Hacker News new | past | comments | ask | show | jobs | submit login
Why is Stack Overflow trying to start audio? (stackoverflow.com)
909 points by iokanuon 23 days ago | hide | past | web | favorite | 402 comments

I just wanted to chime in from Stack Overflow here and let people know: we are aware of the issue. And we're NOT okay with it. We're trying to sort out how to kill the audio behavior now. It's not very straightforward to find where it's coming from, but we are working on it. We've also reached out to Google for their assistance in tracking it down. If anyone can offer advice, we'll more than happily take it.

- Nick Craver, Architecture Lead at Stack Overflow

Why are you allowing arbitrary javascript to be served to your users?

Wish I could upvote this 1,000 times.

It's ridiculous. It's a text-based ad. At worst, it's a clickable image. At what point did it become okay in your minds to let advertisers run arbitrary code?

I've left ads turned on specifically on StackOverflow because 1) I want to support StackOverflow, and 2) I trust them not to run malicious ads.

I don't even care that they're running ads network-wide. But if they're going to be running these kinds of ads anywhere on the site, they're going right on the ad block list along with everyone else.

It’s completely insane. Can you imagine a TV station receiving ads on tapes and playing them to their audience without looking at them first? Can you imagine TV stations occasionally showing ads containing porn, urging people to kill, showing extreme violence during cartoons, or containing specially crafted audio that blows out your speakers, and the TV station just shrugs and says they try their best to stop these things but they can’t stop everything?

Imagine a TV ad that tries to make your phone call a 1-900 number so they can rip you off, and the station says they don’t know where it came from but they’re trying real hard to put a stop to it. And somehow watching the ads themselves before broadcasting them never crosses their mind.

It’s worse than that. Imagine a TV ad which sends malicious code that gets executed to your television, which profiles the hardware in your TV and sends information about your viewing habits (tied to a unique ID) back to the advertiser.

In any other context we would call this a security vulnerability. I think that label also applies here.

You don’t need to, it happens already. Many TVs do screen grabs and send everything you do to the manufacturer or partners.

My Vizio's built-in software tries to do that. There's a reason it's not allowed to connect to wifi.

When you say "it's not allowed", do you trust its own settings? Are you sure it's not doing something like [0]? How do you even protect against that?

[0]: https://www.reddit.com/r/privacy/comments/bpr6xs/if_you_choo...

I bought a new wifi router and never told the Vizio the new credentials. If it manages to somehow figure out how to log onto the new router, and transmit the data about how I don't own cable service and mostly use it to play retro games? I'm going to be kindof impressed really; at that point, Vizio can have the data.

My wifi router has an interface that shows every connected device and I can blacklist them based on their physical address.

In the post I linked to, the TV in a similar situation was happily connecting to someone else's (open) WiFi network nearby. You can't really block those…

Let it connect to your network and then black-hole it?

But that's assuming it doesn't try to connect elsewhere if it detects it doesn't have internet.

And this safely outside the scope of what most people know how to do with their routers.

Imagine having to take countermeasures like this to prevent things you've purchased from spying on you!

Don't buy a "smart" TV?

Isn't every decent TV these days a smart TV? Not exactly practical advice

don't connect smartTV to the internet, juse use the DP/HDMI inout ;)


I guess with GDPR.

I bet you could do that with an ad that plays “Alexa- call 1-900-555-1234”.

The state of web ads is closer to the public pinboard only instead of having ads for grandmas couch its Mr CEO trying every trick to drain your money and track you.

Tv spots are very limited. Digital ad impressions number in the billions with 10s of millions of ad creatives. It’s not the same situation.

The only reason it’s not the same situation is because they’re willing to throw their users under the bus for a little extra cash. If they wanted to exert more control, they absolutely could. Ads would cost more and we’d see fewer distinct ads as a result.

That is absolutely not the only reason. Digital ads work entirely different from the TV medium and its more than "a little extra cash".

No single publisher today really has the power to change much, no matter how big they are. The issue likes with adtech (like Google) and advertisers.

Digital ads could work where every single one is vetted by people before it’s served to any users. There is no reason it can’t work this way, other than it being a lot cheaper to skip that step.

All creatives (and the root templates of dynamically construted ones) are actually audited on the advertiser-facing platforms before they ever get to the publisher.

Unfortunately running javascript means these ads can do anything at any time and change into malware. Other than adding some technical guardrails, the best practice would be to ban bad actors (of which many are known and usually the same shady people) but many large adtech companies look the other way because it makes money and they have no consequences.

Malware and adfraud is primarily a business problem, not a technical one.

So, don't allow them to run JavaScript. That's not necessary, just convenient.

See my other comment for how it all works: https://news.ycombinator.com/item?id=20290673

It's not that simple. There are many layers in the supply chain that currently requires JS. Publishers can't disable the JS and they can't demand JS-free creatives either.

Of course it’s that simple. Don’t let ads run JS. Done.

You’re saying that doing this would drastically decrease ad revenue. Which is what I’m saying too: it’s about money, not necessity.

Would a site like SO be unable to survive without ads that run arbitrary JS? I don’t know. Even if the answer is that they must do this to survive, it’s still insane that content companies let randos inject arbitrary code into their pages. If this is so entrenched in the industry that there’s no way around it, that just means the industry is insane.

Money is a necessity, that's how SO exists, and it wouldn't sustain its current size if it required JS-free network campaigns or tried to sell all ad space directly.

Simple doesn't mean it's easy or realistic. Yes, adtech has major problems but they're being slowly worked on and won't change overnight. This applies to any other industry where you think can just walk in and solve everything if everyone just did X. Reality doesn't work that way.

We know that advertising can work and make money without arbitrary JS. When there’s a clear existence proof, is it really wrong to say that a problem could be solved by not doing the problematic behavior?

Of course reality doesn’t work that way. Ad companies aren’t going to change, because they like money and don’t give a shit about users.

We’re stuck in a local minimum. It’s insane. It could be easily fixed if everyone just stopped doing the insane things. And they won’t stop.

Maybe the business model of ExpertsExchange where they charged money wasn’t such a bad idea....

The fact that everyone uses StackOverflow and nobody uses ExpertsExchange seems to say otherwise.

Well, my browser hasn't been running JS for ages and more people are going to do that. If the business isn't going to fix it, users will.

And yes, I'm enjoying my 90's internet and enable JS when it is needed (rarely) for specific domains.

Yet adverts on porn sites do operate as per our wish list:

* adverts are vetted by a human

* adverts are not allowed to inject JavaScript.

There have been a few interesting blog posts from businesses outside of the adult entertainment industry where they discuss just how work is involved in getting an advert approved on adult sites.

It’s a sad state of affairs when an adblocker is less required on porn sites than it is on Stack Overflow.

All major ad networks audit every single creative. The problem is javascript can change at anytime, and the publisher is the most exposed and also the most removed to be able to discover and mitigate. There have been some movements to whitelist the JS providers but volume is incentivized so most networks look the other way for now.

Adult ads are definitely not better and are served by even looser networks that allow anything. That industry has pioneered things like popunders, clickjacking, and monetizing every possible action on a window while serving as the primary vector for malware and browser bitcoin mining. I'm not sure what blog posts you've read but the only strict standards they would have is on getting paid.

Like everything, it depends on the sites in question. Disreputable adult sites aren’t going to be any better nor worse than disreputable sites of any other content. However adult sites run as a reputable business - of which there are many - most certainly do follow the points I described earlier.

