Hacker News new | past | comments | ask | show | jobs | submit | page 2 login
Adblocking: How about Nah? (eff.org)
918 points by dredmorbius 55 days ago | hide | past | web | favorite | 533 comments



Remember that the formal name for a web browser is a User Agent.

This metaphor makes it clear that when there is a conflict of interest between you the user and whatever the server on the other side wants, your Agent should act in your interest.


Not when the User Agent is built by the world's largest online advertiser.



That's an agent that serves users to ad networks.

"To Serve Man."


This - so far I have a title, 'The death of User Agent' of an article about how browsers turned from user (my) agents, who represent my best interests on the internet, into corporate agents (which act in best interests of their makers - on my own computer!)


There's some interesting history here of which I'm. only vaguely aware, such as Hewitt's Actor Model:

https://en.wikipedia.org/wiki/Actor_model


Regrettably, nobody bothers to mention that JavaScript is really what's to blame for all of this. If unnecessary use of JavaScript earned the same sort of derision that "best viewed in IE 6" banners did, we wouldn't be where we are today.

That genie is too far gone to put back in the bottle, but that's the real problem with the online advertising 'ecosystem'. JavaScript enabled pop-up ads, it enables tracking, it enables coinminers and other malware.


> JavaScript is really what's to blame for all of this

Along with CSS, cookies, external images and fonts, redirect links, referrer headers, browser caches, and IP addresses that don't change over time and that can be linked to physical locations.

Javascript certainly doesn't have its hands clean, and there have been some frankly stupid decisions in how it was designed -- but stopping dedicated trackers is more complicated than you're making it seem. I don't need Javascript to put a tracking pixel in your email.


> CSS, cookies, external images and fonts, redirect links, referrer headers, browser caches

Aside from CSS and redirect links, all of these features are fairly straightforward. The consequences of disabling the Referer header, for example, are pretty small and easy to understand: you'll stop sending sites information about what links you used to get to them, but some very picky websites that check the header (e.g. image hosts that try to prevent hotlinking) might not work. This means browsers can provide options to let the user choose their preferred balance of privacy, functionality, performance, and "helping us improve your experience".

With JavaScript, on the other hand, it is very difficult for end-users to tell what a given website is doing. Are those hundred kilobytes of minified code a tracking/fingerprinting script, a crypto-miner, or a Hello World app in the UI framework du jour? It's hard for even an experienced developer to know for sure, and it's basically impossible for browsers. Your options are (1) allow everything, (2) use really crummy heuristics like "what domain is this file being served from", or (3) disable JavaScript and give up on using half the websites on the Internet.


I do think most of these things (with the exception of IP addresses and caching) are easier to solve than Javascript. I disagree that they are trivial to solve or that combined, they are substantially less harmful than Javascript. Let me try to sidestep this debate though and focus on the broader problem.

JS has a few stupid design decisions, but the fundamental reason Javascript is hard to run safely is because it's a turing-complete language that exposes a lot of powerful features.

You can argue that the web doesn't need a turing-complete language that exposes a lot of powerful features. Can you argue that phones don't? Can you argue that personal computers don't need that?

All of the tracking that happens on the web right now also happens on mobile phones and desktops. Users have broadly shown that the "only download code you trust" security model doesn't work (see recent articles on both the Android and iOS app store for reference). Even something basic like adblocking on Android is kind of terrible -- the best app I know of is AFWall, and that's maybe half as powerful as something like UMatrix because it's relying on static firewall rules.

You get rid of powerful applications on the web, and users will go back to downloading apps like crazy just so they can order pizza from their phone. Since currently, all of those platforms are pretty terrible for privacy; it is very hard to argue that a world where people could only download native apps would be more private than the world we have now.

We could also keep the web and switch wholesale to a SaaS model for everything, which is broadly bad for consumers, and carries its own privacy risks (there are some computations like password generation that I don't want to be done on a 3rd-party computer). Switching over to using forms and remote computation for everything on the web would also greatly increase the prevalence of 3rd-party cookies, making them much harder to block.

The point I'm getting at is that I don't see a world where Javascript vanishes and privacy gets any better. In fact, it might even have the opposite effect if the deprecation of Javascript means people download more Android apps. Privacy is a really hard, complicated problem and there probably isn't any single solution.


> I don't see a world where Javascript vanishes and privacy gets any better.

If JavaScript vanished, it would accomplish one huge win for privacy: it would split the "reading content and submitting forms" part of the Web out from the "powerful applications" part.

It is cool that you can use JavaScript to build a collaborative 3D modeling program. It might even be better for privacy than a native app. But it is less cool that Facebook and every news site you read gets access to the exact same capabilities and attack surface as the 3D modeling program.

And personally, I think ordering pizza would land on the "content and forms" side of the divide.


Absolutely. What is Javascript? It's andom pages all over the world telling your computer to download code from other random pages all over the world and execute it. Executable data is one of the first no-no-s of security.

A native app collaborative 3D program could be worse for privacy if it were closed source. If it were open source, then no way. For one thing, unlike a Javascripted one, it wouldn't update behind your back. Its code wouldn't be obfuscated, and wouldn't be dynamically pieced together from the four corners of the world.


I think GP is making a reasonable argument about capabilities, and that's something that we should be pushing harder for both on the web and on native. I also think that's something we are actively looking at on the web, we're just looking at it from a feature/platform perspective instead of at a language level.

On the other hand, I don't think the Open Source argument holds at all. This is pushing for something that just isn't going to happen. Now we need to not only get rid of Javascript, we also need to convince Facebook to Open Source its native app?

I run mostly Open Source native apps, but the only way I can do that is because web-apps take the place of many native apps I would otherwise need to install on my phone or computer.

> For one thing, unlike a Javascripted one, it wouldn't update behind your back.

Most people's phone apps are set to auto-update, and most PC apps have the ability to download and execute additional code on the fly. I like to think I run a pretty tight Linux system, but all of my programs have write permissions to their own personal install directories.

It sounds to me like your problem isn't so much Javascript as it is 3rd-party requests/assets and mutable web-pages. These are also interesting problems to talk about, but they're largely unrelated to Javascript. It would maybe be helpful to see the web move more towards a DAT/IPFS model where webpages could be versioned.

On the Javascript side of things, all of this boils down to the security idea the users should only run code that they trust. Users have broadly rejected that idea -- both on the web and on native platforms like phones. They want the ability to safely run untrusted and semi-trusted code.

We can argue over whether that's a reasonable thing for them to ask, but that's the position we're in. The web is trying to figure out how to let you run untrusted code.


No, the law is to blame. Digital surveilance should be considered separate to advertising and should be regulated or made illegal.


JavaScript enables functionality in the same way that cars enable transportation. They aren't the only solution. And there would be far less injury, death, and pollution if we all just didn't use automobiles. The world would be a safer, cleaner place. And a small fraction of people would be happy with it.

JavaScript is the same. We'd have a cleaner, safer web without it. And only a small fraction of people would be happy with that.


If JavaScript is an automobile, HTML/CSS is an electric bike. You can get pretty much wherever you want on an ebike, they're safer than cars, more intuitive, and lighter on natural resources. Nearly everyone knows how to ride one, and there's very few surprises, unlike automobiles which are repackaged in all sorts of odd ways (gas on the left or right, or maybe it's electric, car vs truck vs bus). And all that complexity comes at a cost to both the driver (who knows if the car is spying on you) and the manufacturer (need to keep up with the current trends because reasons).

Sometimes you need a car, but usually an ebike will be more than sufficient. Going on a road trip or doing a large Costco run? You probably want a car. Just picking up some eggs from the grocery store or making a visit to the library? An ebike is probably the best option, and is also likely faster (closer parking, can ride on roads, sidewalks, bike trails, etc).

I use a static site generator for my blog and personal web site, and there's absolutely no JavaScript involved. I use JavaScript with a web framework for webapps because otherwise we would need to build a desktop app, which would limit our reach to those platforms we have the resources to support.

I'm of the opinion that you should use the simplest technology that will get the job done. It's far easier to make a static site secure than a dynamic one. It's far easier for a customer to vet your server-rendered site than your pile of JavaScript (nothing runs locally, so they just vet form actions and HTTP headers).


If only using JavaScript required a license to operate and came with a set of rules enforced by fines and jail time :)

If every browser had done the sane thing from day 1 (no third-party scripts and no cross-domain communication) we wouldn't be in the mess we're in. Sites could still use all the power that comes with scripting, ad networks just wouldn't be feasible.


Sites would collect the data with first-party scripts and tunnel through their own servers to ad peddlers.


That's fine. Now the first-party and ad peddlers have to work with and trust each other instead of using my machine, my ignorance and my disinterest in their dealings as an intermediary.


> The world would be a safer, cleaner place. And a small fraction of people would be happy with it.

You might be missing how expectations change after the introduction of a technology. I wouldn’t guess that people would be unhappy about not having cars before the car was even invented.


JavaScript enabled pop-up ads, it enables tracking, it enables coinminers and other malware

Isn’t this like saying atoms are to blame for nuclear warfare? Atoms enabled nuclear weapons?


Yes, if the world had functioned just fine without atoms, and then atoms were invented and foisted on everyone for little gain.


JavaScript isn't from nature. It could have been designed so that it didn't enable those things, but it wasn't. It's probably more accurate to say the ability browsers grant JavaScript is to blame, but that's just splitting atoms.


It's not possible for a system that can communicate remotely to prevent tracking on some level by using unique IDs and fingerprinting even without JS. It's also not possible to have a programming language that can't also be used as a coin miner, it's just a CPU based operation and there's no way to discriminate between user desired computation and exploitative computation. Your point about pop up ads is valid in that JS does not need to be able to influence the state of the browser in that way, this is the only example that crosses outside of the sandbox.


I really, really want to see someone write a coin-miner using only HTML and CSS.


> It's also not possible to have a programming language that can't also be used as a coin miner

It's certainly possible.


Agree. I no longer use an ad-blocker, and haven't for some time. Especially so since CSS took over.

Originally I used NoScript (and Firefox 'View>Page Style>No Style'), now I just tend to use uMatrix, with appropriate media types disabled.

It makes for a faster, and easier to read web, where I still see the occasional ad, but once configured, usually not.

I'd guess that use with Javascript disabled seems to be accepted in part due to Safari on iOS supporing it - possibly it was the default (I can't remember).


Hence my use of NoScript

https://en.wikipedia.org/wiki/NoScript


It's crazy Steve Gibson (of all people) calls this too impractical to use.

If you're a total tech-novice, sure, but as a power user it's fine. I'm blocking ycombinator.com right now. I can still submit this. If something doesn't work, just click the icon and trust its domain. If pictures don't show, trust a CDN. Amazon, Paypal, 99% of sites work with an initial adjustment of trust settings.


The percentage of sites that function without JavaScript enabled is decreasing over time.

Things like React are accelerating that curve. Even for sites that could function without it, they are throwing up hands with "welp, they can't disable it anyway because other sites...so let's not test that use case anymore."

I don't like it, but it is what it is. Technical people aren't going to drive the decision to work without JS. In the end, it's a cost decision, with the usual PHB[1] outcomes.

[1] https://www.urbandictionary.com/define.php?term=PHB


You can often enable it for the site, but block the doubleclick et al tracking scripts. It's not all or nothing.


Steve Gibson is ... well, he used Windows XP until fairly recently. He's not some one you should take advice from.

I used noscript until Firefox changed to the new web API and noscript stopped working briefly. I switched to ublock origin in medium mode and haven't looked back. More compatible and practical nowadays.


If you blanket trust a CDN, doesn't this allow bad actors to still send JS to your browser? Anyone could use that CDN.

I found uMatrix easier to use and more configurable than NoScript.


You're being downvoted of course, BUT whilst JavaScript wasn't created for all this, and itself isn't to blame, the fact that big corporations have pushed the technology forward I think is telling. At the end of the day what do Google (and others) really want? What do they have to gain with all the technology they are using, enhancing, improving?


I would like to create something new.

Something like the unholy child of RSS Feeds / Podcasts / NNTP / Email / Pub-Sub / Gopher / Google Reader

A new language (or two complementary languages) separating content and presentation, limited, possibly not Turing-complete but expressive. Specifically less powerful than modern web browsers.


What if the Web were filesystem accessible?

https://old.reddit.com/r/dredmorbius/comments/6bgowu/what_if...


In other words, you can build any program with a Turing-complete language.


But you can't build a pop-up if you don't have access to create new windows, yet you can still be turing complete. For example, WASM is Turing complete, but it can't create popup windows because it has no access to the DOM.

I think JavaScript should have to request access to use browser APIs, and you should be able to disable access to any of all of them. For example, I should be about to disable:

- network access (disables adding script tags, XMLHttpRequest, fetch) - 2d canvas access - 3d canvas access - WASM

And so on, just like mobile apps, but perhaps more granular. The app should also be able to put a note as to why it needs each specific feature.


That would be a usability nightmare.


Being Turing-complete seems a bit overkill for a hyperlinked document platform.


Yes! All the replies here are missing the point completely. It’s not that JavaScript is somehow uniquely bad among programming languages. It’s that the entire idea of putting a general purpose programming language into the system was a bad idea.

99% of my web browsing shouldn’t need it. Every site I visit uses it, but almost all of them could be built just fine without it.


The web has long-ago graduated beyond just serving up documents, and having a capable language and platform was key in enabling it.

There are downsides to everything, but we cant dismiss that positives that came from it.


The problem is that document delivery is still the main function, but the platform wants to be a fully capable app platform.

Yes, it’s great that the web is capable of stuff like Google Docs. But all those capabilities are actually liabilities when it’s a news site.


It is a fully capable platform. How it's used isn't a fault of the platform though. It seems user-agents and adblockers are applying the proper protections, just like how antivirus works on your desktop.


But nobody whines about antivirus and begs you (and the government) to disable it, so they can sell you.


Well the difference is ads and malware are not the same thing, but they use the same vectors. The comparison would be more like removing DRM protections vs using antivirus.


wait for WebAssembly to be ubiquitous in the browser. Another turing complete language, but faster and smaller.


In practice it will be slower and bigger. Everybody will be just compiling entire C++ frameworks to wasm. A web app needs to do something with images? Here is the entire ffmpeg compiled to wasm. Need a single widget from Qt? Here is the entire Qt compiled to wasm. I'm pretty sure nobody is going to carefully refactor existing C++ libs to select only the subset of features needed for web.


Flash shares a lot of the original blame.


I've been blocking ads ever since I learned that I could stop seeing DoubleClick ads by blocking their domain in /etc/hosts.

I won't ever apologize for doing so. As far as I'm concerned, any advertisement that depends on JavaScript is malware, and I think that my right to protect myself online outweighs the need of publishers to turn a profit.

IMO, profits are like respect. They must be earned, and if the only way you can turn a profit is by spying on people then maybe you shouldn't be in business in the first place. If the only way you can get me to use your product is by giving it away and selling my data, then maybe your product shouldn't exist?

As far as I'm concerned, the data I generate by using a search engine should be treated with the same care as my medical records. It should not be mined or traded. It should not be kept longer than 30 days.

And if that breaks the internet, so be it. You brought this on yourselves.


Best way to block ads in 2019?


Adguard on desktop and Android. Globally blocks all ads across browsers and apps (except embedded ads like IG and Twitter). Truly magical and worth every penny.


Are you asking about blocking ads on a smartphone? Or on a desktop/laptop? The answer depends on your platform, you see.


Both?


Blokada on Android + PiHole on wifi. In the really occasional instances where I'm away from wifi and Blokada is down, it's night and day.


On iphone, Perfect Browser. Easily the most configurable and best browser at adblocking.


iOS: https://apps.apple.com/cz/app/dnscloak-secure-dns-client/id1...

Why Dnscloak: doesn't route your traffic through a third party with dubious motivations.


In the browser: ublock origin

On the whole network: pi-hole


The great thing about getting older for me is realising that nothing is indispensable. Everything eventually ends, we move on with our lives and do something else.

So sure: maybe someday un-adblockable content will be a thing. Do I care about that content? Turns out maybe I'll just walk away entirely. The internet has a lot of utterly ad-ridden services with far too high an opinion of how important they really are.


There is so much content. Great content, too. The miracle of over 100 years of mass media recording tech. And, you know, 4000ish years of written word records and storytelling. Ad-supported web trash is mostly just a distraction from better things that can be had used for just a little money, or checked out from a library. My life'd probably improve if it all went away (Web would have a better wheat/chaff ratio, I'd be less distracted by junk).

So sure, make your sites, services, and content so annoying that I stop using them, and close copying loopholes, somehow. Or ban spyvertising and let it all go down in the flames of the prophesied ad-pocalypse. I really don't care a bit either way.


I absolutely agree. Every now and then I open up a link that and me too disable my adblocker and if I can't bypass it in <5s I just close the tab and move on.

There is very little on the internet that is completely unique and of interest to me. If you try to put up a barrier to your content I will go somewhere else almost every time.


Firefox offers blocking you from "third-party tracking cookies" by default, so if you are concerned - make the switch.

https://blog.mozilla.org/blog/2019/06/04/firefox-now-availab...


Safari also does this with their Intelligent Tracking Prevention (ITP).


It's simply better to go to the options of your browser and disable third-party cookies altogether. And at that point why not keep using Chrome, which is faster, heh


Chrome isn't faster anymore in my experience. FF has made great advances in performance.


How is that still a debate?

I often use firefox reader mode just because websites use custom fonts, and to remove all the clutter, even when there is no ads.

Also, it won't be long until reddit is sued and must remove comments where people copy-paste the entire article because of pay walls and ad blockers. Same for outline. I guess website will start findings ways to prevent copy pasting, and maybe someone will create some app that just let their users browse a PNG rendering of websites.

It's almost as if normal newspapers might be considered a good alternative.


I think Reddit is largely protected from being sued (in the US) for copyright infringement in comments/submissions as long as they comply with valid DMCA notices. But yeah, that involves removing the content.


> I guess website will start findings ways to prevent copy pasting

This is already a thing in some places. I wanted to use a table of data I found on a website but found I couldn't copy and paste it into excel. Instead I downloaded the webpage and parsed it to extract the table and rebuild it manually.


A huge part of advertising is getting users to feel that they can trust in a product or service enough to spend their money on it. Spend a bit of time watching TV commercials and see how many methods of establishing trust you can spot.

This is why the way web ads are served is utterly farcical. How can you build a person's trust by invading their privacy in a hundred different ways just so you can be sure the ads they're seeing are a little bit more targeted than what's on TV?

People often say that they would be happy to have reasonable ads that don't interfere with website function and which respect their privacy, but it's been so bad for so long that it would likely be very difficult for an ethical, privacy respecting ad service to get off the ground. Many people have been burned too many times to believe and unblock such an ad service. EME shows that there is no interest in even trying this approach. They're just going to continue escalating the arms war.

They're going to lose.

Companies advertising on the internet need to wake up to the fact you can't support a war against the privacy of your potential customer base and expect them to trust you. Yes, you've dug quite the hole for yourselves over the last couple of decades. Why keep digging?


I'm amazed that all the interested parties haven't got together to flesh out a microtransaction standard. The whole ad-blocking debate would be moot if we could pay a few cents to read an article free of distracting ads. If you choose not to pay, you get the ads and don't get to complain about ad-blocker-blockers because you were offered an alternative.

I know it has been attempted in the past with little success, but all those attempts were just companies going it alone and hoping for the best. If the W3C, browser makers, banks and publishers all got together a standard could be developed. Something that would be core to web standards. It wouldn't be easy, but it would solve a lot of problems.


Micropayments is simply the wrong model for numerous reasons.

I've written on this several times:

https://old.reddit.com/r/dredmorbius/search?q=micropayments&...

Nick Szabo, Clay Shirky, and Andrew Odlyzko far more ably:

http://szabo.best.vwh.net/micropayments.html

http://www.shirky.com/writings/fame_vs_fortune.html

http://www.dtc.umn.edu/~odlyzko/doc/case.against.micropaymen... (PDF)

A vastly more sensible option: a means-based, universal fee (a/k/a tax) and payments to creators based on both UBI and quality + access distributions -- a universal content syndication mechanism:

https://old.reddit.com/r/dredmorbius/comments/1uotb3/a_modes...

$100 per person per year from the world's richest 1 billion inhabitants would match all present publishing income, and present ad spend. Truth is we're already paying for the content, we're just not getting it.


> The whole ad-blocking debate would be moot if we could pay a few cents to read an article free of distracting ads.

It would not. You're worth more to the advertisers than a few cents, so even if you and everyone else chipped in, many ad-supported sites would see their revenue plummet, and close their doors. Consumers spend a lot of money buying things, from groceries to appliances, and a percentage of each of those sales goes to the ad budget to steer that buying. Unless everything in every store got a few percent cheaper, consumers literally don't have the money to distribute to the websites at anywhere near the level advertisers pay. Every single American would have to pay Facebook $15-20 per month to match the advertising revenue Facebook generates per user, not a few cents. The cost of using Google's services would be similar to a cable or cell phone bill, assuming every single person that uses them continues to and signs up for that bill.


It's been tried countless times. We tried as well: https://news.ycombinator.com/item?id=19038540

The issue isn't the payment tech, it's human behavior. People don't want to or can't pay for all the content they consume.


I don't think this is down to human behavior. Some content has zero or negative value.


Who gets to judge the value of content? And how can it have "negative value"?

Regardless, the action of consuming the content itself means that it has inherent value. I believe whether it's worth it is a decision for the user instead of dictated by someone else.


> Who gets to judge the value of content?

The user. That’s the context – the user deciding who gets their money.

> And how can it have "negative value"?

Zero value, plus the time it took to find out that it had zero value.

> Regardless, the action of consuming the content itself means that it has inherent value.

Not really.


I believe that's what I said, but to be clear: yes it should be up the individual, however if you look at most people's actions then their demand and willing consumption of content does not align with what they can or will pay for.

For example, blocking ads (even though most know that is the trade-off for the content) instead of refusing to visit the site. If the content has no value, why visit the site at all? Surely not ever pageview has zero value?


We tried compensating users for every ad they see, using a browser extension (ClearCoin), but Google took it off the Chrome Web Store because extensions have to have a single purpose; ad blocking & replacing is apparently two purposes. Maybe they just didn't like us.


I'm browser crypto mining. There's a direct link between the time a user is engaged, and the amount of money a publisher earns.

The relationship is direct between reader and publisher; making quality content becomes important again, there's no adoption friction, and ad networks become a thing of the past.

It's no wonder Google blocked browser mining quick-smart.. it had the potential to bring down the entire house of cards.


Stop spreading this nonsense.


What part of his comment is nonsense?


I'd say the part where it is ignored that I don't want websites to drain my laptop battery? :)


I think there is middle ground: * Browser imposed intelligent CPU limits * User Preference: Don't want mining? You'll see ads instead.

The reality of humanity is that people operate via incentive. The internet is no different - publishers are incentivised by money. There must be a mechanism to provide that - today's interpretation is increasingly aggressive advertising, which makes noone but the advertisers happy.

Crypto-mining provides an incentive for publishers to invest in their content, knowing they will be duly rewarded, without a middle-man. Users know that they are providing revenue to publishers simply by the act of viewing content.

It has the potential to be empowering for everyone involved.

However, to riposte as glibly as you did: If you don't feel like compensating a publisher for their content, they may not feel like serving it to you. It's lose-lose for everyone. What do you propose, then?


Something is different in the arms race this time.

Browser development is almost exclusively funded by advertising. Chrome, in the obvious way. Mozilla is funded entirely by Google. Safari is the only surviving exception.


And ironically Safari has the worst adblocking capability of the 3. Open source is the only effective weapon against corporate control of software.


Safari's (Webkit's) declarative adblocker is really good while optimizing for performance and battery life.

Have you tried 1Blocker X?

Though, for fun, I've rolled my own Safari extension for content blocking. You get 90%+ of the way just concatenating lists of ad domains and feeding them into the blocker. But, for example, you can encode all of Easylist as content-blocker rules.


Chrome is now moving to a declarative model and it is widely considered to be a downgrade purposely meant to stifle ad-blocking technology.

I think the ideal system would support declarative and non-declarative modes (since a fully declarative system could never account for every possible use case).


I can see that given the choice between declarative rules vs. a "onRequest(req)" handler, almost every developer would just opt for the latter because it's more general and open-ended.

And there's no pressure from users to choose the more restrictive but performant option because people basically have zero insight into what's killing their battery, much less which competitor is better in that regard.

Given the gulf between Safari vs Chrome battery performance, I'm not all that convinced that the declarative api is pure downside like HN cynicism and Twitter outrage might suggest.

I can agree that it would be nice to have competing implementations, but that's just the result of browsers being so complex that once your hobby horse feature is removed from one, you basically have nowhere to turn.


> Given the gulf between Safari vs Chrome battery performance, I'm not all that convinced that the declarative api is pure downside like HN cynicism and Twitter outrage might suggest.

Safari was already beating Chrome on battery life before its extension API was neutered. This is post hoc revisionist rationalization.


So obviously the correct response from the Chrome team is to continue avoiding an approach that is known to save battery life /s


To clarify: Safari was already beating Chrome on battery life before _Safari's_ extension API was neutered.


What's your point? That Chrome now can't adopt Safari's extension API to save battery life because...? Improving Chrome's battery life by adopting a simpler extension API helps close the gap. That's a significant benefit whether or not Safari did it first or whether Chrome still has room for improvement.


The grandparent was implying that Safari's better battery life justifies their decision to use the declarative API. But that was already the case before they adopted the declarative API, so it's not obvious that the declarative API has anything to do with that success. Maybe it's just a minor improvement, or maybe it isn't an improvement at all.


I'm not sure how you could make that argument and ignore the fact that the declarative API is technically simpler and its battery benefits are apparent from that aspect alone.


It's not apparent that the benefits are significant in any way. They could be minuscule and therefore not worth sacrificing important user experience features like adblocking over.

It could also be that because of the reduced expressiveness of the adblocker, more ads are missed, and you might therefore end up with a net increase in the amount of code that has to be executed by the browser. So the declarative API could actually lead to a performance decrease in practice.


The Chrome team has already evaluated the change and explain why the benefits are not miniscule [1]:

> In addition to these safety concerns, there are also significant performance costs. In most cases, these costs are not from the evaluation of the extension script processing events, but rather from everything else coordinating the script. That overall performance impact can be very large, even for an extension written as performantly as possible where the JavaScript execution time is negligible.

> As it’s designed today, the blocking version of the Web Request API requires a persistent, long-running process, and is fundamentally incompatible with “lazy” processes - processes that can be set up or torn down as-needed, conserving valuable system resources. There are also significant costs associated with the serialization of the request data, the inter-process communication needed to send that data to the extensions, and the processing of extension responses.

You are free to dismiss the writeup as lies, of course. You're also free to handwave it away by saying "well I don't like the trade-off". But you can't discuss this as if the benefits are not apparent.

[1] https://blog.chromium.org/2019/06/web-request-and-declarativ...


This blog post is highly misleading. For example, they start off with several paragraphs about security/privacy implications, but this change doesn't have any security/privacy implications. That's because they have explicitly stated that they will not deprecate the observational webRequest API, which has exactly the same privacy considerations as the content blocking API. However because the observational API provides "important functionality for which there is no alternative" (to their tracking business), it will not be deprecated. But the content blocking API which also provides important functionality for which there is no alternative (but hinders their advertising business) is being deprecated.

Furthermore here you can see a tweet from Justin Schuh, lead of security and privacy on Google Chrome, where he claims that the "sole motivation is correcting privacy and security deficiencies" (which I just debunked as being a possibility), not performance: https://twitter.com/justinschuh/status/1134092257190064128

So between Justin Schuh and Simeon Vincent (author of the post you linked), who is lying? It must be at least one of them.

But let's ignore the misleading claims about security/privacy and just focus on the performance issue.

In this post, they include absolutely no numbers or measurements of the performance effects of using the content blocking API. They give some explanation of what is technically required to implement each approach, and certainly the declarative API is a simpler approach, but you made that point already. And I responded to it. Just because the API is "obviously simpler" doesn't mean the performance advantage is in any way significant, and could even be outweighed by the increased ad load due to the less powerful API. It's just not at all obvious from what they are saying here that the change is worth compromising user functionality over.

If you want a source with actual measurements, you should check the Ghostery team's response to the manifest v3 changes: https://whotracks.me/blog/adblockers_performance_study.html

Here are some highlights:

> All content-blockers except DuckDuckGo have sub-millisecond median decision time per request.

> Time to Process a Request in Ghostery (median): 0.007 ms

> Loading Ghostery's Blocking Engine (from cache): 0.03 ms

> Memory Consumption of Ghostery's Blocking Engine (at startup, in Chrome): 1.8 MB

Note that last one: 1.8 MB memory consumption. And they're arguing that we need to be "setting up and tearing down this component as needed" to conserve that "valuable" 1.8 MB. Nonsense.


None of this is particularly convincing.

> That's because they have explicitly stated that they will not deprecate the observational webRequest API, which has exactly the same privacy considerations as the content blocking API.

It's still a substantial improvement if popular extensions that don't need to use observational webRequest (ie. content blockers) no longer use this more expensive method. It's a leap of logic to suggest that supporting observational webRequest means that the simpler content blocking API has no benefit.

> Furthermore here you can see a tweet from Justin Schuh, lead of security and privacy on Google Chrome, where he claims that the "sole motivation is correcting privacy and security deficiencies" (which I just debunked as being a possibility), not performance (...) So between Justin Schuh and Simeon Vincent (author of the post you linked), who is lying? It must be at least one of them.

Neither. The change may be motivated by privacy and security but as Simeon Vincent explains, it also has substantial performance benefits. I'm not sure how you logically leap to the conclusion of "this has no performance benefits" from "we did this for privacy/security reasons".

It's also extremely misleading to compare the performance of a content-blocked site to internal browser performance. You know what has the best overall performance? An extension that blocks the whole page; 0ms speed, the best performance, almost zero battery drain, except that this hypothetical extension consumes substantial resources on its own. But hey, the 0ms page speed makes up for it. It'd be pretty silly for the Chrome team to base their decisions on the performance of rendering an incomplete webpage depending on both random extension makers and random website creators.

> Note that last one: 1.8 MB memory consumption. And they're arguing that we need to be "setting up and tearing down this component as needed" to conserve that "valuable" 1.8 MB.

Ghostery is only one extension among them, and all the adblocking extensions in that performance study ran a pre-pruned set of EasyList rules when popular adblockers run more rules in practice.


Static blacklists versus live heuristics is a pretty obvious compromise, and prone to lose in the long term arms race. That's exactly why Chrome proposed manifest V3...which is basically implementing Safari rules.


It could be a good feature for Mozilla to be the best privacy protector. Firefox used to be the fastest, if they can be fast and the most private, they might be able to regain some mindshare and maybe market share. There’s just the problem of most of the funding coming from Google.


Right and also encrypted media extensions are a new development.

I think the solution is a new web protocol that does not require an OS in a box (browser). It will be supported by decentralized (mostly p2p) protocols. It probably will not have any JavaScript.


Just another few thoughts on this: this new browser could support a much more limited and high performance default protocol. For example, markdown. Media and applications could be attached to links, but carefully controlled -- for example only displaying or loading media and applications when the user switches to that tab and launches them.

Attached applications could be web assembly with I/O abilities such as a simple canvas-like UI.

If you can find or create a suitable and high performance p2p system (or group of systems) for enabling people to load and publish these lightweight links, you could provide a useful and viable alternative to the traditional web that would be approachable by small development teams.

Built in p2p search could be a killer feature for such a system.

EDIT: made a github for it and submitted to HN https://news.ycombinator.com/item?id=20544892


(Too late to edit: The bit about Firefox revenue should read 'almost entirely' -- they have some negligible revenue streams, but the vast majority of income is dependent on Google)


Chrome deprecating the most useful adblocking apis is a pretty strong shot across the bow signal. (manifest V3 if you haven't heard)


There is also “Brave” but that seems to be a Crome clone.


Any "browser" without its own engine isn't really relevant here, as 95% of their product is being maintained by a third party. This includes Brave, Opera, Gnome Web, and now even Edge.

(I'm admittedly not sure how I'd classify stuff like Pale Moon, which is primarily based off someone else's engine but now backports its own patches.)


But isn't it? Google Chrome is trying to reduce ad blocking by changing webRequest API, but others that use the same engine can simply undo that change.


I think there's more involved than simply undoing a change. Apart from the obvious tedium of chasing upstream code changes, the extensions themselves have to be installed from a willing (and trusted) repository. The chrome web store can omit extensions that use an API in an unsupported way.

Brave already integrates ad-blocking at a lower level than the webRequest API, so this is less of an issue, but you sacrifice your choice in blocker.

https://brave.com/improved-ad-blocker-performance/

The recent Chromium’s Manifest v3 controversy around the overheads of the various extensions using the WebRequest API to inspect and potentially block undesired requests did not affect Brave as requests are processed natively, deep within the browser’s network stack.


If we're thinking of traditional ad blockers, I can see where you're coming from. But really, I don't think that's in danger. There will always be forks, or binary patches, not to mention router/DNS level solutions.

What I find much more scary is the prospect of the entire web stack becoming much more locked down as a consequence of both (1) ad blocker prevention and (2) the consolidated browser market. Think Encrypted Media Extensions, but for everything.

If there were ten browsers in active use today, getting them all to agree to something like this would be almost impossible. Unfortunately, there's only 2–3 browsers, and if Firefox loses any more marketshare...


> Mozilla is funded entirely by Google.

Do you have a source for that?


There isn't a source, because Mozilla doesn't break it down. They just say that they get almost all their revenue from "search royalty payments", and their two biggest deals are with Google and Baidu. You just have to guess how much comes from Google (90% market share worldwide) vs Baidu (the biggest search engine in China, which is also the largest single internet market but not as well funded as the US market).


https://www.mozilla.org/en-US/foundation/annualreport/2016/

> Mozilla Foundation philanthropic programs and activities are funded by public support from individual donors and foundations ($13.8M), as well as from royalties earned that are paid by the Mozilla Corporation ($8.3M). Total revenue and income support to the Mozilla Foundation in CY 2016 was $23.4M.

> The majority of Mozilla Corporation’s revenue is from royalties earned through Firefox web browser search partnerships and distribution deals around the world. Mozilla Corporation’s revenue and income support for CY 2016 was $506M

https://www.computerworld.com/article/2500712/google-to-pay-...

> Google to pay Mozilla $300M yearly in new search deal, says report



I've been browsing with EME disabled for years, most stuff still works, I just leave sites that don't. If I accidentally hit a site with EME too much, I add the domain to my link block list so I never see links to them ever again. If most people would get on board with that for just a year, it could sway the industry to stop using it.


Same experience for me with sites that try to pull off GDPR shenanigans. If you don’t make it easy for me I just close the site and never return, and let’s be honest, my life is better for it. The more hostile the web becomes the more likely I am to go for a walk in the park instead. Fine by me, really.


For anyone else wondering, EME is Encrypted Media Extensions, browser DRM.


At the end he mentions EME (encrypted media extensions) which may be the real front in the war. Actually the browser and video market consolidation with EME could really slant the odds in the advertisers favor because and Google and Netflix can make it really hard for people.

Eventually we may make a hard break from the old internet into a new one. I'm looking for practical and scalable cryptocurrency and smart contract solutions to become popular. After that you may see a new type of browser protocol that does not have a full operating system in it and can be implemented by mere mortals. It might depend on one or more decentralized protocols such as IPFS or dat or even one of the many less popular academic content-oriented-networking systems. There is a strong possibility it will not have any JavaScript.


In the end, it's an arms race, and I don't think either side is giving up on it anytime soon. The only thing that concerns me is that one side has way too much money, while the other side has way too much time.

Let's see who wins.


There is no winner here. Its Whac-A-Mole. Ad companies try some kind of new technique to stop their ads from being blocked.

Users innovate new ways to block them. Its a never ending cycle.


the point of the article is that the wars is over.

money won by enlisting the corrupt law makers. from now on, content will have DRM (e.g. netflix) and if any adblocker even tries to touch it, the creators can be jailed.

now if you want to create/contribute an adblock, besides time, you must have impeccable opSec or also be willing to do time in jail.


Why hasn't google used this on youtube?


No idea - if you are a publisher AND the ad network, why not just serve ads from first party domain, indistinguishable from content?


IMO this war will lead to greater consolidation on publisher side. If only FB/Google are left with ability to make money of the web, we'll be left with hobbyist who do it for free or super platforms.

Right now Verge created a wordpress website put google ads on it and can afford a team to right some content. If all third party ads are blocked option left would be `paid content` or go to Google/FB platform to publish wherein you'll have lesser control but more revenue as all ads are first party.


I can't use most of the sites at work because of ads and I can't install an adblocker because it would have access to corp data. When I search for something related to work, I know that most of the sites would display inappropriate junk on half screen with my colleagues probably watching behind. The solution I use us to search on stackoverflow only, but it too displays some garbage, and I have to scroll the page so the ads won't be in view. It's a hilarious situation.


Have you thought about forking/compiling ublock origin and loading it yourself?


Google and other ad businesses need to create "AMP for ads". Ads should allow only basic HTML elements without javascript. Figure out a way to track only what's really necessary, maybe even get allowed tracking level set by user in browser settings (an improved version of Do Not Track). That might be even used to check if user agrees to have cookies set. It should solve the annoying cookie banners issue too. Finally, let's add option for user to select "text only" mode for ads to keep additional downloaded data to minimum and maybe even make ads accessible. Update: And, of course, after a quick search I find that AMP for Ads is an actual product from Google https://amp.dev/about/ads/ Sorry for not researching before commenting.


> Google and other ad businesses need to create "AMP for ads".

Is that not what Google Ads is?


No, Google Adsense allows javascript so advertisers can fingerprint and track the user's browser. Occasionally, some advertiser will drop the charade and just set top.location="https://example.com/" and, after too many user/publisher complaints and a few days, Google will manually block them.


I never click on ads. Never ever. I get that every ad doesn't need to be clicked e.g. videos that mindlessly show you a product. But atleast there is no direct feedback going back on those in terms of ad placement effectiveness/click-rate etc. They can keep burning their money showing ads - I just won't provide them any feedback on whether/where their money was wasted vs well spent. Also the best way to kill them is for lesser and lesser people to click on them.


Click frauders will always ensure a steady stream of 'conversions'.


What I find interesting about this post is that it only talks about blocking ads but not about how to replace them as a source of revenue for websites.

I actually do pay for some websites, including for not seeing ads on Youtube (with mixed results now that ads are just baked in the video, when the entirety of the video itself is not an ad) and I want an easy way to do so : I want to be able to access the content I want while its creator gets paid.

So far, ads have been a successful way to do micro payments (the only ?).

Instead of waging this increasing war between ads and ad blockers, I would rather see organizations that try to find a better solution (with privacy somewhere at the top of the checklist).


Ads are forbidden on my network. I'm running a strong pihole that forbid advertising domains, obnoxious tracking and well known malware sites. Sponsored search results do not work and some websites are inaccessible, but it's fine, we don't need them. Ads are "The Great Evil" I will teach my children to fight, in all their forms, before drugs and alcohol.

If you are running an ad-dependant website and struggle to make money as a result of the campaign people like me are running, then you'll have to adapt. If you fail to adapt and your website closes, it's fine : as a society, we didn't need your services.


Podcast ads are usually read by podcasters themseleves they don't track nobody sometimes they are even funny and if they are not to long, I don't skip them. So they are great example how all ads should be made.


Advertisements are one thing but most of these "ads" are actually gathering more info than they advertise. JavaScript trackers are just awful if you care about privacy, which I do. It's pi-hole and no-script all the way for me until they stop with this rubbish.

Targeted ads are another kind of problem. I don't really want to be told or suggested what I should or could buy, I can make up my own mind. I know some people don't mind them and that's fine.

In all honesty I preferred the annoying pop ups.


I block ads because I don't want my computers to be hijacked, and sites that sell ads do not do proper due diligence in protecting the public from hostile advertisers.


It's somewhat ironic that this page contains the most impressive procession of banner ads that I've seen in a long while. And almost all of them keep changing every thirty seconds or so. Apparently I've been successful in systematically avoiding sites that would torture me like that. They may succeed once but only at the price that they won't see me again.


I can't even tell; I'm using an ad blocker.


+1. I seem to have lost mine. I should really go and get a new one.


Use uBlock Origin, not any of those top search result Google sponsored AdBlock plus or Ghostery (which is owned by an ad company)


The EFF site is full of ads on your machine?!? That doesn’t sound right (and disabling ad block doesn’t cause it to serve any to me, unless you count the mailing list signup form after the article).

I’d guess that you are looking at a different page or your machine is compromised.


Originally the post was linking to boingboing.net, only later it was changed to EFF.


I'd submitted the BoingBoing version of this initially.


OP -- I realised the article was served from EFF as well only. after submitting the Boing Boing version. HN's mods edited the link, thankfully.


I don't block ads or set up adblockers for customers and family members because I object to ads. I do it because it significantly cuts down on the number of potential attacks on systems.

Between malicious code ending up on ad networks and ads that take people to malicious sites, it only makes sense to block connections to things that are not actually needed for the display of pages. Most people who get a take-over-the-screen "We are Mikrosoft and have discovred that your computer infected call us helpful people at Mikrosoft and we will fix your comptuer" messages aren't getting it because they're visiting dodgy sites or even ones that have been hacked - they're getting them because either someone got that into an ad network or because they clicked on an ad that turned out to route them to one of those.

I can't babysit everyone and really don't want to, but I can at least cut down on some of the crap that hits their computers.


I think the ad blocking arms race is unfortunate because it's converging on recognizing/disguising ads so that they can be hidden/served despite what the other side wants. That's lame. I don't have any need for a hyper evolved system of coersion/rejection.

Wouldn't it be far better if instead we focused on identifying content and finding ways to serve it more efficiently? Why download the whole page and then hide 95% of the data?

I'd like to see a system where we crowd source the identification of content. If 100 people all view a page and see 100 different ads but the same article each time, a smart browser extension should be able to conclude that the uri actually refers to the static text. Store that on ipfs or somesuch and when I click the link, don't waste my bandwidth downloading the site, just serve up what I wanted in the first place.

I'm not sure how such an approach would play out--but all we're getting out of the current strategy is smarter and smarter ads. I can't imagine we're gonna look back in 100 years and be glad we aligned our incentives in such a direction, so I think trying something different would be worthwhile.


So there is a technical solution to ad delivery that is pretty hard to impossible to block that is serve everything from the same domain. It’s very possible today and even desirable with http/2. You can configure this with cloud front and multiple origins or using service workers with cloudflare... I’d guess it’s only a matter of time before this becomes the more common way to deliver content and ads as one origin...


There are obstacles to this, for advertisers.

Tracking impressions (something advertisers seem to want) is facilitated by third-party servers. Self-served ads defeat this and raise fraud concerns.

Standardised advertising units (display sizes) mean that blocking elements strictly on dimensions is possible. One of my early userContent.css stylesheets, borrowing from online souces, did just this, and was highly effective, for a time.

Obfuscated content and JS can get around some of this, thou stylesheets whitelisting elements would be yet another workaround.


That is why the edge computing - changes this trust issue... It's just a matter of time before you have a advertising module you can install in cloud flare as a service worker implementation that both parties can trust... this with obfuscation could make it really hard to block and pretty viable for advertisers... let alone the fact that you can shift the analytics into the cloud edge servers... this both eliminates the argument of speed to access the content and removes your ability to block it. I see this as the future of adtech...


What seems to happen in practice is that infrastrucure domains and hosts used for advertisig are blocked by default. Amazon's aws & s3 domains come to mind, and they're rather horribly abused (Bezos's own WashPo have covered this). Which may be why generic buckets are going away.


Here in India you might have heard of this little service called Hotstar. To start with, this is a paid subscription service, and I believe at the time I purchased it it cost me something like ₹1000 a year. This would lead you to expect that they aren't interested in Ads, wouldn't it?

No. This service is so adversarial to anyone who doesn't want to be tracked, it doesn't even work in Private windows. It stops working itself when you open the Browser's debug console. If this wasn't enough, this service stops working when you have uBlock origin (which finds that there's a /track request going out a hundred times every minute).

I responded by creating a new browser profile just for this website and routing all tracking domains (mostly segment.io) to 127.0.0.0 in my local hosts file.

I haven't used that service for a long time, but recently I heard they are now showing in-content ads between programming! So basically they've taken cable TV and put it on the internet with higher fees and shittier service.


Why is JavaScript even allowed in ads? Why can’t they be limited to images, text, and/or looping HTML5 videos?

Could you imagine if cable companies could control your Smart TV when showing ads and collect data about your viewing habits?

A minority of us have been saying this for years, WHEN will the tech industry cry loud enough for change?


I still firmly believe that in-browser crypto mining could solve internet advertising problems fairly for both parties.

1. As a user, you set your preference: no mining - ads will show instead. No ads, there will be some mining.

2. The longer a user stays on a page, ie the more engaging the content is, the more money the publisher earns. In theory, this would trigger a natural correction for dark publishing patterns: click bait would diminish, articles split over X pages would reduce. True, engaging content would win.

Hitherto all alternatives for remunerating publishers have flopped (an engaged user has no easy way to remunerate aside from pulling out a credit card..) .. so we have been stuck with ads.

I was truly sad to see in-browser crypto mining get banned. For a brief moment, it seemed that pleasing everyone was going to be possible.


Gigantic waste of energy. Why drain my battery to not see ads when I can just use an adblocker? Ignoring these, why reward longer content, content I happen to keep in the background, or content I happen to leave in the foreground while away over more valuable content?

Donating directly is a much nicer solution for me, and there’s so much room for improvement there too in the areas of privacy, fees, and convenience. (In a world where in-browser mining were a good idea, an out-of-browser miner could provide the equivalent for this kind of manual donation.)


Because aside from insidious advertisements, it's the only compensation mechanism that provides revenue to publishers without demanding a behavioral change from users.

Obviously, there need to be intelligent structures in place - and these can be enforced by the browser (as they already are today) - CPU limits for inactive tabs, CPU limits based off the computer's power-mode. The ability to disable mining at the cost of seeing advertisements.


I'm not sure why you think people avoiding ads would accept mining. I find mining environmentally unethical even when you're using your own resources; it's mindboggling to me that distributing this to general population is even an idea worth discussing.


It's so negligible for creators as to be meaningless. If it's meaningless except (maybe) to those who are so ultrapopular as to derive value from it, what good is it to normal people?


Is it necessary that ad blockers be totally all-or-nothing in their approach? Pop-up blockers didn't kill all ads. They just killed pop-ups. If it's really the privacy violations that are the problem, and not the user experience of seeing a bunch of ads, why not find a middle ground?

Make an ad blocker that just dishonors cookies, clears localStorage, etc for the ad domains, rather than blocking the requests altogether. Publishers won't make as much money since advertisers won't be able to track you. But at least you could give the publishers the ability to make some money from ads served to you.

If this approach gained adoption, you might see a growth in the market for non-tracking ads (analogous to the growth in the market for non-popup ads described in the article).

Why not?


Adblock Plus has their "acceptable ads" feature[1] so it's already a thing. But there was some controversy around it, which I don't recall well enough to give a fair hearing.

Also, Firefox has a good deal of tracker blocking[2] built in that tries to go after browser signature recognition. I think the problem with that is it can break some sites, though I have it on and don't see a lot of problems.

Beyond that, many ad blockers let you customize the lists, and there are tracker blocking lists. But I think they all default to standard ad blocking, so the hindrance is configuration.

[1]: https://adblockplus.org/en/acceptable-ads [2]: https://support.mozilla.org/en-US/kb/content-blocking


> Adblock Plus has their "acceptable ads" feature[1] so it's already a thing. But there was some controversy around it, which I don't recall well enough to give a fair hearing.

You can pay the makers of Adblock Plus to have your ads declared "acceptable". However, I do not want somebody else deciding for me which ads are "acceptable".


> Is it necessary that ad blockers be totally all-or-nothing in their approach?

Yes, it is. Publishers and advertisers have overstepped time and time again. They must be reminded of their place, and nothing short of grabbing them by the scruff of the neck and rubbing their noses in the mess they made will suffice.

> But at least you could give the publishers the ability to make some money from ads served to you.

I could, but why should I? The publishers had a chance to be reasonable, and they just kept pushing. I'm done being reasonable. The publishers should be glad they aren't facing the Internet Death Penalty[1].

1: http://catb.org/jargon/html/I/Internet-Death-Penalty.html


I love reading the views people have about digital advertising on HN, and as someone who works in the space I often agree that they are not providing a great experience and the tracking is too much, but what is the alternative for monetisation of content on the web?


Paid subscriptions. Literally way more than 99% of "free" content is so bad that world would be better without that.


Your business model is your problem. Have you ever heard of having a day job?


Show me just one ad per page, no scripts, no movement, no tracking and I'll be fine with that.


I counted eleven interstitial "advertising" breaks within an article on some site recently. I use adblock, so the label. was the only trace left, but that's still absolutely ridiculous, and is precisely why I'm doing same.


I think we’re going to need adclickers: similar to adblockers except they put the ad in a sandbox and click it. As long as this registers as a click, someone somewhere will want to be paid and sooner or later the whole ad economy nightmare will implode.



There's a browser extension that does that: https://adnauseam.io


The article kind of ended abruptly. The point about Encrypted Media Extensions and DMCA and rise of encrypted video playback within browser is an interesting point that needs more elaboration.

The story of how Internet grew and what made it valuable to users and what threatens it – it is worth articulating and illustrating and repeating each year as more and more people take Internet more seriously but don't know about these happenings under the covers.

Also, for the business model innovation to happen, existing business models need to be studied with care and deeper and broader understanding needs to prevail over more and more users.



Everyone should click as many ads as possible. Fuck over the datasets. The ads I get are now stupid and hilarious. I broke their algorithms and I cost every crappy advertiser money.


The EFF very directly is trying to blame Do Not Track being useless on browser vendors and media companies when the reality is that it was a dumb idea whose existence likely does more harm than good (as it makes people think they can avoid tracking by using it, when they have done literally nothing to people who are tracking them by turning it on except provide one more bit of browser setting variation that can be used to differentiate--and thereby track--users). What the hell, EFF?


We need to move towards an economy where many essential internet services are publicly funded and there are rational subsidies for journalism meeting very minimal standards.


I really wish there was some sort of proper monetization model for rss. The web has no reason to be this obnoxious pile of bloated unreadable spyware. I want to support more of these companies because I think what they do is important but it gets hard to justify 10 bucks a month for each of them. When I try and whitelist ads I often find I can’t even find content on the site anymore and my browser slows to a crawl.


What is the difference (if any) between companies who nefariously, vehemently, and willfully track users and stalkers (who we classify as criminals) chasing after their obsessions? Why is it legal for the business? Aren't the end-goals pretty much the same in both contexts and the only differentiation in both cases is the fact the adversaries are either a business or an individual?


FYI, The title doesn't suggest one to stop blocking ads, but means the opposite.

> When you visit a site, the deal on offer is, "Let us and everyone we do business with track you in every way possible or get lost" and users who install adblockers push back. An adblocker is a way of replying to advertisers and publishers with a loud-and-clear "How about nah?"


How about we just don't let the advertising industry develop or fund our browsers and web standards? Users need to be able to control what kind of content their device will load and display, so it's probably time to develop technology that supports it (and scrap the current web, which is now basically billboard ads for the internet).


Don't let them. Use Firefox or Safari instead of Chrome or Edge.


I use Safari, Firefox/Mozilla is wholly dependent on money from the ad industry (Google). But Safari also goes in the direction the ad industry desires through its adoption of new standardized features. There is really no way out using the current "web", we need a simple, open alternative that isn't controlled by the ad industry and adopts only features in the best interest of the users first and content creators second.


Ny main gripe lately is with YouTube.

YouTube's gotten a lot more shitty about it, too. I wouldn't block ads on there but they treat their creators like crap and they treat me like crap. Nowadays if I don't block them I get two ads in a row and if I don't skip the first one, I have to wait on the second one, too. And often some ads go on for minutes. The longest I've seen was a 50 minute ad. Or ads that scream at you, as loudly as possible. Especially when you're trying to enjoy more laid-back content. Ugh.

And a lot of that revenue doesn't go towards paying the creators their proper share. I would gladly pay for an ad-free YouTube but they're dead-set on shafting creators, making their lives as miserable as possible. Random demonetisations, horrible handling of fair use, etc. All this without ANY kind of proper support. If I pay for a service or rely on something to make a living, I expect to be able to at least somehow talk to a human being, etc. They've gotten more and more and more hostile towards creators and users. So now they get the Brave-treatment (since they fiddle with adblock on Safari, I use Brave just to watch YouTube. If they detect adblock and can get through it, you get actively punished with longer and more frequent ads.)

Little wonder that most small people without VC investment backing them have looked for alternatives to this, they understand how sites that host content being hostile towards the userbase is a race to the bottom. With off-site patronage and superchat and burnt-in ads they're in control. Sadly you do have to be of a audience certain size to take advantage of these but they're far more pleasant for everyone involved (except the firms that host the content).

For sites in general that model seems to be viable, too. But you do depend on your audience for this which can be a good thing generally as often it seems to keep the content more honest. The content that panders is very often just going to slowly die off.

I would be okay with ads if they weren't disgustingly obnoxious and consistently trying to intrude in my life and take my data.

Lots of bigger websites have an insane quantity of ads, some even have their entire backgrounds replaced with clickable ads. One accidental misclick and you're pissed off. There are sites where the occasional ad is sometimes interrupted by content.

I simply can't take it. Performance-hogging, data-stealing, annoying, time-wasting ads. They're everywhere.


This embarrassing early era of an internet built on the ludicrous house of cards of advertising can't come to an end soon enough.

I look forward to reading in the history books about how some of the world's greatest minds spent their time and energy figuring out how to build businesses on manifestly bad UX.


What a weird phrase: “how about nah”. Is this a reference to something I’m totally missing out on? I can barely pay attention to that point the article make when it’s framed in such an odd and unclear context.

I get wanting to have style to your writing but not at the expense of clarity.


It means something to the affect of "Thanks, but no thanks, I'll do this my way", with a bit of extra snark.

I liked the term "adversarial interoperability" that they used in the article. I think it is an interesting concept. Although I might want to reframe it as protecting individual autonomy.


Breaking this cycle of blocker-blocker-blockers is what makes me actually like Adblock Plus's "Acceptable Ad" options. It provides a counter-offer, rather than just "No.", whereby advertisers can feed you unambiguous and untracked ads.


> It provides a counter-offer, rather than just "No.", whereby advertisers can feed you unambiguous and untracked ads.

That ship sailed in 2001, hit an iceberg, and sank with all hands.


I always thought the Do Not Track option was naive. It did nothing to stop tracking except beg.


This misses the real intention of DNT, which was to give browser vendors plausible deniability when advertisers inevitably rejected it.

The one and only reason that browsers (with the exception of Google's) don't block ads out of the box (like they do for pop-ups) is out of concern that ad-supported websites will explicitly blacklist their user agents, driving away their users and causing the browsers to lose marketshare.[1] DNT was the shot across the bow that said "we can do this the easy way, or we can do this the hard way". The obvious outcome was that the ad networks would choose to ignore it, which formed the foundational justification for gradually introducing ever-stricter policies reining in ads by default.

[1] The inverse is true as well: the nuclear option of any browser whose marketshare sinks to the point of unsustainability will be to immediately introduce on-by-default adblockers, since at that point they have nothing left to lose.


In a sane world, DNT would be opt-out and enforced by legislation.


There's legislation to stop robocalls. How many have you gotten in the last 24 hours? I've had 3, and it's been a pretty typical day.


I never had one in my life. I'm 27 and have had the same number since I was ~13 or so. I did get a few spam text messages, maybe one every three years.


The richest companies on the planet don't robocall me, but they do stalk me all over the internet and wherever I bring my phone, which I consider worse.


I have never received one. Nor have I gotten any SMS spam.


Meanwhile I haven't gotten any in many years, because my spam call filter works a treat, and always has.

Though I am thinking of turning it off and putting up a "Hello? Hello? Sorry I can't hear you could you repeat that. Uhha, go on..." recorded message about 5 minutes long, just to waste their resources. That would actually be a promising addition to a spam filter.


And that spam call filter probably requires proprietary software, which has access to your call logs and theres every chance that the spam filter app company can steal your data.

> Though I am thinking of turning it off and putting up a "Hello? Hello? Sorry I can't hear you could you repeat that. Uhha, go on..." recorded message about 5 minutes long, just to waste their resources. That would actually be a promising addition to a spam filter.

This a nice idea but on the rare occasion that your filter incorrectly blocks the wrong person, you might be annoying someone who really needs to talk to you.


Android phones do it automatically, assuming your carrier hasn't monkeyed with the phone app.

I think Google keeps a spam probability score for callers' phone numbers based on how many people have marked a call as spam.


Spam call numbers are randomly generated. Blacklisting can’t work without collateral damage.


I’m surprised it helps at all. Why wouldn’t a robocaller generate a new random number every time?


They do. The common strategy is to pick numbers with the same area code to pretend to be legal, and some advanced callers try and pick numbers that match even more recognizable digits (like your office). All this traffic is a major source of revenue for VOIP operators.


Microsoft made it opt out and people screamed.


People, or advertisers?


Just like legislation stops robbery and murder.


You don't think there would be way more robbery and murder if it were legal?


Now that's getting into some serious philosophy there. In this respect, would we be moral people without it being codified in law? I'd like to lean towards yes, because before state's law it was religious law. Humans have always projected their morals via the powers at be.


Without legislation you'd have large tech corporations running robbery networks tracking everyone's behaviour and and recommending who it would be most profitable to rob today based on their behaviour, location, etc... oh wait.


Except DNT is more like saying you can murder anyone unless they ask you politely not to murder them.


Legislation doesn't stop criminals. The best way to stop browser tracking online is to make it technologically impossible for malicious actors to track the browser.

Everything else is just a band-aide.


Legislation doesn't stop criminals.

But these are incorporated entities. If proper privacy laws are/were put in place and enforced, they would have to honor DNT. This is as much a failing of these companies to respect privacy as it was the failing of governments to protect privacy of their citizens.

Besides violating privacy, ad networks have also been a proxy for malware. They should have been sued into oblivion for that as well.

I agree that since the proper means have failed, blocking is the best solution. Do people who are not computer savvy a favor and install a proper ad blocker for them. We can do much better than 26%.


It's a matter of what order you want to tackle things in. I'm not interested in only stopping the worst actors. I want to stop all tracking, and if I can't, I'll settle for stopping some of the worst actors through solutions like legislation.

I understand that some people come from the opposite direction -- they try to stop the obvious bad actors with laws, and if those laws fail, then they'll look for solutions that put control in the hands of individuals.

I don't dislike those people, but my perspective is that people who focus on tracking by corporations don't have a good perspective of the entire problem.

> Do people who are not computer savvy a favor and install a proper ad blocker for them. We can do much better than 26%.

Amen on that. I'd like to see the ad industry collapse, but that's a separate conversation.

I'm not convinced that pervasive advertising to the degree we currently see is good for society as a whole. I would encourage people to block ads even if they didn't include any trackers at all. I would even block ads off of one-way mediums like the radio if I could.


Incognito mode enforces what do-not-track was supposed to do, and there, the cat-and-mouse game continues. But the reason Chrome can continue to support this is that most people don't use it.


The only thing more naive is the cookie notice law.


I also hate that law. I block cookie notifications as well. My browser can alert me if I want to be notified about cookies.


The same could be said of robot.txt files.


Couldn't we solve this problem by always clicking on ads we don't like, then close the tab?

If I like a company, I tend to scroll down in Google Search until I find their organic result. Hopefully that makes a difference to their bottom line.


Like this [1] browser extension? It hides all the ads and also clicks them in the background.

[1] https://adnauseam.io/


If a company is advertising on their own keywords 1) It's much cheaper because AdRank is better 2) They're probably doing something wrong - if people have typed your brand in already and you've got good SEO then there's no reason to advertise on it


The real problem is that the browser does not give enough ropes for the user to hang themself and also a few more just in case, and gives too much control over it by the data received from the server instead.


If I buy the paper version of the New York Times the ads are on every page but I don’t mind them. They are not watching me. Nor would I mind ads on a page, if they are rendered as plain HTML. Just no Javascript


I subscribe to the print edition of the local paper.

I'm not interested in logging in to the paper's website so that it can 1. feed me yet more ads and 2. track in minute detail exactly what I'm reading and for how long.


> setting Do Not Track in your browser does virtually nothing to protect your privacy.

It sends another signal, that this person is an aware contrarian, and may be receptive to this or that source or style of engagement.


i'm on a vpn that blocks ad networks no software in my browser is needed


Yep. I don't trust any third-party add-ons in my browser to have full read/write access to all web sites I visit.

I use a domain block list in `/etc/hosts`: https://github.com/StevenBlack/hosts


Which VPN is that?


PrivateInternetAccess


Is there a way to make an ad "blocking IO" from the point of view of the ad network, but my browser can keep on going (sans ads of course).

Sort of like laying the phone down when a telemarketer calls.


> and indeed, some ad-blockers actually track users!

Can someone please explain this?


Browser extensions can see quite a bit of your activity. And if they know your browser/IP/OS and the sites you visit, there's money to be made.

Here's an article on it: https://www.wired.com/2016/03/heres-how-that-adblocker-youre...


Nobody was bothered with ads the way they used to be. But currently you can't use internet without ad-blockers.

Advertisers are pushing too much and they are overheating their market.


Most companies overdo the ads on their sites. If it was one or maybe two banners or the like, it would be okay, but no, let's cover 2/3 of the content with ads.


Just install noScript. All the really nasty stuff ads do gets blocked but people being sane (things like what project wonderful used to do) still works.


Are there any advertising companies that don't target ads with tracking? But just serve ads based on content of websites?


We’ve made full circle again. Were back in 1999. Tons of ads pace being bought with clickfraud (facebook). Zillions of scripts etc, when all you want is someone to put a text link + a pitch which is relevant to the page (current search, current article, type of content in the video), not the user.

Problem is they can’t. Publishers earn through the massive amount a low quality traffic, bots, and even misreporting impressions and clicks.

I want ads, if they’re relevant.


I really like https://tab.gladly.io/?u=antupis which raises money for nonprofits through adds.


The title could've been worded better. It makes it sound like the article is against ad-blocking.


So has anyone found a reliable solution for a ad blocker blocker blocker?


500th comment.

(Wow, this must be one of the most discussed HN posts.)


They are not ad blockers, they are HTML firewalls.


So what can I do to fuck them over?


J'aime l'application



It has waaay less ads than the copy. Somebody displayed a twisted sense of humor by using the BoingBoing link.



Appreciated -- I realised the EFF's link was better 10s after submitting.


When I loaded the BoingBoing version of the article my browser contacted 53 third-party domains and a grand total of 373 cookies were set. The BoingBoing privacy policy does not mention "Do Not Track", usually a signal it is ignored, and it discloses nearly none of the third-parties. The cookie opt-out link goes to the NAI site which does not work on Safari because Safari won't allow the third-party cookies required to opt-out by the NAI. BoingBoing's privacy policy lists nine types of advertising, none of which are behavioral.

The author of this article, Cory Doctorow, is an editor of BoingBoing and has some level of control of this.

In contrast, I got zero tracking from the EFF site. Exact same content, completely different privacy experience.

I'm not an absolutist that you can't criticize a system you benefit from (it's ok to criticize Apple's labour practices if you own an iPhone), but there is a big difference between admitting participation in a flawed system and passing yourself off as an objective critic of a system you benefit from.

Doctorow knows where his paycheck comes from.


It is really hard to reconcile BoingBoing's behavior as a publisher with their content. This goes far beyond ad tracking. The BoingBoing store sells categories of products (insecure IOT disasters) that the site's editorial content rails against, and I've lost count of the number of cheap dollar store level knockoff products are pushed by the editorial staff in order to take advantage of amazon affiliate links.

I've seen people banned, and have been banned myself for drawing attention to these things on their bulletin boards.

>> I'm not an absolutist that you can't criticize a system you benefit from (it's ok to criticize Apple's labour practices if you own an iPhone), but there is a big difference between admitting participation in a flawed system and passing yourself off as an objective critic of a system you benefit from.

Exactly. Also, given the site's legacy, political slant, and access to technical talent, if they don't choose to explore ethical modes and models of behavior and publishing, what hope should we have for the rest of the industry?

(The only positive thing one can say about BoingBoing on these matters is that they do not block ad blockers.)


Does that changes anything to the truth and validity of the points he is making, though ? Because if yes I would like to know what and how, and if no then this is an ad-hominem.

Nobody said advertising wasn't paying the bills.


This is not ad hominem. It’s directly relevant. No attempt was made to avoid discussion of the issue at hand by attacking Doctorow. Let’s please keep our fallacies straight.


I actually think if he was more transparent the piece would have been significantly better. For example, "At BoingBoing we rely on these systems as well. Why? The simple fact is we have virtually no alternatives to the adtech status-quo and our choice is either to participate in the system as it is or go out of business. This is why I'm calling on likeminded publishers to...". Instead he passes himself off in a disingenuous way, and people reading his words could reasonably assume that his own site was perhaps better, when in reality it far exceeds the mean for the amount of tracking on a website.


Yes it says boingboing are hypocrites and not the right people to spread this message. At the very least they could have used this as an opportunity to say “you may have noticed we have tons of tracking on this article, here’s why...”.

There’s something to be said about being a trustworthy source.


The capitalist will gladly sell you the rope you hang him with.


I emailed him about this, and his response was essentially, it's not within the ability of publishers and their writers to get rid of these kinds of ads. Pop up ads went away because the consumers worked around them - that's why advertisers stopped demanding publishers put them on their sites.

So, wanna get rid of tracking cookies, continue as a consumer to block them and make them pointless. Advertisers will then stop demanding BoingBoing uses them.


>> it's not within the ability of publishers and their writers to get rid of these kinds of ads

Sounds like a failure of imagination.


Sure, but it's not what got rid of pop up ads.


Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: