of using the site), and sandboxed. There's no "following you home" - the site owner would only have access to what you do on their site.

Opting out by not participating is approaching impossible, and doesn't send a visible signal to site owners. There will never be "enough people", but that doesn't mean the issues are not important. If the minorities who notice problems (missing wheelchair ramps, lack of braille on signs, ambiguous color indicators, gross violations of privacy) are silenced and ostracized, we all suffer.

Well, the whole thing is kind of academic anyway. I can tell my browser to say "sure, I accept cookies!" and then drop them on the floor.

The difference is the customers also knew the same amount about the store owner. Oh, Gerald started running the store when his father got too sick to do it and he's been at it ever since. He's been trying to convince his son to take it up when he retires, but the boy only wants to play guitar, and so on.

There was trust because they were all part of a community. That's not the case with anonymous trackers that people aren't even aware of.

I can't think of one website/company that I would like to have this small town clerk-customer relationship with.

Youtube's recommended videos are unfailingly terrible, and Amazon's recommended products just feel like annoying add-ons that might "accidentally" get bundled into my cart if I hover my mouse too near them. I generally already have something in mind if I want to buy/watch online.

I'll stick with recommendations from friends/actual people. That's why last.fm/spotify has been so great for music discovery relative to pandora/rdio - you can browse real people's collections instead of an algorithm's guess of what you might like.

you can browse real people's collections

Wait, what? Do they know that you are browsing? Seems also creepy...

You can optionally choose to share play lists for sure, I'm not sure if they still do but spotify by default shows everyone what you are listening unless you put it into some private mode (a tad less creepy)

For a single store, or family business, that's equitable and I'd opt in by shopping there or visiting the website. On the web the small business is often the artisanal butcher, small crafts or the one HN reader running their side project trying to compete with IBM. Happy to share some data. Happy to help and try and support by giving you my money.

The web is mostly not like this. The ad and tracker networks are on multiple sites and are so agressive and successful at retargeting that it almost induces paranoia. Sadly out of ignorance the innocent small business is using a network that's borg like in their assimilation of everywhere.

Tesco, Forbes and the agressively multi round funded startups can fuck off. Especially as they give no shits for apparently anything. Fuck that man, get bigger fast. Let me show you this ad for VisualThing++ for the 96th time, even though it's well over a week since you accidentally clicked on the maximise on rollover sound playing flash abortion.

Back when I was being persuaded that all advertising and tracking online was becoming evil I'd innocently visit somewhere work connected say SEOMoz, as was, then see ads for them EVERYWHERE, for ages. Like the bad commission only salesman who ruins parties and friendships with only one topic of conversation I'd go read something in the evening on sports and the ads would be having a conversation about Moz, or random startup service we looked at for work. WTF man fuck off and stop following me!

Even on the web the good ol days, as you describe them, wouldn't be so bad, but that's not what we have. Not even close.

Counterpoint: the barista always knows what you want.

We got by for decades without analysing user habits

Depends when you start counting the decades. Since Netscape and the 'coming out' of the www, we've always paid attention to where people go on our own web pages.

And stores have always paid attention to how many items they sell.

But (continuing the metaphor) now they're tracking what each customer buys and when, where they came from and where they go, where their eyes wander and how long they look at an item...

Then sharing that data with other stores to profile customers, and find out who's sick, pregnant, graduating, on a diet, what political candidates they support...

Tracking today is nothing like tracking site visitors in the '90s.

Completely agree. It's the sharing that bothers me.

Back in the 90's when everybody installed those wacky click counters on their page, it all seemed so innocent...

1896 is when "loyalty programs" (wherein the store collects loads of info about your purchases & habits) started.

To be fair, you're not entitled to free content free of tracking either.

True, but we aren't really given much choice either. Even if I buy for a service or buy a product from a company, I'm not going to be excluded from tracking.

Amazon isn't going to not data-mine the shit out of my purchases, even though I paid for a product.

I do question the value of all that data collection though. Sure it's interesting, but I don't really believe that data collection and analysis at the current scale translate directly to more sales. Honestly what's the value of tracking me around the net, how is knowing what sites I visit going to translate to a sale of some product?

> Even if I buy for a service or buy a product from a company, I'm not going to be excluded from tracking.

Exactly! I subscribe to SiriusXM for my car, because I really like the music options. Last night I looked at installing it on my phone. It requires access to my contacts (why?); to my phone status and identity (what the heck?); to direct-dialing my phone (WTF‽); to view my network connexions; to pair with Bluetooth devices; to install shortcuts.

It plays music. It should need access to my SiriusXM username and password, and to the network. That's it. There's no way that I'll install the app: I may be paying, but I'm apparently not the customer.

Those permissions seem abusive, but some of them are not too odd for a music-playing app (phone status is useful for pausing the music when a call comes in, BT pairing for speakers and headphones), but mining your contacts or dialing just seem absurd (and should be blocked with xprivacy or Marshmallow's App Permissions).

Phone status I'll agree is useful, but there's no need for a music-playing app to control BT pairing - the phone can do that itself.

Walmart wouldn't run an ad in GQ highlighting it's clothing section: because the ad isn't going to resonate with the person seeing it.

However, unlike Walmart who would get on the phone with an account executive with Conde Nast (GQ's publisher) and talk through the campaign, most website advertisers and publishers do not have people dedicated to doing 1-1 sales. Publishers want the most money possible per ad unit and advertisers want the most sales possible within a reasonable acquisition cost. To balance those two things out and create value on both sides, ad exchanges and the demand platforms that tie into ad exchanges provide tons of targeting and remarketing opportunities. That allows advertisers to target their most profitable audiences. However, in order to offer all the rich and detailed targeting options, the exchanges and platforms have to know what individuals are doing so they can create personas and profiles of you.

If this happened magically in the magazine industry and magazine ads could be customized to the individual reader, then Walmart might buy some space in GQ if they learned a small portion of GQ readers are actually bargain hunters and shop at Walmart all the time for clothes and only read GQ more for their interviews and cocktail recipes rather than for men's fashion info.

You're completely right. But you know what? I kind of preferred the Internet back when most of the 'content' was being produced by people who loved it, for the fun of it and not for money. It's the difference between an amateur and a professional, and I was fine with that.

Sysops of BBSes used to watch their users while they were online. When the BBS only had one line this was easy (and often you couldn't do anything else BUT watch them.)

So, to say that analysing user behaviour is new is probably an overstatement, at least in the BBS example.

You write "Do it on your application servers back end", but then the parent comment actually argues specifically for "self-hosted Piwik and other such internal analytics tools". So, I'm now confused: do you actually agree with it? or disagree? or what? was there something edited in the parent comment in the meantime? did I miss something?

There's a difference between using tools like Piwik (which still burden the browser with additional HTTP requests), and logging the relevant data in the application or server code itself (Apache/nginx logs, or writing your own context aware logging code in your Django/Rails/whatever framework application).

What I'm suggesting is that applications can completely unobtrusively log visitor data internally, without requiring the client to make additional requests. In the same way that ad networks could serve data through your own application backend (rather than being requested by the client), if the ad networks and advertisers could stomach losing access to cross site user data tracking.

The GP was complaining that users still block Piwik and other self-hosted solutions. Of course they do. I'll block every single request I can, if it's not just fetching the content that I want.

Some developers and content providers complain that by blocking analytics services (including internally hosted ones) means they'll be left completely in the dark. This is wrong. They can always log visits through their web app code on the server side - they'll have the benefit of complete request context access ("Is the user logged in?", "Is their account in credit?", "Did they buy this item at some point in the past?") but simply won't be able to correlate this data with other websites logs (a benefit to the users, from a privacy perspective).

As a user, there is absolutely no benefit to me whatsoever of your site knowing my age, income bracket, recent (off-site!) browsing history and interests. None. Ad networks, advertisers and content providers will benefit. I won't.

> I'll block every single request I can, if it's not just fetching the content that I want.

Do you block images, css, and other stuff that doesn't pertain to the content at hand?

> What I'm suggesting is that applications can completely unobtrusively log visitor data internally, without requiring the client to make additional requests. In the same way that ad networks could serve data through your own application backend (rather than being requested by the client), if the ad networks and advertisers could stomach losing access to cross site user data tracking.

Yeah if all you want is referrer, user agent, url requested, and ip. But what about other great information in help with making your site BETTER for your users, like screen size?

> As a user, there is absolutely no benefit to me whatsoever of your site knowing my age, income bracket, recent (off-site!) browsing history and interests. None. Ad networks, advertisers and content providers will benefit. I won't.

I find it strange given the demographics of HN that people still believe by me putting Pwiki on my site to gather analytics about my visitors, that somehow taps into your bank account to see your income, requests your tax documents, downloads your birth certificate and gives me a full list of your last 100 visited urls.