What you’re effectively doing is looking at Source Forge and then arguing that Github, Gitlab and Bitbucket are all probably just as bad.

Or -- the more expensive ads don't justify the ROI, meaning advertisers don't buy them, meaning fewer ads, but less content.

If you can't manage to oversee it because of the scale you don't deserve to take advantage of the scale.

That sounds nice but is neither realistic or even sensible. There are other solutions like sandboxing to prevent access to features, it's not an unsolvable problem.

Well I would argue if billions will see the content, that gives more reason to have it checked over before serving no?

Billions? No single creative is seen by that many. In fact, with dynamic creative optimization (DCO) and all the optimization that happens, you can easily get creatives that are custom generated and only see by a few individuals or even a single person.

The comment was referencing the parent: Digital ad impressions number in the billions with 10s of millions of ad creatives

I wrote both comments. There are billions of impressions but a single creative is not seen by that many. The point is that the scale is too large to validate on the publisher side.

It seems to me there are two solutions to this problem:

* remove the ability for 3rd parties to abuse their automatic powers (ie disable their ability to inject JavaScript)

* or have a human manually vet every creative

The problem here is you neither want to control their access nor take responsibility for monitoring their access. So the blame equally lies with yourselves for not managing an easily exploitable vector of attack.

If this were any other system, eg VPN, security professionals would tear you a new asshole and point out just how irresponsible your lack of management is.

You’re only excuse here is greed and frankly I’m disgusted.

Major ad networks already vet every creative. The problem is javascript which can change at anytime. Banning javascript in creatives is not a technical problem, it's a business and politics problem. Same with just about every other issue in adtech.

I'm not sure who you think I am or why you're accusing me but none of this is down to a single person.

I think this comment[1] on the linked Meta question explains it pretty well:

> To the people confused why ads need to run their own Javascript (even ones that are just static images): The short answer is that Ad Networks do not and cannot trust website operators. They need to run their own JavaScript served from their own servers in order to verify that a real user saw the ad and for how long, and they can't trust the website operator to tell them. And these pieces of JavaScript tend to be more invasive and privacy-destroying than the website's JS because they care, far more than the actual website does, that the "user" is not a bank of iphones in a sweatshop in China.

[1]: https://meta.stackoverflow.com/questions/386487/why-is-stack...

Not just arbitrary JavaScript, arbitrary JavaScript where they can’t easily even see where it came from! Sheesh.

Could we require advertisers to sign their ad code to have a trail of where it came from, prevent tampering, and make it easier to pull the plug on bad actors?

The people bearing the costs of the internet ad economy aren’t the people in any position to do anything about it. So there’s very little pressure to fix anything.

Maybe if the US government started threatening to enact something like GDPR unless the a democratic industry gets its shit together.

Large adtech demand/sell side platforms do not want to remove these bad actors because they make money on percentage of spend. They are incentivized to increase volume and ad spend at all costs, and there is no regulation to stop them from doing otherwise by continuing to deal with shady companies and known malware techniques.

This is not a solution. JS still runs, it just has limited access to certain features.

You also need to somehow <iframe> the ad content (and serve it from somewhere else with the feature policy header set/attribute on the iframe set) or else sacrifice use of these features on your own site.

The solution is to make the ads inert. They do not need to run code.

Why are you allowing arbitrary JavaScript to run on your device?

Sites like StackOverflow require JavaScript to work (or at least, to work in a manner approaching interactivity). So, even someone who disables JavaScript normally, would presumably enable it in order to use this popular and useful site. Furthermore – and importantly – they place trust in StackOverflow not to abuse the privilege of executing arbitrary JavaScript. That is an entirely reasonable thing for a technically savvy modern web user to do.

By serving this ad with JavaScript not vetted to StackOverflow's presumed standard, StackOverflow has violated that trust. Thus the onus is on them, not the user, to remove the offending ad or risk damaging their brand.

Honestly, what you said is like saying "why would you ever not keep a hand on your wallet" after someone got pickpocketed in a nice restaurant. Reasonable people have reasonable expectations of safety in certain places which they trust to provide it for them. No-one should go around being constantly paranoid of pickpockets everywhere, no more than anyone on the web should be constantly paranoid of malicious JavaScript even on sites with established records of safety.

> So, even someone who disables JavaScript normally, would presumably enable it in order to use this popular and useful site.

I agree that StackOverflow is at fault here, but enabling JS is not a binary choice — "allow all JS on this site" vs "block all JS on this site" are not your only options.

Tools like uMatrix allow me to control JS coming from different domains on different domains independently. For example, on SO I have enabled JS from Stack Exchange and related domains, but not from Google or other snoopers.

Revenues are important. The users will not notice unless something happens. And when something happens they forget fast.

More money that way

From the post:

"The ad is attempting to use the Audio API as one of literally hundreds of pieces of data it is collecting about your browser in an attempt to "fingerprint" it... Your browser may be blocking this particular API, but it's not blocking most of the data."

Seems like killing the audio is the metaphorical putting a finger in the dyke of serving arbitrary JavaScript to your users.

Maybe in the dyke holding back user outrage, but the dyke of serving arbitrary JavaScript was never built in the first place.

It's spelled "dike".

Not in England, which incidentally is where English originates from.

Nick, how did things go so wrong from three years ago?

e.g. https://news.ycombinator.com/item?id=20289841

I don’t know. I am so very much trying to find out and push to make things better.

So no vetting on new ad tech?

> we are aware of the issue. > We're trying to sort out how to kill the audio behavior now.

Are you really aware of the issue? The issue people have here is not the fact that the ad is trying to access the audio api per se but that it is trying to fingerprint the users.

If you're "NOT okay with it", how about stopping ads completely until you resolve this problem? That should give a bigger impetus to solve it ASAP as the bottom line gets hit for multiple stakeholders.

This is not just ads, but about fingerprinting and tracking users somehow or the other by third parties. It's plain evil, and not a decent thing to continue foisting on your unsuspecting users after you've known it. Tell management to take an ethical stance and preserve the reputation of SO.

Probably not his call. By "we" he's probably talking about the engineering team, which in many cases is nothing more than a conduit for whims of the marketing and sales teams.

The only time they'd do that is if the marketing team decided that the value-add from taking ads off cancelled out the profit loss from taking the ads off.

I completely understand that it may not be his call. That's why I said "Tell management to take an ethical stance and preserve the reputation of SO."

Maybe he (or someone else in the team) has already given this as a temporary solution but it's been rejected. Since we don't know what's going on in the background, this suggestion being put on a public forum is still worthwhile. It could also help external parties (like HN readers) add more pressure in not letting this kind of surveillance continue just because the company doesn't want to stop making money while they're working on a solution or waiting for Google (or someone else) to help.

Every minute they delay cutting this off puts thousands of people in a position of vulnerability.

So, we have:

- Stack Overflow makes a blog post about not using dynamic ads.

- Dynamic ads found on Stack Overflow, with aggressive fingerprinting.

- Architecture Lead doesn't know how this happened and is getting serious.

I have so many questions. I hope this gets a post-mortem.

The fundamental problem seems to be that you are including non-sandboxed JavaScript that you don’t control.

Perhaps you should stop doing that.

Would something like SafeFrame have avoided this issue?


Hi Nick,

If you're serious about this, I've built tools for the publisher side for stopping exactly this.

