Collusion: A browser addon to demo how websites track you online (toolness.org)
125 points by abhinavsharma on July 8, 2011 | 28 comments

i used to browse with firefox's cookie prompting on, so every time i would visit a new site, i'd have to manually allow it to set cookies. i'd usually deny them for everything and only allow certain sites to set cookies, to avoid tracking like this site is describing. denying cookies broke quite a few sites and the prompt became annoying.

now i just browse with cookies enabled, but the "keep until" setting is "i close firefox". now every time i close firefox, all the transient tracking cookies and other bullshit are erased. for sites that i actually want to stay logged into, like hacker news, or that need to store long-term cookies for authentication like banking sites, i use the "cookie monster" add-on and just click its icon in the corner and tell it to allow cookies for the current site and no other 3rd party hosts. my current firefox cookie list is small, and only has cookies for sites that i know about.

Just cookies isn't enough - there is DOM storage and LSOs - install "better privacy" plugin to delete other nonsense on browser shutdown (or every X hours).

yes, i'm already using that, along with flashblock.

Give the "Cookie Monster" extension a try. You can browse with a default "no-accept-cookies" policy, but at browse time decide to (based upon the domains of the cookies):

1) temporarily allow cookies from some domains; 2) permanently allow cookies from some domains.

Gradually you can build up a whitelist of only those sites where you will allow cookies, even while blocking their own advertisers/trackers from setting cookies, while keeping everything else off.

did you read my comment? i'm using cookie monster.

blocking by default and only allowing the current domain breaks quite a few sites that refuse to work without an active session cookie. some break subtly and some throw you into a redirection loop. that is why i accept all by default, but firefox marks them as session cookies so they don't survive across browsing sessions, and using cookie monster i whitelist a few domains.

I take a simpler approach. Just deny all third-party cookies, allow them for current host.

Very nice illustration. I'm a big fan of using Ghostery to block everything, it's ridiculous how much shit is on some pages:


I've also started using Better Pop Up Blocker because either networks are getting smarter or Chrome's crap at blocking popups:


Am I imagining things or is Ghostery starting to auto-whitelist some trackers?

Remember, the plugin got sold a year or two ago to a commercial company selling advertising services.

I rolled back to the 2.4.2 version and no auto-whitelist.

ck2, I work on Ghostery. Ghostery does not auto-whitelist.

If you'd like to see for yourself, feel free to look around. Firefox/Chrome/Safari/Opera browser extensions are mostly written in JavaScript.

If you are having issues with Ghostery, please post on the support forum at http://www.ghostery.com/feedback.

Any idea where I can find the whitelist? I've poked around (Google, fgrep, etc.) and nothing is jumping out at me.

Came here to mention it. I've been using Ghostery for ages now, on all my browsers.

If you're not paying for something, you're not the customer; you're the product being sold.

I've seen this quote around a lot lately, and it makes me very uneasy.

I understand the idea it is expressing, and as a phrase it is attractive because it is short and simple.

The problem is that the sentiment behind it ("advertising corrupts companies to put advertisers instead of users first") just isn't true. Not only have newspapers and TV stations been dealing with this for years, but there are numerous other examples.

For example, Sebastian Vettel is paid by Red Bull. Does that mean he (or the Red Bull F1 team) prioritizes selling Red Bull above winning races?

Media organisations are interesting - there are numerous cases of newspapers publishing stories that are against the interests of their advertisers.

There are also many cases of media organisations holding back stories that are detrimental to their advertisers. But is this any worse than product companies selling goods that are unreliable because of cost savings made during manufacture? What about a case like BP, where an oil spill directly damaged their customers, but BP acted in the interest of its shareholders instead of its customers?

Saying something like "company culture is the critical factor" sounds like some kind of management-speak way of avoiding the issue. Yet - to me at least - it is the only explanation that matches the behaviours we see in the market.

To quote another phrase, "there's no such thing as a free lunch".

Free-to-air TV is only "free" because the TV network is selling your eyes to someone else. Radio is only free because they're selling your ears to someone else. Even my own site "fivesecondtest.com" is only free because you help us do user testing which we can then charge other people for.

The point is, if there is money changing hands, and it isn't coming FROM you, then you can be sure someone is paying FOR you.

You don’t think newspapers and TV stations hesitate before publishing anything their advertisers wouldn’t want people to hear!?

It depends on the firm.

Given that there is a term for avoiding this (Chinese Wall[1]), many companies go out of their way to make sure this doesn't occur.

[1] http://en.wikipedia.org/wiki/Chinese_wall#Journalism

It's funny. I don't see anything at all. And I have no adblocker plugins whatsoever; I hate adding more junk and extensions to my browser.

I use this: http://someonewhocares.org/hosts/

Quality of life significantly improved.

I'm amazed so many people and companies are focussed on trying to manage/limit people's exposure to tracking technologies. Everyone is looking at this problem backwards. I say this because the vast majority of these technologies are javascript based and simply read cookies and execute simple image requests to send information back to tracking servers. If someone was to invent a plugin that allowed these technologies to still function, but randomly scrambled the data being sent (along with sending extra dummy requests here and there), it would be over...

Tracking companies rely on clean data, they even report on exact numbers coming out of these systems, so instead of people trying to avoid being part of their clean data, it would be far more effective to make their data dirty so they can't trust it (or sell it).

I think Chrome will get much better cookie controls sometime in the future. They call it non-modal cookie prompt.

The German Chrome team mentioned this in a blog post a short while back. But unfortunately the announcement was very vague and doesn't have many details. The changes don't seem to have landed in the canary build yet. If I understand the blog post correctly they are in the middle of building the feature.

This is the (German) blog post I'm referring to. http://google-produkt-kompass.blogspot.com/2011/06/chrome-ma...

I don't think Google Translate can be of much help here, because even the German version is very vague about this feature. Also, the post is mainly about other things, they only mention the new cookie prompt in one sentence.

Did you see how prevalent the doubleclick (Google) cookies were in the demo? Google also is refusing to implement Do-Not-Track, unlike all other major browsers. My faith in them improving in this particular area is weak.

I just want to point out that as we further diminish returns on advertising most internet business models die. The people who click on ads are subsidizing most of the internet for the rest of us. It's easier for me to pay with alleged personal information than with money.

There are a few things I don't understand. It seems that a lot of websites are tracking behavior at toolness.org. Why? Is it reversed, i.e., the add-on from toolness.org is tracking these websites, or do these sites have sort of counter-measures to see when people use privacy tools? Can they actually read in information from non-https sites? Also, twitter seems to be tracking behavior on a number of sites. Is it because of those small twitter widgets everyone uses on these sites, or is twitter actually trying to collect data on what I like to browse?

It doesn't properly understand national domains; bbc.co.uk, for example, is shown only as co.uk.

Lovely idea though, but I imagine the author is himself collecting the stats on my browser testing habits :)

Your data isn't being sent out of your browser. The source code is here:


As with all Firefox addons, you can right-click + save-as the xpi file, run "unzip addon-name.xpi" and look at the source.

This co.uk issue was just fixed in github and a new version should be on its way.
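
The co.uk problem reported above is what a tool gets when it treats the last two labels of a hostname as the site. As an added illustration (not Collusion's code or its actual fix), this JavaScript compares that shortcut with a lookup against public-suffix rules; `SAMPLE_SUFFIXES` is a small constructed subset in Public Suffix List syntax, and both function names are hypothetical.

```javascript
// Constructed subset of rules in Public Suffix List syntax; a real tool
// would load the full list published at publicsuffix.org.
const SAMPLE_SUFFIXES = ["com", "org", "uk", "co.uk", "org.uk", "*.ck", "!www.ck"];

// Naive approach: keep the last two labels. This reproduces the behaviour
// described in the thread, where bbc.co.uk collapses to co.uk.
function naiveDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Suffix-aware approach: find the longest matching public suffix, then
// keep exactly one more label to the left of it.
function registrableDomain(host, rules = SAMPLE_SUFFIXES) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  const exact = new Set(rules.filter(r => !r.startsWith("*.") && !r.startsWith("!")));
  const wildcard = new Set(rules.filter(r => r.startsWith("*.")).map(r => r.slice(2)));
  const exception = new Set(rules.filter(r => r.startsWith("!")).map(r => r.slice(1)));

  let suffixLen = 1; // default rule "*": an unlisted TLD counts as a suffix
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    const parent = labels.slice(i + 1).join(".");
    const len = labels.length - i;
    if (exception.has(candidate)) {
      // Exception rules win: the suffix is the rule minus its leftmost label.
      suffixLen = len - 1;
      break;
    }
    if (exact.has(candidate) || wildcard.has(parent)) {
      suffixLen = Math.max(suffixLen, len);
    }
  }
  // A host that is itself a public suffix has no registrable domain.
  if (labels.length <= suffixLen) return null;
  return labels.slice(-(suffixLen + 1)).join(".");
}

// Constructed hostnames showing where the two approaches disagree.
for (const h of ["news.bbc.co.uk", "ad.doubleclick.net", "co.uk", "www.ck"]) {
  console.log(h, "naive:", naiveDomain(h), "suffix-aware:", registrableDomain(h));
}
```

Grouping by the naive result would merge every .co.uk site into a single node of the tracker graph, which is why the suffix rules matter for a tool like this.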

Why doesn't the browser keep cookies organized by the website in the address bar? That way a cookie from a doubleclick resource received while browsing cnn.com is kept separate from a doubleclick cookie received while browsing imdb.com.

I guess I can answer my own question by saying it doesn't matter. If browsers did this, websites would be written so that an ad provider's resources are loaded with a querystring that identifies the user. So much for not being aggressively tracked.
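
The storage scheme proposed in the comment above, modelled as an added example (a toy cookie jar, not browser code): cookies are keyed by the address-bar site plus the cookie's host, and the output shows which page visits a third party can tie to one identifier. The class, the function names and the id format are hypothetical; the hosts are the ones named in the comment.

```javascript
// Toy cookie jar. With partitioned = false it behaves like a single shared
// jar; with partitioned = true each address-bar site gets its own jar.
class CookieJar {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.store = new Map();
    this.nextId = 1; // constructed id sequence standing in for a tracker's cookie value
  }

  // Storage key: the cookie's own host, optionally prefixed with the site
  // shown in the address bar.
  key(topLevelSite, cookieHost) {
    return this.partitioned ? `${topLevelSite}|${cookieHost}` : cookieHost;
  }

  // Simulates loading a resource from resourceHost while topLevelSite is in
  // the address bar. The server sets an id cookie if none was sent back.
  load(topLevelSite, resourceHost) {
    const k = this.key(topLevelSite, resourceHost);
    if (!this.store.has(k)) this.store.set(k, `id-${this.nextId++}`);
    return { page: topLevelSite, cookie: this.store.get(k) };
  }
}

// What the third party's server log can link together: pages grouped by
// the cookie value that accompanied each request.
function linkedProfiles(jar, visits, thirdParty) {
  const profiles = new Map();
  for (const site of visits) {
    const { page, cookie } = jar.load(site, thirdParty);
    if (!profiles.has(cookie)) profiles.set(cookie, []);
    profiles.get(cookie).push(page);
  }
  return [...profiles.values()];
}

const VISITS = ["cnn.com", "imdb.com", "cnn.com"]; // constructed browsing session

console.log("shared jar:     ", linkedProfiles(new CookieJar(false), VISITS, "doubleclick.net"));
console.log("partitioned jar:", linkedProfiles(new CookieJar(true), VISITS, "doubleclick.net"));
```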

RequestPolicy is a great addon for stopping this sort of tracking (amongst other things). Takes a little while to get it trained on the sites you visit most, but it's a lot safer to use the web with it than without.

It is what I use too.

It just blocks everything which comes from an external domain.

So in most cases it will also block malware, because malware authors seem to want to use a 2-stage system.

They let different hacked websites point to one where the malware will be downloaded from.

Cool, I meant to create something like this for years :-) Glad somebody finally did.