That data is only available if I somehow put a tracking pixel on as many sites as I can. Such as a 3rd party script.

So because of that I can see blocking Google Analytics, or 3rd party trackers, but what are you doing by blocking 1st party stuff like Pwiki other than giving a big fuck you to the website owner?

> Do you block images, css, and other stuff that doesn't pertain to the content at hand?

No. In many cases, the styles and images are content that I'd actually like to see. In some cases, sure - I'd eagerly jump right back on that Gopher train and trim out all the extra crap you want to funnel into my browser.

> Yeah if all you want is referrer, user agent, url requested, and ip. But what about other great information in help with making your site BETTER for your users, like screen size?

Screen size? In 2016, optimising for specific screen sizes is archaic. Exercise responsive design. As for things like javascript feature availability - if you're already using javascript (a rich web app, as opposed to simple content), then you'll already have the facility to pass this data back to the server, the same server, that's serving the requested content.

> I find it strange given the demographics of HN that people still believe by me putting Pwiki on my site to gather analytics about my visitors, that somehow taps into your bank account to see your income, requests your tax documents, downloads your birth certificate and gives me a full list of your last 100 visited urls.

You're being facetious. I don't think anyone made this suggestion. I know I certainly didn't.

My issue with things like Piwik is primarily the additional requests my browser makes to help you accomplish something that you could have done on the server side. When I'm reading your blog, my browser shouldn't be expected to make extra requests once the content has loaded, just to give you a better idea of how people use your site. It doesn't benefit me, and you're not entitled to my cooperation. I can choose to block Piwik if I'd like. You can always log the limited data on server side.

> [...] giving a big fuck you to the website owner

And by expecting users' browsers to make additional requests (using additional data, and additional CPU cycles - however few), I could maintain that you're "giving a big fuck you" to the user.

This sense of entitlement to user data, usage data, analytics, and the right to make the client behave as you wish is relatively new over the past decade. I don't like it, and it sets a dangerous stage for the future of the web.

I completely agree with you. Not to mention the current trend(?) with solutions like hotjar or inspectlet where the whole html is sent to their servers with realtime cursor position, click and scroll information. This is really disturbing. And I guess 99% of the visitors don't even know that they are being tracked.

Believe it or not, people have been optimizing the eggs location long before the Internet, using the simple art of [anonymous] sampling and statistics. There is absolutely no technical need to track everyone's every move, the ad / surveillance industry is overreaching by a huge margin. See http://www.nielsen.com/us/en/about-us/nielsen-families.html for an example of sampling in action.

Furthermore, the eggs are hidden on purpose, such that people have to walk a long way along aisles filled with high margin impulse buy crap. As a customer, this "optimization" is actively trying to exploit my atavic weaknesses and damage my health. Thank you very much, I don't sense a whole lot of sympathy for me here, just a race for the quick and dirty buck.

They have been doing it for a long time, but we know the game now. Most people haven't figured out they are being digitally tracked, but when that happens, I have a feeling consumers will get proactive, and really begin to withhold, or make it difficult for entities to track buying habits.

As to eggs in the back of the store, yes milk and eggs are always in the back of every store I can recall. We all know the game. Why piss off your loyal customers? Too many MBA's? I don't know, but it's obviously not working. I don't like shopping anymore. I don't think I'm alone.

I can't think of any brink and morter store that's doing well. And they always blame the Internet?

Whole foods was doing great for years. Now with uniformed security guards roaming around, tired workers, sneaky product placement; their quarterlies are the chits. They blame competition. It's not competition. Your stores became like everyone else. By the way, the CEO did promise to make staples affordable and he delivered. Milk, eggs, butter, and bread are cheaper than Safeway, along with their brand of product. There 365 products are reasonably priced.

I am very respectful to pretty much every store I shop in.

By respectful, I treat the store like I live there. I put away items of I didn't need. I don't just leave the item in the cart, or in another area of the store. I don't mess up shelved items, like books, etc. I treat the employees with respect, and try to make their horrid jobs easier.

That said, when I walk into a store like Home Depot. A store that is tracking my movements throughout the store with CCTV, and takes a picture of my mug at every isle, checkout, bathroom entrance, point of sale, etc.; I could care less about how I treat the store. Do I care that every one of my transactions is transferred to some server in Richmond Virginia--yes!

It's funny, I used to like the company. I was glad when they opened up near me. The employees seemed like they liked/respected their employer. I used to go to their stores just to browse. I usually ended up buying something.

Jump foreward to today. I only shop there if I absolutely have to. I walk into that chit box, and can't get out quick enough. If I don't need a product in my hand it goes anywhere except where it was located. My mood changes once I walk through those doors and look into those cameras. I don't think I'm the only one who dislikes being monitored, tracked, and manipulation with product placement.

Their employees seem like they are working in a correctional facility. literally every employee seems misserable.

Home Depot is a perfect example of too much tracking(I don't know all their digital tracking tools--I just feel like I'm being watched. I don't like showing my ID when returning an item with a receipt.), bad security, and general useless advice from MBA's who should have at least one year of grunt level retail work before being promoted to screwing up a store.

I have a feeling tides will turn eventually.

I made a small purchase in store at Home Depot with a credit card (a bad habit, which I've resolved to do less of [0]). A few weeks later I received an email asking me to review it, to an email address I had used for online ordering. In retrospect, it wasn't so amazing that they'd correlate this information, but that they'd have the audacity to assume I wanted my relationships with them to converge.

It's similar to price checking something on Amazon, not even logged in, and then them spamming you about that item. Your average person is so overloaded and unobservant that these things apparently don't set off their creepy detector.

[0] I started doing so because it's easier to return items, and I try not to keep stock when a store can do that for me. Speaking of returns, they run your license with a 3rd party verification company that is obviously also surveilling you. Furthermore, if this company's digital voyeurs decide you should no longer be able to return items, you have little recourse. I believe using a credit card avoids them wanting to see ID [1], and obviously prevents their system from denying your return.

[1] Although I've got my license's serial number / 3D barcode covered with blackened masking tape. A picture, name, address, and birthday is more than enough to "identify" me for civilian purposes, thank you very much.

> it is irresponsible, populist and ultimately self-defeating for uBlock and chums to block self-hosted Piwik

First, a precision: EasyPrivacy blocks Piwik. uBlock Origin enables EasyPrivacy by default. If you think it's wrong for Piwik to be blocked, bring the issue to EasyPrivacy maintainers.

Now, why is it "irresponsible" for Piwik to be blocked?

Some of us just do not like to have all our movements scrutinized, even by 1st parties -- I personally consider this a healthy stance, I just do not like to be treated as a product.

Also, what guarantee there is that all the data collected by one 1st party through Piwik is not sold to any number of 3rd parties? There is no guarantee -- thus all tracking deserve to be blocked as much as it can. It's for the same reason I choose to not disclose my phone number or postal code at the cash register when they ask in brick-and-mortar stores.

I think the 'ethical' choice is some kind of a middle ground approach. It's true if everyone blocked all tracking and analytics the web could not exist as the largely free service that it does today. Websites also would struggle to improve their quality without the analytical data.

That's why I think the orbital strike option of block everything all the time is ultimately selfish. I think individuals should make some attempt to block ads/tracking that they think is itself immoral but not block what they consider fine.

For example, I don't block ads in google search results since they are unobtrusive and clearly marked as ads.

If you're really this worried then you should probably be spoofing your request headers and hiding your IP behind a VPN, because those will reveal a lot more about you than what most 1st party trackers will.

> Some of us just do not like to have all our movements scrutinized, even by 1st parties -- I personally consider this a healthy stance, I just do not like to be treated as a product.

And that is your choice and I can respect that, but please, don't be one of those entitled people who complain about a website completely blocking you for blocking their stuff.

And for the record, I love uBlock and your work. I use it myself, but I use it in blacklist mode only. Which I feel is the best way to do it. Block the shady sites, don't hurt the ones who just want to get a little analytics.

If you make it an arms race, you will never be done racing. You should be honored that people want to use your site, not angry because you feel entitled to creep on them just because they made a GET request.

Yeah, I get it. I should be honored to pay a server bill to display content that you want to see, and not get anything out of it.

You should be honored I had the content you wanted to see and agree to what I require in exchange to view said content.

So many people claim they'd rather pay a fee to view a site than have an ads shown to them.. But in practice, I highly doubt anyone would pay for the amount of sites they visit daily that display ads in exchange for delivering the content they want to see.

Why are you so hung up on the server bill? The costs of distributing information are next to '0'. The cost of the creation is an entirely different matter.

Cost of creation is one aspect, a server bill is the most tangible way to show cost. Take your post for example. Did it cost you a lot to write it? No. But I bet the cost in resources on your server for it making the front page of HN did go up.