My email address is in my profile.

I’m very interested and very serious. Email sent.

I just saw this post, where an potential justification was provided for a similar script in the past: https://meta.stackoverflow.com/questions/335956/adzerk-servi...

It's hard to read the obfuscated code and be sure what's being done with the browser environment information. This script seems to generate some hash and put in some global variables, presumably for some other script to consume. I don't know whether such scripts send it to a server, compare it locally to a previously-known value, or ignore it.

I would pay for an ad-free version of Stack Overflow. Take my money, please.

I think the data in aggregate is worth more than people like you would pay for an ad-free service.

This is the actual problem at the heart of it all. And even if it were more profitable to take subscription fees than to serve ads, what's stopping you from "double dipping" and serving ads anyway?

Or taking your subscription money and tracking you anyway. Knowing your interests on one site helps target you elsewhere.

ArsTechnica (obviously a very different site compared to SO) has an ad free subscription model where it also removed all trackers for paying subscribers. It's possible to do this in an ethical way. Whether the site publisher is interested or not is a different matter.

> what's stopping you from "double dipping" and serving ads anyway?

People looking at the source code, like what happened here.

You think the NY Times, Linkedin, etc. is going to have the same response as StackOverflow? Good luck even getting in touch with someone who knows what you're talking about.

If LinkedIn (to choose a random example) advertises one of the perks of subscribing is that you won't be tracked, and then tracks you anyway, that's a story for The New York Times et al.

Sure. But my point was that the NYT is an example of a paid service that openly serves you a big pile of invasive ads, even if you're a paying subscriber.

Imagine if all the ads in the print edition were spying on and tracking your every move.

Very likely. I'd pay hundreds of dollars a year to Gogle if they guaranteed* me, with severe legal repercussions otherwise, that they wouldn't track me, or allow a single bit of my data, anonymized or not, leave their servers, or be used in any other way that wasn't for my own purpose.

Re-selling digital personas as commodities must be far more lucrative.

> Gogle

Is that the evil twin?

I actually wonder about this. SO's typical user is tech-savvy, and I would imagine many access the site with adblockers on (I do). So I suspect my value to the site in terms of ads is close to zero. I would happily pay a monthly subscription to know that the service will remain, given how much value I derive from it, if that gave me the assurance that they won't track me with ads/cookies/fingerprinting.

Their other income is from job ads, and I guess the value is that they have lots of data points about their logged in users (with scores high enough to imply they've interacted with the site a fair bit), in the form of what is posted, worth more than the aggregated list of websites that a user sees (as reported by ads).

I'd love to know more about this, as I have very little understanding of the economics of serving targeted ads. How much can they be making from ads?

But they're mostly wouldn't pay in ads either. The difference may be pay-for-ad-free vs adblock-and-no-money rather than getting more ad views.

It looks like something using fingerprintjs2.

This library is very popular.


Not sure how that plays with rules about how you can place ads etc, but <iframe> with a feature policy can stop access to audio I think.

Why don't you block all the JavaScript not coming from your origin and just display a simple link+PNG as advertising?

This is exactly why I block third party advertisements for myself and everyone that uses my network.


Hey don't drag satanism into this, Lucifer doesn't serve His followers arbitrary JavaScript!

I hear from multiple sides people reporting, to receive ads about topics thy only talked to friends about but never entered in a search engine.

Google has is currently as far away from their previous world famous "don't be evil" corporate culture.

Other examples are AMP where Google wants to make it harder to de-individualise URL's. This is being driven to an extend where Chrome on Android makes it harder to edit the URL.

Or games like Egress or PokemonGo, which in my opinion helps Google constantly update their WiFi SSIDs-To-GPS-location database.This database is rhen furthermore being used to track users location through a little permission called "WiFi Control", which also can not be found in the regular App Permissions settings entry.

To me WiFi-Control sound nothing like location tracking. But I have to admit, I am not a native speaker. Therefore I might be misunderstanding something.

"Don't be evil" was replaced by "Do the right thing" years ago. Great piece of corporate speak right there.

How We Make Money at Stack Overflow: 2016 Edition: Quality ads. "...we don’t want to use an automated system that selects some ads for us. We looked at this. It didn’t allow us the control we required to maintain the level of quality we want to maintain."

How We Make Money at Stack Overflow: 2019 Edition: Taking money from Microsoft and Google fingerprinting our users 100+ ways

source: https://stackoverflow.blog/2016/11/15/how-we-make-money-at-s...

Your options, as I see them.

1. Text based ads only (no third party js)

2. HTML based ads but no js (run it through DOMPurify https://github.com/cure53/DOMPurify)

3. Look for a js sandbox -- this _will_ break arbitrary js, will not be supported in all browsers, and will require dev work on your side:

  * Google Caja  https://github.com/google/caja

  * MentalJS  https://github.com/hackvertor/MentalJS
other options are available as well, in varying levels of maturity and support.

I think using a sandbox iframe is not going to be able to defeat browser fingerprinting, because the sandbox control options are not rich enough. You would need to block all JS.

> HTML based ads but no js (run it through DOMPurify https://github.com/cure53/DOMPurify)

Or use iframe.sandbox, which was designed for it. https://www.w3schools.com/tags/att_iframe_sandbox.asp

Using an iframe sandbox has some issues:

1. scrollbars and positioning can cause problems with iframes that an inline div doesn't have, especially if there are multiple small iframes on the page.

2. As soon as you allow script in the sandbox iframe, then you are susceptible to these types of fingerprinting attacks. The fact that you have origin isolation doesn't really block what the ad was doing. This is because iframe sandbox was never designed to block fingerprinting attacks, it was design to create a separate origin that gave the dev broad control over features like 'allow js' 'allow access to origin', etc.

>1. scrollbars and positioning can cause problems with iframes that an inline div doesn't have, especially if there are multiple small iframes on the page.

I'm not quite sure what you mean here, but I'm curious. Have any examples?

Ideally you would like the iframe to not be visible -- you don't want it to show scrollbars if the content overflows.

But at the same time, you want to see all the content in the iframe. If you knew ahead of time exactly the layout of the text in the iframe you could do this, but it's harder when you have dynamically generated content inserted into the iframe, and now add to that wanting the page to be on different devices with different viewports, resolutions, users resizing the page, users increasing or decreasing text sizes for accessibility or changing default fonts.

And if you don't control the content, some of it may contain fixed size elements or absolute positioning inside the frame.

It's a really difficult problem that we were struggling with before ultimately giving up on trying to use iframes for this purpose. And when you make a mistake you either get ugly scrollbars in your iframe or part of your content is cut off when the user resizes the page.

Solving this problem requires the JS on the parent and child frames to cooperate and talk to each other about their sizes, so the parent can resize the iframe to match the size of its content. This is not something ad providers would bother to implement on their own, let alone in a consistent way.

Correct, there are solutions, but in our case none of them were feasible because we didn't control what was happening inside the iframe.

4. Images! Why would they need anything else? Why would they need JS?

Images are much heavier than text (and let's face it, most of advertisement is just words). But these days, JavaScript is heavier than millions of colour pixels, so maybe images are better :)

Is there any reason they couldn't be vector SVGs?

There are plenty of ad networks that do not allow advertisers to run JS. You have to run the ad networks script but that's the only one.

Maybe it's to identify users behind a VPN as this is fingerprinting the device, not the connection.

That's why I think the idea of running each site in a container is so effective.

And while we're at it the container should just spit out random shit like different resolution, audio api, user agent, once in a while (unless the user turns it off) to thwart such attempts.

Unfortunately when the creator and maintener of 67% of all browsers is an ad company who is exploiting this in the firsr place, then there is no chance that this could happen

> And while we're at it the container should just spit out random shit like different resolution, audio api, user agent, once in a while (unless the user turns it off) to thwart such attempts.

Wouldn't that break the legitimate feature-detection uses for these APIs? Asking the user to identify and whitelist each call is impractical, especially since the fail-case in this scenario would be subtle (you'd still see the page but it might randomly be in the wrong mode, or images might be scaled incorrectly, etc). At that point you might as well just turn Javascript off.

Yes I thought about it that's why "unless the user turns it off" comment in parens. I think out of 100 sites I visit everyday no website needs to access the audio api without my consent maybe except one or two which i can whitelist. Same for user agent, I don't think it should break if the container says I'm running firefox v65 or v67, etc.

If websites had to ask permission to enable responsive features like screen size detection, then nobody would use them

Good! Then maybe they'll go back to writing normal html and let my user agent present it to me how I like and how my device best does

Agree. I wish the entire internet looked like GNU documentation page.

If that's how you feel, why not disable CSS?

It was already possible to write CSS that adapts to various screen sizes before CSS became a privacy issue (ie. before CSS 3); except it was called regular CSS, not responsive.

My guess is the difference between "regular CSS that adapts to screen size" and "responsive CSS" is that the former only has a single set of rules while the latter has different CSS rules that get enabled/disabled based on screen size.

Conditional rules -> different content gets loaded -> server gets notified of what rules are enabled -> fingerprinting


Things went downhill once we started writing HTML which required knowing screen size ;-<

Changing the resolution sounds like it would break a lot of websites, though.

and these websites certainly deserve to be broken!

Uh, I’m not sure I agree. Any website that needs to do nontrivial layout will query the browser viewport size.

Have you heard of those projects trying to defeat behavioral tracking where, whenever you visit a page, it simultaneously opens a bunch of other random pages in the background, hidden from you, and simulates activity on them, the idea being that Facebook has no idea what actual websites you like to visit because it's lost in the noise? What if instead, whenever you visit a page, your browser or a plugin or a proxy server or whatever opened the same page simultaneously in a bunch of hidden background windows, with a random configuration of audio enabled/disabled, user agent, screen resolution etc fingerprinted characteristics?

That way, the page displays correctly for you, but the server has no idea your actual fingerprint.

There's some trickiness to get this to work right; the collection of fake fingerprints would have to have a certain amount of persistence, because if it was regenerated every pageload, the server could probably tell that only one fingerprint kept showing up repeatedly. Maybe each fake fingerprint should have a completely realistic-seeming browsing session, happening in parallel with your real one, with half the collection continuing on browsing even after you're done? Except wait, ads could just separately target every fingerprint, and it doesn't matter if 99% of them are fake as long as its accuracy for your real one is still good. To defeat that you need the randomized activity using your real fingerprint.

The ideal would be if this was done through a proxy server, which would then know every fingerprint ever sent to a website. It could then provide you with a random collection of past fingerprints that have actually visited the same website, so every visitor gets a collection of fingerprints randomly drawn from the same "bag", rendering visitors indistinguishable.

Maybe, but that seems better than the current mess. I'd rather no features than features which act against my interests.

I’d prefer legitimate api usage be broken than suffer through all the abuses.

That, and it should be pretty easy to filter out this kind of fake "chaff" data.

everyone should be running the same container though.

And this is why, even with the best intentions of site operators, my browser will continue to use the best ad-block tools I can get, and my networks will be protected by tools like PiHole.

In the 2005 era when I was a young video gamer I used to play World of Warcraft. There was a site, Thottbot, that players would use to find out information about things in game. I picked up a keylogger malware from their adservers. One of the advertisers had been hacked and was serving Malware every few thousand ads. Since that day I've used an adblocker and I'll always continue to do so.

I wonder if that’s how I got hacked....

Exactly. Market solutions for market problems. I'd love to see the Raspberry PI foundation develop and sell a home router with PIHole for regular consumer use.

Considering the alternatives, that sounds really appealing for me. I'd also buy it for my less tech-literate parents.

You can't profit your way out of a problem you profited yourself into. There will never be enough people setting up PiHoles to offset the value of spying, and it's publishing platforms like StackOverflow that suffer.

Wouldn't it be cool if it was solved on the provider level? They already have to set up DNS servers, might as well make it a Pi-hole instance.

Many ISPs are part of conglomerates that also contain web content publishers, so they have a vested interest for ads to continue working.

Also, ISP-level adblock will lead to tons of support requests, esp. when news websites start blocking that ISP and tell customers to call the ISP's support to "fix" the internet.

That's not enough, sadly.

Besides disabling JavaScript you can put hosts file blocklists.

Simple corporation block list (e.g. Facebook, Google) https://github.com/jmdugan/blocklists/tree/master/corporatio...

"Someone Who Cares" list http://someonewhocares.org/hosts/

Ultimate Hosts Blacklist: 1 million blocked domains (once in a while you might need to unblock something) and also a bonus known hacking IP blocklist. https://github.com/mitchellkrogza/Ultimate.Hosts.Blacklist

This seems melodramatic for something as trivial as an audio request.

It’s incredibly disrespectful. Nobody wants some random ad listening to their microphone. That they’re trying it anyway indicates that they’re hoping to get some people with browsers that don’t block it, or trick some people into saying yes.

It’s not harmful, as long as you’re not one of the people who gets tricked. But it does indicate that they want to do you harm, and try to. That they failed doesn’t make it all better.

Wait, it was listening in on the microphone too? Doesn’t that break wiretapping laws?

The parent is wrong. It's for fingerprinting your audio pipeline. Trying to record audio would result in a permissions prompt.

My bad! It didn’t even occur to me that this might just be audio output, not input.

It's probably just a mistake and not actually trying to collect anything.

You think it’s hitting the JavaScript microphone API by mistake? How?

It's Google's fingerprinting for tracking you across the web. It won't actually listen to or play anything, it just opens it up to see if it's there.

We have no way of knowing that when a permission alert comes up. The only reason we’d ever allow it is if we were tricked or exploited.

Arbitrary code execution isnt really that trivial.

Arbitrary javascript execution is generally meaningless. Very rarely you'll get a zero-day or something, or maybe a site will use too much battery when focused.

Really? Malicious JavaScript can steal anything you can see and do anything you do. It can steal your passwords, bank account information, or transfer money out of your bank account. It just depends on what kind of page is serving up the arbitrary JavaScript.

But if that page is Stack Overflow, with millions of views, you are collectively wasting tons of power. Granted, you don't pay those bills.

Did you click the link..? It's fingerprinting, not just trying to legitimately play audio.

It's not just audio requests btw. Google regularly serves ads that automatically redirect users to scam sites. A client I work with gets hit with that about every six months. The ads are targeting only mobile users which makes it even harder to debug. There's nothing a publisher can do to prevent this but disabling Google Adsense completely. There is no support from Google. After a few days, a week maybe, Google disables the malicious ad (or they see that the credit card didn't work) and it stops.

It's pretty obvious that the only real fix is to accept money in exchange for putting an image with a hyperlink on your website.

Anything involving javascript will do shenanigans for various reasons. Fingerprinting via any means possible is industry standard ad-network behavior at this point. No one in the industry could imagine doing any less - it's impractical, it's absurd. But targeting! But fraud! But the only fix is to just give it all up, go back to how it was done in the 90s.

I wonder if the top brass at alphabet ever worry that their trillion dollar empire is based on fragile foundations like web audio fingerprinting, etc.

that sure would keep me up at night.

obviously, i know google does more, but it seems like a large chunk of their revenue must be dependent on shady technical tricks like these working.

They realized it was a risk so they built their own browser to have more control. And it worked. Only now, users are wising up and moving to Firefox.

No meaningful fraction of users is moving to Firefox [1] [2]. I wish this was the case, but it sure is not.

[1] https://en.m.wikipedia.org/wiki/Usage_share_of_web_browsers#...

[2] https://netmarketshare.com/browser-market-share.aspx

If Firefox is blocking trackers by default, how will you know if more are using it now?

Is firefox less fingerprintable?

Firefox has been putting a lot of attention to this area. https://blog.mozilla.org/firefox/how-to-block-fingerprinting...

I'm not an expert, but I'm running Firefox Nightly for exactly that reason.


It looks like the related feature is now in the regular release.

What's your user agent like? I would imagine there are not many Nightly users out there.

Still there are a lot of information in your user-agent and metadata (OS version, platform, screen size, timezone, and more).

firefox's charter allows for taking action against the interest of google. Chrome doesn't.

Seems to be, according to the creators of nothingprivate.ml: [1]

[1]: https://github.com/gautamkrishnar/nothing-private/blob/maste...

Not at all. In many ways since firefox has such a smaller market share you are significantly easier to identify than average.

This makes little sense. If the data collection capabilities are more restricted, how would one be easier to identify? Firefox has a significant market share still.

The absence of a data point is still an identifiable data point

Want to advertise a product aimed at digital privacy concerned people? Just push it at those you can not fingerprint..

They don't have to worry because they control the browser too, and so those tricks will continue to work for the foreseeable future.

Which is why one of several things should happen. The first option is that there be legal requirements to adhere to public standards if you are a content distributor. And that any standards compliant client side software be allowed to use the service. In some areas we're in a world where your telephone carrier sells you your telephone, e.g. twitter, apple's imessage, etc.

Other options would be that if you are a content distribution company, e.g. youtube, google, facebook, twitter, instagram, etc. then you cannot have any control of the client side applications that consume the content. Trustbusting would come into play here.

Or legal obligations to follow a user's desire not to be tracked with real criminal fines and jail time applied to executives, managers, and developers who failed to follow the law.

What kind of legal requirement can thwart a multinational corporation? The UN cannot enforce any laws, the only supra-national entity with this power is the EU (see GDPR).

It's easier to just use Firefox with uBlock Origin, Cookie AutoDelete, etc etc.

The kind in which FBI agents show up at the homes of executives, board members, and senior management at 5:00am in the morning with guns and warrants.

Individual legal requirements in each jurisdiction.

They have a pretty big moat around their business.

If you want to buy advertising online you're probably gonna end up dealing with them either directly or indirectly.

the internet is already a shady hack that only usually works

I like the comment on SO: "Deanonymizing via fingerprinting - illegal in EU"

Why is this surprising to anyone? It is clear that ads use tracking mechanisms and cookies and this is no different.

Audio feature detection isn't even a novel techique.

I've seen trackers look at download stream patterns to detect whether or not BBR congestion control is used, I have seen mouse latency based on the difference between mouse ups and downs in double clocks and I have seen speed-of-interaction checks in mouse movements.

Just checking for the constructor of something an ad might legitimately use (like audio) is relatively benign to be honest and it is naive to expect ads to not do this and it is why I use an ad blocker even on sites without annoying ads

One reason it's surprising is that, until recently, SO was particularly resistant to allowing invasive and/or obnoxious ads.

See also the recent decision to allow animated banner ads on various Stack Exchange network sites.

But for code that's supposed to be so smart in trying to fingerprint people without them knowing, calling an API that throws a warning in the browser seems like a really stupid move. Especially since that can be checked through feature detection, which is literally what this code is doing...

And as a fun fact networking timing fingerprinting attacks and work even if you don't have JavaScript enabled and I have been able to make a PoC that was very accurate (I did not release it but I did disclose some bits to relevant parties)

I hope "relevant parties" includes "browser vendors" and not "adtech companies" :)

Which one is Google?

Yes of course, browser and OS vendors.

I don’t get the modern ad stuff, any reasonable person uses an adblocker anyway, because ads are often slow, problematic in terms of privacy and security.

The fact that even people of a big site like stack overflow don’t know where it comes from instantly, is only further proof that using an adblocker is a resonable decision.

Maybe it is naive, but all ads should be in my eyes is a picture and something that counts the page views. And when you are a site that has ads as it’s main income you should have at minimum one employee who knows and tests each ad before it gets accepted and put onto your server.

Only then your customers will trust the ads you use and only then any reasonable person can even consider deactivating the adblocker for your site.

I am pretty sure somebody explored this idea before me, why doesn’t it work?

It works, it just won’t happen because all the structural incentives point to the status quo. Another reason to love our current crop of monopolists...

Has there been any serious thought / discussion about how the cat and mouse chase of the ads vs ad blockers is going to end?

It would be interesting to see where we are in ten years.

There's a passage of Carl Sagan's "Contact" that's on point and interesting to read 34 years later. The billionaire who helps to decode the Message (from outer space) and ends up building the working copy of the Machine made his fortune by selling tools to detect and block ads from television.

There is some discussion of the technical cat-and-mouse game he has to play as advertisers try to make their content avoid detection and blend in with the regular programming. In this version of the future, the ad blockers eventually win and network television is destroyed. (The book also features networked computers and email ("telefax"), but the concept of ads appearing on them was still too futuristic for 1985.)


Adnix and Preachnix were the essence of capitalist entrepreneurship, he argued repeatedly. The point of capitalism was supposed to be providing people with alternatives.

"Well, the _absense_ of advertising is an alternative, I told them. There are huge advertising budgets only when there's no difference between the products. If the products really were different, people would buy the one that's better. Advertising teaches people not to trust their judgment. Advertising teaching people to be stupid. A strong country needs smart people. So Adnix is patriotic. The manufacturers can use some of their advertising budgets to improve their products. The consumer will benefit. Magazines and newspapers and direct mail business will boom, and that'll ease the pain in the ad agencies. I don't see what the problem is."

Adnix, much more than the innumerable libel suits against the original commercial networks, led directly to their demise. For a while there was a small army of unemployed advertising executives...

I feel that it may go the other way: that receiving communication from a source that is supported by ad revenue while knowingly and actively bypassing those same ads will be seen as theft. I fully expect lobbyists to push for this and see some success in the next 10 years.

When people refuse to watch ads, there is theft going on, but it's theft from the advertisers by the media owners. The viewers aren't guilty of anything.

I don't understand your point. If an ad doesn't display, then the content owner doesn't get any money for it.

If it was always possible to detect whether an ad was seen, wouldn't it always be possible to block ad-blockers?

Many sites do.

It's clearly always possible to detect whether an ad was seen. Often, the content owners do not bother putting such measures in place, but the advertisers definitely do. (It's even easier from their perspective to check if the ad has been served or not, as many ad blockers prevent the ad from even downloading by sending all requests to that domain into a black hole and so the ad is never even requested from the server.)

Placing images I have not requested on a display that I own is vandalism.

I agree that the lobbyists will win. I wish we had politicians with some moral character though.

> In this version of the future, the ad blockers eventually win and network television is destroyed.

I love utopian visions of the future.

I think ad blocking is a misnomer. What people are trying to do when blocking ads is prevent marketing people from spying on them. And the performance and resource consumption that comes from that.

Personal opinion: Laws are needed to make what advertisers are doing illegal. Advertisers are spying on people to the extent where if the government did it they'd need a warrant.

I'm only mildly bothered by the tracking, since it seems so inaccurate, but the ads themselves always drive me to adblockers. Taboola were running pictures of rotten teeth for a while which was intolerable; Youtube ads are often louder than the videos.

They may be inaccurate when you actively block trackers but they are surprisingly effective if allowed to do what they want. The whole “I think they’re listening to me” effect is because of how effective these trackers are.

Web tracking data gets combined with your real life digital breadcrumbs collected by the data aggregators. Their profiles of you are extremely accurate.

See, I'm the opposite way. I don't care about seeing ads—it seems only fair, if I'm reading a site without paying for it.

Unfortunately the water hole has been poisoned, so now I have to block it all.

It really depends on the ads, I believe. You can't actually read that page when the ad people go all out. There will be a video playing in the background of the page, there will be animations in content and they will throw in a pop over saying if you really, really, really don't want to save $10.

Yeah, that is a good point. I guess I have unconsciously written off a certain class of website as simply unusable...

I disagree. The tech crowd is using adblockers to prevent spying and resource consumption. But majority of people running adblockers just don't want to see ads.

In most cases, I don’t think it’s ads as concept that’s the problem. If websites only had static ads in the sidebar, I question how many people would bother with ad blockers.

But when ads block content; include flashing animations, audio, and video; and take up more layout space on a site than the actual content; then people have had enough.

No, some of us block ads because we don't want to ever see any ads. Ever. At all.

Are you disagreeing with the person you replied to? Your tone suggests that you are, but the content of your post seems to being agreeing.

I disagree that most people use ad blockers because they “don’t want to see [any] ads.”

Meaning, if advertisers hadn’t built more and more intrusive ads and had stuck with static ads that don’t severely harm the UX, then I doubt most users would bother with ad blockers.

Yeah no one would care about magazine style ads with an ordinary click through link. Especially if clicking resulting something useful instead of being the browsing equivalent of jumping into a dumpster fire.

The advertiser arms race has resulted in a classic tragedy of the commons. That's my diagnosis of the problem. Traditionally regulation is needed to fix that. Exactly what that entails is beyond me.

I think you are misinterpreting the comment you're replying to. It's arguing that people block ads because they dislike seeing the ads they're seeing (as opposed to for privacy or resource usage concerns), not because they dislike all possible ads, which is what you're arguing against.

I don’t think it’s ever going to be so simple that we can bucket all non-tech users together. I occasionally volunteer as IT support for a small non-profit where everyone is non-technical and in many cases old. Their understanding of browsers were:

- Chrome is the fast one.

- IE is the one that have to use for some government/old websites.

- Ad Blockers are for safety (akin to anti-virus).

This was from a group that didn’t even know how to install Chrome on the new computers they got this year.

Group knowledge on this topic is largely going to be driven by what they’ve heard in the news or perpetuated by their social circles. And scary things will stick for long after they stop being true.

That doesn't mean the side-effect of most people avoiding spying at the same time is somehow an unwanted one.

I think most can agree here this level of spying on users is bad. Its sorta like child labor but a lot less obviously bad, in that it is obviously bad, nobody likes it, but there's enough taking advantage of it not being illegal, so its just socially tolerated thing. But once made illegal it will be looked back on like "how the hell did we think that was okay? how the hell did we willingly let it occur?"

I think the reality is more complicated. People sort of suspect being spied on, but it's hidden, not so real. It's abstract so if you ask any reasonable person, they'll say they don't like the spying, but few will take an impairment in function for something they use in order to avoid it because it seems somewhat distant.

Anecdotally, that's the case for me. I've been blocking ads since ~2000 because I don't like ads. It's only more recently that I've really stepped up efforts by not allowing third party scripts, using temporary/multi-account containers, using Decentraleyes, stripping identifiers from query strings, etc.

The sense of being spied on wasn't really what drove me to use an ad blocker. It was the fact that once or twice I got what appeared to be malicious code trying to take over my browser, go to pages I didn't want to go to, and prevent me from leaving, in order to promote some scam. I'm not in fact (even if it's naive) particularly scared of legitimate businesses or the CIA or whatever monitoring me.

I'm doing both. I don't want to be spied on, and there is no room in any sector of my life for corporate propaganda.

and for me, a third reason is that I don't want to be served malware through an ad.

Adsense is just going to start providing content for you to inline into your site.

Kind of like how https://old.reddit.com/r/gaming/ is just a sequence of ads being flawlessly delivered to an ad-averse demographic that eats the ads up.

I find it outright puzzling that CDN edge servers have not morphed into ad splicers yet, that business seems so obvious to me. The closest to a "guessplanation" I can come up with for is not happening is that there might be trust issues (overreporting/underreporting impressions) in the triangle of publisher, ad-network and CDN/ad-splicer. But I'm not convinced at all that this would outweigh the anti add-blocker advantages.

Until now, while most people don't use ad-blockers and browsers have accepted third-party cookies, there's an advantage to loading a resource from another domain, since an ID created and stored by doubleclick.net on site A could be read by doubleclick.net on site B, allowing for cross-domain tracking. As third-party cookies increasingly get blocked, I think we'll see that more and more.

Site-independent cookies, right, that's the big one that would be lost. Thanks.

Seems obvious without thought to me that it’s mostly moot. Very few people will be running machines like we have for the last 30-40 years, most will be on Android/iOS where ad blocking will be minimal.

Savvy users will continue to block on machines that aren’t walled gardens and through pi-hole style blocking.

I think the cat and mouse aspect will be completely overshadowed by tech giants continually neutering their users ability to block ads.

> most will be on Android/iOS where ad blocking will be minimal

Safari on iOS allows for content blocking, and Firefox for Android allows users to install extensions.

Safari on iOS allows limited content blocking. It doesn’t allow ad blocking anywhere else, which is most of the platform.

And, I was referring to the future and trends rather than the current situation. System wide ad blocking used to be possible on iOS without jailbreaking, now it’s not.

I expect in time google will go similar and change android APIs, or play store rules, to do similar.

> It doesn’t allow ad blocking anywhere else, which is most of the platform.

It also works inside apps adopting Safari View Controller.

On android many links are open in a Webview (e.g. opening links on Gmail app) and many ads come through webviews inside apps themselves (e.g. some ads inside the youtube app itself)

You can install hostfile blocking on rooted android devices.

We need a solution that works for the average Joe, rooting devices don't fall in that category.

I guess your parent post should have given it some more thought lol

I'm hoping in 10 years the world will have figured out that allowing arbitrary Turing-complete code to automatically run on one's personal machine is a terrifically terrible idea, and that the World Wide Web will instead orient itself around something that doesn't make security and privacy extraordinarily difficult to achieve (whether that's still HTML/CSS or something entirely new).

At the very least, though, eventually advertising agencies will hopefully figure out that this sort of tracking is pointless; "newspaper-style" ads are more likely to actually engage with the people encountering those ads (since said ads would be selected based on the page content rather than the person reading that content). This is how DuckDuckGo's ads work; the sponsored results are selected entirely by the actual search query. If content-driven ads (plus affiliate links, but I somehow doubt that's enough of DDG's traffic to be a deciding factor here) is enough to pay for enough computational power (and the development team to run it) to serve up 30+ million queries a day, then there's no reason it can't be enough for any other site.

With absolutely no disrespect intended, the hope that we'll forget about the WORA dream is delusional. WORA is inevitable and the Web, for all its flaws (and they are plentiful), is far and away the closest we've ever come. Even on mobile, which was a bit of a setback for the Web as WORA, JS has only been getting better over time. There's just no turning back the clock.

Security-wise, I think the best we can hope for is more and more OS-like sandboxing and isolation, capability-based security, and other defense-in-depth measures.

Privacy-wise, for defeating tracking and the like, ideally I'd hope for technical countermeasures to win the battle, but if we do end up having rely on legal measures, they have my full support, GDPR and CCPA included.

(Random idea for a technical countermeasure against fingerprinting: have you heard of those projects trying to defeat behavioral tracking where, whenever you visit a page, it simultaneously opens a bunch of other random pages in the background, hidden from you, and simulates activity on them, the idea being that Facebook has no idea what actual websites you like to visit because it's lost in the noise? What if instead, whenever you visit a page, your browser or a plugin or a proxy or whatever opened the same page simultaneously in a bunch of hidden background windows, with a random configuration of audio enabled/disabled, user agent, screen resolution etc fingerprinted characteristics?)

> WORA is inevitable

Indeed it is. It is not, however, dependent on running arbitrary Turing-complete code in my browser automatically and without my permission. Write-once-run-anywhere is perfectly possible and feasible under the traditional "download and install this program and run it" model.

I'm optimistic about WebAssembly (on that note) because of its usefulness beyond the browser; like I described in a different comment, it's only a matter of time before we start seeing GUI-enabled WASM runtimes that allow WASM-modules-as-programs to work as desktop or mobile apps indistinguishable from their native (or kinda-native, in the case of Android) counterparts.

> Turing-complete code

You can't build apps without turing complete code. We would be back to downloading and executing applications/programs.

> You can't build apps without turing complete code.

Sure you can. None of these things should require me to run your arbitrary Turing-complete code in my browser:

* Reading an article

* Writing an article

* Shopping online

* Searching for things online

* Reading social media posts/comments

* Submitting social media posts/comments

* Browsing a code repo

* Submitting issues / PRs / etc. to a code repo

* Reading documentation

That (non-exhaustive) category accounts for a solid 80% of everything I do online (and the other 20% are things which I'd rather be doing through native apps). All of these things should be possible (and indeed are possible) entirely with HTML (and optionally CSS) + a server somewhere handling the backend logic. If they're not, then your "app" is over-engineered, or it is indeed better off as something I explicitly download and install, which brings me to...

> We would be back to downloading and executing applications/programs.

Good. That's the direction the mobile world has already been going for a decade now. Native apps actually integrate with the platform. Web pages don't (or at least don't do so well). At least in that situation I'm explicitly "downloading and executing those applications/programs" by my own choice.

We even have things like WebAssembly now, with experiments and effort toward making it usable as a general-purpose compilation target/runtime outside a web browser. No reason why it'd take more than a decade for someone to figure out how to wire a WebAssembly module into some sort of Qt-based (or whatever) runtime + UI and get the best of both worlds.

> Good. That's the direction the mobile world has already been going for a decade now.

I genuinely don't understand this argument at all -- either you understand something about native platforms that I don't, or you're working under the assumption that all of your native apps:

a) aren't already vacuuming your data at the same rate as web apps.

b) wouldn't get considerably worse if they replaced the web ecosystem.

On the first point, native sandboxing is almost universally terrible. There's some promising stuff happening (notably with MacOS and with Flatpak/Wayland) but it's all just playing catch-up to where the web was years ago.

Pick just about any company that maintains both a website and a native version of the same app -- almost universally, the web version is safer to use. Nobody should be installing Facebook, Twitter, or Reddit on their phone. In fact, I would say the single best piece of advice I can give to anyone to improve their privacy/security on their phone is to stop installing things.

On the desktop, the situation is better, mainly because the desktop is very slowly turning into a niche platform and the web is a much more attractive place to put skuzzy, privacy-violating software. But this is a bit like the old argument that MacOS was more secure than Windows because no one was targeting Mac with viruses at the time. Get rid of the web and all of those skuzzy developers you hate aren't going to go away, they're just going to start making native apps. Where, again, the current sandboxing for most users and OSes is completely inadequate.

If your security model on the desktop is, "I'll only run code I trust", you can already do that on the web today. You can already turn off Javascript. And if you don't feel like the modern web-app ecosystem accommodates that decision, then what makes you think a theoretical, purely native world would accommodate you running a small, tight system that only includes code you trust? I can run a beautiful, tight Linux system because I don't have to install much software on it.

The unfortunate, horrible problem, is that running code we don't trust is gonna be necessary, no matter what world we move to. Sandboxing and permission systems are something we are going to have to figure out. Web or not, there is never going to be a world where you'll be able to trust all of the code you run on your computer. And currently, despite the many problems that browsers have, they're still still the best consumer-accessible solution for sandboxing code.

Of course integration and app performance suffers on the web. But frankly, neither of those are more important than sandboxing.

I think there's a bigger point you're missing.

> almost universally, the web version is safer to use. Nobody should be installing Facebook, Twitter, or Reddit on their phone.

Not only is this true, this would be even more true without JavaScript—if those sites were still usable, which they definitely could be, they just choose not to be. (Well, maybe except Facebook Live, but that could be an optional standalone app.)

> you can already do that on the web today. You can already turn off Javascript.

Of course, this isn't really true, precisely because so many websites that could function fine without JS (including things like news sites that should just be static content!) instead choose not to.

Which of course is the real problem with yellowapple's idea. Lots of services cripple their mobile website and push you to install their app instead; if we removed JS from the Web, everyone who could would just start doing the same on desktop too, right? Upstarts trying to maximize growth probably will work great on the Web, but as they get more established they'll start pushing people more and more towards their native apps, and existing established players will do that from Day 1 (of the new, JS-less world), including everyone mentioned so far—Facebook, Twitter, Reddit, GitHub, major news sites, because people will deal with the one-time friction of installing the app in order to access the network or content.

> There's some promising stuff happening (notably with MacOS and with Flatpak/Wayland) but it's all just playing catch-up to where the web was years ago.

And in the proposed 10 years being discussed here, there's no reason to believe locally-installed applications won't have exceeded browser sandboxing capabilities, let alone caught up.

Meanwhile, the web sandbox is actively deteriorating specifically because frontend developers want to do the things locally-installed applications can do.

> Nobody should be installing Facebook, Twitter, or Reddit on their phone.

Not at the current state of native app deployment, no, but that's improving rapidly and substantially, especially in the mobile space. Also: the vast majority of users are doing that anyway, so it's worth investing the time and energy into being able to sandbox apps without needing an entire HTML + CSS + JS engine/stack to do it (and indeed, both Google and Apple have made significant strides on that front in the last 10 years, though there's certainly still room for improvement).

> The unfortunate, horrible problem, is that running code we don't trust is gonna be necessary, no matter what world we move to.

Yes, but at least with a locally-installed app, I'm explicitly opting into that app existing and running on my device. This on its own will at least somewhat cut down on the amount of untrustworthy code running on my system.

Yes, I can do the same thing for a website's JS code (and indeed do so), but it's asinine that I need Javascript enabled to read a blog post or post to social media or do the myriad number of other things that are theoretically and practically possible with server-side processing exclusively.

> Of course integration and app performance suffers on the web. But frankly, neither of those are more important than sandboxing.

No, but sandboxing - again - is a problem that can (and almost certainly will) be solved within the next decade, at which point integration and performance benefits will make local app installation even more attractive than it already is.

> there's no reason to believe locally-installed applications won't have exceeded browser sandboxing capabilities

What? Sure there is!

1. The reason to believe native apps' sandboxing won't exceed the browser is that any sandboxing that works on native apps would also work on the browser app itself.

2. There's also 2 reasons to believe native apps' sandboxing may always be inferior to the browser:

(a) The Web has wider reach, and people are already more confident/careless visiting strange websites than downloading and running strange apps, so exploits targeting the Web are more valuable and therefore more resources are spent battle-testing it.

(b) Native apps currently have deeper access to the device which makes it easier for them to do bad things, and (similar to reason 1) will never have less access to the device than the browser app which is also an app.

(I'm aware there's arguably a slight exception here about Mobile Safari and W^X, but I don't think that disproves the overarching reasoning.)

The more I think about your statement, the more I don't know what you are trying to say. Do you think there is a fundamental difference between software that is precompiled all at once and software that is interpreted or compiled on the fly?

Desktop-wise, I've often thought [evergreen] client-side tools would emerge for content extraction via local [headless] browser automation. It's something I've contemplated building myself.

There is Weboob which might interest you http://weboob.org

Is there an ad blocker that interrupts/blocks your profile (the data that would normally be sent to the ad company), lets you edit/alter it, and allow the resultant profile to be sent to the ad company? As a consumer, I prefer relevant ads to irrelevant ads, and I might even prefer very relevant ads to no ads, but I don't want the ad companies to know stuff about me that isn't okay with me.

Google control most mobile OSes, almost all of the web browser market, and have more or less taken over the web standards process.

They've already won.

Tracking is more than just ads. A website owner wants to know who his visitors are. Where they come from. Which devices they use. Maybe he can support an other language, optimize for other devices, offer deals for a group of customers. But he doesn't want the risk to be fined by GDPR, so he skipps all this. Less optimisation, less/worse contacts - everybody lose.

I don't think most people have an issue with that single sites tracking usage on said site. (Also, much of that can be obtained with server logs.)

This issue is cross domain tracking like we see with ad network that profile you over many different sites.

Neural networks scan the final rendered image of the page for ads and remove them. You can't dodge that.

Sure you can, the same way TV shows have done it - by subtly incorporating it into the text of the article.

At that point I think most people wouldn't care. Nobody is offended because James Bond wears an Omega watch. When it is doing not so subtly then it becomes weird (e.g.: transformers)

I am. I despise that. It's the worst kind of advertising.

I am torn. On one side it is one of the most effective kind short of a direct referral by a friend. I can understand that if you despise the idea of advertising as a whole then it can be seen as manipulation. (Personally I don't mind)

On the other hand I think that it is the one that blends the best and can even have some value. For example I can imagine that people enjoy a car heist movie more if actual cars that exist are being used as opposed to some made up stuff.

In France there are laws against "accidental" advertising so in news and TV almost any brand will be taped over or blurred. It is actually way more jarring and ugly than just leaving it as it is. It is especially funny when you have the logo of national rail company, which is basically a gradient, blurred.

I don't mind it.

In fact, I almost spat out my Coca Cola, I was so surprised that you would think that.

It will always be a game of cat and mouse. Even with Neural networks involved :D.

[0] https://arxiv.org/abs/1412.1897 [1] https://arxiv.org/abs/1710.08864

It's insane to me the extent to which companies will go in order to prevent cross-site scripting attacks.. and yet they're perfectly happy to include unvetted, potentially malicious JavaScript on the same origin in the form of ads.

There is no reason these ads should be anything other than a linked image.

There's something up with my PulseAudio (maybe changing audio output formats?) that means i hear a very loud "pop" when pages try to do this.

e.g. Browsing to an arstechnica.com article, with speakers on but nothing else playing.

How about stop letting remote sites execute arbitrary Javascript on your pages?

A little bit of corporate newspeak (and digging):

Ad URL: https://static.adsafeprotected.com/sca.17.4.95.js

JS Domain: adsafeprotected.com

Domain Owner: Integral Ad Science, Inc[0]

Google's recent stance on the matter of fingerprinting[2]:

>Chrome also announced that it will more aggressively restrict fingerprinting across the web. When a user opts out of third-party tracking, that choice is not an invitation for companies to work around this preference using methods like fingerprinting, which is an opaque tracking technique. Google doesn’t use fingerprinting for ads personalization because it doesn't allow reasonable user control and transparency. Nor do we let others bring fingerprinting data into our advertising products.

The important part being: _Nor do we let others bring fingerprinting data into our advertising products._

The same company advertises their fingerprinting capabilities:

>Browser and Device Analysis: We analyze the technological fingerprints of browsers and devices in order to uncover bots fraudulently posing as human users. We can validate what type of mobile or desktop device a browser is running on, providing additional context with which to identify fraud.

And it is this fingerprinting that gets them selected as a Google Brand Safety and Viewability Preferred Measurement Partner[1]

>New York, NY – Integral Ad Science (IAS) has been selected as a preferred partner in Google’s Measurement Program for both brand safety and viewability. Partners were selected after meeting rigorous standards for accuracy and using reliable methodologies to measure KPIs that matter for marketers. The program is designed to make it easier for advertisers to source trusted, third-party measurement providers.

The gist of it being that Google has heavy cognitive dissonance, with their advertising wing rewarding partners that fingerprint users (against their own policies), and the Chrome team barely managing to introduce some anti-fingerprint measures, which are clearly not enough.

[0]: https://integralads.com/capabilities/ad-fraud/

[1]: https://integralads.com/news/google-selects-ias-brand-safety...

[2]: https://blog.google/products/ads/transparency-choice-and-con...

> Google has heavy cognitive dissonance

Perhaps, but I think some of that behavior only appears dissonant. Like the NSA, Google often uses carefully constructed language that is designed to sound like a statement about a topic of concern without saying anything actually useful. For example:

> Google doesn’t use fingerprinting for ads personalization

The only reason to add "...for ads personalization" is if they are using fingerprinting for for other purposes. This could include other ad-related purposes like attribution.

Google claims about not using specific data for a specific purpose are probsabl7 true. They simply fingerprint (and probably correlate) everything else.

If you don’t use an ad blocker you should expect your browser to behave in strange ways.

If you don’t use an ad blocker you should consider your computer compromised.

It's been known that ads are commonly used to spread viruses / invasive tracking for years. And I've used adblock for almost 10 years!

Honestly, how are still allowed to execute javascript at all?! I get it if the ad-manager still executed javascript, but how is it okay to let random 3rd parties run js on your website?

Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact