Funding Choices – Google’s new tool for GDPR compliance and content monetization (fundingchoices.google.com)
233 points by celere on Sept 17, 2018 | 163 comments

I'm still surprised no one has yet figured out a way to store sensitive data about personal interests and preferences on the client-side and let the client itself pull appropriate ads for the user to see. The quality of such a system should be comparable or better to server-side technologies with the right amount of tuning, and much less privacy-invading than existing approaches.

Personally I'd love to support more websites through ads if two conditions could be met:

- A way to ensure that ads don't try to harm me by e.g. leading me to websites serving malware or abusing my computer's resources (e.g. miners)

- A way to keep my privacy and control what data is collected about me (and who has access to that data)

Currently I simply can't turn off the ad-blocker even if I wanted as most sites become completely unusable and outright obnoxious by showing large, blinking or content-hiding ads, videos, popups or fake overlays. That's why most people use ad-blockers (IMHO). If ads are decent, relevant and non-obtrusive I personally would be happy to see them.

Also, go to any large website these days (without ad-blocker enabled) and check how many third-party trackers they load. There are many sites that send my data to more than 50 (!) different ad networks and partners, which is just insane.

Brave, with the Basic Attention Token (BAT), is building exactly the client-side anonymous contribution + ad-matching system you describe. We will take BAT to other apps after proving the model in Brave.

BAT in Brave is opt-in -- each user consents before anything local happens with data or zero-knowledge/blind-token attestations -- and users can get _gratis_ BAT grants right now using the stable desktop browser (this is coming to mobile in about a month). The anonymous contribution system is the basis for the also-opt-in Brave Ads system, which uses local data only, local machine learning agent, and no cookies or user tracking by any server (even ours). Ads match against a catalog fixed daily or less frequently for a large set of users in a region who speak the same language. Attribution and confirmation use Chaumian blind tokens.

Users get 70% of revenue for opt-in, user-private (in tab), high quality ads at user-configurable frequency. We are working with publishers to provide user-opt-in ads for sites too, 70% revenue to the publisher, 15% to the user. User ad trial is under way right now, ping me if you want to be included. System should be available in Brave 1.0 in a couple of months.
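The Chaumian blind-signature idea behind the "blind tokens" mentioned in the comment above, as an added example that is not Brave's code or its actual protocol. It uses textbook RSA blinding with a constructed toy key, and every function and class name is an assumption made for illustration.

```python
import hashlib
import math
import secrets

# Constructed toy key built from two well-known Mersenne primes.
# Illustration only: far too small and too predictable for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent


def h(token: bytes) -> int:
    """Hash a token into Z_N (textbook construction, no padding scheme)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


def client_blind(token: bytes):
    """Client hides H(token) behind a random factor r before asking for a signature."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    return (h(token) * pow(r, E, N)) % N, r


def issuer_sign(blinded: int) -> int:
    """Issuer signs what it is given; it never sees the token or H(token)."""
    return pow(blinded, D, N)


def client_unblind(blind_sig: int, r: int) -> int:
    """Strip r to obtain an ordinary RSA signature on H(token)."""
    return (blind_sig * pow(r, -1, N)) % N


def verify(token: bytes, sig: int) -> bool:
    return pow(sig, E, N) == h(token)


class Redeemer:
    """Accepts each validly signed token once (replay / double-spend check)."""

    def __init__(self):
        self.spent = set()

    def redeem(self, token: bytes, sig: int) -> bool:
        if token in self.spent or not verify(token, sig):
            return False
        self.spent.add(token)
        return True


def issuer_link_candidates(issuance_log, token: bytes):
    """Issuer-side linking attempt using its private key.

    For each logged blinded value b it solves for the r that would tie b
    to this token. A consistent r exists for every record, so the log
    gives no information about which issuance produced the token.
    """
    m = h(token)
    m_inv = pow(m, -1, N)
    hits = []
    for b in issuance_log:
        r = pow(b * m_inv % N, D, N)
        hits.append(m * pow(r, E, N) % N == b)
    return hits


def demo():
    token = b"constructed-ad-confirmation-token"
    # The issuance log holds blinded requests from three different clients.
    log = [client_blind(b"constructed-token-user-a")[0],
           client_blind(b"constructed-token-user-b")[0]]
    blinded, r = client_blind(token)
    log.append(blinded)
    sig = client_unblind(issuer_sign(blinded), r)

    redeemer = Redeemer()
    return {
        "first_redeem": redeemer.redeem(token, sig),
        "replay": redeemer.redeem(token, sig),
        "forged": redeemer.redeem(b"constructed-unsigned-token", sig),
        "link_candidates": issuer_link_candidates(log, token),
    }


if __name__ == "__main__":
    print(demo())
```
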

I'm a big fan of that idea.

Imho the beauty of your BAT system (the way it is envisioned) is its independence from the current model of monetizing the web, which is ads, gradually evolving towards direct transmission between publisher and consumer.

Ads in the way they work on the web are just a very inefficient system of transferring this value, and they don't serve the original function of marketing anymore. It turned into a big game of psychological warfare.

The system is so inefficient that it finances almost the complete operation of Alphabet/Google.

As a user I don't know how the system works in the background, and when I read the recent news about Brave attacking Google for GDPR violation it was the first time I read about RTB and the technical aspects in the media. People need to know, so they can decide if they want to feed such a system!

Funding Choices seems to be a part of Google's answer to the growing problem of ad-blockers, but it can also be seen as Google's answer to competition like Brave/BAT.

I read somewhere that under the umbrella of Funding Choices Google is also experimenting with subscriptions like BAT, but without the token.

I don't know how successful Google is with this, but this might be a tough competition for Brave, they will fight tooth and nails, and they control the Android ecosystem.

BAT is attractive for power users as you ride on the wave of privacy-friendliness which Google can't, but I think the real challenge will be the average user that wants a standardized, seamless cross-platform solution that can be used as the main payment gateway for accessing content, which is increasingly via gated Apps.

With Google controlling so much of the market with Android and Chrome, I wonder how they will react to BAT if it ever becomes successful, as they could theoretically quickly scale any competitive project.

I think the biggest advantage of BAT would be if big players could acknowledge it as a de-facto standard for decentralized transfer of micro-payments and privacy friendly ad networks. For this to happen it would be necessary to be somewhat "Open-Source", i.e. not strictly tied to a single company controlling much of the tokens. I am thinking in line of an open consortium with different players holding a significant part of the BAT tokens each.

Thanks for the comment.

On your last paragraph, we can't standardize the BAT ecosystem until it is proven, and as it consists of more than the ERC20 token -- specifically it includes endpoint software currently developing in Brave, plus an anonymous accounting service alongside the Ethereum blockchain -- it won't be proven via the existence of the token alone.

On a future blockchain with anonymity, high throughput, and low fees (a trilemma?), the BAT ecosystem could be fully decentralized. That blockchain does not exist yet.

So our roadmap divides and conquers (the Mercury, Gemini, and Apollo phases), and we will expand beyond one browser when the system is ready, some time next year in my best guess. In particular (as noted in my other comments here), we need a high-integrity and fraud-resistant open source SDK.

Note that the BAT has diffused since inception to over 69,100 holding Ethereum accounts (https://etherscan.io/token/tokenholderchart/0x0d8775f6484306... -- you can see our User Growth Pool and Bittrex's liquidity pool as the top two accounts). The remaining roadmap work items are about token mechanics not token ownership.

> The system is so inefficient that it finances almost the complete operation of Alphabet/Google.

Since Youtube is wildly unprofitable, Alphabet/Google has to be funneling in money generated from other sources. Thus, Youtube is funded by ads, just mostly not from the ads on Youtube.

It was mentioned in a private email that the only reason YouTube exists is that Google's servers happened to have a lot of free disk space in the days before SSDs.

Is the limiting factor for youtube really disk space? I would imagine it is bandwidth.

YouTube was a separate company acquired by Google in 2006: https://en.wikipedia.org/wiki/History_of_YouTube

Yep, I mean YouTube existing within Google obviously.

How will you prevent the user from "opting in" but then not displaying the tabs? E.g. an extension could render white boxes in another (mostly transparent) window above the browser, thus acting like an ad-blocker.

Brave's agent is C++ built into the browser, it prevails over extensions (which we will also guard against at the point of installation).

It is a mistake to think of the BAT ecosystem fraud threat (which exists, for sure) as the same as the threat with remote scripts for ad view or click attribution and confirmation as practiced by ad-tech today. Third party scripts run without any integrity guarantees, so get fooled by fraudbots and cheated by other scripts (see "cookie stacking").

The "plane of adequation" defining truth as correspondence between an ad and its observed effect is browser native code, not Nth party scripts loaded into a DOM stew on page, or extensions and their JS scripts, which have privileges above page scripts but below browser native code.

Therefore the fraud threat to the BAT platform is a botted Brave instance including the BAT SDK. This is why we are planning to use secure remote attestation enclave/zone tech to ensure SDK integrity, and sensor M/L to check all the sensors for proof of humanity.

So for fraudbot users to get money out requires a costly simulation (see AML/KYC/etc. point I made in another reply today). Just hiding ad tabs (without faking identity for KYC/etc.) to waste ad spend would require faking the payable ad actions attested by the SDK, including human-like event streams.

Fraud risk never goes to zero with humans in the loop, but with BAT's native agent code, we keep the cost of fraud way above the low cost of fooling today's ad-tech scripts on page.

Thanks for the detailed post. It's awesome that you folks are trying to fix the funding model of the web.

Any chance of putting Brave on F-Droid? It's the only app on my phone that I manually download/update. Totally worth it though :)

It is on the Android team’s todo list. If you want to help please dm me on Twitter. Thanks.

Thank you for the details.

Do my IP address, sites I visited, date/time of visit, geo-location ever get stored on a server outside (e.g. outside my phone or the computer I am browsing on)?

None of those get stored or even sent, except of course for IP address.

IP address is not yet masked for update pings (same as for all self-updating browsers, required for security patching) and for similar pings to check for updated ad/tracker blocklists. If you do not opt into any BAT ecosystem features (contributions or ads, which enables contributions), then your IP address is not otherwise used, but it does show up in our logs. See https://brave.com/privacy/ under "Technical Infrastructure".

(We'd like to do the update ping via Tor since we have Tor tabs already, but this is in the future.)

If you opt into BAT features and take free BAT grants from us, then IP address and a wallet identifier are used for antifraud purposes, but not otherwise. This is covered in the privacy policy at https://brave.com/privacy/ under "Payments".

Given that the individual take from this would be miniscule, what’s the advantage over an ad blocker? This sounds like a lot of faux-currency nonsense for little reward (client side at least) to fix a problem that already has a working solution. Plus, the existing solution blocks all ads, and tracking scripts, which is a huge win.

The individual take has yet to be demonstrated, but do some math. $80B gross USD (at least; the IAB said $88B) spent on digital in US last year, say across 250M people (with Dr. Augustine Fou of NYU estimating fraud took $16.2B, lots of bots too). That is $320 gross ARPU if spread evenly -- which it is not. (Note we are worldwide and build for Europe and Asia too, not just at the US.)

Many of Brave's users at this early stage are "lead users" (Eric Von Hippel, MIT) and represent off-the-grid prospects because they block assiduously, either in Brave alone or with Brave + uBO or another solid blocker. Lead users are worth much more due to their high usage of search, ecommerce, and paid services. I would not be surprised if our users can make $70/year as we bring the system up in 2019 -- when ad deals will be harder to come by and we'll subsidize revenue from BAT's User Growth Pool -- and climb by 2020 to above .7 * 320 or $224 net user revenue per year.

Let's find out! We aim to find the fair price for human attention after blocking all the fraud, arbitrage, and abuse in the current system, using the BAT ecosystem.

Note that by default, user revenue share flows back monthly and anonymously to each user's top/pinned sites and creators on YouTube, Twitch (and more UGC platforms to come). We expect most users to avoid the bank-like AML/KYC/anti-sanction/anti-fraud checks required to take out their revenue, but legit users are welcome to cash out (our partner Uphold, and more to come, can exchange BAT <=> many fiats and cryptocurrencies/tokens).

If we are right, then most Brave users, with their individual data sets and Brave instances/agents, will in effect replace the corrupt, crowded intermediary space using and abusing remote scripts to target and confirm ads today. After we have the model performing, it's on to other browsers, games, podcast apps, and so on.

To support your numbers somewhat: iirc at one point about 5 years ago Bing was giving out ~$120 a year in Amazon gift cards if you were a heavy searcher on Bing

People already pay more than that to avoid ads on things like YouTube, Hulu, and other services. Given that people often spend quite a bit of time online, I wouldn’t be shocked if they’d be willing to not pay, but just “miss out” on a fraction of what they’d actively pay to avoid ads... to avoid ads. That of course is all before they consider that the system is designed to avoid them ever cashing out.

I’m guessing the population aware of and interested in ad blocking and the population willing to half ass it in Brave is very slim indeed. I suspect that a majority who have become motivated to use an ad blocker and especially a script blocker have no patience left for any incarnation of advertising, regardless of fractional “rewards” on offer.

We full ass, never half ass :-P. Also, nice try suggesting we get only a subset of users who care about ad blocking -- our main win vs. Chrome is speed, 2-8x faster on top news/media sites on mobile, and correlated lower data and battery costs.

Your negativity aside, the test has not been run to completion where it matters, in the market. I keep noping out of YouTube Red or TV or whatever it's called, because Brave blocks all ads there and (with forthcoming work to enable playback controls in various settings including cars) easily beats the pretty-terrible YouTube mobile app.

The idea of charging for Brave that you lead with occurred to us, but browsers and even non-corrupt ad blockers are free, so it looks like a high hill to climb. Perhaps with the slicker video controls and integration work, but anyway, glad we got past the assertion about "miniscule" revenue to users. In my experience, paying users beats charging them :-D.

> I'm still surprised no one has yet figured out a way to store sensitive data about personal interests and preferences on the client-side and let the client itself pull appropriate ads for the user to see.

When I was at Middleware2017 I saw a poster/demo about this, MoCA+: https://koreauniv.pure.elsevier.com/en/publications/demo-moc...

I guess the problem is the same as with privacy techniques in general. If you ask companies to restrict their access to data, they just tell you no(1), as it might be worth a lot of money or open up new business opportunities they haven't thought about yet.

(1) This is anecdotal from projects of my colleagues in privacy research

I think another issue is the first rule of network security - don't trust the client.

That cuts both ways, so we trust the client (users have to, even if remote sites do not) and do not trust servers to take individual user data in the clear and use it wisely & fairly. This applies to Brave servers too. Flip the model.

This is the big idea I always pitched at hackathons (like startup weekend). I think it’s a great idea. 100% opt-in ads. My tagline was “a sufficiently relevant ad is indistinguishable from content.” It’s meant to be aspirational. The idea is that if you are looking to buy something, awareness of choices or information about that choice should be so valuable that it’s considered to be a benefit by the user. It’s basically an inversion of control approach to ads. The CPCs and CPMs would be amazing. :)

Unless I specifically seek them out, I have no interest in learning about new products or services ever. Thus, an ad would never be relevant enough to be content for me.

Well I do. Sometimes there's a product or a service that can provide value in a way I haven't thought about, or I haven't come around to specifically seek out yet. I don't mind seeing ads for such things.

What I do mind is seeing ads for stuff I don't care about at all, and if the ads get in the way of what I'm doing.

I've been considering buying a 3D printer lately. I don't have a lot of experience in the domain and I'm not sure where to start, so clearly I'm actively looking for information regarding 3D printers.

What I'm definitely not looking for is ads. Actually I try to avoid anything that might remotely look like one, from official websites (obviously) to comparisons of 3D printers that look like they could be biased one way or an other. Because obviously every company selling 3D printers is going to tell you that theirs is the best you could ever find. Even if they don't outright lie they'll put the emphasis on their strong points while conveniently forgetting to mention the drawbacks.

I really think ads are useless from a consumer perspective. I can believe that there was a time where the best way to reach potential buyers was buying an ad in the newspaper but with the ultra-connected society we're in it's just a waste. Make a great product, send it to a bunch of influential bloggers in the market share you target to review and if it's good the word of mouth will do the rest.

In a society where you can find reviews and recommendations for basically anything online, why on earth would I ever want to see ads? If you need to convince your potential customers that they need your product by spamming them, maybe your product is not that useful in the first place.

Of course the dark side of this is that of course marketing has caught on, now we have "native advertising" and people getting paid to pretend that they like something.

I think ads are useless when you want to decide within a product category ("Which 3D printer should I buy?") but they can help you become aware of it in the first place ("There are affordable 3D printers now? Maybe I should get one.")

Unfortunately the majority of the consumer market revolves around a few common products and so most ads are about shifting revenue between functionally identical brands.

But I do occasionally see ads for relatively obscure stuff that might cause such an "I didn't know that existed." experience for other people. (I'm apparently hard to target.) For example https://news.ycombinator.com/from?site=viva64.com are essentially ads, but they are still interesting to read, and afterwards you might be in the market for a code analysis tool.

You always see high conversion rates for new ad mediums, and those rates reduce over time as marketers abuse consumer's attention.

One of my favorite examples is Amazon reviews. Once upon a time, those were legit and you'd see consumers referencing online reviews for products even if buying the product in a store physically, because it was valuable content.

Now, the reviews are so untrustworthy there are multiple sites that automate going through them to flag BS.

The unfortunate thing is that even after an ad medium becomes ignored by the majority of an audience, there's still an audience that's one to two standard deviations below the norm in suggestibility that get preyed upon by advertisers. So it's those people that are the 0.1% clicking on general banner ads and purchasing a product. These are the same people that "call now" for those late night TV marketing commercials.

So the cycle for any ad medium is to get the attention of an audience, abuse it until most people stop paying attention, and then prey on the suggestibly handicapped. It's a shitty industry, and quite unfortunate as if everyone could agree to not be awful, the fundamental feedback loop is one intrinsically motivated (find out about crap I'm highly likely to enjoy). But we're talking about a class of organizations (corporations) that can't even self regulate when lives and health are on the line, so that's certainly not going to happen for ads.

>...people getting paid to pretend that they like something

If I remember my history correctly, this is how the very first radio sponsorships started as.

Right - a certain segment of the population is incredibly valuable for exactly this service.

I include myself in your description - love seeing relevant ads. There's a sweet spot there between those with high disposable incomes, high open mindedness and high affinity for novelty.

This population is by far the most attractive consumer for advertisers.

So when a friend talks to you about a product they recently used and loved and think you'd love as well (and I don't mean a friend on MLM payroll), you aren't interested in hearing about that recommendation?

And I'm guessing you skip over any HN posts that are about a new product or service you weren't already aware of?

There's a reason word of mouth is the most influential medium for converting to a sale, and it's because a recommendation from a friend is typically not "polluted" by advertisers lacking scruples - so the "pitches" you hear are about things someone who knows you decently well thinks you'll like, and only for products/tv shows/services that the person actually thinks are good.

It's also part of why recommendations motivated by affiliate rewards or MLM sales are seen with such disdain, as it's behavior from a friend that crosses a line for acceptable behavior.

If we only saw ads online for things that matched our interests AND are very good products, we'd have a different attitude about advertising (but that will never happen, as it requires prisoner's dilemma type agreement across too many parties).

>If we only saw ads online for things that matched our interests AND are very good products

I see your point, but for me, even this is not true. I don’t need to buy things, yet I am susceptible to advertisements. Ads just convince me to buy things I don’t need. The ads you describe would be even worse. I would prefer instead to never hear about new products or services.

But you read HN don't you? Can you tell articles from ads here? What about Paul Graham's submarines?

Being tricked by false headlines and articles published as news when secretly advertisement doesn't lead me to opt in to more ads.

It depends on how useful the advertising is. It's not the tracking or privacy the regular user is most concerned about, it's the everyday experience that tells him advertising is still stupid and annoying.

Despite all the billion dollars ML systems with gazillion of factors analyzed on petabytes of data, all we've got is 'hey, you googled for a 10uA accuracy bench multimeter yesterday! now for two weeks we will show you all the $15 multimeters ever existed!'.

Look at this (don't worry, it's short one-page) thread for example of how it might be instead - https://www.eevblog.com/forum/testgear/benchtop-dmm-advise-n... - and what if the message from Tek engineer that closed a deal was actually advertising? He just posted a link to relevant appnote, that's it. What if an automatic advertising system showed the same link to the same appnote as an advertisement to the same user?

Yes. I don’t know. I don’t know what those are.

Do you ever look at HN without knowing what you're going to see?

This is the idea behind the Brave browser, right?

The cheap CPC and CPM is why Google and Facebook would never consider doing that. Especially Google I've noticed recently that they try to be as misleading as possible to new advertisers to get them to pay a lot of money for crap ad targeting. For instance they call what are effectively ad interactions clicks and refer to the cost as CPC even though in all of Google's other ad types CPC refers to click to website. But in Gmail campaigns it means ad interactions which convert to almost an order of magnitude fewer clicks to website but the advertisers pay at best only half the cost of regular clicks.

Star Wars of all things provides an interesting vision here. Did you ever notice that for the most part the machines/robots are not networked? That AI seems to exist but is intentionally kept dumb (C3PO).

I think this is an interesting model. To, as a society, come to the conclusion that more connection of devices, smarter AI is not the right solution. That what works best is the right amount of connection and AI.

Except that they helpfully leave unsecured network ports all over literally every ship and building so that R2 units can plug in and do whatever they want. We can ignore that part for a “right amount of connection” example.

See also: Butlerian Jihad.

This is an intriguing idea! Thank you for bringing it forth.

Out of curiosity, how familiar are you with how ad systems work? Generally there's a huge inventory of ads, each with different criteria attached to them and metadata about bids. When a request comes in, ads whose criteria are met are selected out and an instant auction takes place. The resulting ads are then shown.

I cannot think of a way that allows for both honoring the ad criteria and keeping personal interests and preferences solely client-side. You can't even take advantage of any form of encryption here, as the results of the filtering would allow the server to infer the private data. This means you'd almost certainly have to get all the data to the client to allow querying locally.

OK, fine, that's workable. Then you just track impressions and so on to figure out when advertisers get charged. A potential drawback is that it's very possible that with impression and click data it could be possible to reconstruct most or all of the data a user might wish to protect. And there's no way to get away from this, either - pretty much all online advertising models rely on tracking one of impressions, clicks, and actions.

As for your two conditions:

> - A way to ensure that ads don't try to harm me by e.g. leading me to websites serving malware or abusing my computer's resources (e.g. miners)

Policing the contents of ads can be quite the task. Ensuring the contents of arbitrary external websites is next to impossible. There are no good ways to do this in a fully automated system at scale when someone else controls the other server and can change what content it serves at their discretion.

The best way I can think of to ensure this is to limit access to this hypothetical advertising platform to entities with the expertise and resources to protect themselves and anyone who comes into contact with their servers. Works for me, but being shut out of access to the biggest and best advertising systems might be a problem for many groups.

> - A way to keep my privacy and control what data is collected about me (and who has access to that data)

You know what? I think I know exactly what you want. You want the newspaper model. Collects no data from you, preserving your privacy. Only accepts advertising from partners that can be trusted, ensuring your safety. Doesn't need to closely track impressions, views, or actions.

> Generally there's a huge inventory of ads, each with different criteria attached to them

I think what he is describing is a future where the ONLY criteria ads are selected on is the standard user data set. Basically I open my browser settings, go to its "relevant ads"-section, enter some basic ad targeting info such as my age group, gender, and 2 hobbies.

Then because I entered "fishing" as an interest, I'll see a lot of fishing gear ads. Great!

If I'm NOT willing to enter any targeting info into my browser, or if I enter bogus info (or install a plugin that randomizes the info) then sites will not show me relevant ads.

I don't mind seeing ads for fishing gear if I told the site I'm interested in fishing. That's completely fine. I do mind seeing ads for hotels in San Francisco just hours after I searched a different site for cheap flights there, or ads for that exact shoe I made an incomplete checkout of in a webshop store last week etc.


In that case, it's going to fail the test of being just as good pretty hard. Being able to target flexibly and based on user actions (or location, or other salient data) is really valuable to advertisers, in a measured-in-units-of-currency sense, and thus to publishers. It means better results from more narrowly targeted ads, and it also means more valuable ads to publishers.

It's perhaps not impossible, but it strikes me as a difficult thing to convince advertisers and publishers alike to take on.

> fail the test of being just as good pretty hard

Yeah I don't see the online ad business ever adopting something else because it's "as good", I think that browsers should drive this and ensure sites simply don't get this type of information, so the adoption to something better (for consumers) is driven by necessity.

The adoption of a system like the one I'm describing rests solely on the fact that the current information ads are based on, would dry up for one reason or another. Either because they don't dare use it (regulatory) or because they simply never get the information (technical).

I was under the impression that the past years of rapidly evolving DNT, third party cookie blocking, widespread use of adblockers (even in phones) etc was already rapidly drying up the amount of information available to track users? Perhaps I'm overly optimistic?

The ad industry has proven very good at finding new ways to track people, defeating each new approach to block tracking. They've proven similarly good at learning to infer things they haven't actually been directly told, which is very helpful for getting around regulatory barriers.

In practice, not everyone keeps up on their patches, meaning they tend to be vulnerable to known tracking methods. Total ad blocking prevalence is not as high as one might guess: https://digiday.com/media/ad-blocking-charts/

Additionally, neither Apple nor Google is incentivized to make it easy to block ads on their devices. The only people I know who have done so are ones who have gone to non-trivial lengths to accomplish this.

Sadly, I think you may be excessively optimistic.

> Yeah I don't see the online ad business ever adopting something else because it's "as good", I think that browsers should drive this and ensure sites simply don't get this type of information, so the adoption to something better (for consumers) is driven by necessity.

Pretty much AdBlock could do that.

It lets you opt out of serverside-profiled and unprofiled ads, and opt-in into relevant ones profiled on client side.

In the late '90s there was a place that did something like that. That was a time of slow internet connections, with a majority still on dial-up.

They had a product for Windows computers that provided a caching, prefetching web proxy. The deal with it was that if you let it show you ads occasionally (I think it was whenever you launched your browser to your homepage or once a day if your visits to your homepage were less frequent) you could download all of the company's other Windows programs and use them free as long as your browser was configured to go through the proxy. These were programs that normally were sold on floppy or CD-ROM for $20-40 each.

The way the ad delivery worked is that the proxy would download ads, which consisted of an HTML page and some additional data. When you went to your homepage the proxy would serve up one of the ads instead, with a link inserted to take you to your real homepage.

There was a Forth-like language built into the proxy. The additional data for an ad could include code written in this language, which would be run when the proxy was choosing an ad to show. The code had access to various things the proxy knew about the local system and user. It did not have any access to the internet. The code would decide how strongly the ad would like to be shown at this time.

The only thing that went back to the internet in regard to ads, as far as I remember, was counts of how many times each ad was shown. (Not that it would have mattered much if more went back. As far as I know the proxy didn't really know much about you other than the physical characteristics of your computer and your internet connection. I don't think they had gotten to the point of trying to infer interests from browsing habits).

This particular approach would probably not be feasible today. They only had a handful of ads available at any one time, with the inventory changing slowly by today's standards. It did not take much resources, even for modem users, to download the entire ad inventory and keep it up to date.

Can you imagine trying to put Google's entire ad inventory on every PC, and keep it up to date, so that the client can choose the ad entirely locally?

Sounds like AllAdvantage (https://en.wikipedia.org/wiki/AllAdvantage). An inspiration in part to Brave, but of course it did not blind itself to user data as we do.

The entire Google ad supply does not need to be downloaded, just a relatively brief catalog (which compresses well) of live edge URLs and metadata (keywords, essentially), updated as new deals for a given region with large enough user base come online, and old deals expire.

This type of thing is also generally considered malware today. As a person who used to do IT support for a university, one of the most common malware issues would be Chrome extensions or whatnot switching your homepage to point to an ads-infested search engine instead of Google, and redirecting all search engine websites to the ad-infested one.

I worked on this a while ago at Mozilla. There was a presentation at ACM CCS '16 on what we did. Unfortunately the effort was discontinued, but we definitely solved a lot of the technical issues.

Wasn't that how ads were actually implemented on Firefox's homepage several years ago? IIRC, Mozilla developed it in cooperation with IAB as a solution to privacy (the ad-funded web being practically unavoidable), deployed it (maybe only in alpha or beta), and then people went ballistic over advertising in Firefox - without realizing it was a huge privacy gain - and Mozilla pulled it. Here's one article I found quickly; note that ads are based on local browser history.


And it looks like Mozilla is trying it again, though this is from a few months ago. What happened to it?


That sounds really cool, is there any documentation (papers, presentations, code) available of that effort?

This idea keeps coming up. There’s a few reasons it hasn’t happened:

1. To really leverage the personal data, you need to run it through a model and correlate it with ad inventory. Those are two things you don’t tend to want to deliver to an insecure client. Then you need to collect data on how those ads performed to update the model.

2. For all that, it’s still more convenient to manage GDPR opt-in. Don’t underestimate the convenience of centralized management.

> I'm still surprised no one has yet figured out a way to store sensitive data about personal interests and preferences on the client-side and let the client itself pull appropriate ads for the user to see.

Mozilla did this for Firefox, except a step better: the client pulled the same set of ads from the server regardless of the user preferences, but decided (client-side) what to display, so the server could never even infer behavior about the client from the requests.

Unfortunately, people didn't care, and they complained that this was an intrusion of privacy regardless, so they dropped it.

It turns out, there just really isn't market for privacy-focused advertising. People who care about privacy generally dislike advertising in all forms and block it, without regards to whether the advertising actually is an invasion of privacy or not.

>so the server could never even infer behavior about the client from the requests.

It reports click through so this isn't true.

> people didn't care

> there just really isn't market for privacy-focused advertising

My impression was that people just didn't understand it and Mozilla's communication about it was poor. That doesn't mean that there's not a market.
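The design discussed in the comments above (every client fetches the same ad set, the choice happens locally, but click-through is still reported), as an added example that is not part of the thread and not Mozilla's code. The catalog, the `AdServer` class and all function names are hypothetical, and the sample data is constructed.

```javascript
// Constructed sample catalog: the same list is served to every client.
const CATALOG = [
  { id: "ad-bike", keywords: ["cycling", "outdoor"] },
  { id: "ad-loan", keywords: ["finance", "credit"] },
  { id: "ad-tent", keywords: ["camping", "outdoor"] },
];

// Hypothetical server: it records only what actually reaches it.
class AdServer {
  constructor(catalog) {
    this.catalog = catalog;
    this.seen = [];
  }
  fetchCatalog() {
    this.seen.push("GET /catalog"); // identical request for every user
    return this.catalog.map((ad) => ({ ...ad, keywords: [...ad.keywords] }));
  }
  reportClick(adId) {
    this.seen.push("POST /click " + adId);
  }
}

// Runs on the client. `profile` (Map of keyword -> weight) never leaves it.
function selectAd(catalog, profile) {
  let best = null;
  let bestScore = 0;
  for (const ad of catalog) {
    const score = ad.keywords.reduce((s, kw) => s + (profile.get(kw) || 0), 0);
    if (score > bestScore) {
      best = ad;
      bestScore = score;
    }
  }
  return best; // null when nothing in the catalog matches the profile
}

// One page view: fetch the uniform catalog, pick locally, optionally click.
function session(server, profile, userClicks) {
  const ad = selectAd(server.fetchCatalog(), profile);
  if (ad && userClicks) server.reportClick(ad.id);
  return ad ? ad.id : null;
}

// What the server can reconstruct about a user from its own log.
function inferredInterests(server) {
  const byId = new Map(server.catalog.map((ad) => [ad.id, ad.keywords]));
  const out = new Set();
  for (const line of server.seen) {
    const m = /^POST \/click (.+)$/.exec(line);
    if (m && byId.has(m[1])) byId.get(m[1]).forEach((kw) => out.add(kw));
  }
  return [...out].sort();
}
```

Without a click, two users with different profiles leave identical server logs; a single reported click is enough for the server to recover the clicked ad's keywords.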

> I'm still surprised no one has yet figured out a way to store sensitive data about personal interests and preferences on the client-side and let the client itself pull appropriate ads for the user to see.

Correct me if I'm wrong, but isn't that the idea behind Brave? Blocks ads and (assuming you opt-in) replaces them with less obnoxious ads chosen by the client?

Or just show ads relevant to the content? What better indicator of what the user is interested in right now?

An ad which is relevant to 1% viewers still sells, likely enough to keep it published.

But it's irrelevant to 99% of the viewers, and it's impossible to tell them from the 1%: among other things, because the viewers are not keen to share too much data about themselves.

I think we should see ads as the (annoying) cost of commercially-produced free content. I wish a micropayment solution would take off to allow for easy and reliable paid opt-out on multiple sites I might visit. (I already have Youtube Red, and it's great.)

> I'm still surprised no one has yet figured out a way to store sensitive data about personal interests and preferences on the client-side

I'm pretty sure iAd works like this, no? Also it wouldn't be a massive advantage, you'd be serving less relevant ads (so losing out to competitors) and you can still track which ads a device requests.

Do you have more information on this?

We're working on something similar to this @ my company. Feel free to ping me directly, I'm happy to elaborate.

We are also building such a product. The core idea is: Your browser knows you best. We leverage this to display offers tailored to your browsing behavior that include a valuable user benefit without any of the information ever leaving your browser. You can read more of how we do this in https://myoffrz.com/en/fuer-nutzer/. Plus the code is open sourced here: https://github.com/cliqz-oss/browser-core/tree/master/module.... The product name is MyOffrz and is integrated in the Cliqz Browser/Extension as "Cliqz Offers" and in the Ghostery extension as "Ghostery Rewards Beta" for German users.

In their example, under "Gather consent seamlessly", their example shows "Yes" and "Other Options". Now, I haven't yet read the GDPR in detail, but I was under the impression that opting out should be as easy as opting in. A quick search returns:

> The ICO also said that, while "GDPR does not specifically ban opt-out boxes," that method of communication is "essentially the same as pre-ticked boxes, which are banned"

If this is correct, using the product as shown on the screenshot (and as used by several websites) is in violation of the GDPR.

I wonder if Google will pick up your legal defense costs if you get sued for using their product.

(Edit: I tried to find answers to these questions, but apparently the only way is contacting my Google representative, which I don't have)

Having cleared all cookies recently, I'm re-encountering all these dialogs. They've gotten cagier.

Anecdotally, a third of these cookie dialogs are violating those principles, either preselecting all third party advertisers, or claiming all 60+ third parties are necessary for the functionality of the site so Allow or Go Away. Or having only one OK/Agree button.

It's not just little guys. Slate.com for example:

Slate’s Use of Your Data

By clicking “Agree,” you consent to Slate’s Terms of Service and Privacy Policy and the use of technologies such as cookies by Slate and our partners to deliver relevant advertising on our site, in emails and across the Internet, to personalize content and perform site analytics. Please see our Privacy Policy for more information about our use of data, your rights, and how to withdraw consent.



The privacy policy generally says you're welcome to go opt out of each individual third party then delete their individual cookies from your browser, beat yourself up.

Slate for example, says, "You may choose whether to receive interest-based advertising by submitting opt-outs..."

The justification appears to be "EU doesn't tell us what to do":

"Please note that the Services are directed towards users who reside in the United States. By using the Services, you consent to the collection, storage, processing, and transfer of your information in and to the United States, or other countries and territories, pursuant to the laws of the United States. Some of these countries may not offer the same level of privacy protection as your own."

This Privacy Policy also features dynamic legalese:

"Slate tracks when EU readers grant consent for Slate to collect and process data through the use of an identifying cookie on your browser. The browser through which you are currently viewing Slate does not currently have such an identifying cookie. If you are an EU reader this means that Slate is not collecting or processing data from your current browser session."


// I am currently reading from EU -- a good time to clear your cookies.

I noticed that about Slate too, yesterday, when another HN article linked to them. Now I just open sites that break GDPR laws in a private tab, accept all of their cookie things and skim the article and determine if it's worth properly reading (while blocking ads, canvas super cookies, etc.). When I'm done I close the window and all the data they place on my machine is wiped. This means the outcome for them is even worse than if they had behaved themselves and offered a "minimum required" box that I would have probably ticked.

> claiming all 60+ third parties are necessary for the functionality of the site

If you consider financial needs underpinning the site operation, it's technically true - without the 60+ 3rd parties, they could run out of funds to host the site, after which the site would not function at all.

There are other sources of funding than advertisements

Interestingly, Dutch news websites usually handle GDPR popup dialogs properly. Example: https://nos.nl/.

It's just as easy to opt-in as to opt-out. Just tap the checkmark or the X and then Save your preferences.

This hits another big point I've been wondering about GDPR. If site X has third-party JS from Google, Facebook, or so on, who does GDPR apply to? Is site X the one collecting the data, or is it the third party?

GDPR distinguishes between the "Controller" and "Processor" for data. A Controller has the most responsibility under GDPR. A Processor has separate responsibilities, and generally fewer of them.

In your example, Site X would be the Controller. Google or Facebook may be a Processor, or they may not be involved at all. If the JavaScript in question sends data to Facebook/Google then they are a Processor, whereas if it's purely a client-side library or something that helps Site X send data to itself then the situation is more ambiguous.

Vendors could arrange the relationship in such a way as to be joint controllers instead of processors if they wanted to. Most companies seem to want to avoid this set-up if possible.

from Article 4:

(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Generally speaking, site X is the data controller and the third party JS providers are the data processors. GDPR applies to both, with the controller being the party primarily responsible for ensuring compliance.

+1 for actually mentioning (let alone citing!) the article. There is so much information floating around, much of which slightly exaggerated, misinterpreted or misremembered, and if you want to check it you basically have to go and search through the whole thing. Even Dutch data protection authority has lots of info and FAQs without any reference to the law at all. So whenever I refer to it, I often have to go "at least, that's what our national authority says, I have no idea which article in the international law this is based on. Here, go and read some Dutch!"

My understanding (IANAL) is the site requested (i.e., X) is the data controller: X caused the third-party requests to occur, and is therefore responsible for any data transmitted over them.

Google Contributor was a service from Google that used a pool of money set aside by the user to bid on ad slots, and if a particular ad auction was won, the ad would be replaced in the pageview with a pictorial pattern of the user's choice. The program was not well publicized, although tech journalists have covered it and I have written [1] about it in my comments when Brave and Flattr came up and have wondered why Facebook (sitting on a huge trove of real identities) never did the same.

But in 2017 it was shut down for a few months, and relaunched as a program which would omit all ads from the target site if the site was a partner, and the user has marked that site in their account. The amount charged for each pageview is set by the site [2]. Only a handful of websites are supported, although most are news sites -- local papers or TV channels.

This new Funding Choices program aims to greatly expand the list of sites that use Contributor by offering a managed solution that solves a better-than-before subset of two pain points at once: regulatory compliance and monetization.

[1] https://hn.algolia.com/?query=niftich%20google%20contributor...

[2] https://support.google.com/contributor/answer/7359560

I appreciate that Google appears to have reached out to local newspaper sites (qctimes.com, napavalleyregister.com), for Contributor. But if I were a major content publisher, the relatively small and mostly non-notable list of current Contributor sites [0] would make me think that Google isn't highly invested in this project. Which is not a good first impression considering that many people think that Google is too quick to abandon projects. They should have booked a few more major sites and media brands; right now, the 2 sites that are highlighted are the National Post and Popular Mechanics.

[0] https://support.google.com/contributor/answer/7324995

IMO Contributor is still pretty new, and without users the time and effort spent implementing it probably isn't worth it yet, especially because many of those running adblockers just ignore it entirely (I can't even count the number of times I've read "why pay for contributor when adblockers are free?").

If/when it hits a critical mass of users, suddenly it will become a lot easier to justify the cost of implementation.

Hopefully tools like this can help get some sites to implement contributor or something like it so paying for access can get a foothold and become a viable option.

Funding Choices and Contributor seem to be a good choice for small-to-medium blog/news site operators. Compared to Flattr and others I see the potential here to fund a news outlet entirely with these services.

I would not trust any opt-out offered by a company whose bottom line is directly dependent on violating people's privacy. The only opt-out that can be trusted is one that does send any network requests to the stalking company until consent is given.

That's the same reason why you wouldn't want to ask an alcoholic to guard a warehouse full of vodka at night, as you'd probably find a few empty bottles the next day. Same thing with an advertising company, even if they claim to respect your privacy, nothing guarantees they're not secretly looking at it anyway (and using it to adjust their ad tracking in a way that's undetectable from the outside, as to not be sued for it). It's even worse, because at least with alcohol you can count the bottles and find the empty ones. With data collection, if they're careful, you have no way to know whether your privacy has been violated.

And who is going to build that illegal feature into Google's services? And how much are that person, and the other persons that know about it, going to be paid for them to not be a liability?

Maybe I'm naive, but I feel building automated law breaking systems is not something corporations do. I have no doubt individuals within corporations break laws whenever they feel like they can get away with it, but leaving trails like checked-in source code, and operating services that other services depend on, that just sounds like too much of a liability to me.

> Maybe I'm naive, but I feel building automated law breaking systems is not something corporations do

Did you already forget the VW diesel scandal? That was exactly that - a huge corporation systematically breaking the law with lots of people even in the highest ranks aware of and supporting it.

Well yeah, and it was ridiculously dumb, lots of people go to jail and big fines were levied. I suppose that you have a point and corporations might do it. At the same time I like to believe it's just not worth it for them.


    Exxon, Royal Caribbean, Rockwell International, Warner-
    Lambert, Teledyne, and United Technologies each pled 
    guilty to more than one crime during the 1990s.

    Five banks (Citigroup, JPMorgan Chase, Barclays, Royal 
    Bank of Scotland and UBS) had to pay a total of $2.5 
    billion to the Justice Department and $1.8 billion to 
    the Federal Reserve in connection with charges that they 
    conspired to manipulate foreign exchange markets.

    In 2008 and 2009, a salmonella outbreak killed nine 
    people across the U.S. and sickened hundreds more. The 
    source of the contamination was traced back to the 
    Peanut Corporation of America (PCA), a Virginia company 
    run out of its CEO’s garage. The salmonella outbreak 
    turned out not to be a tragic accident, but rather the
    direct result of PCA’s and CEO Stewart Parnell’s 
    decision to intentionally ship contaminated products. In 
    2014, Parnell was convicted for his role in the crime.

The list just goes on and on and on and on.

I can find a few small fines, but as far as I can tell nobody went to jail for that one.

> A Volkswagen AG compliance executive who pleaded guilty in the U.S. for his role in the company’s $30 billion emissions cheating scandal was sentenced to 7 years in prison.


And Germany temporarily jailed a bunch of executives (including Audi's CEO, who is still in jail as far as I know) this year to stop them interfering with investigations, and results of those investigations might lead to more being sentenced once they're done.

yes, VW was small fines. GDPR, especially for something like what is being suggested here, would be astronomical. Not saying nobody will do it, because humans are stupid.

to quote vincent vega re: the keying of his car, it would be worth having them do it, just to catch them doing it.

>VW was small fines


$30 billion is not small fines, add to that that it isn't over yet. It's already more than what BP paid for their oil spill, and the oil spill is thousand times worse in terms of its environmental effect.

At least in this article it's the biggest fine for any corporate crime levied.


There are very few fines that have been higher. Hyundai only paid $100 million for their emission scandal one year before, with not much fanfare: http://time.com/3555696/hyundai-kia-fined-carbon-emissions/

Or Uber using Greyball to try and evade regulatory enforcement in specific locations?

Don't frame it as "build an illegal feature". Frame it as "build a feature" and hand it off to an enthusiastic junior dev eager to please their manager and get ahead. At a previous employer, I had a manager ask if, when implementing certain functionality, I could do it in such a way that it coincidentally broke third party tools attempting to interact with the component. They were very careful to phrase this in an offhand manner and never discuss it over legally discoverable mediums (only face to face). The entire matter seemed dubious and I certainly didn't want my name associated with such a move in the source control history, so I never implemented that request, it was never mentioned again, and nothing ever came of it - but a different dev might have jumped much faster at it.

I take great care to separate my browsing sessions. Still I find YouTube recommendations on my main account on topics that I watched on another machine in my home network. My typical setup involves:

1. Virtualbox VM restored to a snapshot after each usage (browser completely clean, never uses my main Google accounts here)

2. Firefox on main machine with clear all cookies set, ublock origin. Rarely logs into my main Google account, if I do, always in incognito.

3. pfsense with block lists for Google & Microsoft

4. Mobile with Disconnect tracking blocker (mobile wide) plus Firefox focus & Firefox set to clear all history on exit.

Still Google manages to track me. Whenever I see those recommendations in YouTube, I feel like Google is mocking me - "ha ha do whatever you want, you can never hide from us".

Check how unique your fingerprint is using panopticlick[1] and try to fix it by adopting more common settings. Also don't use Firefox Focus: it has telemetry and shares data with a third party[2]. Use the German version[3] if you must, it has telemetry disabled by default.

[1]: https://panopticlick.eff.org

[2]: https://www.ghacks.net/2017/02/12/firefox-focus-privacy-scan...

[3]: https://f-droid.org/packages/org.mozilla.klar/

Maybe you ended in the "people that put too much effort in anti-tracking" bin, and you get recommendations for those kinds of people :p

You jest, but having worked in the ad tech industry, I can say this is actually a completely viable means of tracking people. This is why you don't load uBlock Origin into your Tor Browser or use a custom User-Agent string while using your VPN. Everything you do that is different than what everyone else does (i.e. the default) is a means of identifying you. And if I could do it at that startup, certainly Google can do it in a million more ways a million times more accurately.

If the bin is big enough or merges with other bins, it becomes the new norm.

Tor Browser has a strong "disable JavaScript" option that is relatively popular; the remaining vector is then tracking images and the rule would be to check for Tor exit node that hasn't downloaded the image cookie.

Even with JS on, TB tries to reduce impact of such history based attacks.

Pretty targeted and obviously possible to fuzz.

Changing your user agent is also probably a bad idea. There are other ways to detect browser, so you're pretty unique if you're using Firefox on MacOS with a Chrome for Windows user agent.

Yes, don't use any custom extensions in TB or any custom user-agent string or otherwise deviate from the default.

You're right. Google probably wouldn't build an outright illegal feature. However Google would and has built features that are at the very least in legal grey areas/haven't been explicitly regulated. Things like the WiFi tracking feature, bypassing Safari's cookie restrictions, tracking Android users' location even when they opted out of that or had their GPS feature turned off, and so on.

They did and will do that again because they know whenever they get caught they have to pay several million dollars at most after years of such violations and then they can be on their way to rinse and repeat with something else like that.

Google was fined billions for outright illegal practices and is mostly concerned about power, not illegality.

Furthermore, in hierarchical structures people only care what those above them think. "Illegality" of the feature is something for lawyers, not them. At best they rely on morals, but even that is screwed by perks, incentives, the environment they work in, peer pressure, management, corporate propaganda, etc. Generally in such structures you can make people do anything, even kill other people and be ready to get killed.

I don't think Google was fined billions over privacy violations, just antitrust ones and only in the EU. In the US Eric Schmidt's constant lobbying to Obama got them off the hook for the antitrust investigation even though the FTC staff investigating their violations recommended antitrust action against Google.

Google is a corporation responsible for thousands of people's jobs (so your analogy is irrelevant) that complies with the European Union laws. If Google does things under the hood, it will be noticed, and it will be exposed to a potential 4% fine of global revenue.

By the law, opt-out is the default.

They are proposing an industrialized solution for new and old businesses to transition to EU regulations more easily. Trust Google or not, but in the meantime, they are proposing new services to answer business and legal needs.

Unless you let that alcoholic guard two warehouses, and allow him to have a few bottles from one of them. In that case, he'd be stupid to take from the one where he's not supposed to.

I assume you are extending the analogy by implying that one "warehouse" would be paying users, and the other "warehouse" is free to use / advertising / giving up private data users.

This analogy falls flat, because unlike an alcoholic which can be satiated at some point, FAANG can never be satiated. More information is always good. Thus taking data from both warehouses is better than restricting yourself to only one.

Secondly it also falls flat because your paying users are often the more juicy targets (from an advertising point of view), since they are already well enough off to pay for ad-free internet services, thus also well enough off to target for more lucrative advertising.

Getting back to the analogy, it is like an alcoholic guards two warehouses, one stocked with free Budweiser beer, and the other stocked with the finest scotch, and hoping he won't take a swig from the scotch.

Man, there must be the really good stuff in that other warehouse. Won't do any harm to go look...

I hear so-and-so's private stash is in that warehouse. A lot of people can get in that warehouse. They'll never know it was me.

Unless the alcoholic is the only employee that will do the job (zero competition), which means he can steal from both warehouses and still not get fired. Same situation with Google/Facebook/etc, they're too big to fail and can do nasty things without any consequences.

I actually mentioned "opt-out" links in spam in the essay.

I hope they find ways to do this while actually complying with GDPR.

A lot of (primarily US-based) sites now say things like "We need to track you to keep running, consent or click this link to enter a maze of poorly documented ways you can try to opt out, if you decline then goodbye".

Some even let you opt out of tracking (taking several minutes to 'process' this opt out), and then tell you they can't serve you a site that doesn't track you.

I'm OK with those - I don't go there any more.

> Engage ad blocking visitors

> With Funding Choices you can automatically identify ad blocking visitors and ask them to disable their ad blocker especially for your site — or give them an alternative way to fund your content via Contributor.

> Contributor lets users buy an ad removal pass for your site, helping you monetize your site's content again.

Great! Now, can I have that for Google? I'd gladly pay in exchange for the added privacy.

You'd think you'd get it with gsuite...

Gotta love their choice of wording, "recover lost revenue from ad blocking users", like blocking ads is equivalent to stealing money from the site owner.

But that's true isn't it? What's with this entitlement that sites should be ad-free while still providing value? I own a blog, there is no way I could have a profitable subscription based model (believe me, I tried).

Exactly. People don't get that getting rid of ads helps only the big players (because they can require subscriptions), while hurting the little guys.

People may subscribe for big newspapers and such, but they won't subscribe to a lot of smaller blogs, for example, on various blogging platforms, which do provide value, but they are not big enough to warrant a subscription.

Ads solve this case and I haven't heard any viable alternative for them for small players.

You can see this in action on HN when people constantly use big publications like The Verge and NYT when complaining about ads or suggesting that everyone needs to find a new business model.

Meanwhile my forum now costs more money than it brings in. It's been giving teens a place to write collaborative fiction for over 10 years now.

Seems a bit sad that we'll eventually just be left with the sites big enough to live without ads. We're in the middle of a great centralization which you'd think most of HN would be wary of.

Instead I see the opposite, people basically welcoming it with a bloodlust in their eyes. What they don't realize is that their favorite examples of ad-dependent websites cast around HN like The Verge will be the last to die.

There's an entitlement problem, but it isn't on the part of readers. Advertisers, ad networks, and publishers have made so many terrible decisions that they drove readers like me to ad blockers.

I'm not against ads, but I don't want to be tracked. I don't want a 500 word article to download megabytes of crappy javascript.

Publishers are probably costing their audience more in battery life and bandwidth than they are ever making from the ad they are showing.

"Publishers are probably costing their audience more in battery life and bandwidth than they are ever making from the ad they are showing". Have you done any calculation? The bandwidth/battery life cost for serving JS is negligible. It's nothing compared to fetching/rendering images/videos, or even your mobile OS.

I've done some rough calculations. Just going by bandwidth, I pay $10 / GB (Google Fi). For that page with 500 words that I want to read that's been bloated out with 5 MB of ads and tracking script, I'm paying 5 cents.

I understand your issues... But I'm downloading your code, how it is displayed, and whether I run it your way is up to me - I already requested it, and your server fulfilled the request. If you wanted contractual obligations, they need to happen before you hand over the content.

That isn't a very good argument. Just cause you downloaded something doesn't give you the rights to it.

If that was the case piracy would be legal, software trials wouldn't be legal. Windows license or Photoshop trial up? Well I downloaded, your server fulfilled the request. I have legal rights to it now.

Oh, this art? I am selling it. Well I saw it on the internet, my computer downloaded, their servers fulfilled it. If they didn't want to hand over the rights they should've blocked me from viewing it.

That kind of argument is an argument I expect in a non-tech site with people making excuses. You know that isn't a solid argument you made at all.

The way the internet works doesn't create a vector that allows that. If they did implement that you'd need a multiple round trip check, the site would be slammed for being slow to respond cause it has to download a script, check if you're blocking, report back then start the downloading process for the site. Just not feasible.

Those smaller sites would lose to bigger sites that can get away with slower response times or ignore pre-checking anyways.

> If that was the case piracy would be legal, software trials wouldn't be legal. Windows license or Photoshop trial up? Well I downloaded, your server fulfilled the request. I have legal rights to it now.

Piracy is someone intentionally breaking a known license contract. Software trials require contracts first. Either upon download or installation. You agree to a license before you use Windows. Those agreements are binding. The web also has systems in place for similar contract negotiation. If you don't use that, it's kinda on you. Some users will choose to use your content in the way you intended, others won't, and you have no recourse.

> You know that isn't a solid argument you made at all.

Unfortunately for you, it's already held up under law. There's a reason the big players are trying for new solutions rather than attempting to ban users from blocking them.

> If they did implement that you'd need a multiple round trip check, the site would be slammed for being slow to respond cause it has to download a script, check if you're blocking, report back then start the downloading process for the site. Just not feasible.

We already have that. Quite seriously. HTTP has the structure for authorisation, and the process for handling it if you're not. Not using that structure is a choice that leaves you vulnerable.

And that is why the argument is always based on morality: "You should not do it, because it is bad" - which proves your point.

When someone publishes something on the web it is free by definition, and by law.

Publishers can choose to not make the content available, but it seems up to now relying on ads and moral shaming is a more profitable way.

The servers are entitled to send what data they want. The client is entitled to accept what and how they render it. That is how the protocols work. The servers can block visitors who don't login or load the ads but that has its own costs as they often find them not worth unblocking and just stop visiting.

Given the security issues involved with ads as a vector, general abusiveness, and poor programming leading to memory leaks and insane waste, blocking by default is wise.

Even big ad networks have been caught hosting outright viruses from lack of vetting. There is no right to a business model and they have no right to access client systems.

If I'm correct you only gain money from advertising when the user clicks on an ad. If the user does not click (and you could argue that people who install adblockers will not) then no money was lost.

The entire debate around copyright and online monetisation is trapped in "entitlement" of publishers in the METHOD of extracting value. Have you ever considered that maybe it's not that people don't want to support you financially, but that your methods are wrong?

So maybe subscriptions don't work, but let's take pirates as an example. Multiple studies have proven that pirates spend more money on the things they pirate than non-pirates. So in actuality piratisation is increasing the amount of money publishers are making since the act of piracy itself actually represents no cost to the publisher.

> If I'm correct you only gain money from advertising when the user clicks on an ad

There are also ads which pay per impression. CPM ads.

But ads don't provide money until clicked on. So there's no money lost by implementing ad blocking. The only real thing lost is the potential that someone will click on the ad.

That depends on whether the ad is sold based on conversions, clicks, or views. All three models are in use on the web.

Remember, we're discussing a blog here. CPM, with rates in the $2 range, are not going to provide anything resembling reasonable revenue - let alone profit - for a blog post.

There are notable exceptions to this for bloggers who can get hundreds of thousands of views on a regular basis - but most people are lucky to get a thousand unique views.

Yes they do, CPM vs CPC.

CPM, for a personal blog, is going to provide negative revenue (the cost in time and upkeep of the advertising platform and integration). Do blog posters really think that alienating someone over their decision on what to render in their browsers is worth that 2/10th of a penny?

Yes, because those pennies add up and pay for bandwidth and content. It's not just someone, it's 30%+ of traffic.

Came here to make a similar point. That phrase reveals a mindset that they are entitled to force our browsers to execute whatever javascript they decide.

Well, it does cost them money to serve you the site.

Their bandwidth bills would be a lot cheaper if they weren’t sending megabytes of JS for every kb of actual content

Bandwidth isn’t the main cost of running a website; you also have to pay people to make content. Compared to that bandwidth is free.

You have no idea what you are talking about. JS doesn't nearly cost as much as images, and most ad-related JS are minified. For many websites ad serving is the only profitable model. You won't make money off subscriptions unless you are one of the big players and don't have to worry about growing your user base.

> You have no idea what you are talking about.

No personal swipes on HN, please. Your comment would be fine without that bit.


> For many websites ad serving is the only profitable model. You won't make money off subscriptions unless you are one of the big players

I was, until recently, a paying subscriber to the NYT, and there is no difference in the ads and tracking crap they pull. So I call shenanigans on that.

Put Google's JS on my website and let Google harvest all my users' information. Sounds about right. I don't see much difference between FB and Google these days.

There are actually parts of this I like better than the current status quo:

* Ad blocker detection and a way to ask for funding? Seems nice. We will get a view on the actual market value of the content. As the Internet started out free and had plenty of content, I assume content producers will get a rude message about their actual value here.

* A good base platform for the GDPR is also nice. A big player like Google can't flaunt the law too much, and browser plug-ins have one big target to block, verify or modify.

Some extras to make the ad ecosystem sane again:

* Micro-payments. You could get to choose between an ad, a micro-payment, or no content.

* Content producer vetting and taking responsibility for their ads. Today's ads are bottom feeders. If, say, a car site would get an image from e.g. a car company, and place ads on their own site, you get a better ad for the customer, no privacy violation, and more respect and use for the ad vendor. This is the Stack Overflow/jobs model.

* A header element like X-Interested-in. Use your browser to set a free-form value, and let the ad vendors get some input to give better ads, while you are completely anonymous to them.

What I think we're seeing here is that Google's bottom line was damaged by GDPR.

So to give Google info about my visitors and later compete with me? No thanks.

Presumably, these sites already use Google ads (and probably Analytics too).

I started up CodeFund last year in an effort to help fund open source projects and developers. This year, we opened up the source code (https://GitHub.com/gitcoinco/codefund) and provide ethical advertising. We don’t do any tracking, profiling, cookie setting, remarketing, etc. and our ads are chosen by the audience that the website caters to. We also give back up to 70% of all gross ad revenue back to the publishers. https://CodeFund.io

I would be willing to load ads if I didn't have to see them. I’m happy. Content provider gets ad shown so they are happy. Advertiser doesn’t get anything, but I don’t care.

You can please everyone with AdNauseam ;-)


...the content provider is only happy that the ad is shown because advertisers pay them for it. Advertisers aren't going to pay content providers if people loaded ads without seeing them.

How would they know?

Because the browser would tell them.

And if this became a trend, it'd be really obvious in their ROI and they would stop funding the content provider.

So essentially a bitcoin miner running in the background?

We also have a GDPR-like data protection law (almost identical bar right to be forgotten, which we do not have here) in Turkey. A Turkish version is also needed.

Nice!! Another Google product that will be EOL'd in a few months, leaving both users & website owner unprepared... Really: Google became so unreliable on the business side these days that I wouldn't use their product for anything but playing

Ironically, I believe they actually did already shut this down once before. I think this is a revival of it: https://www.searchenginejournal.com/google-contributor-progr...

Yes, they re-launched Contributor as an "opt out of ads on a per site basis" instead of the old global "show me kittens or blank space instead of all Google ads". The reasoning given was it was a "better experience" to have no ads on a page at all instead of a mix of Google ad kittens and non-Google regular ads.

Fine, but there are only two sites that support it, so it's fairly useless. Maybe Funding Choices will make it more useful.

Here's a list of about 20 sites using Contributor: https://support.google.com/contributor/answer/7324995?hl=en&...

Bit off topic, but AngularJS 1.6? Why is Google still using an old version of their own framework, is upgrading that hard?

Upgrading from AngularJS (1.x) to Angular (2+) is not trivial. They are two unrelated products that "by chance" share the same name.

I understand that moving to Angular is not trivial, however this is old even for AngularJS.

1.7.x is in long-term support, while 1.6.x stopped being supported since July. The version they're running has at least three vulnerabilities: https://snyk.io/test/npm/angular/1.6.0

Ah you're right about that. I was taking for granted that 1.6.x was the last before 2+.