It's negligible compared to the time I spent writing it. At the same time, there are no ads on that page and there isn't a single tracker on it either. And the way the page has been slimmed down the bandwidth costs are a lot lower than what you might think they would be (that page transfers less than 15K of data).

If server costs are a worry then definitely spend some time on thinking about slimming down the presentation to the point where those are no longer a worry.

Whether that page gets viewed 10K or 100K times doesn't bother me, if it would get into the millions I'd have to do something about it (probably slim it down even further).

I mean don't get me wrong, I absolutely loved your post and I understand it, but your argument right now is pure anecdotal.

I haven't ran a site in the last 5 years that had an advertisement on it. But I have ran sites in the past that served over 400,000 unique visitors a day, and the only way I could afford to continue delivering the content that those visitors came for was to either require them to pay for it, or put advertisements on it.

I couldn't afford at that time a $1500/mo server bill to give content out for the love of it. It was a full time job just to curate and provide the content let alone work a full time job to pay for it too.

I see both sides. If you want to block ads and trackers, I fully understand and that is your right. I just don't like the fact that people feel entitled to the content of the website without agreeing to view the other stuff on the same page.

Once again, if you block my ads, go for it, your right. But it's also my right to deny you that content on the fact that you blocked my ads.

Ah, but you are conflating ads and trackers, which is exactly the root of the problem. I'd be more than happy to view the ads, I might even click on them. But I point blank refuse to be profiled/tracked/long term cookied/finger printed and served a side of malware to boot.

That is the problem here.

But people fight the trackers by installing adblockers, because lets face it, the biggest offenders are ad companies. And all ad blockers are in whitelist mode by default, and nobody cares enough to turn it to blacklist mode, as a result the guys who display tasteful, unintrusive, non tracking ads, get caught in the crossfire, and the go to argument by these people is "It's my right to block anything I want." but in another breath they're complaining because a company decided that if you block their ads, they're blocking you.

Yes, but I think it is a step (or rather several steps) too far to blame the users here. The advertising industry decided to take what it could so here we are today. Web properties have had ample time and opportunity to dial up the heat on the agencies and the ad-tech companies to stop this all from happening but the money was just too good.

So now the unintrusive, non tracking ads (the good guys, if you wish) will be lumped in with the rest, because they are a very small fraction of the total and people that have finally had enough of all this can't be bothered to be precise enough about how hard they slam the door.

And I'm not complaining about companies that block me because I run an ad blocker, I couldn't care less, their loss, not mine, there is enough content out there that you couldn't consume it in several lifetimes if you wanted to.

I would just like to say I enjoyed this discussion. Most people don't like my stance on adblocking (I'm not totally against it, I use and love uBlock Origin) and it usually ends up with me being downvoted to oblivion for having an alternative opinion.

Have a good weekend and happy high five Friday.

The same to you. Thank you for the exchange and have a nice weekend!

Ads in some context are okay. People who use adblockers wouldn't click on your ads even if they'd see them. But tracking is a completely different thing and much more serious. And most of the time I don't even have a choice, the website just tracks everything about me with no way of turning it off.

The way trackers are implemented, they aren't a trade of good content for some info. They're a proposal of "I won't even let you find out whether I have good content unless you give me your info up-front". It's literally the privacy-invading equivalent of a clickwrap EULA that you can't read until after you've already agreed to it.

To which the answer is "no, now take the business model that you thought required this and shove it somewhere anatomically improbable".

I can understand phone number, but what possible reason is there to refuse to give zip code? The only thing I can think of using that information for is to determine the optimal location to open another store.

Zip code data correlates strongly to wealth.

With tinfoil hat on, they mighy want to get a few more fingerprinting bits. https://panopticlick.eff.org

I thought part of the reason they ask for zipcode is that it is for verification purposes if you use a credit card to pay

I've only ever run into that when getting gas, and even then only in high-fraud or very busy areas.


The advertising industry and tracking has gone too far. The amount of websites with local analytics is small. I suspect that nearly all US based shops with local analytics is breaking (EU) data protection law. Why should I assist them in breaking the law when it harms my privacy?

Unfortunately, the reason the eggs are hidden is that they are a low-margin item and people looking for them will pass more high-margin items on the way and be possibly tempted to buy.

> And if this metaphor seems a little obscure, this is why it is irresponsible, populist and ultimately self-defeating for uBlock and chums to block self-hosted Piwik and other such internal analytics tools. Because some of us are trying to do the right thing and your bouncers are still beating us up.

Honestly, we only need a statistically significant sample for a few buckets...so unless uBlock and chums hit ~85% none of this effects me. The same is true for virtually every "good actor" in the space.

You just need to be able to run an A/B test that is statistically accurate + analytics + RUM.



Ad blocking is a reasonable proxy for tracking blocking since they usually go hand in hand. [e.g. uBlock]

Real world, I see ~35% block rates at $DayJob. I don't care about that at all and I'm amazed any "good actor" would given 65% of the population is more than enough for as many statistically accurate samples as you'd need.

So when you say "you are doing the right thing", what isn't included in the above?

> They don't follow you out the store

This is actually factually incorrect.

Some hints here:


And it goes even deeper than that.

Self-hosted, same-domain Piwik doesn't track you on other sites, and doesn't pull in any external data sources.

Yes, I got you, I was just pointing out to you that if in-real-life stores are capable of following you out of the store using their CCTV systems there is absolutely no reason to assume that you can't use a website's analytics suite to couple that with other databases at your disposal.

The major reason why companies will self host analytics services is not because they are trying to protect the privacy of their visitors, it is because they don't want to give out business critical information to third parties.

Once, a shop had hired an assistant called "Cookie" to do the job and another one even had hired a specialized clerk (named W.B. Alizer, for the record) and I was totally fine with this. But then, stores started to hire some guys from the Tracker bunch, but said it would be ok, since they had strict orders to stay indoors.

Now, this became a little distracting. Every now and then I had to wait for the guy to catch up, who was crawling along with me trying to measure the width of my foot steps with an inch rule, and then there was this guy, who insisted to peek into my pockets and to keep track of its contents in a quart book he had attached to the lining of my coat. (Over time, my coat became that heavy, I had to stop and rip out the lining in order to proceed.) Yay, it was all to my best ...

Then, something funny happened as stores began to engage in something they called "optimizing". Had the super market around the corner once sold 5 different sorts of cheese, it was now just 3 with the 2 best selling ones missing (they didn't have much potential for future optimization as they were sold out constantly). Some months later, they started to hide the bread behind a fake wall as soon as I entered and pushed whole piles of umbrellas in my way (since I had once bought one on a stormy afternoon a year ago – I would have understood, if it had been bagels, because I started to buy these as I was searching for the bread in vain.) That is, until last Halloween, when I discovered that there was still bread to buy, when I entered the shop in disguise.

Last month, I bumped into a girl that looked rather familiar, just as I was preparing my wig and false mustache for getting some bread at the super market. Remember Cookie? She is still working at a store, inside the server room. We chatted a while, and now I'm a habitual to her work place again. The store is a bit farther away than the fancy super market, but it really outweighs the inconveniences of the other place.

A little obscure? :)

> hurt them if you have to

> they smashed the CCTV cameras

What? Nope. Not at all. You can still track everybody without a blocker, can you not? Or what harm do you incur that translates into harm or property damage in your metaphor?

They cry that they are hurt when you block ads. Forbes.com may be the worst of them, but even if I allow ads they block content if I don't allow the trackers. I was going to email them to voice my concern about this, but there wasn't a contact page easily accessible (they really blocked their pages!).

I think you make a good point. There is an argument to be made against ad blocking, but it can't be made honestly if they are also requiring tracking technology to also be turned on.

Integrate analytics and tracking server-side. Duh. (And if you so need window size and other easy-to-get-via-client-side-JS information, render the script into the page instead of putting it into a .js file.)

And maybe make all this optional for those that don't want to be tracked. (I mean allow them to register and opt-out of server-side tracking too.) I think they might even start to like you and become sort of loyal.

You are missing some basic facts about how marketing works. Let's start here to demonstrate.

...when they figure that you and people like you always have difficulty finding the eggs (seriously - why is it always so hard to find the eggs?), they'll move the eggs somewhere more prominent, so they can sell more eggs and you can buy what you came to buy.

You think that stores are in business to sell you eggs, and are slightly puzzled that eggs aren't easy to find. But you confidently continue proceed despite direct evidence that stores don't act like you think they should.

The answer to your question is that stores are in business to sell you as much as they can, and the eggs are just there to get you to see everything they have to offer. If they made it easy to buy eggs then your life would become easier and they make less money.

Stores know this because they hire consultants who tell them what to do. And the ones who refused, made less money then got out-competed or bought out by the ones who followed the advice. Now they all know to bury eggs, and the big ones make each store's layout different so that they can maximize how much consumers wander.

You know what else those consultants told them? Candy bars are high profit items, but nobody is going into your stores to buy junk food. Those are impulse buys. So put them right where everyone is forced to stand and wait for the cash register to make it as hard as possible to avoid the impulse.

Look down the cereal aisle. They put cereals with healthy branding at eye level for moms, and the obviously exciting cereals at eye level for kids. Note that branding and reality are unrelated. Take a look at the serving size and sugar per serving on all the boxes. No matter what the branding, most of the cereals work out to be about the same.

It goes on and on. Marketers have fine-tuned their art to a science. No matter where you look, they have mastered details you wouldn't have thought of. And while they aim to hit your emotional buttons, they do NOT fundamentally aim to please YOU. You're not the client. The store is their client, and your being unable to stop opening your wallet is the product that the store is buying.

Hmmm.I have seen more evidence of supermarkets shifting the position of everything every few months, so that you have to hunt more to find your eggs, then see lots more other stuff you will need to buy while searching around.

Grocery Store Tactics: Easter Simulator Edition.

Why can't you just ask people for permission first?

I think even if we were to accept that some places use tracking responsibly, it's the capacity which could so easily be abused, and so lacking in benefit for the individual, which warrants the blanket use of privacy blocking.

Given this, a little more difficulty in "finding the eggs" is a good trade-off, especially since it's not like designers are naive and consigned to random interface choices, and you can actually still do A/B-type testing without user tracking.

Otherwise, users have to trust that site owners, out of empathy, will do the right thing with data, and that a broader network of tracking won't occur -- despite that it's totally rational from the site owner's perspective to broadly track users. That strategy is beyond brittle; it's unbelievable.

Some of us find even that level of tracking to be creepy and invasive, and would rather opt out. You never asked us if we wanted to be "helped" around your store, but we have now answered that question anyway.

What is meant by "populist" in this critique?

It means roughly the same as when the term is applied to politicians when they promise lower taxes: A popular measure that actually has detrimental effects in the long term (with the possible connotation that the politician should/does know this and is just exploiting some base emotions).

Does it not sound solidly, unambiguously sound for the long-term health of the market to increase the ability of consumers to make informed decisions?

It's a way make "popular" sound like a bad thing.

Your second paragraph... that does not apply to grocery stores here in the US.

They fill the center with junk and the fresh food, eggs & milk along the sides. Often eggs & milk (commonly used together) are on OPPOSITE halves of the store!


> But that's as far as it goes.

You, the store owner, may know that; but how do I, the customer, know it? How do I know you aren't selling data from that CCTV camera to others, who don't own your store and don't have the use for the data that you do? Even if you aren't doing that today, how do I know you won't tomorrow, when someone shows up with an offer you simply can't refuse? And so on and so on.

You're right that this is a sad situation, when people's desire for privacy means cutting off access to data even for the (few, I suspect, but still...) store owners who actually want to do something with it that might benefit the customer. But it's what we have. If you want to know where to put the eggs, you'll have to figure it out some other way.

>And if this metaphor seems a little obscure, this is why it is irresponsible, populist and ultimately self-defeating for uBlock and chums to block self-hosted Piwik and other such internal analytics tools.

uBlock didn't block it. I blocked it, by using uBlock, which I picked because of its stance on trackers. So its more like I found a cloak of invisibility so I don't show up on your cameras. You can't blame the store selling the cloaks, because I and every user like me chooses to wear them. You have to blame the user for using the cloak... but to what point? You are blaming me for not letting your code run on my machine.

If you want to read a good book on studying in-store shopper behavior, you should checkout "Why We Buy" by Paco Underhill. He runs a firm that studies shoppers by secretly following people around in a store and writing down everything they do.

I assume that if you change the file names of those internal analytics tools then they will stop being blocked.

bad analogy; no one is smashing your cctv cameras; they're just donning an invisibility cloak on the way in. as is their right, even if nethack would like to claim otherwise :).

Thank you Jacques for writing how something that would be completely unacceptable in the physical world is deemed perfectly fine online. It has always bothered me.

Take for example how the FBI wants to have automatic access to the data in all iphones through a backdoor. Would that be considered OK if they asked lockers makers to make their locks accept a master key so they would be able to enter in anybody's house, so they could monitor further people they suspect to be terrorist?

Of course that would cause an uproar, but the general public being so uneducated with technology, I guess they don't see how the two are related.

> Would that be considered OK if they asked lockers makers to make their locks accept a master key

Didn't TSA do exactly this, only to have CAD designs of the master keys reverse-engineered from a photo and posted in GitHub? https://github.com/Xyl2k/TSA-Travel-Sentry-master-keys

"Would that be considered OK if they asked lockers makers to make their locks accept a master key so they would be able to enter in anybody's house, so they could monitor further people they suspect to be terrorist?"

I don't know. But I know that it would be absolutely normal to pick your lock and/or knock down your door if they had a warrant. It would even be OK for them to ask the lock company, door company, and landlord to help them do that. For that matter, the landlord could even be compelled to surrender his master key for the entire apartment complex.

All of those things could happen out here in the big blue room, and nobody would blink an eye. Funny how these metaphors to the physical world clear things up, isn't it?

But when the FBI gets the key or picks the lock it does not make any other door more insecure, or enables other parties to get into other doors.

What if the FBI would ask all landlords to install a special door to every apartment, but only the FBI has the key to this special door? What if someone successfully copies that key? Now they have access to all apartments.

First off, this already happens: every major corporation uses multi-party disk encryption, usually branded as "recovery options" or some such. They keep their private keys secure.

Second off, the FBI is not asking for a special door to every apartment. They are asking a lock manufacturer to create a key and use it to unlock a single lock that is brought to them, after the lock manufacturer explicitly designed their locks to make the creation of such a key possible, so that this legal case would exist.

There is an interesting debate to be had here, but this rhetoric using overly simplified analogies is not it.

Obviously, "making all locks insecure" is a different situation than bypassing a single door. Which is why we don't do the former, but (currently) do the latter, judiciously.

But hey: what if the lock company makes a standard lock, with a plain ol', low-security, five-pin key, and attaches it to a bomb that destroys the apartment when it's picked incorrectly? Does the lock company now get to beg off when the police come looking for help opening a single door?

"Oh, we'd love to help you, officer, but you see...if we help you open this particular lock, then all criminals will know that you can disable the bomb, and that would make all of our locks less secure!"

This makes no sense whatsoever.

Yes, I think they do.

It's already possible, any physical lock or home or safe can be opened with a warrant. The fact that we're almost at a point where we can hide something from the government (even with a warrant) is groundbreaking.

It's perfectly fine that the FBI or the police can open a physical lock with a warrant. The warrant is supposed to be delivered by someone representing the Justice department, which is (theoretically) independent from the police. What would be unacceptable is that they could just bypass that authority and enter to anybody's home on a whim.

Which is what they are trying to achieve when they asked Apple to put a backdoor in their Iphones.

"The warrant is supposed to be delivered by someone representing the Justice department, which is (theoretically) independent from the police."

I hate to break it to you, but the FBI is part of the Department of Justice. I think you mean that a warrant needs to be issued by the judiciary, which (as far as I know) is a truism. Courts issue warrants, there is a warrant in the Apple case, and it in no way involves a "backdoor" being placed in all Apple phones.

You really might want to look up some of the facts about this case. It's not nearly as general as you think it is.

Warrants are really only a defence against mass, dragnet style surveillance since with enough will, anybody can become subject of a warrant if those who are investigating them have enough will to get one.

and all communications being recorded is like having every phone line tapped by default. And USPS / Royal Mail opening everyone's mail.

It's not "perfectly fine online". In fact, much of it is already illegal in most civilized countries, and has been long before internet was a big thing.

However, any attempt to execute and finetune legislation and regulation to explicitly include the online is generally either ridiculed (example: the EU "cookie law", which is actually a "don't track without explicit permission" law) or portrayed as anti-American protectionism on forums like HN.

I agree that there is plenty of whining by American companies about EU privacy protection laws, but the cookie law was still worthy of ridicule, even for an European like me who quite appreciates the Data Protection Directive. The intention was good, but the implementation was flawed, and predictably so.

Yes, indeed it was. They focused on the technical implementation rather than the activity.

I find it interesting that for most people the problem with ads is the tracking part. For me it's the ads themselves - I don't like seeing them, because I don't really want to buy stuff and think that a large part of the first world's problems (obesity, depression) are caused in part by ads.

In the world of ads, I'm constantly reminded that I don't have the perfect body and that my blender does not look as good as the latest model - I really don't want that, because my blender works fine and looks ok.

So yeah, I block ads and I don't really see why I should feel bad about that, the non-tracking feature is a nice bonus.

So the web will go back to sites that either require payment to enter or are run by people who post stuff out of enthusiasm. Sounds like a nice place to me.

Your nice place will probably never happen. There are alternatives.

On the internet, you are actually better off allowing sites to make money with these old fashioned banner style ads. The alternative on the web is baking this predatory persuasion into the content itself.

By blocking ads, you are pushing your enemy deeper into the medium. Deeper into the story selection process, deeper into the layout decisions, deeper into an app's data harvesting, deeper into the entire editorial philosophy of a publication.

Sure, but that has already happened. It is ridiculously easy to get almost any newspaper to print a commercial article and already now it is hard to tell the difference between for-pay articles and genuine ones.

If you have a instagram account with ~30k or so followers, you start getting offers to promote products for example. If you have less, you can still get deals, but then you have to hunt for them.

But this will happen regardless of ad blocking, because it is profitable. I certainly don't know how to avoid it, except to generally assume that all content is commercial content in for-profit sites. And also on some others.

Did you start visiting shops and places you didn't like just to mislead them? So you have more and more of them tracking you until they run out energy and money because their targeting is just wrong?




That takes the confrontation to a wholly different level and I'm definitely not yet so far that I'd do this but I can see why some would and who knows, maybe one of these days I'll join the ranks. For now, I think that simply blocking what I don't want and being strict in what I send out is my best bet at reaching some kind of stable long term solution. Retaliation is - for now - for me one step too far.

Fascinating. Is there anything similar for other browsers?

One can make a very long list of things that would look really really creepy in the physical world.

For instance I can draw a little cat in my agenda to remind myself to call a particular friend that day. The police will tell me: "what? you have not written that in plain english? You must tell me what it means and if you don't you will go to prison". (In the UK one can go to jail for refusing to decrypt one's own data)

I go buy the Telegraph at my local newsstand and the guy will tell me: "can I see your papers please?" "But I just want to buy a newspaper" "yes but I must report to the police every day who reads what, by the way I must also know which pages you intend to read" (the UK is passing a law that would force all ISP to record what websites their customers view)

Etc etc

Where this analogy breaks down is that the people sent to track you are invisible and can't be seen without the aid of special technology. So what you end up telling people is that they are being followed everywhere by invisible ghosts, who's only desire is to change what ads appear in their newspaper. And it appears that the reaction of most people is about what you'd expect.

If a store has policy of "If you come into our store, we'll have employees follow you home" and you don't like that policy, then don't go to that store. That simple. It doesn't make sense to go into the store and have your goons beat up their employees. That might mean that you can't go to the stores you want to go to, but that's how it goes. It seems as clear online as it does in the physical world.

(tldr without the analogy: The overwhelming majority of people don't care about being tracked online because there are no obvious ill effects. The problem with ad blockers is that it makes more sense to just avoid sites that show ads, but most people don't want to do this because it would exclude their favorite sites.)

If that's all you got from it then I should really do my best to write better. One of the key parts - to me - is that the data silos start trading your data as if it is theirs to whoever pays for it, and that goes a lot further than a real time bidding on ad space, even if that was the initial drive to collect that data.

The sad part is: It doesn't even matter what I do about privacy. I'm obviously in someone's address book. That someone wants to play some stupid game that asks for all contacts. Maybe that someone used an app like Cobook, which pulls data from their social network sites (and I'm friends with them there).

In the end, they get my data, along with a picture and whatnot and I personally wasn't even involved. Heck, I could even use a dumb phone and my phone number would be all over the place.

Recently, Facebook asked me once again to add a phone number "to protect my account". One time, my real phone number was prefilled in the box! They pretend that they don't have it, but since some of my friends use messenger, they surely have it somewhere in my shadow profile (a download of "all my data" obviously didn't contain it).

Yes, these secondary network effects are maddening. See also: https://mako.cc/copyrighteous/google-has-most-of-my-email-be...

I've updated the post to reflect this problem.

This concept of "your data as if it is theirs" is strange to me. Deciding who owns what information is difficult and not so obvious. I once heard a man on the radio saying that he "owned his face" meaning his likeness. Celebrities own their likenesses in that they can block people from using their likenesses to imply endorsement, but they can't block photographers from publishing a photo taken in a public area.

Ownership is much more nuanced than you're making it seem. It depends on where and how the data was collected and further, how the data is used.

Take car ownership. The department of motor vehicles tracks who owns what car, including non-dealership title transfers. That information gets sold to companies like Experian. Anyone can buy it (https://www.autocount.com/). So a company like Yelp, who knows where you live (you do like restaurant reviews from "current location", right?) can cross-reference that with AutoCount data to figure out what car you own. Is that weird? Sure. Is that wrong? Maybe. But it's been going on from before the internet, so I don't understand what's so different now.

That data ownership is enshrined in law in the EU. Not that anybody cares.

Yeah, those pesky geographical boundaries make things strange on the internet.

It is their data. What they sell is essentially their http access logs, the ip address and time of every page request. While that information may pertain to you, it's not yours. They own it and can do what they want with it, including selling it to the highest bidder. That's true for any website that keeps access logs.

If the idea that some websites sell their access logs really disturbs you, don't request pages from websites that do that. Just like someone who is afraid of heights can't go to high places, people averse to ad tracking won't be able to go to most websites. Most people don't want to give up their favorite websites, so ad tracking persists.

Many companies that produce or aggregate content do so with the expectation that their efforts will be rewarded with money from ads. When you use an ad blocker, you reap the benefits of their work while knowingly depriving them of what they expected to earn in return. It would be better if you just didn't read their content, effectively voting against their behavior with your feet. Blocking the ads is having your cake and eating theirs too. It's rather benign, there are much worse things, but it isn't really right either.

No company sells their http access logs, please don't talk nonsense. The data that is sold is sold to marketeers and is the highest grade profile data that you could get. See the 'schober' link on the page and try to at least be a little bit informed before you start throwing around such opinionated stuff. Schober is an easy target for me because they actually list what they sell, they are also a very old company (they were in business long before the web was born). But they are not the only ones. If you feel like reading a bit on what kind of information is being made available a good place to start would be the RTB spec:


So your whole argument here is based on a strawman.

What do you think RTB is? There are websites that will sell demographic information from user profiles, but that's relatively rare. The overwhelming majority of the billions of RTB impressions are based only on location and website audience demographics. Those are things you get from cookies and ip addresses, information that comes entirely from access logs. No, companies don't sell their logs directly, but the vast majority of targeted impressions are sold solely on what is contained in a standard server log.

You seem to be knowledgeable about online advertising and forthcoming with sources. Do you have any evidence that anything near 50% of online ad data sold is based on the highest grade profile data? Because I'm certain that is not the case. I think you're confusing the business of selling profile data on individuals, which is indeed very old, with modern ad targeting. It's hard to persistently match that up with an ip address and cookie, you see. Which is why major ad buyers prefer to buy cookies that tag large demographic buckets like "young males in the midwest with an interest in cars" instead of the names and profiles of individual people. It's common sense more cost efficient, and access log data is much more prevalent and reliable than profile data.

I don't think that any of this works in the way that you think it does. Yes, re-targeting is creepy, cookies are rampant and the average page loads way too many external files. But companies do all of these things for a reason, whether you understand the details or not. If you don't like how they do business, you can just stop going to their websites.

> You seem to be knowledgeable about online advertising and forthcoming with sources.

You'd think?

Only a small fraction of the actual bids will ever be on 'high grade data', but what you are missing is that all of the data is available all of the time.

So no, I'm not confusing anything. The advertising industry will use the data available to determine the value of an impression, if the value isn't there they will pass. But they still use the data in that decision, so whether it gets sold or not is not the key element.

> If you don't like how they do business, you can just stop going to their websites.

No, you can't. See there are these little things called widgets that pop up on websites that have absolutely nothing to do with the attempt to sell you something later and since you have absolutely no idea where you will be hit next you can only 'stop going to their websites' after you've been bitten.

There is a giant difference between a site-specific tracker that helps a site owner understand her own visitors and ad networks that share cookie data. analytics != ads.

Yes, this is true.

But: (1) the number of parties that only use site specific trackers is relatively small to the number of parties that use networks, (2) even those parties usually carry facebook/google and other embedded resources, effectively still leaking your data and (3) in the end, you can't be sure that they don't combine that data on the backside with data procured elsewhere.

I'm not sure whether we're talking about the same thing, but plenty of the web is people running sites tracking analytics on sites that have nothing to do with ads. Of those, Google Analytics would be the most common, and yes, Google is in the ads business.

But there are numerous services that provide analytics and have no part in tracking you elsewhere. Is Mailchimp involved in cookie trading? Segment? Intercom? Mixpanel? To my knowledge, no, there is nothing there -- they only know you via session cookies in the browser, and those businesses do not make data available to third-party ad networks.

Even in cases where they do bring in data, such as Intercom using FullContact to merge an email address with social data from Twitter, it's a one-way API call from Intercom, with nothing identifying the actual sites that will make use of it.

I 100% agree with you on trackers/beacons like "Scorecard Research", and to a lesser extent, Google Analytics, but "you can't be sure" seems like weak ground on which to take a strong categorical stance against any use of analytics tracking. There are real differences to the value they provide and the ability they have to do beyond that even if the incentives are there.

Well, the 'you can't be sure' in practice translates into 'everybody does it' but I'd rather leave enough room for those that do not engage in these practices. Absolutes simply don't cut it.

And the 'value they provide' is never provided to the users, always to their clients at the expense of those users.

Maybe an allegory about how, based on the tracking data, the price you pay for something (say airline tickets) changes. Or the availability of health insurance for your kids? I don't have any facts on which to base the latter, however, but I suspect it's either happening or only a matter of time.

Health insurance is regulated way beyond what you would expect. At least for the individual market, many plans are standardized across all carriers as mandated by the ACA. And in New York (if not elsewhere), rates are proposed in advance to the state and either approved or rejected (and forced to adjust), which can happen for being too high or too low compared to other players. The rates are then set for the year. This is not something subject to real-time bidding.

That would require proof, and I don't have that proof. Maybe someone in either of these industries can point to something solid?

edit: ok, found this: http://www.groovypost.com/howto/news/dynamic-pricing-use-chr...

But it's still a little weak as proof.

If ad-supported sites posted terms of use that precisely defined what info is to be collected, how long it's to be retained, and who will be able to access it, consumers would be able to make an informed decision about what sites to visit. As it is now, without defensive software, one is asked to just blindly trust the sites one visits.

The problem is that people still don't understand what it is they are trading for a "free" web. It really takes a story like Jacques wrote to drive it home. It has to touch them emotionally, because what we are asking them to be wary of touches them with very strong emotions (facebook, for example).

Great. You just inspired another european privacy law where website will be forced to ask you to read the terms before processing reading. What it will achieve is users will be annoyed and install a termblock extension to their browser, I mean kind of defensive software.

There are other options that lawmakers have.

In the analogy (and online), the newspaper with blank spaces (aka the ad-supported site) is a small and insignificant data player. It's mostly advertisers that are collecting and retaining the data, and not just on websites but in all kinds of ways. The profiles are kept by advertisers, and sold on data exchanges, completely out of the reach and control of the ad-supported site. So unfortunately, ad-supported sites that offer up their ad inventory via real-time bidding can't provide the information you'd want. You would really need to opt-in at every point where data is collected, which is everywhere.

But tracking is more pernicious than this.

I hope you realize that major political parties now buy this data and use it to target their campaign pitches to people in close elections. Do you buy diapers? You're probably interested in family issues. Do you buy gun parts? Let's classify you as leaning republican...

It goes way beyond uses that you would imagine. (PS: this is why if you ever sign up for a membership card at a retailer you should just use a fake name / address...)

>If a store has policy of "If you come into our store, we'll have employees follow you home" and you don't like that policy, then don't go to that store ... That might mean that you can't go to the stores you want to go to, but that's how it goes.

Actually that depends on the laws of the country the store is in.

I agree. This analogy is good up to the point where you consider that these trackers don't really know or care who you are. To them you're an anonymous hashed id.

Yes, they 'follow' you around, but they are essentially invisible and mostly aim to improve the targeting of ads/information.

It's easy to forget that a lot of this technology is very new and for a while there will be cases where it's seen as intrusive. Things will only get better over time.

> To them you're an anonymous hashed id.

You wish.

I've worked very closely with tracking companies. They are very strict about not storing any unhashed identifyable information such as email adddress, postcode etc.

Some are good, some are in compliance with the law and some are not. It's a mixed bag, and then of course there is the small detail that 'the law' is not the same from one place to another and that plenty of companies use this to their advantage.

Have you ever seen hotjar, inspectlet, mouseflow and many other service? I mean check out the demo page on the inspectlet site, type in your email address, check the recording and tell me they don't store it in plain text.

I got tired of seeing a drill show up on a bunch of sites after I just searched for it on Home Depot... I block ads on my workstation, but with tablets I just could not find an easy way to block trackers for my whole family.

So Metiix Blockade was born out of this frustration... Now I have "bouncers" protecting my whole network for every one of my devices.

I hate when a web page decides what ads and trackers it wants to pull down from the Internet. With Blockade, I have taken back control of that process and I get to dictate when and where I want to provide my information.

I love feeling like I have the real internet back. No more of these ads and trackers taking over every place I go.

Added a link at the end of the article, it looks like your project is free and clean as far as I can see.

Also consider pi-hole [1], notrack [2], uMatrix [3], dnsgate [4] and hostsblock [5]

[1] https://pi-hole.net/ [2] https://github.com/quidsup/notrack [3] https://github.com/gorhill/uMatrix [4] https://github.com/jakeogh/dnsgate [5] https://gaenserich.github.io/hostsblock/

All added, thank you.

It is funny how things change when you use the physical world metaphor. There was a campaign recently by the Dutch regulatory agency that made people aware of the implications of allowing permissions in "free" apps.

They made an (anecdotal) video by promising a free cup of coffee in exchange for your contact list on your phone:

https://www.youtube.com/watch?v=AYXM56YJWSo (Dutch unfortunately)

Nice video.

My wife has an Android phone, I have an iPhone. Recently, I wanted to install some app on her phone and it is still beyond my understanding, why Google still doesn't allow to deny certain permissions. It's all or nothing.

And no, a fucking video editor shouldn't require access to my contacts, my browsing history and the accounts on my phone.

Android imho is unusable until they let me deny certain permissions, because often, the "best" apps ask for basically everything.

As of 6.0 Marshmallow, you can disable any permission you want. https://www.youtube.com/watch?v=iZqDdvhTZj0

Install Cyanogenmod, or buy a phone with it pre-installed like a OnePlus, then you get "Privacy Guard" in the settings which lets you specify exactly what data apps can access.

Android isn't the problem. Google is the problem.

[edit] As in, you can restrict access to things like location, contacts, calendar etc.

That reminds me a lot of this video: https://www.youtube.com/watch?v=F7pYHN9iC9I

Would be great to make one similar combining the two concepts in regards to sharing phone data.

Check the Mozilla campain "The Hidden Business of the Internet" https://www.youtube.com/watch?v=7LcUOEP7Brc

That video is brilliant. Thank you.

'Please plug in your phone here, we need to get some data from it'


See this one [1] from mozilla

[1] https://www.youtube.com/watch?v=7LcUOEP7Brc

Well-made video. Although hosting it on Youtube (Google) is somewhat ironic.

If that wasn't posted to HN yet you should.

Really well put.

I've been operating browser separation (Google in Chrome, social in Chrome incognito, and everything else in a locked-down privacy mode only Firefox - all with uBlock) for a while, and also use anonymising VPNs for anything I really don't trust, and my own VPN with streisand and Dnsmasq (with a hosts very similar to https://github.com/StevenBlack/hosts/ ).

On my mobile every link I click in any app I open in Dolphin Zero (still on that DNS blocking VPN - which blocks all trackers in apps too), and I only keep apps I actually use and trust the publishers of on my device.

It feels like a chore (manually copying links from one browser to another depending on trust level), I wonder whether it's worth it sometimes... but then I occasionally get to see someone else's experience of the web and it's so incredibly and perniciously been invaded by advertisers that I am glad I do all of this.

It's become so bad that I even had to change my uBlock origin rules for my online bank ( https://banking.smile.co.uk/SmileWeb/start.do ) to block even first-party scripts... because they use Adobe, Omniture and Tealium tools to measure stuff and for A/B testing of their online banking features.

I now block absolutely everything and tell others to do so too, but unfortunately there is collateral damage.

The very sites I care about may not require advertising revenue, but do value tracking data that helps them spot errors, debug things, find out what screen resolutions they should cater for. Their analytics, client-side debugging, this is all now rendered useless to them.

PS: If you happen to work on Firefox for Android, please enable browser.privatebrowsing.autostart to be configured via about:config. I would love to default enable private browsing in a UA capable of running uBlock on my mobile.

I don't know enough about how uBlock works, but I'm mostly concerned about blocking trackers, and dislike invasive advertising. I use Ghostery with everything blocked.

I also bank with smile.

I've just confirmed that Ghostery is blocking Adobe, Omniture and Tealium trackers, but I was able to log into my account no problem. I also transferred some funds to a linked account.

What aren't you able to do with smile? And is it something specifically with the way uBlock blocks?

I noticed with Smile that when I first went to the login page it would fail to login the first time... they have some server-side code to track sessions linearly and force log-out if it detects background operations.

Their use of one of their trackers meant that the first time I ever arrived at their site (every time, because private browsing) it would set things up that touched their server and triggered Smile's security thing.

It was a minor inconvenience... but then I looked into it and noticed how much tracking they were doing.

My view on bank websites is that the only party that I should be speaking to is the bank, securely. No other party, ever.

I now block absolutely everything on my banking website, but I was very surprised this had to be done. A bank, of all sites, should never ever use a third party anything.

It's not just banking. How can sites be so credulous to include 3rd party javascript into their login form pages? It's an invitation to steal your users' credentials! If you really must rely on a 3rd party captcha service put the captcha into an iframe or put it on a separate page.

I think that better than an ad-blocking solution would be to feed all those trackers with fake information

Oh you want location data here it is, this morning I've been all over the planet. Want to know all the websites I'm visiting, sure, here's a million of them.

Just based on the fact that they keep trying to sell you the thermometer after you already don't care kind of points out that they're being had, and I'm all for helping it happen

The marketing industry is moving beyond trackers and cookies. Hastened by the mobile/tablet revolution (users switch devices way more often) and the stricter privacy laws in Europe (anti-cookie laws).

Now they either require you to login to get the "mobile" experience, like Facebook or Twitter, or they use probabilistic statistics to identify you without cookies.

That guy reading a newspaper in the park with a paper bag over his head and 4 goons on the lookout, feeding us uninformative/unlikely data, that guy is with 90% certainty Jacques Mattheij.

(When cookie-tracking was more common we set up a cookie-swap program. Stopped after a few months out of security concerns.)

This is - unfortunately - spot on, and there is much worse to come.

It's funny how a law that actually confirms a right that is solidly anchored in the declaration of human rights would result in technological circumvention rather than - the expected outcome - compliance.

Yes. And yet, you've also described a general phenomenon, I think. (e.g. the discovery of loopholes in tax law.)

If necessity is the mother of invention, profitability is the mother of circumvention.

(Great blog post, btw.)

There are some plugins that do that. Adnauseam clicks on every ad: http://adnauseam.io/, and TrackMeNot continually makes random search engine quieries: http://cs.nyu.edu/trackmenot/.

Would that be feasible to automate as a browser extension? Something like Ghostery, except that tracking scripts are run in a sandbox that returns random but feasible data for API calls?

I think (but I'm far from an expert) that it would be easy to filter out this fake information. Especially if it's obviously fake like "I've been all over the planet." A bit like spam vs "real" emails.

>feed all those trackers with fake information

If you're going to war, sure. But that's a lot of wasted resources.

One would hope that we can find a peaceful solution. But war is always an option.

It's already a war - not only according to the article.

Wow, that is genius. If there was such a thing, something like uMatrix, but that automatically feeds trackers with complete garbage, I'd install it in a heartbeat. The problem is that you will always reveal your real IP when you establish a TCP connection, unless you are using a proxy.

It's funny how much more relatable the whole privacy debate becomes when transposed to the physical world.

Some will disagree, but I think the comparison was spot on.

Exactly. I am using the same analogy to explain non-technical people about tracking, ads, surveillance etc. so that they can relate. Otherwise the abstract technical concepts seem like coming out of a science fiction story to them.

Add the part where one of the bouncers starts their own targeting company and does deals with some of the other targeters.

Good one, will do.

The solution would be a decentralization. Tracking is a real threat when we only have 1 search engine, 2 social networks, 1 retailer and a single ad network. The web has created global-scale monopolies faster than before , and it seems like the centralization of VC capital and IT talent is permanent. Tracking becomes less of a problem when they are unable to follow you everywhere.

This reminds me of the surveillance camera man - http://youtu.be/jzysxHGZCAU

I just disabled third-party cookies on my phone and computer. I'll see if it causes me any problems.

I already have adblock plus on my computer.

Once upon a time I used to work for a multinational company that did retail audit. They had developed a program which adjusted the ads a selected group of people were watching on their TVs. Then they provided them with special debit cards and monitored the relevance between viewed ads and purchases of goods in super markets. All that around 1999. And that was just once of a multitude of technologies they used. They also had a technology where a camera was tracing face movement to identify which items on the shelves attracted more attention by gender and age. I can’t even fathom what they’ll be using these days. Profiling is the holy grail of the marketing world. At least online we have the option of ad blocking. Offline we’re helpless.

I have blocked as much trackers as i can. Having said that, i know why they exists. See, when John produces shampoo, he needs to sell it. The only way is to advertise, one way or another, because without advertising, public knowledge, the shampoo does not sell. Now John does want to spend as less to ads as possible, that makes sense, since we, the customers, end up paying about that too. To spend less, John needs to show ads only to core group of buyers, for that he needs to know, who you are. Tracker does that. Shampoo costs 5 bucks. How much you agree to pay for that with advertising costs included? 6? 16? Really, are you ready to eat up 200% advertising markup? I have no idea, frankly.

Reminds me of Surveillance Camera Man:


What you probably missed is if I am a big enough retailer, I can pay off your bouncers to still follow you from a distance and still show up on your newspaper on one side since I have more than you and can pay off your bouncers to work for me while they still pretend they are protecting you. Just an example:


No, that's in there (near the end).

Cool. But, do you think a paid model for consuming content would work given the number of content sources and the frequency with which a user visits a single source? Don't content creators depend on some form of revenue and trackers are used to optimize the revenue.

I don't think advertising and tracking need to go hand-in-hand the way they do right now.

I'm all for blocking ads, tracking or non-tracking, analytics, etc. and wish swift bankruptcy on the propaganda-advertising industrial complex but this is silly. The analogy between physical world and the Internet is not valid or insightful, just like it isn't in case of piracy/stealing. Collecting info on what you read online is nothing like breaking into your house.

Picture your insurer scrolling through your browser history when you're renewing your health plan.

In small towns and pre-industrialization, stores had a tracking regime that puts Silicon Valley to shame: the shopkeepers knew you.

They didn't need credit cards or scores because they could identify your store credit account by your face, and your creditworthiness by your family's reputation.

If you were buying something out of the ordinary, you better believe your parents/spouse/church/friends/entire town would hear about it from the shopkeeper, who knew them all as well as he knew you.

A juicy conversation on a party line telephone shared with neighbors, interesting metadata on the postal mail also handled by people who know you and your business, a sighting in public with someone not your spouse, a visitor at an odd time of night, a strange car in your driveway - all these things could quickly become a public affair.

Technology is not bringing us a particularly new invasion, but it is helping at least that side of the "tight-knit communities" of old scale to modern population size and density. I think this is a horrific development, and it's certainly quantitatively unprecedented, but not qualitatively.

A large enough degree of quantity difference has it's own qualitative difference. This has been observed many times in other fields.

Are there any publicly know examples of hackers that have used tracking data for malicious stuff. As nasty as it is to have a large amount of your web history stored in a profile, I don't see a clear path to crime (perhaps extortion). Or didn't I get the burglar metaphor?

Burglar => malware or phishing through ad networks.

Sorry for being unclear, I'll see if I can tidy that up.

This might help getting rid of those that follow you: https://github.com/jakeogh/dnsgate

WOW! This is a great way to put it. Well done.

I didn't quite understand bouncers. Those are some tools for private browsing?

Ad/tracker blockers, I assume.

What's the analogue for "clearing your cookies"?

Go to every business you've ever visited, go to their filing cabinet, and remove every record that you've been there. Go to every library and bookstore and remove every record of things you've read and bought. Etc.

That's not the same as cancelling all your accounts and credit cards; you'd still have them, just not your visit data.

The most extreme thing you could do in the real world is delete your identity and start over from birth.

Disclaimer: I do digital media and online marketing for a living.

I used to help lead the paid search group at a top search agency and had a real birds-eye view of where things were moving in that role.

Everything is moving towards audiences. While keywords and search queries are signals that highlight intent, ultimately the audience piece is what the advertiser cares about--that's just one component of it. This is why FB, Google and everyone else under the sun wants companies to upload their CRM data, and then they use that for retargeting (1st party, or 1P data), or building lookalikes.

Then you have Adobe and other companies trying to get companies to sell this data on a marketplace as 2nd party (2P) audience data for retargeting.

There are also companies like LiveRamp and others that try to get companies with login data to provide cookie matches against hashed email addresses to keep cookies fresh and prevent them from just being deleted once and forever. I've been approached by these companies, and always turned them down because it just felt dirty.

That said, this thread seems to draw the usual crowd of everyone who hates anything related to advertising. I'm not going to try to change your opinions because I know that is not going to happen. However the reason all of this data gets shared is because it allows better targeting which leads to more relevant ads, which leads to more purchases.

Think about that for a second.

People are purchasing more when the content is more relevant to them. Nobody is holding a gun to their head making them take out their wallets and hit "Purchase." They are saying "this product/service is relevant to me and I want to buy it."

In that manner, advertising is helping people who want to purchase said thing. The issue comes in with the fact that because targeting isn't perfect (and I doubt anyone wants the level of tracking needed to make it so), and because a lot of advertising is building awareness (not simply retargeting and reminding you to buy something you initially displayed interest in), it becomes intrusive in a manner people dislike.

Unfortunately, because of the data available, there's still plenty of people who say "hmmm, I didn't know about this, but it seems interesting, I'll check it out" and then they purchase. So from an advertiser's standpoint looking at a spreadsheet of data they see "this audience segment had a conversion rate of X and an ROI of Y" and they keep doing it if it is profitable because that is what they are optimizing for.

I actually enjoyed Jacques piece, and I do think that there is some very questionable stuff going on in the ad space. The example of a random app tracking and selling data totally unrelated to said app is a great example. Companies are finding that they can monetize their data without visibly degrading the user experience by showing ads, and still get paid on a CPM rate for it, so expect to see more of that.

At the end of the day, I say all of this to highlight the fact that often is left out of pieces like this, which is that things are the way they are now because it works. Advertisers wouldn't be doing it if it didn't work, which means consumers are voting with their wallets in large enough numbers to keep fueling this behavior. In Jacques restaurant example, he was put off by the restaurant special promoted on his phone. I'd probably behave the same way because I've developed an aversion to the more invasive aspects of my industry and I'm overly sensitive to it now. But Joe Consumer? They see a relevant deal that will save them money and say "hmm, I like what they are offering, and it is a fair price, I guess that just made my decision easier" and they go eat at the restaurant. So the restaurant sees that of all the Jacques that see the ad and keep walking, for the pittance they pay they get enough Joe's in the door to make it profitable, and they keep doing it.

The positive feedback loop created by more targeting leading to higher profits means that it is working and we'll see more of it until the feedback loop is broken. Ad blockers are one avenue towards attempting to break it, and legislation is another. The question is whether pulling on those two levers will be enough to reduce the efficacy of the feedback loop to the point where advertisers stop doing this.

And a final note to those who might respond to my post. Please note that I'm not trying to paint an overly rosy picture of what advertising does or in any way trying to defend some overreaching aspects of it. I think people should own their data and be entitled to controlling how it is used. That is not the reality of the world we live in though, and so I'm simply making observations about how it impacts the various parties involved beyond just the protagonist of Jacques' story. I think there are more "clean" ways of doing advertising, that rely on a strong creative message, etc. Or viral ads that get shared because they are creating great content. But at the end of the day the media person's job is to take that ad/content and get it in front of the audience they are targeting.

Ads and tracking going hand-in-hand is the problem. If the advertising industry had not embraced tracking I think that the backlash against advertising would not be as strong as it is. It should be possible to receive an advert without also giving up a huge chunk of privacy.

That's one stance, but do you think it results in a more relevant experience for most people (emphasis on "most) viewing ads when they see products that are more likely to interest them (because of audience data or retargeting data) vs. a generic ad?

And from an advertiser standpoint, if the targeted approach is vastly more profitable than the untargeted approach of how things worked in the early Mad Men days (and it most definitely is), I have to say I can't really blame them for taking that path.

I'd be curious if there are any companies out there who position themselves as "ethical advertisers" and do what you outlined in terms of advertising without the privacy tradeoff. I'd also be curious how they might fare against competitors who don't take that stance. Again, people are voting with their wallets, and right now they are saying that they are ok giving up their data in exchange for free content, and that they'll continue buying things from companies who leverage said data to communicate with them.

> That's one stance, but do you think it results in a more relevant experience for most people (emphasis on "most) viewing ads when they see products that are more likely to interest them (because of audience data or retargeting data) vs. a generic ad?

They may spend less money, so it is clearly a 'win' for the advertiser and the property to do as much tracking and profiling as they can get away with (and they do).

> And from an advertiser standpoint, if the targeted approach is vastly more profitable than the untargeted approach of how things worked in the early Mad Men days (and it most definitely is), I have to say I can't really blame them for taking that path.

I don't blame them either, but then they should not blame the users for the inevitable backlash.

> I'd be curious if there are any companies out there who position themselves as "ethical advertisers" and do what you outlined in terms of advertising without the privacy tradeoff.

Unfortunately the good are suffering with the bad.

> I'd also be curious how they might fare against competitors who don't take that stance.

They made less money in the short term. But in the longer term there may be some life there, too early to tell.

> Again, people are voting with their wallets, and right now they are saying that they are ok giving up their data in exchange for free content, and that they'll continue buying things from companies who leverage said data to communicate with them.

That's mostly because people have no idea what is in their profiles in the various silos.

It's a bit like getting people to click blindfolded on a EULA and then later to say 'hey, you agreed to this', which in my opinion is simply not fair and taking advantage.

I think your last point on comparing against EULA's isn't the best fit here. If I see an ad, the actual data that led to me seeing that ad doesn't suddenly make the product I'm seeing an ad for less of what I might need. It might make me question the business I would buy it from, but there's a big difference between agreeing to purchase something where the terms of the transaction are known (you are buying X, this is the return policy, etc.) vs. clicking an EULA where you decided not to read it (which is the other reason I think this was a poor example...the EULA is there, people just choose not to read it).

Ah, but you got the timing wrong. The EULA reference is about the terms and conditions under which you are viewing the website - and therefore the advertising and all associated tracking mechanisms -, this happens prior to you viewing the ad and once you are on the page you are somehow magically bound by these terms but all the bad stuff has already happened.

Ah--sorry, I thought you were drawing an analogy against software installation EULA's that people typically click through.

I definitely concede this is a valid point in that visitors aren't exactly given a chance to opt out. I think we can both agree that if it were opt in, that wouldn't satisfy advertisers, but I think the EU approach around cookies is a bit heavy handed and ruins web experiences. I wonder if there isn't a happy middle ground somewhere.

Again, make no mistake, I think users should be in control of their data and data ownership is going to be one of the hot button issues of the next decade as tracking only becomes more pervasive and data storage becomes cheaper. But I also think that a large number of people like to jump to the conclusion of "I hate advertising" while at the same time buying stuff because of relevant, highly-targeted ads. What people don't realize is that publishers and such would have to resort to even more aggressive placements and approaches to make up the greater lack of revenue they'd suffer if they weren't able to offer highly-targeted inventory.

Jacques, you are definitely one of the standout posters on HN and I've come to recognize and respect your viewpoints as someone who has a pretty solid understanding of the ad industry and its various components. While I appreciate the perspective you painted in this piece, I'd challenge you to play devil's advocate and write another version of the story from the standpoint of an advertiser, a publisher, or a consumer who is less sensitive to advertising than you or I may be. This is a complicated issue and I don't think it is as black and white as your story makes it out to be. Exploring all sides of a problem tends to bring out those gray areas than just a single viewpoint.

Plus I'm a fan of your writing style, so I'd love to see this sort of analogy extended to the other players in the game ;)

Tough challenge, but I just might take you up on that. Keep in mind it took me > than a month in wall clock time to write this post so it will be a while if anything comes of it. I don't write these things in one go, I write an outline, let them sit for a bit, then update and bit by bit it becomes what I'd like to send out. So no 'quick response time' on anything like this.

But that's definitely a valid request, the viewpoint shift alone would be worth doing because it may help to figure out what could be done instead.

I think the publisher is the most interesting perspective of the options you listed and one that I can identify with.

Awesome and glad you find it to be an interesting challenge. Of course totally understand if it falls off the list, but I for one would love to read it if you decide to do it.

I'll do it. Can you drop me a line, I'd like to email with you on the subject.

For the first few seconds, i thought you're talking about real people who're tracking you. Later i realized.. Great writeup. So, true.

I find it infuriating how much traction this whole anti ad/tracking war is getting.

People mention there's no choice anymore. Wrong! It's still there, just like it was 10 or 15 years ago. Stop sharing your personal information online and the whole tracking thing doesn't matter anymore.

This analogy seems completely flawed imho. Nobody can get inside my home, or force my door or any of that nonsense, unless I specifically allow them when they ask!

I fail to understand how all these trackers can read my browsing history without me installing <popular plugin> and allowing it access to my browser? Or how are they going to read my contact list from my Android phone, or the one from my Thunderbird? Through thin air?

Nobody took the choice from us, we just happened to open wide our front and back doors, and then complain that random people come in and look through our stuff.

That you don't understand how it works even in the abstract is maybe an explanation for why you think it is infuriating that others are more concerned than you.

Being online is no longer optional, giving merchants and authorities your information is in many cases also no longer optional.

If you stop sharing your personal information online you will not be able to participate in a very large chunk of society's functions, some of which are mandatory. Heck I can't even the local tax office website without receiving a bunch of stuff that tracks me.

Applications are open for YC Winter 2022

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact