Shout out to nextdns.io, they run a global pi-hole grid. OK, it’s better, but conceptually.
“Block ads, trackers and malicious websites on all your devices. Get in-depth analytics about your Internet traffic.
Protect your privacy and bypass censorship. Shield your kids.”
All you do is point your DNS at it. (Or let one of their apps point DNS for you.)
But I really like the ethos:
“NextDNS was founded in May 2019 in Delaware, USA by two French founders Romain Cointepas and Olivier Poitrey. Olivier has been working on Internet infrastructures for the last 20 years. In 2005, he founded Dailymotion, the largest video sharing service after Youtube and the most popular European website in the world at the time. He is currently Director of Engineering at Netflix, working on Open Connect, Netflix's home CDN also known as the CDN moving about 30% of the total US Internet traffic. Romain and Olivier closely worked for years at Dailymotion on many different projects. Romain ended up leading the mobile & TV department.”
“We are true supporters of the net neutrality and Internet privacy. We believe that un-encrypted DNS resolvers operated by ISPs are detrimental to those two principles. Alternative solutions like Google DNS or Cloudflare DNS are great, but we think more actors need to step up and provide alternative services to avoid centralization of powers.”
In ~8 months it’s gotten mom proof while also being something I can recommend to techos. For me, it’s been more reliable than the enterprise Zscaler DNS filtering, and more configurable than other filters, particularly in allowing ad blocking and custom block lists and white lists along a rich set of built-ins.
I’m at 7% blocked out of 4 million queries in the last couple of months.
> "He is currently Director of Engineering at Netflix, working on Open Connect, Netflix's home CDN also known as the CDN moving about 30% of the total US Internet traffic"
There is something about CDNs and DNS, usually not good. According to Paul Vixie, that is how we ended up with EDNS0 despite the objection of IETF. Wonder if this company gets permission to share data with Netflix. I would read the terms carefully.
Hopefully people will choose to run their own Pi-Holes on their home networks, preferably without pointing them at third party "upstream" DNS providers.
Some CDNs rely on DNS for load balancing. They need information on the end user's network to properly resolve (sending you to a server in the right geo, for instance). If you use a third party resolver and it is not providing enough info, you may get poor performance.
That's not some fancy tracking, in the end the CDN will get your IP and traffic. (Not saying it's impossible to use it for tracking purposes)
By distributing its requests across the many authoritative servers for the domains you visit. The only one that still sees all your DNS requests is the ISP.
> They see all of your traffic anyway, so it doesn't really matter if they also see your DNS traffic, it's not like HTTPS hides who you are visiting.
Given a lot of traffic goes to cloud providers with IP pools that are discriminated largely by the HTTP Host header, it absolutely does somewhat hide "who you are visiting".
In other words, virtual hosting does provide some incidental "privacy". However, looking at the web as a whole, not simply focusing on certain large CDNs, most HTTPS websites actually do not require the SNI extension. "Modern" browsers send domain names in the ClientHello plaintext automatically, by default, even though it is not required.
Then there are HTTPS websites who require SNI but do not actually check the name in ClientHello is the same as the name in the Host header.^1 Any name sent in the ClientHello will suffice to retrieve the correct web page. "Modern" browsers again blindly send more than what is required in that situation.
As such, it is the HTTP client, e.g. major browser, that is leaking information in plaintext unnecessarily. "Modern" browsers are useful for displaying web content. However when it comes to retrieving it, they are less trustworthy. Too much is happening in these programs outside the user's awareness and control.
1. AWS Cloudfront is one example. It is possible to send a less descriptive, arguably more private, CNAME in the ClientHello whilst sending the known domain name in the Host header. https://news.ycombinator.com/item?id=21977961
It's sent un-encrypted in the very first handshake setup so the server knows which public key to return. Details here[0].
There is, as you can see from Wikipedia[0], an encrypted version (ESNI), but that only sort of solves the problem. See [1] for more details on those.
The high level overview is, perfect secrecy of who you are talking to is a very hard problem on the Internet, and while some of these new features might help, there are a LOT of leaks to plug, so if someone is able to watch your traffic go by, chances are they can tell who you are talking to, but they maybe can't figure out what you are saying. Which may or may not matter, depending on your security threat(s).
> is it the certificate handshake where host header is leaked?
Yes, because of SNI [0].
In short, the ClientHello message sent by your browser as the first step of TLS negotiation (after the TCP connection is made, obviously) includes the hostname of the server you are trying to connect to unencrypted so that the server knows which certificate to present in the case of multiple sites being served on one IP/port combo.
No. The SNI is transmitted in plain text as part of the ClientHello but TLS does not care about application implementation details. The HTTP Host header is encrypted along with the rest of the request.
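What the comments above describe, as an added example that is not part of the thread: the script has Python's `ssl` module write the first flight of a handshake into memory (no network is used), then parses that ClientHello to recover the `server_name` extension a passive observer on the path would see. The hostname `shop.example.test` and all function and class names are constructed for illustration.

```python
import ssl


def capture_client_hello(hostname):
    """Return the bytes a Python/OpenSSL client would send first, without a network."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if hostname is None:
        ctx.check_hostname = False  # needed to start a handshake with no name at all
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: nobody answers, we only want the client's first flight
    return outgoing.read()


class Reader:
    """Bounds-checked cursor over TLS length-prefixed structures."""

    def __init__(self, data):
        self.data = data
        self.pos = 0

    def remaining(self):
        return len(self.data) - self.pos

    def take(self, n):
        if n > self.remaining():
            raise ValueError("truncated TLS structure")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, n):
        return int.from_bytes(self.take(n), "big")

    def vector(self, length_bytes):
        """Read a length prefix of the given width, return a Reader over the body."""
        return Reader(self.take(self.uint(length_bytes)))


def extract_sni(wire):
    """Return the host_name from a ClientHello record, or None if no SNI is present."""
    record = Reader(wire)
    if record.uint(1) != 22:              # ContentType: handshake
        raise ValueError("not a TLS handshake record")
    record.take(2)                        # legacy record version
    handshake = record.vector(2)          # record payload
    if handshake.uint(1) != 1:            # HandshakeType: client_hello
        raise ValueError("not a ClientHello")
    hello = handshake.vector(3)
    hello.take(2)                         # legacy_version
    hello.take(32)                        # random
    hello.vector(1)                       # legacy_session_id
    hello.vector(2)                       # cipher_suites
    hello.vector(1)                       # legacy_compression_methods
    if hello.remaining() == 0:
        return None                       # no extensions block at all
    extensions = hello.vector(2)
    while extensions.remaining():
        ext_type = extensions.uint(2)
        ext_body = extensions.vector(2)
        if ext_type != 0:                 # 0 = server_name
            continue
        names = ext_body.vector(2)        # ServerNameList
        while names.remaining():
            name_type = names.uint(1)
            name = names.vector(2)
            if name_type == 0:            # host_name
                return name.data.decode("ascii")
    return None


if __name__ == "__main__":
    wire = capture_client_hello("shop.example.test")  # constructed hostname
    print("bytes in first flight:", len(wire))
    print("hostname visible on the wire:", extract_sni(wire))
    # The HTTP request, including its Host header, is not in these bytes:
    # it is only sent after the handshake, inside encrypted records.
    print("with no server_hostname:", extract_sni(capture_client_hello(None)))
```
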
I love how in this thread about, ostensibly, why tracking is bad and trackers should be blocked people are arguing that using GA is ok because doing anything else is "too hard". Why can't this same argument be applied recursively to any of the trackers in the NYT tracking sphere? I'm sure it can, and I'm sure that's why loading a NYT page loads dozens of various third-party tracking scripts: because doing anything else would have been "too hard" for the NYT marketing & technology departments.
Can you qualify that? In what sense is GA "nothing in comparison"?
Because the other companies are less well-known?
Because it's just one among 200 others? Even though it's owned by the largest adtech corp in the world?
Or is it because you told yourself that Google will probably do "less bad things" with that same data, after you give your users data away, completely out of your control.
I'm not into the analytics business, but how does it come that, somehow, of all the major tech companies, it just happens to be Google to provide the one irreplaceable analytics service?
In particular, how that apparently never worried anyone before they became the "seriously nothing else can scratch this itch" quality analytics??
Because I saw it happen and it worried me. Some people must remember, about a decade (!!) ago, that half-joking nervous realisation that there was a single corporation whose server-controlled javascript ran on 90% of all webpages.
Or the part where you share all of your site's analytics with a third party you had no choice in? That wasn't even a thing before GA came around.
What is Google Analytics doing that it can't be replaced by anything that's not quite as ruthless with your visitor's data? (I really want to ask "is it that hard?" but I'm gonna assume there's something hard about it that I'm not thinking of)
Personally I'm afraid the reasons are dumb and shameful. I suppose Google Analytics is providing some additional details and data that it just happens to be unable to provide unless it tracks the everloving shit out of your visitors and accumulates this data on, say, Google servers. And people don't want to give that up, because weeeeell if it's spying on everybody and combining and keeping data anyway, they might as well get a slice of that pie, right? Flawed reasoning that works very well in unscrupulous people's heads.
And then you get someone complaining that the UX of the alternative isn't top notch. Which really tells you everything you need to know someone is willing to even begin thinking about sticking out a limb for.
I get this sinking feeling that in large parts of this industry there's less than 5% of people who actually think about and critically look at the ethics of what THEY are building, and they're probably listened to even less. It's probably even less, I've been talking to people that I consider very responsible engineers whose principles just wither as soon as you ask where the analytics data goes ... usually pointing at the client's choice. Except they're working on it and it's built into the infrastructure of the company and they provide it.
So easy to get the top thread in this comment section arguing fervently against any and all forms of tracking ... and then you get this massive backpedaling when someone dares to suggest not using GA.
In this particular case I find it very dishonest: they talk about net neutrality and privacy protection but use Google Analytics. It does not matter if GA or Matomo is the best solution, they made the decision to use GA and thus don't seem to value their customers' data that much.
What is it with this all-or-nothing attitude? GA provides objectively superior data and they probably get a lot of value from it, otherwise they wouldn't be using it - value which allows them to grow their business which ultimately benefits their users.
(at least for me) Considering the value of their service, GA on their marketing page seems like a very small compromise. If you don't like it you are free to block it - hell, they literally provide a service to do so.
> GA provides objectively superior data and they probably get a lot of value from it
Which is why everyone uses it and we just sit back and accept the consequences. You can't be expected to be taken seriously if you simultaneously argue that others shouldn't do something while yourself use it for precisely the same reasons everyone else does.
This is not about all or nothing. This is about being dishonest in my opinion. It's like a doctor who recommends you to stop smoking because it's bad, but smokes on its own.
Consider a doctor that smokes during consultations subjecting you the patient to the ill effects of their secondhand smoke whilst simultaneously recommending that you give up. Perhaps a more accurate analogy. Would you trust the doctor in this scenario?
There is no dishonesty there. Merely acting inconsistent to one's advice. It's not a serious deficiency.
BTW, in a number of countries a large percentage of doctors smoke. It's a cultural thing: They pick up the habit during the stress of medical school. Would you suggest that a large percentage of doctors in those countries not inform patients that smoking is bad for them?
As a politician recently complained about: Purity tests are usually a bad idea.
It's fair to criticize. It's silly to reject their word/work because of it.
Except there's no doctor-patient discrepancy, most people in this thread are in the business and actually do have to make these choices based on their own expertise in the field.
It's a lot more like if all doctors were telling each other they should wash their hands before surgery, but many of them don't really because the tap water is cold and kinda too far away and everybody is doing it and what's the harm really and at least I'm not actively sneezing into the wound, you know?
Sure thing, but the gigantic Google Analytics machine is hardly a small compromise versus all the other ubiquitous tracking.
I don't even consider it a compromise, because literally no one arguing to use GA anyway seems to be able to present both sides of the scale considering the compromise.
Sounds like you're not arguing against Matomo but arguing that you really in fact do want to share data with a third party to extract information that your users very much did not consent to.
It's terrifying what comes out of the woodwork sometimes.
The age, gender, etc. distributions of the people who visit your website. I don't know anything about GA, but I'm guessing they'd know this from the currently signed in Google account.
It's indicative of a lack of respect for their users.
> GA provides objectively superior data and they probably get a lot of value from it
That's certainly true. Also, that's orthogonal to the point. Being very valuable to website operators doesn't make its use any more acceptable to others.
> Considering the value of their service, GA on their marketing page seems like a very small compromise.
It's not a compromise until you consider the value of both sides of the equation. Please do elaborate on that, with some details on the negative externalities of blindly sharing your tracking data with Google.
Otherwise your argument just became "superior data has got some value to me, which is more than none, so yeah I got mine".
It's not less of an all-or-nothing attitude if you fail to seriously consider the other side of the supposed compromise.
What do you mean drilling down beyond one level? I use Matomo and find it just as useful as Google Analytics. Actually, I like their interface better than Google's.
To see what content is popular, to see what countries users are coming from, to see how long a given page is retaining a visitor... all of this lets a business know what they need to change/offer/stop to better serve their customers and attract more customers.
I had a very niche ecommerce site for a couple of years, for ease I was only shipping to U.S. customers. I noticed that something like 20% of my traffic was coming from Canada so I decided to enable shipping to Canada but added a 5$ premium on top of the actual shipping cost. I had a sale to Canada the first hour of enabling it in my cart and Canada ended up being roughly 10% of my orders, even after I raised the premium/handling fee to 10$.
Looking at my GA page once caused more money to be going into my pocket and filled a need for Canadian customers. I didn't need to learn a programming language or spend tens of hours trying to figure out, through articles, how to copy paste a bunch of code together to recreate something comparable.
My question then would be, why do you need to use especially Google Analytics for that? Stats like "visitors per country" are a core feature of all major analytics suites. I set up analytics for many sites at my job and I never experienced a use case where GA offered that specific feature no other software had.
GA is free and takes seconds to set up. Not everyone knows how to code, not everyone is a professional web dev or CS ninja, not everyone has piles of VC money to throw at such things. GA works, is well organized, and is often integrated with a lot of cart/web builder services where you simply have to plug in a short string and pop over to the GA website.
I needed a vegetable knife recently. I could have (and I do have the skills, and have made many knives over the past 25 years) purchased some appropriate steel and made one myself in 3-5 hours and had it incredibly sharp but I opted to buy a Mercer stainless steel one on Amazon for 20$~ because it required much less effort.
I also couldn't care less about Google or the NSA or Lectroids from another dimension tracking me so I don't rush to go "I'd better cater to the small percentage of my potential customers that want to leave zero trace on the internet, there are countless tools out there they can use to minimize that trail of breadcrumbs. This data is usable to me and Google makes it easy" and I imagine, even the company in question was like "some people want privacy but those that are concerned can easily block this with a browser extension, in their hosts file, and/or at a hardware level so we'll go ahead and use it and save a bunch of time".
> GA is free and takes seconds to set up. Not everyone knows how to code, not everyone is a professional web dev or CS ninja, not everyone has piles of VC money to throw at such things.
Imagine if restaurants had this attitude about hygiene.
I mean not everybody is a professional cleaner ninja or has money to hire them. Just wiping the counter a little is all everybody sees anyway, and everybody can do it.
If you're simply not skilled to do it properly, does that mean you get to earn the profit of doing it over your customer's backs anyway?
Your attitude really reminds me of, say, street food carts in some places. Because some people just didn't receive food hygiene training, and they only have to get out there with a cart and something that looks edible.
You're essentially saying that violating your users' privacy is OK because not everyone has the skill or money to do it the right way?
In this case would you also say it's OK to be stealing in stores because it's cheaper than getting things the correct way by paying for them, and that stores concerned about theft should just do a better job at preventing you from stealing by using the real-life-equivalent of a hosts file to prevent you from entering the store?
I think his point is that he doesn't consider it a violation of privacy and that the people who do usually are better at controlling the data that is leaving their computer anyways.
>You're essentially saying that violating your users' privacy is OK
I'm not holding a gun to their head and telling them to visit my site. If I walk into a business, or someone's house, I assume I'm being monitored. Websites are the same thing.
> I didn't need to learn a programming language or spend tens of hours trying to figure out, through articles, how to copy paste a bunch of code together to recreate something comparable.
Tens of hours, people. THIS is what your privacy is worth to some.
You forget that, while doing the unethical thing might seem a lot less hard, simply NOT doing the thing is also not hard at all! So that's not an excuse.
You seem to think you have a right to the earnings of the difference between those two, over the backs of your visitors' privacy.
THAT is the argument you have to explain. Not the part of how you managed to get fancy analytics for free by selling out your visitors.
This is an honest, detailed answer from an end user. Basically, he values simple demographic information about his visitors and doesn’t care about privacy. This is what countless other GA users have said here on HN and elsewhere.
If you want more privacy then build a better GA (from the typical end user perspective, recall the famous comment here that no one will use Dropbox because they can instead just run some Unix commands).
I am out of that game. Once upon a time, I labored over WebTrends for about a hundred different sites. It was not a great time.
I am not sure what would be a good replacement for Google Analytics these days but I had an absolutely terrible time with WebTrends and server-side logs. I was pretty doubtful about the results produced, as well.
Or with a couple of mouse clicks it can be done with GA. Most people don't want to stare at lines of code, write code, and fiddle around in logs for hours and hours. I have literally no idea how to extract that data in a comparable fashion and it would likely take me many hours of reading and trying to copy paste random bits of code I find in articles together to attempt to do the same. Obviously the company in question should have someone capable of doing that but most smaller companies and small business website owners don't, hiring someone to create that would cost money.
Stuff like GA you can copy paste an identifier or line of code, make it live and you're done. You now have a bookmark you can go to and see lots of actionable data in a nice visual form.
Most people don't care about a website tracking their OS/location/time spent on change etc so why would I, or someone else, put a bunch of extra work into fashioning something from scratch when there's a perfectly usable product that takes seconds to deploy and is easily blocked by those that don't want you to easily access that information about them?
If you need a knife most people would buy a knife. They would not buy a length of steel, cut it to rough shape, file or grind it down to the final shape, then spend an hour or more putting an edge on it with whetstones. Besides, the people that don't want tracked by Google are probably already blocking google via software and/or hardware solutions.
It seems like most people have forgotten that before Google Analytics, we all just looked at our server logs.
Sure, you can't get the exact same information, but you can get enough to do capacity planning and some basic stats.
I've started to wonder why people care about Google Analytics, what does it tell you that you actually need to know. Again capacity planning is useful, but other than that, isn't it sort of pointless?
You could actually get more from plain old log parsing in some cases. First of all with GA you can't access the raw data. With logs you can create new type of stats/metrics/charts and apply them on past data.
Also, IIRC GA uses random sampling - only a % of connections are recorded and the data being shown is extrapolated from those samples. While I'm not arguing that given the vast amount of data at disposal, huge capacity and great engineers they can make those extrapolations very accurate, I'm not entirely convinced it is precise for (very) small traffic websites. And since a small traffic logging requires both small storage space and small processing capacity the resources needed for keeping and processing your own logs are insignificant while the results might be useful.
Some of the larger website builders/hosting, e.g. Wix, don’t even give you access to server logs.
Sure you can set up and run your own site and CMS easily enough, but running even hourly bulk log ingestion is usually not as straightforward and the information you can derive is very limited compared to js based tracking.
Matomo (formerly Piwik) is decent but still takes some time to set up and get right.
The main thing that the analytics tells you if you are promoting anything, is which of those promotions is actually working and driving visitors to your site.
> Some of the larger website builders/hosting, e.g. Wix, don’t even give you access to server logs.
I don't think it's unreasonable to require them to provide you some sort of insight into your traffic data in that case.
You can do promotion tracking with just log parsing, depending on how your system is built. There's a large number of sites that handle that by simply having a unique URL for each promotional partner.
> what does it tell you that you actually need to know?
Have you actually used Google Analytics? Doesn't sound like it.
First, being able to get stats on real traffic and not bots/crawlers is very important and GA does an excellent job of this.
Google Analytics also allows you to see how people actually use your site. Stats like how long, what their visit path looks like, and when they leave your site. It also lets you see demographic info, like age group and gender.
I've only touched the surface of what GA does. Yes, it is equally frightening and amazing how it tracks users.
And none of these offer the ease of setup, ease of analysis, or ease of recognizing what actions to take that GA offers for $0 license and no hosting fees. These on the list are all admirable (esp. Snowplow) but all assume savvy users to be able to get things that are out-of-box with GA.
However beware that it's not a "set and forget" solution.
Example: This morning I did my occasional sweep of what I've blocked where, and to see if there's a new allowed domain in top N that should've been blocked. What I found is that ocsp.int-x3.letsencrypt.org.edgesuite.net is blocked by "kowabit.de - bl*cklist of death". I've added that to my whitelist now, I want certificate revocation to not be blocked.
Ok, but by paying you basically hand them your personal information which they can now tie to your internet access patterns. So now, besides your ISP, there's one more party with this info.
EDIT: they accept cryptocurrencies, so the problem is slightly less critical.
Pricing is surely very reasonable, but I'm not comfortable with the idea of paying for not getting something.
The whole system is flawed and building businesses on a flaw is a step in the wrong direction if we want to fuel motivation to solve that flaw.
The city of Flint has a lot of water they'd like to sell you, it comes with extra so it follows your model. You should also love basic Hulu, they sell you a version that comes WITH added ads, such benefit.
In reality there are plenty of places you are paying for refined or filtered products. Organic or pesticide free foods, gas (you or your supply chain use it), higher end CPUs (less defects), it goes on and on.
I'm sorry for my ignorance, but how does NextDNS compare to 1.1.1.1 by Cloudflare?
I've been using 1.1.1.1 for some time. For me it has worked fairly well in the USA where my connection speed is ~200mbps. While I was in India, 1.1.1.1 caused substantial slowdowns, in some cases made a few websites unusable. Typically I had it disabled. I'm unsure why this was happening because the website says it makes web browsing faster--I do not have the technical chops to understand this, so would anybody be kind enough to explain in a layman's language? Would NextDNS and 1.1.1.1 differ in terms of speed?
I don't think the increase in speed is a result of you getting responses to DNS queries any faster, it's simply that if you only need to load the content you want and none of the content you don't (ads and whatnot), then the stuff you do want to see has that much more bandwidth available.
But at the current time I feel CloudFlare has more reputational skin in the game, that they're merely selling off spare capacity as opposed to making a separate business model work, and they don't offer logging as a service although they can certainly break their promises at a reputational risk.
In time NextDNS can build up their reputation perhaps to a point even exceeding CloudFlare, but right now I feel those who are joining early are "paving the way" via risk to their privacy.
They're most likely referring to the provider reselling your data (basically you're trading scattered tracking on many providers to NextDNS getting all your DNS lookups, which can be resold without your knowledge)
I do something similar by running CoreDNS on a pi with a bunch of blocks on domains. Works very nicely with caching as well, and the data stays where I expect it.
As a fallback for standard UDP DNS over IPv4, they do use your IP address in a rather clever way: they have multiple IPv4s so you can have different rule sets for different devices under the same IPv4 and they identify which ones by linking the two addresses together (NET1->DNS1 gets RULES1, NET1->DNS2 gets RULES2, etc.).
1. You can share your config across all your devices. Also works on desktops (AFAIK Blokada is just for mobile)
2. You can create multiple configs and easily switch between those
3. Works everywhere (Pi-hole is very cool but only works within the local network you set it up, AFAIK)
4. On my smartphone Blokada regularly stopped, probably because I use an energy saving profile. I could never keep it running for longer than a few days, no matter what I tried. NextDNS seems to work fine so far, had it running for some weeks without a single crash
>On my smartphone Blokada regularly stopped, probably because I use an energy saving profile.
I had an issue with it stopping every couple of minutes, recently I figured out it was Google Fi's VPN causing it to stop after noticing it was only doing it on my phone with a Fi sim and not on my device with a Sprint sim. At some point Fi updated it so that the VPN is always on instead of only turning on when it finds an unsecured wireless network and automatically connected you (which is extremely rare where I live).
> 3. Works everywhere (Pi-hole is very cool but only works within the local network you set it up, AFAIK)
I run a PiHole on an AWS EC2 instance, then VPN to it on my phone. The VPN is configured so that only DNS requests get sent to it and all other traffic just goes straight through the LTE connection so that I'm not paying for all the traffic through AWS.
Could you please elaborate on your setup. How do you achieve sending only DNS traffic over VPN? What do you do when your phone is connected to your home WiFi network?
> What do you do when your phone is connected to your home WiFi network?
Nothing. The phone still uses the PiHole in AWS. I don't run a PiHole on my home network, as I use uBlock Origin to block ads on my desktop. I make my phone use a PiHole to prevent apps that aren't my web browser from getting ads, such as Google Now.
I do the same and together they work the best I find. Ad-blockers act at a different level than DNS blockers so can catch things that the DNS didn't (DNS only had domain, while ad-blockers have the full path)
NextDNS is great. However with these tools, problems appear when you specifically want to display your Firebase dashboard etc. directly going to a service from the "tracker" itself = analytics.google.com
Marking at domain level is too generic to wrestle with this problem.
Thank you for sharing this! I have never heard of them before, but I switched from Cloudflare to it after reading your comment and I’ve been a very happy user for the past 4 days :-)
> founded [..] in Delaware, USA by two French founders
This sets off my spidey sense. Delaware is known to be a hot bed of fly-by-night corporations and front companies used exclusively for shady dealings[1]. I'm not saying that's the case here, but proceed w/ caution.
Delaware is used as the base for a lot of corporations of all stripes. It's because they provide an enormous tax advantage.
I actually had an argument with my business attorney about this many years ago. He wanted me to incorporate in Delaware for the tax benefit. I wanted to incorporate in my own state because that's the right thing to do.
And what, pray, does a global pi-hole grid give that an actual RaspPi and pi-hole can't? What does it add?
Given they are based in Delaware, USA my starting point is far below zero privacy trust: NextDNS are gathering maximum possible data from everyone's DNS queries and selling it, or proposing to use it for advertising soon(tm). Enough independent reviewing and auditing might eventually persuade me that's unfair, maybe. If they actually cared for privacy why not incorporate in the EU and proudly wear full GDPR compliance? Or CA's upcoming privacy legislation?
> 1. We do not (and will never) sell, license, sub-license or share any of the data submitted directly or indirectly by our users with any person or entity.
Which is easily said. Whereas their pricing page tells a different story:
Which is great, because then you can configure your Android to use nextdns as the private DNS provider and thus all adverts and tracking in your mobile apps and websites are covered too, even when you're away from your home network.
It would work off of your network. If you are using their DNS it would work when you took your laptop to a coffee shop or when your phone switched to 4G/5G. That seems like a big benefit to me.
Reliability, speed, accessibility, ease of use, more secure defaults... Enough?
The founders appear to live in the US so a US company is a lot more convenient for them, and Delaware has some very nice benefits for companies that AFAIK don't have any privacy drawbacks. Your assumption that they "are gathering data [...] and selling it" is beyond baseless.
EU users are protected by the GDPR anyways and despite what ProtonMail etc. would like you to believe, founding your company in Switzerland or whatever does not make you magically trustworthy.
From where I see it, they deserve no more and no less initial trust than any other company.
> Reliability, speed, accessibility, ease of use, more secure defaults... Enough?
Very glib, but not helpful nor accurate. Reliability of a web service? Speed faster than local network or local VPN tunnel? Convenience appears to be the top and bottom of it from other replies.
> assumption that they "are gathering data [...] and selling it" is beyond baseless
Not at all. US freedom of information goes far beyond everyone else's and leaves the expectation that personal data is collected, shared, sold, misused and abused, and that's been the case since long before the web. Personal data that most places consider private and inappropriate to share, and often have laws for, is frequently easily available in the US.
The web just brought it further into the gutter.
Europe has had freedom of information with constraints on personal data. Data protection has been around since the mid 90s, and prior to that there were other restrictions on certain types of data collection. The discrepancy between the two approaches has been there for probably seventy years, perhaps more, and it's widening not narrowing.
Those national norms set the starting point of expectations, and what each nation tends to take as axiomatic. For a typical European, for the reasons mentioned, US privacy provision and expectation starts negative. Certain industries and categories get very antsy about data going, even briefly, to the US as a consequence of that. If it's any consolation I start with the presumption every company is untrustworthy.
Given numerous examples from the past this is what "no trust" equals. I'm not advocating publicly accusing them of being evil without evidence, but assuming they are when deciding if and how to use their services is at least reasonable.
In other words in public my opinion on them is "neutral" until I have some information/data/signs to form/change my opinion, but internally I assume they are doing[0] something evil until proven otherwise.
[0] or at least assume they are capable of doing something evil and there is a non-zero chance that they will engage in evil-doing. (but again, not accusing them publicly until there are reasons to do so; I'm just describing internal thought-process)
True, but my point was that incorporating in Delaware doesn't prevent the GDPR from applying to you (for EU customers). It's true that taking action against a non-EU company for GDPR violations is harder, but not impossible.
What really grinds my gears: they do the same thing when you're a paying subscriber.
I've been with the NYT for two years now, and I can vividly remember seeing the first ad that was displayed despite me being logged in. How is that okay?! And btw: I wanted to cancel my subscription afterwards, but apparently you can't do that via web from the EU (or not for my subscription type?) - so I need to cancel on the phone, during American business hours. I appreciate the Times for their journalism, but their business practice with respect to selling their customers' data is beyond unacceptable. I'm already paying you money, get your act together please...
It annoys me too, but I'm playing devil's advocate to reason it out.
When you buy a print copy, it also has adverts. The price you're paying is subsidised by the adverts, it doesn't completely cover the costs.
Perhaps there are two possible ends of the spectrum. On one side, you have to pay for all news that you access and there is no advertising. The news will be expensive, so only the wealthy will have access. The government can subsidise it, but that runs the risk of politicising it.
At the other, there is only advertising-supported news. The content you see is decided by whoever bids the highest.
A blended subscriptions plus advertising model tries to find a middle ground. I guess the argument is that advertising would be OK, if it didn't track your every movement and share that information with thousands of scummy companies. Is that even possible now? Would advertisers pay if they didn't get that information?
> I guess the argument is that advertising would be OK, if it didn't track your every movement and share that information with thousands of scummy companies.
Honestly: no. I'd rather pay more than sell my attention, because that's what ads are doing. My time is more valuable than whatever margin they're making by showing me ads, and I'm very confident that I'm not alone with this position.
> Is that even possible now? Would advertisers pay if they didn't get that information?
This is a really good question, and adding to it: how hard-wired are these mechanisms into modern websites such as the NYT's? I'm pretty sure that there is no simple on-off switch, but how much work would it be to implement one?
A sliding-scale subscription model would be nice, where I could say "I'll pay $100 per month and have no adverts at all" or "I'll only pay $5 per month, and I'm happy to have a lot of adverts".
But the advertisers probably want access to the kind of people who are prepared to part with a lot of money to avoid advertising. You see this in the FT and Economist where it's more expensive to advertise to subscribers, because the advertisers know those people have higher disposable income. If all they can have access to is lower-paid people, I guess there’s a risk a lot of the advertisers will not bother.
Maybe there's just an inherent problem here. News can be good quality, independent from government, free from advertising, and available to all. But it can't be all of those things at the same time at a national level.
> "I'll pay $100 per month and have no adverts at all" or "I'll only pay $5 per month, and I'm happy to have a lot of adverts".
There is another problem with that model. As long as ad revenue is a significant portion of a publisher's income there is a risk of advertisers influencing the content. At $100/month you won't see the ads, but the news itself could still be influenced by advertisers in some way. I'm afraid that this would need an all-or-nothing approach to be effective.
I am afraid there is a high probability that $100 won't work. And the question is a little more complex.
This is not about whether I am willing to pay $100 to get rid of ads, as the OP stated; it is about how many are willing to pay $100. Or more precisely, we need X (say 10) million in monthly revenue from customers to sustain the business. Are there enough customers to share the $10 million expense? We could price it at $50; are there 200K customers willing to subscribe, and if not, how many more paying the $5 + ads will make it sustainable? Given the ad money with the $5 subscription will be lower, since the subscribers at $5 are likely not worth anywhere near as much as those at $50.
Like you said, most of the high-paying subscribers are already concentrated in the FT, Economist or WSJ. And that is precisely the reason why Apple News didn't include any of those three. They still don't get it. It might work for casual, gaming, sports magazines. Not quality daily news.
> This is a really good question, and adding to it: how hard-wired are these mechanisms into modern websites such as the nyt's? I'm pretty sure that there is no simple on-off switch, but how much work would it be to implement one?
After Ars Technica's most recent revamp/relaunch of their pay-for subscription, it took them a few additional weeks to clean it up to remove all third party domain calls for paying users.
> I'm very confident that I'm not alone with this position.
You are not alone. There are plenty of services I pay to eschew ads. The moment they start inserting advertising, they'll lose me as a customer. I don't have cable, don't listen to FM or AM radio, and I don't have satellite radio, all because they have ads.
> The news will be expensive, so only the wealthy will have access.
I think this is correct, although HN readers may have some bias to disagree. I think the HN crowd is generally fairly well off financially (but not rich) and cares more about privacy than other groups.
> When you buy a print copy, it also has adverts. The price you're paying is subsidised by the adverts, it doesn't completely cover the costs.
For print and online the advertising covers the cost and the subscription is just a bonus on it, same thing you said but from the end user's perspective. Why pay a bonus for nothing?
Print ads don't call home with your identity when you see them, they don't tell a dozen different companies who you are. The magazine may have some general statistics on its customers (maybe differentiated by region?), but they certainly don't give the advertiser enough information to uniquely identify every person who sees an ad, along with individual demographic information and information on what ads the reader has seen elsewhere. The print customer database is (probably, hopefully) not linked into other third party databases that list what your hobbies are, what shelves you look in at the store, and what other publications you subscribe to.
If online news only had static first-party ads that were the same for every customer (or possibly every customer in X region), uninformed by Amazon/Google/other browsing, I'd be more than happy to turn off my ad blocker.
If the newspapers produced a daily epub, I'd be happy to pay for it. Even then, epubs can contain references to third party images and other resources (not sure about PDF, I despise PDF for lack of text reflow). My personal ideal for online subscriptions would be an OPDS catalog that I could subscribe to; this supports login-based access, and I could use fbreader or any other app to read.
> I guess the argument is that advertising would be OK, if it didn't track your every movement and share that information with thousands of scummy companies. Is that even possible now? Would advertisers pay if they didn't get that information?
They would, if they had no choice. They have to be forced, both technically and legally, to advertise without using that kind of fidelity. Simple as that.
For the FT specifically, I get the impression that a pretty large portion of subscriptions are corporate/paid for by employers so I'm not sure how true that really is.
This. Also, some of those eyes are going to belong to people who make purchasing decisions on the behalf of their employer. Those people are exceptionally valuable to advertisers.
I pay for NY Times (as well as several other papers, like the WSJ).
NY Times runs giant banner "subscribe" ads even if you're a paid, logged-in member. I still need ad blocking on!
I wouldn't mind ads equivalent to what you see in the real paper -- a Macy's ad at the end of an article, etc. But they should be in the page, and not popping up on top, on the bottom, or over the article.
> And btw: I wanted to cancel my subscription afterwards, but apparently you can't do that via web from the EU (or not for my subscription type?) - so I need to cancel on the phone, during american business hours.
There's existing NL law (maybe based on EU regulation?) that makes this impossible. Basically: the way you cancel should be as easy as you subscribe. Meaning, if you could subscribe online, you must be able to cancel the subscription online. If subscribing was utterly difficult, then cancelling can be utterly difficult.
If there's EU regulation behind it, usually you can force any foreign company to abide by this. Unfortunately it was difficult to figure out if this NL law was based on any EU regulation (e.g. Consumer Rights Directive from https://ec.europa.eu/info/law/law-topic/consumers/consumer-c...).
I had the same experience with the Globe and Mail in Canada. You get ads regardless of whether or not you're a paying subscriber, and while you can sign up online, you can't cancel. It was a total pain in the ass to do that over the phone, and it's a glaringly-obvious (and misguided) retention tactic.
I'll never subscribe to them again. What a short-sighted way to optimize for revenue at any cost.
It explains why there's so much fear-mongering and misinformation regarding the GDPR and how they're trying to make users hate it (by using non-compliant and annoying by design "consent" prompts). There are literally billions being invested in all that cancer called adtech/martech that's been made illegal by the GDPR.
JFC! Maybe if they didn't whore themselves out, they wouldn't need the money they're whoring themselves out for because their hosting and web dev costs would go way the fuck down.
It's easy to install, full-featured, ships with lots of lists to pick from, auto-updates lists, doesn't need an additional device, and you will benefit from router features shipped as part of OpenWrt and probably unavailable in your router's proprietary firmware. Much recommended.
If that sounds attractive and it sounds like a good opportunity to change your crumbling unpatched router, the question "what's today's good cheap router running OpenWrt without trouble?" is frequently answered by https://www.reddit.com/r/openwrt/ :) .
This isn't any better on the NYTimes mobile site. Everyone should be running Firefox for Android with uBlock extension enabled. Bonus: it reduces the network traffic so dramatically, it's like getting a new phone.
I used to be conflicted about using ad blockers on sites I frequent and enjoy and used to actively maintain my block list. After all, I want them to earn money.
But almost all websites are getting out of control and I no longer have the time and energy to do that. So Firefox+uBlock all the way.
> But almost all websites are getting out of control
And they don't care if you're a paying user! I subscribed to the NYT, paying them fair money every month for a couple of years now, just to be subjected to the same mess regardless.
It's infuriating. Why should I even pay for the service when they still bombard me with ads and tracking?!
I used to feel that way too, until I got redirected to scam "you won an ipad" sites from mainstream sites I respected. They served me a bad ad, so I blocked and never looked back. Who knows how many times they silently tried to serve me malware?
I use Firefox Focus. It's great for things like reading news articles because there are no tabs. Just one page at a time. It has built-in tracker blocking but doesn't support extensions like ublock.
Normal Firefox for iOS with "Strict" setting enabled in the "Tracking Protection" section of Firefox's in-app settings menu reduces nytimes.com advertisements on the front page for me to basically 0. In my experience, it's just as good as Firefox Focus for blocking trackers and ads.
I use both on iOS. I generally open in Focus because it actually tends to be stricter. I find that if I open something in Focus I can, from there open in Firefox if blocking is too strict and sometimes it works. Another plus to using Focus, if a site is completely broken, I can just disable all blocking and not worry much about it because nothing gets persisted when I leave and blocking is automatically re-enabled the next time around.
Same workflow is pretty much possible without it, but it does make ephemeral browsing a bit easier.
You can make fast, light-weight websites without AMP. In fact, it's easier to make a fast, light-weight website than to make the modern request-heavy monstrosities you see today.
Just stop using 20 trackers and 10 ad networks, and stop loading so many parts of your page asynchronously. A news article should require zero JavaScript.
I prefer using a browser on Android that has integrated ad blocking with no extension needed. As with ad blocking extensions, browsing becomes lightning fast.
uBlock Origin uses public, transparent, editable block lists. I cannot say the same about built-in ones, and browser vendors could always have ulterior motives, be strongarmed into whitelisting exceptions and so on.
Brave on Android also broadcasts your phone model in the user agent, unlike FF. They've said they would fix this and then let the GitHub issue languish for at least a year at this point.
Ads have gotten to the point I'm once again getting the feeling I'm on IE with 80% of the page blocked by toolbars. But this time it's ads and videos blocking any content I want to consume.
Blockers are a valuable thing to simply be able to read or watch anything on most sites nowadays. I also happily pay for proper media, but not when you complicate this by blocking parts of this action with ads to begin with.
It also deals with 1st party cookie tracking. It clears cookie/storage on every page load as long as it detects that you're not logged in to the website (still buggy) using machine learning (NLP).
The next minor version (under development) will also allow you to block websites/domains from appearing from google search results, facebook feed, twitter feed and basically the entire internet.
It also blocks cookie/gdpr banners on websites.
(Signup on mobile does not work for now)
You can also add summaries/TL;DR for any link on the internet (right click) so others don't have to click.
For people that are fine with a manual whitelist there's also Cookie Autodelete: https://github.com/Cookie-AutoDelete/Cookie-AutoDelete. It removes all cookies when you navigate away from a website after a (customizable) grace period. Usually this works fine; you just need to be careful when you tell it to erase cookies when the domain changes (rather than when the tab closes), as some 2-step sign-in procedures need the cookies from the original webpage to work.
I want a browser that allows first-party cookies, but auto-expires them if I don't visit the domain for an hour. It should also only allow one level of requests (i.e. if a site requests a resource, that resource cannot request additional resources from other domains).
The latter part won't prevent bad behavior, but it will force that behavior to be proxied -- which carries technical, financial and legal implications that will cause companies to be more careful about their downstream redirects.
Nah, we just need enforcement so people actually have a way to opt out rather than being fobbed off with dialogs like "apparently we have to display this annoying popup to tell you we are using cookies because this is how the internet works now. [whatever, just take me to the page]", or "more options" buttons that take you to a never-ending maze with no actual way to opt out.
Actually stamp down on the sites taking the piss. Without teeth, GDPR is useless, but so would any other toothless solution be.
Many sites actually do follow it properly, i.e. they have the popup tell you that tracking ads are all OFF and if you want you can ENABLE them to get more relevant ads, but you are free to just dismiss it.
Once one of the big players that don't do this and instead have it e.g. opt-out are actually fined, I suspect more sites will begin to behave correctly.
I think it worked wonders with GDPR which exposed all this pus. Unfortunately, the EU has been too slow acting on it. Only British Airways has been slapped with a significant fine so far.
The problem with fines against Google (and Facebook, too) is that it's peanuts for them. They just factor this in the same category as "legal costs", and it never affects them even remotely.
Because at this stage opting out included navigating many stages of dark patterns and deceptive pages, including semi-hidden links and fake slow progress bars. Even on the biggest sites.
If, and I say if, these gangsters ever get hit with major fines, and we get the simple yes/no option that a few pages have, then it will be better.
Right now, the ad industry (or should I say Mafia) is trying to actively circumvent this legislation.
I rarely see opt in GDPR popups, it's typically "accept tracking" or "more options...", the latter seemingly sending you down an infinite rabbit hole. Well, now that I think about it, this might count as opt in, but this is definitely a dark pattern.
The other thing I often see is an "accept tracking" button, and a tiny "more options" link that just goes to a page explaining how to switch off cookies on your browser. I'm pretty sure that's not OK with GDPR as well.
IANAL, but this is not entirely true. Under GDPR data can be used by claiming "legitimate interest" [0]. In the case of legitimate interest, the user needs to opt-out rather than opt-in.
If legal action were taken, shouldn't the browser have the controls regarding tracking preference? Setting up each page (provided that 'No' would still load the page in either full or stripped-down variant) on each device owned and/or reapplying choices whenever the browser cache is cleared would be frustrating.
Maybe DNT should return as a respected feature within the browser, and user choice shouldn't affect the access to the content but only its form.
Those who abuse it the most will just move to a jurisdiction where it is allowed. Or they'll do it anyway, since many of the worst threats on the internet are already criminal. On the internet, technical solutions > legal solutions.
There are clearly some things that are economically viable as a criminal enterprise, but I don't think tracking people for ad targeting purposes is one of those things.
Tracking only pays if you can track a huge number of people and sell ads to a huge number of advertisers. The profit per tracked user is too small to pay for running a criminal enterprise.
Moving to a different jurisdiction is impossible as your customers (the advertisers) and the sites/apps where ads are placed would still be breaking the law.
> There are clearly some things that are economically viable as a criminal enterprise, but I don't think tracking people for ad targeting purposes is one of those things.
True, most illicit ads tend to be non-targeted. But some criminals do things like blackmail, fraud, espionage, etc. using tracking data.
> Moving to a different jurisdiction is impossible as your customers (the advertisers) and the sites/apps where ads are placed would still be breaking the law.
That all depends on the specific business model, business partners, and their presence. Regardless, what I describe is not conjecture, many companies are shuffling around data to avoid GDPR rather than comply.
A different company without a physical presence or business partner in the jurisdiction in question, might have little to no incentive to follow the law.
In the end, even if companies are breaking the law, or even if they are fined, your data won't be protected unless they actually change their behavior as a result. Calculated non-compliance is a commonplace strategy for corporate legal compliance.
I don't dispute any of that. But what it means is merely that compliance will never be perfect. Companies will always test the limits of the law and look for loopholes.
Like with tax compliance, this will always be an arms race. But if the law raises the bar, they will jump a little bit higher on average.
It doesn't have to be perfect. Privacy is not black or white, and trackers themselves are anything but perfect.
I recently looked at the list of what Google thinks I'm interested in. It's funny. Supposedly, I have a particularly strong interest in vehicles and buying cars. In fact I don't even have a driving licence, never owned a car, never will.
The list goes on and on like that. They must have rolled the dice to come up with things like "Flowers" and "American Football". I feel my privacy is completely safe with these geniuses :)
For sure, mass marketers prefer quantity to quality. Google/Facebook are not doing anything particularly novel in the realm of what is possible, nothing more than is needed to get accurate enough across a large number of users.
It's the more targeted uses of fingerprinting and data collection that are scary. If you're a person with lots of money or influence, there's already someone out there who is specifically trying to collect data about you in particular. Those people and organizations are looking at the data in much more detail than mass marketers.
Exactly. That's how we ended up with the terrible cookie warnings. The funny thing is that GDPR has language about respecting the DNT but no one cares.
It's also one of the reasons why people have become so acutely aware of the problem. When the umpteenth site asks you to consent to over 200 ad providers/trackers, there's clearly something wrong.
I'm very curious about how 1st party cookies will be used for tracking.
How can they connect one website's cookies to another's?
All I can think of is fingerprinting, but afaik you can't really be sure "who's that" since fingerprinting filters people out, and isn't good enough to target a single individual.
I guess they can improve it, but there are ways to work around it too, it will probably be easier to fix fingerprinting than blocking 3rd party cookies.
It seems that if 1st party cookies were as good, they would have switched to them by now.
I run uBlock for the sake of not getting bogged down by resource heavy ads/cryptominers and to mitigate the threat of malware, not so much tracking. I would assume most major ad companies have already vastly improved fingerprinting and will be able to track unique devices despite all conventional trackers being blocked. Add to that how more and more sites require you to be signed in to be functionally useful that ad tracker blocking is becoming less useful as time goes on.
In any case ad personalisation does work with me as I never click on any ad, personalised or not.
My "objection" with having some things ONLY on the browser, is that there are other applications that speak with the internet (e.g. Windows Telemetry).
I didn't see anyone mentioning this, a very useful site for Browsers' filters: https://filterlists.com/
The interesting thing to me is that despite having 5M domains in their blocklist, they only have 8.2% of requests blocked. My dashboard currently says 36% of requests are blocked while having 125k blocked domains.
You might want to check if it's Firefox, VSCode or some other telemetry that's getting blocked. I had a similar percentage blocked until I disabled those apps phoning home.
Yeah, on our Pi-hole 45% of the blocked domains are only four domains. Three Microsoft at about 35% and one Google at 10%. But we also have uBlock on everything that accesses internet so that lowers the amount of google lookups.
Pi-hole shows blocked DNS requests; it doesn't show the number of AJAX/static requests your browser tried to make, which is going to be quite a bit larger, and that may match your 36%.
If this is your website, please make the table header sticky, so it stays in view as you scroll down. Having to scroll up to check it is a bit annoying. Also, another column for Firefox (with its default tracker blocking enabled) would probably be useful.
The advanced metrics page should also have a css media query for screen size; either split the table rows into a list or set a min-width on the table as a whole. On my phone, the first column has only 1-3 characters per line, and other columns seem to only show part of the contents (even the 0 is only half-visible).
I cannot endorse the app but it is made by dnscrypt-proxy enthusiasts. It had been removed from the App Store and was brought back thanks to the support of a German incubator.
That’s quite interesting. I’ve used DNS Cloak in the past, but I’ve never tried the blacklists or whitelists. How would one get started with it? I mean, from what sources would one populate it and how?
Go to advanced options. You can generate your own list and load as a file on iPhone, you can also set forwarding and cloaking.
But I think it is more practical for your personal fine tuning of DNS behavior. For larger lists it is easier to point to a DNS server that already has some block lists on.
Personally I point to my personal doh/dnscrypt server which is refreshing blacklists twice a day with a cron job.
I have quite a few raspberrys around now but they seem kind of flimsy and unreliable. When you really need your "server" to just work for 5 or 10 years in a closet without worrying about it, you'd want something that isn't fed by a 5V transformer that is prone to dying once a year.
I'd happily pay $100 or even $200 for an "industrial" raspberry(-compatible) device. Something in a sturdy case with a reliable power supply.
I’m a bit reluctant to add another one to my closet as a 24/7 server until I find a solution to the reliability issue. I don’t want to run a proper big server because of the electricity cost either. I want something under 15W, preferably passive, with high reliability.
Proper USB power supplies don't just randomly die once a year, that's utter lunacy.
And what exactly is stopping you from getting any 5V power source or even just rigging up an old PSU with a 10W resistor on the 12V rail and splicing the 5V onto a USB cord?
This is a non-issue.
Edit: wrote this before your edit, but still stands. If there's anything to worry about reliability-wise in that timeframe it's SD card corruption, but there are plenty of ways around that, whether by limiting writes or using other media.
Edit 2: hostile tone not intended, just perplexing seeing something almost akin to concern trolling done in this manner.
I just don’t like tinkering. I want what you describe but I want to pay with money, not time. Simply a raspberry with a good case, a good psu researched and tested by someone else. They aren’t that easy to find. The market for those of us who are happy to pay $50 for a case and $50 for a psu to house a $30 computer is slim I suppose.
But the pi does have a bit of a dual personality problem where it is made cheap enough to be a toy or hobby thing but people often want to run them unattended for years.
I’m not trolling; I’m genuinely looking for advice on more recommended PSUs, cases, raspberry clones etc. that don’t require any modding and still make a 5 year uptime server from a pi.
Any case and any old original iPad charger will do you fine, seriously :) I'm just saying, if you want something really sturdy nothing stops you from either investing in or tinkering up whatever your fancy.
And don’t forget a pi-hole is just a MITM dns server, so if anything should blow you'll just fall back to 8.8.8.8 or ISP default or whatever...
Most cases for rpi are $3 plastic shells around the board. With a stiff cat6 cable you can’t even make it sit on a flat surface but it will hover above your shelf (good for cooling but feels a bit flimsy). That’s what my closet looks like now. Tiny boxes suspended by their tangle of cables. Disconnecting one always feels like a risk of disturbing another.
Just a bigger/heavier case, or one with good wall mounts, or a half-width rack tray where you can bolt one (or more) raspberries would be perfect to get some order in the closet.
Googling around now I see a lot of DIY rack mount (stacked vertically in 2U seems to be the popular choice). Just need to find someone selling that commercially.
Using iDevice chargers is a good idea.
Edit: googling further reveals this one too:
https://revolution.kunbus.com/revolution-pi-series/
DIN Rails! Situation has definitely improved a LOT and shows that there really is a demand for more "industrial" use.
Since the pi does have screwholes you can also just literally mount them straight on the wall :) Me, I like that aesthetic out in the open, but if they're in the closet anyways it doesn't really matter.
I'm running a pi 4 with 4GB RAM, a quality power supply and a fan as a desktop. It is hooked up to a 23" monitor running on an SSD. It is more reliable than my older iMac (2013). And yes, you need a quality power supply, but it has been rock solid for me as well as being dirt cheap.
I also have a PI 3 taped underneath the table for simple utilities and I forget it is there because it "just works" - for the last year.
Laptops are good for small size and low-ish power but their tiny fans tend to clog up or start making scary sounds after a couple of years. Would like a small box with a big fan - or no fan and a heat sink type case. For rpi (at least 3’s) passive should be fine even without an advanced case I guess.
Bonus points for a half width rackmount rpi case...
I use an adblocker in my browser and a pi-hole as well. I hate ad networks and it's been a long time since I've been redirected to a site letting me know I've won a free iPad.
But some sites do advertising right and my blockers are useless against them, and I'm OK with that. Take, for example, this site (and here's the owner writing about ad-blocking): https://css-tricks.com/discussion-around-ad-blocking/ (2015)
Their ads are all first-party content inserted into the page. It's not even an iframe. Just divs and svgs like the rest of the page with an anchor tag that links to the sponsor. It even looks kind of nice and fits cleanly with the site.
And most importantly, to me as a visitor, a link to a sponsored site is not going to redirect me to a scam the moment I land on css-tricks.com, because they at least always control what's on their own pages.
We need to pay better attention. Things like The Correspondent come along (https://thecorrespondent.com/), and they're lucky if they succeed. I threw some money at them specifically because of the problems of today's news (ads and bad journalism).
I wouldn't entirely be opposed to microtransactions, and I already send money to people on Patreon.
ETA: I pay probably half a dozen services to eschew ads. I've been paying Consumer Reports for years for online access. I feel that if you can't figure out a way to make money without screwing over your customers (with ads or invasion of privacy), your business deserves to die in a fire, the sooner the better.
Going in a big for-profit news paywall thingie that requires I shut down anonymous browsing or ad blocking is to me the mental equivalent of picking up an unidentified pile of trash in the street. You know you'll have to wash hands afterwards.
Really, I think people will realize at one time that there is no way around simply forbidding advertisements to make internet sane again.
If 10% of the ingenuity spent in the ad/tracking system went towards microtransactions, instead of having to swim through a sewer of ads on any website, we would be rewarding each other with micro-dollars for insightful comments and giving 5% of it to the host.
I think the big problem is choice. I have no choice but to accept ads on every blippin’ website (if I use a vanilla browser setup) and be tracked. The choice is taken away from me/us and that's the core of the problem. The early internet was way more diverse in content, less converged, and one reason for that is there was no/less incessant need yet to ‘grab eyeballs’ and push for clicks.
That www hasn’t fully gone, but it's just buried under the tons and tons of marketing fluff. Both content provider and user have become the poorer because of it.
Greedy people deceiving users... I hardly see micro-transaction as a solution.
Just like ad/tracking, we would be rewarding big corps and click baiters, not each other.
I think they would benefit from a more dumbed down FAQ/set up. For context I'm at the upper end of non technical people in some respects (I write pandas queries everyday etc) but know nothing about DNS and this lost me pretty quickly.
I'm still not sure whether this should be used in addition to or instead of ublock (which is what I use now). The setup page is also a bit intimidating given I don't understand what 99% of the things on it are.
Ad-blockers (like uBlock Origin) and pi-hole operate on two different levels.
The ad-blocker prevents your browser from ever requesting data (like the ads) from the place they come from in the first place.
Pi-hole on the other end works with DNS, or the Domain Name System. You set it up so your router sends all DNS traffic to the pi-hole, which will then drop any traffic that has a domain name it has blacklisted. So it only kicks in if something on your network actually requested something from one of those blacklisted domains.
It comes with many domains already included, but more can be added fairly easily and large user-made lists and regexes exist to expand it.
Ad-blockers can be used on mobile versions of browsers (like Firefox for Android) but for people using mobile apps (like the Youtube app) having a pihole is a lifesaver.
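To make the DNS-level filtering described in the comment above concrete, here is an added example (not part of the thread and not Pi-hole's own code) that models the decision a filtering resolver makes: allowlist first, then exact blocklist, then regex blocklist, otherwise forward. All domains, lists, the fake upstream table and the function names are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample lists; every name below is a placeholder.
EXACT_BLOCK = {"ads.example.com", "tracker.example.net"}
REGEX_BLOCK = [re.compile(r"(^|\.)telemetry\.example\.org$")]
ALLOW = {"cdn.telemetry.example.org"}
# Stand-in for the upstream resolver (documentation address range).
UPSTREAM = {"news.example.com": "192.0.2.10",
            "cdn.telemetry.example.org": "192.0.2.20"}
SINKHOLE = "0.0.0.0"  # unroutable answer handed back for blocked names


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.strip().rstrip(".").lower()


def resolve(name):
    """Return (verdict, answer) for one query name."""
    name = normalize(name)
    if name in ALLOW:                      # allowlist overrides every block rule
        return "allowed", UPSTREAM.get(name)
    if name in EXACT_BLOCK:                # exact entries do not cover subdomains
        return "blocked-exact", SINKHOLE
    if any(rx.search(name) for rx in REGEX_BLOCK):
        return "blocked-regex", SINKHOLE
    return "forwarded", UPSTREAM.get(name)


def names_looked_up(urls):
    """Hostnames a client has to resolve to fetch these URLs.

    A URL whose host is an IP literal produces no DNS query at all,
    so a DNS filter never gets to make a decision about it.
    """
    names = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        if not host:
            continue
        try:
            ipaddress.ip_address(host)     # IPv4/IPv6 literal: nothing to resolve
        except ValueError:
            names.append(normalize(host))
    return names


def blocked_share(queries):
    """Fraction of queries answered with the sinkhole address."""
    verdicts = [resolve(q)[0] for q in queries]
    return sum(v.startswith("blocked") for v in verdicts) / len(verdicts)
```

The `names_looked_up` helper shows the blind spot of the approach: the filter only sees names that clients actually ask it to resolve, which is why a browser-level blocker and a DNS-level blocker complement each other.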
Yes that makes sense, mobile apps need it! Funny I wrote a node.js HTTP proxy like 5 years ago to run all my browsing sessions through. I downloaded a text file of ad domains, probably from adblock itself. So yeah the benefit is that you don't have to configure each browser.
Well it was an HTTP proxy and not DNS, so it did require some extra configuration on the client. But you don't have to install an extension at least.
But I stopped using it because it was a pain to administer and I didn't spend much time making the code solid. But I will look into pi-hole -- didn't know about it!
How does this compare to using something like Segment (or your own server) to proxy the information to the 3rd party analytics tools?
Seems better from a performance perspective. With the 3rd party cookie changes going on, is it equivalent from a tracking perspective? It also seems "unblockable".
I imagine the ad industry will kill DNS based ad blocking sooner or later. It's just too much of a cat and mouse game to have only the hostname/IP and a blacklist as your defense.
No in that it provides a nice user interface for automatically updating your blocklist, specifying which DNS to point to and how to encrypt your queries, you can temporarily disable the blocking (which you sometimes need to do), etc etc
For uBlock Origin, you should block 3rd party scripts, frames and 1st party scripts on NYTimes. It also has the unintended benefit of getting around the paywall.
Correct me if I'm wrong, but couldn't a site easily defeat a pihole by returning a page with links to ad assets that have IP addresses rather than hostnames?
Resolve the hostnames on the server and simply substitute them in the links/scripts/assets
Without actually digging into it, I would assume that nytimes loads js assets from a third party, that's the direct nodes from the center. The size of the node is the size of the js asset. That third party then injects yet another script onto the page. The next connected nodes represent these scripts and their size. And so on and so forth. These scripts ensure to the advertiser that their ad is actually being shown. The advertiser doesn't trust the hosting page to correctly display their ad, so the ad injects their own tracking script. That tracking script injects their dependencies. Thus this madness.
Every blob on the map is a loaded resource and a line connects every resource with whatever pointed to it. The reason you can get a tree is because of things like iframes that can then themselves request other resources. It might also be some 3rd party javascript requesting other third party resources.
This is obvious but I had Firefox containers & Decentraleyes enabled. This makes comparing the results to the output of the DevTools Network tab a little difficult.
Turn off all the protection to see the issues in the DevTools Network tab.
You could just stop reading the NY Times. They've gotten enough wrong that they shouldn't be the newspaper of record any longer. I'm a little partial to the LA Times - during the elections as I recall, they had less lean one way or the other.
Why do any of these people care about internet ads tracking them? Are they bored? Yes, random corporations and political groups are compiling personal dossiers about you. What is it you fear? That they'll be successful at selling you something? That "ominous entity" will do "bad thing" because they know "that thing about you that everyone else you know already knows" ?
If you have a real reason for serious concern for your safety, I get that. If you're just afraid of people knowing things about you, yikes.
Ever since an iOS update last year Firefox (well, the Firefox-branded Safari browser for iOS) doesn't block ads for me anymore. I really noticed that my mobile data usage spiked since then.
There's all these adblocker apps in the app store, but they seem rather scummy and the few I've tried don't appear to be working with Firefox anyways.
It's ridiculous considering Apple is declaring itself the champion of privacy. I might really have to rethink if I get another iPhone next time I'm buying a smart phone. Not that Android isn't equally terrible for different reasons..
Uh, what? Content Blockers on iOS aren't scummy, they can't track you because all they do is provide filter lists to the OS, which then runs them against your browser traffic. They work just fine in Firefox. Firefox Focus provides its tracking protection list as a Safari Content Blocker, which is nice. Other than that, I use AdGuard because it's free and lets you choose which filter lists to use.
You have to enable content blockers in Settings → Safari → Content Blockers. Just downloading the app without following the instructions is not enough.
I'm sorry, but that's nonsense. AdGuard doesn't have any scummy stuff like "acceptable ads", they make money by providing a fully functional free ad-blocker and selling a version that has more features. That's as un-scummy as it gets. (I have no relation to them. I use the free version. It does everything I want.)
FOSS Android really isn't that bad, and probably the main thing stopping me from switching to iOS is that Firefox for Android has basically full extension support. uBlock Origin's UI is just slightly wonky since it's designed for the desktop browser, but it works great and stuff doesn't really seem to slip through. It's great to be kinda in control, even if it's not perfect.
Availability of alternative business models doesn't matter. They'll just make advertisers pay even more money to reach an audience with disposable income and willingness to spend it. The fact is some executive is always going to show up and say "think of all the money we could be making if we just served ads and sold our user data in addition to our current business model!"
The answer is to make ads unprofitable. When someone pays for advertising, they must get no return on their investment. Only then will ads disappear from the web. In order to achieve this, all ads must be blocked automatically and by default, no exceptions must be made, and the blocker software must be pre-installed for all users.
Newspaper ads don't have tracking. TV ads don't have tracking. Why should web ads?
They don't have a right to a business model. I do have a right to privacy. If they can't come up with a viable business model that respects privacy, they don't deserve to exist.
It's like when people claim Google can't afford decent tech support. If that's the case then Google shouldn't exist.
Yeah, but this ad cancer has spread everywhere. My Samsung TV just yesterday started showing ads for chocolate in the home hub, the TV that I bought full price, not subsidised, no nothing, started showing ads in my living room for chocolate. I saw threads on reddit about this some time ago, but never experienced it. Now, happening to me, it felt so weird and wrong, like my home was being invaded by a big Mondelez brand that I would never in my life buy.
You can present ads without serving thousands of cookies and tracking every movement of every customer, no problem. Magazines and newspapers did that for the 20th century, no problem.
Advertisers are overpaying for a more "targeted audience" but I suspect in the end the point is moot.
Simple case: ads that retarget you to something you googled previously (but they don't know you just bought it or gave up on buying it)
These kinds of sites are already behind a paywall for most of the content you'd want to see, as Graham notes. I do not understand why sites like the New York Times, which generate massive amounts of traffic as far as I know, cannot use other real estate on their websites to serve static ads with zero nefarious tracking enabled. The model already exists for their physical product. I fail to see why we can't have a version of the Internet that ports over that previously successful system.
I don't work in Internet ads; I work in hardware. So maybe someone here can help me understand why what I would otherwise assume to be a simple implementation is viewed as impossible. I'm obviously missing something.
I also don't work in Internet ads, but my assumption would be that advertisers are unwilling to pay for a static ad to be displayed to e.g. 100k users when they could instead pay for ad that uses tracking to display only to the 500 users that might actually be interested.
And from NYT (or other publisher) perspective, 20 of the latter is presumably more lucrative than 1 of the former
https://www.theatlantic.com/business/archive/2014/06/a-dange... I suppose the explanation is that classic ads can be easily served by a multitude of agents and there will be no billion-dollar business. Nowadays, invested vendors have created a smokescreen so thick, no one acknowledges that most of their ads are having 0 effect...
I think I get that "classic" ads are ineffective relative to installing a surveillance apparatus that has designs on influencing your behavior. So, perhaps you're right that it's investors that are causing this, who are demanding higher returns every quarter.
Media advertising really started about 1850-1860, when there were mass-market goods produced that required advertising to create a market. Yes, there were earlier ads, largely of the classified variety, selling one-offs (often real estate).
You didn't have advertising without mass production, mass literacy, and mass media.
Hamilton Holt wrote in 1909 of the effects of advertising on his industry in Commercialism and Journalism, a short, easy, but highly informative read:
Yes, there were earlier ads, largely of the classified variety, selling one-offs (often real estate).
People were not literate.
Printing and publishing were expensive.
There were very few mass products.
Wikipedia: "The history of advertising can be traced to ancient civilizations. It became a major force in capitalist economies in the mid-19th century, based primarily on newspapers and magazines."
Barkers, criers, the odd promotional papyrus or clay tablet, a shop signboard, are not the mass advertising of the latter 19th, 20th, and early 21st centuries.
Mass advertising, such as it might be thought to exist, was largely propagandistic, in that word's original sense.
Humans have always been experimental and some of us have never hesitated to use shady practices to increase profits. For instance, back in the day empires tried their best to restrict foreign products in their territory, no matter how much inferior their own products were.
”Block ads, trackers and malicious websites on all your devices. Get in-depth analytics about your Internet traffic. Protect your privacy and bypass censorship. Shield your kids.”
All you do is point your DNS at it. (Or let one of their apps point DNS for you.)
But I really like the ethos:
”NextDNS was founded in May 2019 in Delaware, USA by two French founders Romain Cointepas and Olivier Poitrey. Olivier has been working on Internet infrastructures for the last 20 years. In 2005, he founded Dailymotion, the largest video sharing service after Youtube and the most popular European website in the world at the time. He is currently Director of Engineering at Netflix, working on Open Connect, Netflix's home CDN also known as the CDN moving about 30% of the total US Internet traffic. Romain and Olivier closely worked for years at Dailymotion on many different projects. Romain ended up leading the mobile & TV department.”
”We are true supporters of the net neutrality and Internet privacy. We believe that un-encrypted DNS resolvers operated by ISPs are detrimental to those two principals. Alternative solutions like Google DNS or Cloudflare DNS are great, but we think more actors need to step up and provide alternative services to avoid centralization of powers.”
In ~8 months it’s gotten mom proof while also being something I can recommend to techos. For me, it’s been more reliable than the enterprise Zscalar DNS filtering, and more configurable than other filters, particularly in allowing ad blocking and custom block lists and white lists along a rich set of built-ins.
I’m at 7% blocked out of 4 million queries in last couple months.
I should note that I don’t use Facebook, Spotify, Messenger, Snapchat, or Twitter.