Hacker News new | past | comments | ask | show | jobs | submit login
Firefox tracking protection decreases page load time by 44% (monica-at-mozilla.blogspot.com)
491 points by randomwalker on May 23, 2015 | hide | past | web | favorite | 288 comments

Man, ads are great. They allow content to be targeted towards people that could potentially not afford the content and towards people that might not necessarily use the product normally. The world is already significantly divided by wealth. Assuming someone poor even has access to a service like Google, imagine if it was behind a paywall. Could they afford it? If not imagine how much of a life advantage someone wealthier has over those would can not afford it. Your idealistic 'superior' ad free world is as alienating and as segregated as Silicon Valley is...

The whole point of ads is to convince people to buy things that they may otherwise not. That seems like the opposite of helping poor people. Also, if you are struggling financially, ad supported "content" is probably not a major concern in your life, and certainly not a solution to your problems.

> The whole point of ads is to convince people to buy things that they may otherwise not.

Is it? Or is it to make people aware of product existing? It's a subtle difference.

I don't own a TV anymore, but when I'm visiting relatives, I do watch it a bit on a rare occasion.

My first impression is that every show is hopelessly interspersed with frequent commercials. I don't understand why they put up with it. I am the master of my attention span, not the advertisers or the broadcaster. If I'm too frequently interrupted, I lose interest and find something else to do. Traditional TV has become a non-option to me, not the least because I don't want to arrange my life after the TV scheme.

My second impression is.. why the hell are they spamming me with their commercials? Yes, I DO know about the f* product, I already DO have a favorite brand, and a commercial is not going to make me switch.

But sometimes, extremely rarely, I do learn about a new product (through any kind of ad -- TV or web) that may interest me and then I look for more information or just buy it to test it if it's something cheap (like, e.g., a new coke edition).

I gave up on cable TV 8 years ago. Before that I would always mute commercials, I despise my attention being broken to sell me stuff I don't want. When we had company they would think it was odd at first but then realize how awesome it was to not have an announcer screaming about dirt, cars and fast-food. I have a serious problem now when going to someone's home and they don't mute commercials, but instead try to talk louder over them.

Side note, my wife lost 35 pounds after ditching cable. She noticed her cravings for fast-food and pizza subsided when she wasn't being bombarded with food adverts all day long. TV commercials are designed to tickle your insecurities and then sell you stuff to lessen those insecurities. That was how we were taught in advertising school. Being aware of the tricks still doesn't always work at lessening their impact.

Yea do you watch the show House of Cards? I find it to be very entertaining and I highly recommend it, however it's native ads fucking kill it for me sometimes. I kinda hate native ads with a passion lol... But they are proven to be highly effective. However they serve to harm the content and provide misinformation. grrrr

Poor people aren't robots. They can and do see adverts for things that they don't then buy.

Additionally ad targeting means they might see adverts for things they could afford and that's t be relevant to their life instead of things meant for rich westerners.

The whole mental confusion between advertising and privacy in the technical and media community is really irritating. What's the alternative to advertising? Direct payments. And how do you do those? Credit cards. And what do credit cards have on them? Your legal name and your physical address. And how do they work? You provide those details to the seller.

Good luck using Tor or even incognito mode on a an without adverts.

> Poor people aren't robots. They can and do see adverts for things that they don't then buy.

Ah, the grand delusion of advertisers put out again. Sure, people aren't robots, but if ads couldn't influence their behaviour no one would pay for them and there wouldn't be any.

It pretty amusing to see pro advertisement people argue that ads aren't predatory because they're not ACTUALLY effective you see..

That would truly be a foolish argument to make. However the argument I am making is, is ad supported content is one of the few monetary schemes which allows you to produce a product that allows for poorer people to part of the audience.

They are still paying for it with every product they buy because prices include the ad budgets. At best you could argue that poorer people are subsidized by richer people because they buy more and therefore pay for a larger share of the ad budget but ads certainly don't make stuff free for poorer people. Whether they would be better off with no advertising at all, i.e. if they still pay a larger share of the ad budgets than what the ad supported stuff they consume is worth, I can not tell.

Your argument supposes that you know the surplus earned by brands segmented by user wealth group (how much money users give to brands after using the service - how much they would without)

That's a strawman. (And wow, am I surprised to be able to say that to anyone on HN).

What's actually argued is advertisements aren't 100% effective, in that they can't force you to purchase a product as a mind-controller.

Ads let you know a product exists, may convince you that it's worthwhile or better than competitors, and offer reminders to keep the idea of the product on your mind. However, that's all the same things a carefully crafted in person sales-pitch could do, and sales pitches aren't mind-control even though they are far far more effective than any number of internet banner ads can be.

You're arguing with a straw man. I never said ads don't influence behaviour. Obviously they do. My point is they don't exert the kind of scary mind control power that some people like to pretend they do - adverts increase sales, but so does having a shop window with your goods on display, so does putting your products in specialised parts catalogues, whatever. There are lots of things you can do to increase sales and which can count as marketing of some kind.

My point is to claim poor people are exploited by advertising is nuts. It's the other way around. Advertising is why poor people can have exactly the same gmail account with all the same features as a rich guy can. Nuke advertising and you evict poor people into a ghetto web. These people at Mozilla don't seem to be thinking these things through at all and that's a problem ..... there was a time that I had a lot of technical respect for Mozilla and Firefox, but it seems every time I read about the projects these days they're doing something that I find to be kind of dumb.

Its definitely true ads are highly effective and one must admit highly effective on oneself as well. Look at Microsofts recent resurgence, their marketing budget has begun to rival that of Samsung and anecdotally I see their ads everywhere. However ads are not the end all. There are many deciding factors why someone buys a product outside of purely ads, but again ads are a very strong driving force. I don't think internet ads are nearly as effective at 'mind-influencing'(not being sarcastic) as the traditional mediums. I actually click on ads frequently on the web, because I see a product that might interest me. For example, I see an ad for Linode and it presents me a compelling price point so I go and investigate it. hmm I am not entirely sure what I set out to say in this response, but I don't think the point that ads are what keeps people poor is very accurate. I believe a lack of access to resources particularly relating to education and opportunity are what keep poor people poor.

In my world, Microsoft started to turn hate into, "I will take a second look at what you are offering--maybe--if I'm in a good mood." Their advertising is still just noise, and a huge waste of money in my world.

I started to turn when they offerd some products for free.(I still don't use the products they offered, but it was a nice gesture.) The best Ad I heard was on here. A guy commented, 'I like my Surface. I use it to take notes in class.' I started to think about the possibilities this devise could offer over Apple's products.

I still have some healing to do though--I was in Costco today and looked at a Surface, but just pushed one key and walked away. Do a few more acts of kindness Microsoft, and get that Surface price as low as possible; I will seriously think about giving you money again or at least push a few more keys. I don't think I will ever pay for your OS though--just on principle. As to ads, I think Microsoft is wasting money. Manufacture good hardware, and keep giving away software--people will notice.

You have barely used their hardware, but you believe it to be good hardware. Seems like effective ads to me. Have you actually used the device? Its kb is terrible and its touchpad is a joke. MS natives ads have dominated news feeds for the last few months. A/ws these points are meaningless. Just observing trends.

MS paid amd gave a ton of Surfaces to the NFL to use on TV... They were used as iPad stands for the first week , until MS clarified the contract requirements.

"If I were starting life over again, I am inclined to think that I would go into the advertising business in preference to almost any other. The general raising of standards of modern civilization among all groups of people during the past half-century would have been impossible without that spreading of the knowledge of higher standards by means of advertising."

- Franklin D. Roosevelt

That was a time before modern communications technology made it very easy for knowledge of higher standards to spread naturally, and a time of much less dangerous advertising. Advertisers today literally use brain scanners to design adverts that manipulate people most effectively. See: https://en.wikipedia.org/wiki/Neuromarketing And advertisers have the ability to test and refine their ads far beyond what advertisers of Roosevelt's time could do, using tracking that would be considered stalker behaviour if an individual did it. If advertising reverted to 1930s level there'd be much less need to defend yourself from it.

"By the way, if anyone here is in marketing or advertising...kill yourself. Thank you. Just planting seeds, planting seeds is all I'm doing. No joke here, really. Seriously, kill yourself, you have no rationalisation for what you do, you are Satan's little helpers. Kill yourself, kill yourself, kill yourself now. Now, back to the show. Seriously, I know the marketing people: 'There's gonna be a joke comin' up.' There's no fuckin' joke. Suck a tail pipe, hang yourself...borrow a pistol from an NRA buddy, do something...rid the world of your evil fuckin' presence."

- Bill Hicks

You know people once thought tobacco was good for their health too.

I don't know if this quote is true but advertising in Roosevelt's times was really different. It was not a creepy tracking business tracking everything you do and traditional advertising was much less present everywhere back then.

Yes, the purpose of ads is to convince people to buy things that they otherwise may not. But shouldnt that be a positive thing, more often than not? Traditional reasoning would suggest that someone buys something because it improves their lives, so selling it to them is a positive act.

I had a startup that made PowerPoint collaboration software, and we advertised on Google for terms like "work on presentation at the same time" and "PowerPoint collaboration." We got almost all of our users from Google, and most of these users were thrilled to find our software which they wouldn't have been able to find without targeted ads.

Of course ideally, the country would provide some form of no questions ask aid. But I live in the US and its a very 'touchy' subject. So I must always seek a solution that embraces corporatocracy, believe me I am very much for tax supported wealth redistribution. It has been shown to be highly successful, but its basically a sin in my country.

A/ws even people struggling financially like to relax and enjoy 'content', should this just be a privilege of the wealthy? Without ads it seems like it would be even more so. As for being a solution to their problems, its not ads, but the type of services ads can support. Using a Search Engine as an example again, they are a way to educate and empower oneself. I used a search engine to teach myself programming and I now am a developer. While of course most poor people could never dream of doing such a thing, for numerous reasons. Making content only accessable behind a pay wall acts to strength someone's,without means, ability to compete in the modern world.

I agree, advertising is very important for the web. I think adblock is a step too far. If companies cannot generate revenue through advertising then they will need to start charging for their products which would be a negative for most people.

I would like to see Mozilla take the lead on bad advertising. Ads which cripple browser performance and page load speeds. These ads would then be automatically blocked by the browser. It would be similar to when apple decided to disallow flash on ios.

Just as apple encouraged a move away from flash, this would encourage content providers and advertising companies to create lighter, less intrusive ads.

Basically it would look at blocking ads which are known to track, ads which take a long time to serve, ads which prevent the page from loading till the page loaded (this might be difficult) and full ad overlays (again, could be difficult to identify)

"Advertising has us chasing cars and clothes, working jobs we hate so we can buy shit we don't need." -Tyler Durden

Or, as I drummed into my kids heads, "If they have to advertise it, it is almost certainly not good for you."

Why not? The world is not wholly evil. I know plenty of ads which accurately demonstrate what is good about a product. It seems like you should teach them, "Learn to think for yourself, even if someone says something or believes in something it is not inherently true." But that is a scary thing to teach a child, as an effective teaching of such would invariably lead to them thinking differently than you.

Oh, we certainly tried to teach our kids to think for themselves, too. I believe we were moderately successful. They frequently disagree with me on a whole range of stuff, and nobody finds it scary or threatening.

Nevertheless, I do not believe that any good whatsoever comes from advertising. It is all, without exception, an attempt to propagandize. If nothing else, the underlying agenda is, "Consume, comsume, consume! You don't live up to <impossible image>. You're inadequate and hopeless until you buy <stuff>." Not a healthy message.

Ah quote from a movie made by privileged ppl for angsty privileged ppl to think they are smarter than the other ppl in their society. A guaranteed formula for success. :) A word of advice quotes without arguments do not truly mean anything, particularly quotes from box office successes. Watch out I might start quoting Rihanna or Eminem at you! ;D

However addressing the quote directly. If Tyler Durden truly had that simplistic of a view of modern human life, than he sadly lacked any empathy for his modern man. As the character in the film suffered from some form of Bi Polarism that would make sense. Dealing with his ego over shadowed his ability for him to comprehend others. Didn't really like the film tbh.

You didn't address the quote directly. You launch an ad hominem attack at the film creators (privileged ppl), the film viewers (angsty privileged ppl), and finally you criticize the Tyler Durden character. Your post is completely devoid of substantive criticism. Does advertising not have us chasing cars and clothes? Does it not influence us to buy things we previously didn't know existed? You won't say.

If there are specific words or phrases in the quote you disagree with, point them out. If you have compelling, relevant quotes from Rihanna or Eminem, feel free to share them and add to the discussion.

To address the quote directly, I don't see how advertising has us working jobs we hate (unless you work for an ad agency and don't enjoy it).

Who pays for the content? Noone, ads make it free!

Who pays for the ads? Companies.

Who pays the companies? The customers.

When I check out at the grocery store, I pay for all the ads of the store, the suppliers, the factories and all the tools and services they use.

If I could deduct all these fees for all my purchases, I would gladly distribute that money directly among content providers of my choice. It would likely be shocking to learn how many google searches that would pay for.

The point is the ads provide "liquidity". By viewing the ads on their site, you're doing basically exactly what you said except you don't need to subscribe to 40+ different sites.

I get really frustrated by paywall sites, even those I have subscriptions to (journals) when I need to enter my credentials. People complain ads are disruptive while looking for information, I find the process of logging in or not being able to access something I want because I need to get a subscription a lot more disruptive.

Also - a side effect of paying for every site you go to is selectivity. You'll end up locking yourself into a bubble. I'd only be willing to pay for more conservative news sources since that's the majority of what I read/enjoy. It's healthy for me to get alternative perspectives from sources like The Guardian or I'll never challenge my own opinions.

  tracking != advertising

advertising hosted on the same domain as the website might not track you beyond the domain itself. But since most websites share common ad networks those ad networks can effectively track you while showing their ads.

How would they do that without the ability to use the same cookie? The only way I can think of is to track you by ip address.

Well, for one, they could fingerprint your browser: https://panopticlick.eff.org/

Is that really done to any real extent? The majority of users will have a standard configuration anyway.

Yes and no. In my tests with live traffic (fingerprint,ip) tuple was as good as standard tracking cookie. Sometimes even better because I could match "incognito" modes as well. This was however only for desktop browsers. Mobile has much higher conformity and yielded mostly false positives.

YMMV of course but for my purposes it was not worth it.

I imagine ipv6 would drastically reduce the chance of false positives for collisions.

Yes and No. The client could hop over a bunch of ip6-addresses, since there would be an abundance of them.

Used to work in paywalls (think New Yorker), we used both Supercookies and Fingerprinting.

Most good paywalls that support metering will now use some kind of fingerprinting at a minimum.

Follow the link if you haven't already. You'd be surprised how unique the "standard configuration" is. For example, my desktop PC with a fresh install of Firefox is unique among the data that site has collected.

by IP address may be good enough per session and each session could be tied to per more persistent IDs in cooperation with the sites embedding the ads, e.g. via the javascript loading some parts of the ads. So even if you block cookies to the ad network's domain they could still store cookies on any site that embeds their JS directly.

Clearly, but the Blog post is also about ads.

They demand attention I don't want to give. They track my browsing and take information about me without my consent. They try to run code on my computer without even asking permission.

No thankyou.

They obtained your permission to run code when you directed your web browser to load the page.

Of course they didn't. I requested a document from them, they obligingly sent it. It's entirely up to me how (or even if) I render I it.

And they lost my permission when I blocked the ad URL.

How much would a Google search cost me if it wasn't ad supported?

If google started taking money for searching they would quickly be marginalized.

How exactly? I thought we are assuming that advertising would become worthless if everyone was blocking the ads...

Yea but the question is impossible to answer. Google would have had to balance many differ factors, both of which would have changed as they grew larger.

Consider alternatives such as DDG or YaCy and their cost structures.

The alternative need not replicate all of Google's infrastructure.

Ads allow for a form of market segmentation that no one has been able to do so far. Offering a free version with ads and a premium version without ads is just about as far as we have gone so far.

A working advertisement market doesn't require to have advertisements forced onto everyone they can. People can opt-in by members ship cards, news letters, and subscriptions, which that mean people who receive it has a positive association rather than negative one. At that point an ad blocker do not serve any purpose, as users would turn them off.

You're trying too hard.

Before Google the Internet was more useful. Smaller and more content focused. I'd gladly go back to hotbot or whatever to get away from Google and their ilk.

A combination of disconnect, Adblock pro, and self destructing cookies gets me there.

"Before Google the Internet was more useful" Wow, could not disagree more. It's order of magnitudes easier for me to find a good answer for virtually any question. Not to mention how much better gmail is than mail clients of old. Or google maps, my lord how it has simplified my life.

Google isn't solely responsible for this, but them and other ad-financed companies played a crucial part in building the web as we know it to day. And for me, and everyone I've ever met, the web is a lot more useful today than 15 year ago.

"It's order of magnitudes easier for me to find a good answer for virtually any question"

And as a result your ability to retain the knowledge fades. You outsource your memory and ability to think at your own peril, my friend.

I'm not sure how you can have this opinion unless you've only ever used google search as a basic calculator or spell-checker.

I don't find Google results to be noticeably different from other search engines. For many types of questions wolframalpha is a much better option.

The way I see it, the Internet has had three major business models:

1. Academia. Money is obtained from teaching and grants, which requires researchers, which requires publications, which can be made on the Internet.

2. Ads. Content and services attract users, ad networks pay for pixel space / clicks / views.

3. Payments. Users pay for content and services directly. They are otherwise in the deep web.

There are combinations (such as Premium, which is a mix of Ads and Payments), and marginal other models (such as donations, which are typically for free content and (yet rarer) services).

Considering I am running a successful donation-supported service, I can tell you it does not pay the bills. It merely sustains itself. Projects such as app.net show that even payment-based projects can be challenging.

I remember very well the Internet before Google. It was a cesspool of junk, with banner ads being very common. You must have been living in a different world back then.

I am trying to hard?

What, no one has ever criticized you for overblown rhetoric?

I feel like I present a pretty sound argument. This is done via rhetoric of course, but what isn't. In what way is it overblown? I am not taking it to an extreme, I am actually pointing out the extreme the blog poster has taken.

"To enable Tracking Protection in Firefox 35 and later, visit about:config and set privacy.trackingprotection.enabled to true"

Edits -

This quote from the article is interesting, especially considering Google the worlds biggest advertising industry company also has a browser.

"That Firefox is first and foremost a user-agent, not an industry-agent"

Way to butcher the quote. In full it has nearly the opposite meaning and it's far more intriguing -

  I believe that Mozilla can make progress in privacy, 
  but leadership needs to recognize that current advertising
  practices that enable "free" content are in direct conflict 
  with security, privacy, stability, and performance concerns 
  -- and that Firefox is first and foremost a user-agent, not 
  an industry-agent.

I don't see how that's opposite

The author's point is threefold:

1) Firefox should be software that serves its computer user's interests.

2) The Mozilla corporation is pressured (to whatever degree) to turn Firefox into software that serves the entertainment and advertising and surveillance industry's interests.

3) Sometimes Mozilla bends to industry interests rather than user interests. This is a bad thing.

When you excerpted that quote, you changed the author's statement into:

"Firefox serves the interests of computer users, rather than industry titans."

Understand? :)

#2 comes from your own mind or other sources (DRM standards), not from the quoted material.

#2 comes directly from the quoted material:

"[Mozilla's] leadership needs to recognize that current advertising practices that enable "free" content are in direct conflict with security, privacy, stability, and performance concerns..."

Not to be crass, but read between the lines. All statements have context. That one sits in the context of a world where browser makers have spent many years removing infoleaks from their browsers, much to the chagrin of advertisers and surveillers.

Conflict arises because content isn't truly free. Someone pays of their free time or gets paid to produce by advertising or subscribers. Tools that deliver the content while bypassing payment will drive payment elsewhere or erode the incentive to produce.

The thing I don't understand: why not just make the "Do Not Track" switch set this, as well as sending the eponymous header? The user has stated an intent to not be tracked... so help them accomplish that!

(In the same sense, I'm surprised that "incognito browsing" windows don't implicitly download a Tor "component" and route through it, the same way DRMed <video> elements implicitly download the Adobe DRM component.)

The GNU IceCat web browser (derivative of Firefox) does that with Tor.

There are many caveats* to consider when routing through Tor. It would be a bad idea to just silently do so when the user engages private mode. Incorporating Tor as a 'super-private' mode or whatever would be great, but it should be possible to use normal private mode without it.

*In particular the information that you share with the exit node. Especially if you're not aware you're using Tor, it would be easy to share identifiable information.

I think it may still be in development so they haven't added a preference to the about:preferences dialog yet.

Seems like a nice feature. I just enabled it and there's some overlap with ublock origin.

That is, when I load some pages with tracking protection and ublock, the number of requests blocked by ublock is smaller (but still far from 0).

After looking at Firefox log, it doesn't seem this feature blocks anything that was not blocked by ublock. But this might be wrong, I only tested a few sites, and I have no idea about the internals of these tools.

More knowledgeable info would be appreciated.

Yep, people looked and it's using filter lists, just less of them.

It's interesting to think of this as a nuclear option for Firefox. The only incentive they have not to turn it on immediately is that it could poison relationships with site owners such that they stop testing their sites on Firefox or outright block Firefox users, but if Firefox market share ever diminished to the point where site owners were already neglecting Firefox then I see no reason why Mozilla wouldn't damn the torpedoes, start aping Chrome's UA, and turn this on by default. It would be a compelling value proposition at the expense of a lot of mysteriously broken sites (though I wonder how many of those sites would be just as broken for Chrome users running AdBlock). It's also literally the only feature that Chrome can never, ever, ever, ever gain, due to obliterating Google's revenue model (which, actually, makes it intriguing to entertain the notion of Microsoft and Apple following suit for precisely this reason).

Mozilla could also implement shims, to make sites continue to work. So if a site breaks because it makes a call to a tracking library but that's now throwing an error, just provide that same tracking library's functions, but obviously they won't do anything.

This would at least fix sites that aren't going out of their way to break things.

While the shim idea is interesting, I suspect we could get a lot of privacy and working websites by hard-caching anything that even remotely looks like jquery and all the other well-known js libraries. (and do the same thing for fonts).

It's trivial to implement - just ship a list of hashes for every published js library on all the popular CDNs (+ anywhere else that comes to midn), and if a HTTP request returns a file that matches one of those hashes, put that URL on a hard cache list. (it would be worht experimenting if wildcarding all query strings is feasible)

The only UI change needed would be a menu option to flush the cache for any files associated with current page, so the user can simply reload any website that hasn't figured out how to version their js files.

This method wouldn't fix everything, of course, but it would cover a lot. Additionally, it's easy to use, no copyright is violated (the user still downloads any cached file at least once - firefox would only ship hashes). and it would be trivial to extend in the future.

Wouldn't lying be a better option to protect from finger printing ? Like: "what font's do you have" and just return a generic list ?

There isn't much to fingerprint when you cache a font or javascript library approximately forever. Of course it is a huge data leak to ever let the remote server enumerate fonts, but my ideas is attempting to accommodate the idea that interesting fonts can be used, while the only extra network traffic should be the font down load on first request.

I acknowledge that it isn't perfect. Someone who is really determined could (and will) send HTML with unique URLs for every javasscript/css/whatever, effectively making a cache useless. That takes proactive effort on their part, though, and in the meantime there is a lot of low-hanging-fruit.

For example, currently Google can track those of use that ban google-analytics at the router when we load any non-Google page that requests jquery fron Google's CDN. Limiting that to "about one" load to fill the cache would be easy and help in the short term..

That's a cat-and-mouse game, and the Firefox release cycle is bound to be much slower than any website interested in tracking users. The owners of the site can tweak the JS slightly, the FF devs have to get notified that the website stop working, go back to see what changed, and stage the necessary changes for the next update. And then wait for users to update, of course.

It's very impractical.

It's not an arms race for the sites that aren't purposefully breaking. Shims would fix accidental breakage, and reduce "mysteriously broken" sites. Intentional breakage, at least in my limited experience, is accompanied by some warning text about adblockers.

I also wonder how ad providers with a greater scope than just advertisements would react to this. For instance, take Facebook—their ecosystem encompasses ads, social features, and login/identity management at this point. If we get into an arms race at some point, I could see this getting ugly if these other features become collateral.

The idea of the "new" Microsoft standing by user rights and privacy is interesting...

They would gain a lot with such a move, but I still doubt they'd do that, because I think they still believe they can become big players at the advertising industry.

For those wondering what Firefox tracking protection is - https://support.mozilla.org/en-US/kb/tracking-protection-fir...

From my, very quick, tests it appears to work quite well as a poor man's adblocker as well. Nice!

Just last week I opted in to Firefox's multiprocess branch, and one of my biggest complaints is that this breaks pretty much every extension. I eagerly welcome this if it can replace Ghostery.

Out of curiosity, which extensions are broken for you?

I've been running multiprocess Firefox as well, and every extension that I use regularly still works. The only exception was Vimperator, so I had to write my own extension to give Vim keybindings[0], since none of the others support e10s.

I'm curious which extensions have given you trouble, since Ghostery, NoScript, and uBlock all work for me (at least for the most part).

EDIT: I forgot that some extensions may need to be disabled/re-enabled the very first time after enabling e10s[1].

[0] https://github.com/ChimeraCoder/electrovim

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=947030

Ghostery's icon was still showing up in the UI, but the number always read 0 and it was clearly not blocking anything.

The other two that were broken were FindBar Tweak (highlights ctrl+f results in the scrollbar like Chrome) and TileTabs.

Everything's broken for me too, I didn't realize it was the multiprocess thing, but it makes sense. Everything from Lastpass to Vimperator to Ghostery is behaving erratically.

I guess that's why pages have just decided to take four times as long to load.

http://arewee10syet.com/ Ad blockers, password managers, and download helpers seem to be the most commonly broken.

ublock origin and umatrix work fine.

It seems that their protection is based on Disconnect. Does that mean I can get the same level of protection with this feature instead of using Disconnect?

Good question. And a corollary: is Disconnect redundant with this feature turned on?

> Advertising does not make content free. It merely externalizes the costs in a way that incentivizes malicious or incompetent players to build things like Superfish, infect 1 in 20 machines with ad injection malware, and create sites that require unsafe plugins and take twice as many resources to load, quite expensive in terms of bandwidth, power, and stability.

That's a good point. Reminds me of "coal energy is cheap"...except for the millions of people it's killing or the billions of dollars paid in healthcare costs. And that's without mentioning coal is usually heavily subsidized by taxpayer money.

In the same way advertising that's more and more focused on monitoring everything you do or say online (thanks to all the companies that don't want to enable end-to-end encryption in their IM's - Google, Microsoft, etc) is causing a lot of harm as well.

What harm is targeting causing?

Users constantly complain that ads are not relevant, so it's either/or...

Objective harm, I don't know of any. But there's a long list of people out there with a relation of everything I brought on the last few years... Still, they mean me no harm... today... and the data is useless for attacking me... today.

Anyway, now I can think about some harm. Since they got their data, ads have become less relevant (yes, those people are extremely incompetent). But that isn't much of a trouble.

Social networks like Facebook keep far more information than any ad network. Most networks usually purge data beyond 30-60 days because it is no longer relevant for targeting. And Facebook doesn't have to scrape any info since people supply it willing.

My point: Privacy issues are somewhat pointed at the wrong institutions who really aren't a threat.

Having something worse around does not make ad networks better.

Yes, Facebook is a bigger problem. State level universal surveillance is even bigger. Fighting any one of the three is worthwhile.

I think you skipped the part that ad networks only keep about 30-60 days of data. Keeping things forever doesn't help when targeting ads to user intent, which changes pretty frequently. It's also anonymized and we don't have personal information like names or addresses. You're also discounting the value it brings to lots of consumers, marketers and website publishers alike to have relevant messages.

I really dont understand this argument of privacy as if everyone was living off the grid somewhere. What is the impetus here? And in context of web publishers, if you dont want ads then you'd have to pay for content directly, which is no more private and in fact reveals even more info.

The reason you use a credit card and not cash during real transactions is because you care more about value and convenience than privacy, so why are ads online such a target of all this?

Look, I'm one of those few people that likes ads. I get how ads subsidizes free things, but well, it doesn't really matter because I like good ads by themselves.

Yet, I block ads on most sites because I don't like being tracked. The argument is quite simple. I don't know you (ad network), and I don't want you to watch everything I do. I'm pretty sure you won't do anything bad with that data, but I don't like it anyway.

I'm quite ok with my bank knowing what I spend money on, because I do know them, I have a choice on what bank to use, and because the service they provide me does require that data. None of that is exactly true for ads.

wait, what? How does custom tailored ads based on your usage patterns harm you? there is an awful lot of adtech hate because its easy to see how poorly implemented adtech can hinder performance, but i dont see how it is malicious in nature.

The fact that an ad is custom tailored to you is concerning in and of itself...

but people whine when they see ads that are not to their interests either. there is no way to win.

There is: a browser switch/standard: "ask ad-providers to personalize ads" / "use generic ads". Getting anyone to honour that is going to be a big problem though. So we have to implement that on the client side, by privacy protecting measures. (Not sure how at the moment.)

There is also something that keeps being lost in this: identity and tracking are different things. Opt-out is a preference setting of an identity, and networks store this preference just like they store history and interests. By disabling 3rd party cookies and scripts, it disables the saving of any opt-out status as well, which btw, is actually mandated by certain laws and regulations so it's not all wild west here.

For anyone who wants an opt-out, here it is: http://www.youradchoices.com/

That's quite the false dichotomy you have set yourself up there, i bet it provides all the justification you need to track people without their knowledge or consent.

That's quite a big inference you made from just a few words. Where am I proposing tracking without knowledge or consent?

The dichotomy is either you have generalized ads or they're targeted closely to you. What is false about this?

no, your false dichotomy was "either we track people or they complain about irrelevant ads".

Note the juxtaposition of imagined agency on part of the user, they supposedly complain a lot about it and want it changed right? So the solution is tracking!

Also some vauge language burried 40 pages into a EULA isn't knowledge or consent.

You're attaching your opinions to something I never wrote. If you read my first comment and it's parent again, you'll see that the generalized vs targeted situation is exactly what I'm talking about and no more or less. There is no falsity there, you can have one or the other.

How this is actually implemented is not something I ever wrote about nor is HN really the place for it. There are some contextual based options other than tracking user behaviors but at the end of the day, yes tracking is how you get to the most targeted information. This is used in more than just ads by the way, everything from your search results to emails to music/video services to any other place you get recommendations is personalized to you. And the vast majority of the population has time and again shown they have more interest in the end result of better content for them than the collection of anonymized information.

Do you have a better solution? How would you provide targeted ads that match people's interests and intent without any tracking? And please don't say you just don't want ads or that sites should just figure out a different way to get paid. This is a serious question because it's not like the industry has just been sitting around wondering, so if you have a better idea it would be helpful and there are lots of companies willing to hear it.

Last thing re: EULA. I'm sorry but I have to disagree. Legal agreements do not become void because you signed a big contract and then claim it's too long or you didn't actually read it. And yes, signatures are not required for agreement and acceptance to be binding. These documents do not exist for convenience and the long length with all the complex edge case wording is precisely because standard language is so often contested by anyone who suddenly feels like they no longer want it to apply.

advertise me computer shit cuz I'm on HN. don't store all my data and track me and store it in insecure databases which you handover to despots.

Ad networks only store about 30-60 days of data. Beyond that it's not relevant and sometimes cookies have already been lost so it wont match up anyway. Either way, you're just a randomized ID number with some interest categories attached.

If you're worried about your entire history being used, I'd point to social networks like Facebook/Twitter/Google that have far more info, including personal details, and keep it permanently. If you are worried about privacy, read the ToS of those services very careful and either opt-out or delete your information because that's a whole different level to what most ad networks have.

As a user of NoScript + Firefox and as a developer of a browser with an express goal of "privacy by default"[1], I am thrilled to see this getting more attention. The more people use privacy features, the more will website developers ensure that their products degrade gracefully when, for example, third-party scripts are disabled. Which will enable even more users to migrate towards a "privacy by default" configuration. And hopefully, this will be a positive feedback cycle.

1: https://gngr.info/doc/introduction.html

I use ublock with firefox. I worry the opposite will happen:

When a website doesn't work, you can look at the specific blocked domains and types of content and selectively unblock for the current domain, or you can be lazy and just turn off ublock for the current domain.

I worry that if tracking/ad blockers become very popular, then websites that don't work will be rewarded with all the tracking/ad blocking being turned off by most people.

I used to just use flashblock for click-to-play. I like the simplicity of that - it attacks the biggest problem in a totally generic way, and if the main content is flash, you can almost always just click on it.

for powerusers µMatrix may be a better choice than µBlock, it allows you to selectively allow/disallow specific content types from 3rd party domains.

E.g. this thread's article requests a lot more than what it needs to be readable:


A better option, and easier for users, would be for them to subscribe to a privacy setting upstream which configures popular sites for them. This would have to be non-canonical, such that popular upstream options that get influenced by advertisers can fall out of favor.

I would love for Mozilla to find other means of funding online content besides advertising. In either case I'd love to see them take a hard stance on privacy and against tracking.

They should block trackers that have no effect on website features and restrict and monitor the ones that do effect features.

...and this is another reason Mozilla needs to have their own search engine. They could have much greater influence on these this things if they had the ability to punish bad behaving websites.

Do you think Mozilla has the resources to compete in that space, regarding Google's dominance?

It seems that even Bing is unable to gain meaningful market share.

No. (At least not the way Google and Bing do it.) But they don't have the resources to compete with them in operating systems either and yet they are still trying because they see it as integral to their strategy to strengthen the Web.

There is already a privacy respecting search engine, DuckDuckGo

What does that have to do with my post? (Other than the phrase "search engine")

Unless, DuckDuckGo plans on punishing websites that heavily use tracking cookies and/or they're a nonprofit that aims to advance the web they aren't actually relevant to what I was saying.

I believe ams6110 meant that there is no need for Mozilla to build their own search engine from the ground up when they could simply partner with DuckDuckGo.

What is this "content" you speak of, that must be funded through advertising? I checked the internet, and have been able to find very little worthwhile ad-supported content.

You must be very selective. I'm curious how you'd feel if it turned out most of Ycombinator's successful ventures depended upon advertising; thereby supporting this very site and community.

DropBox? AirBnB?

What content do you consume that isn't funded through advertising? Unless you don't read any blogs, news websites, use any free services etc.

Apple is supposedly getting into the search engine business. It'd be great if they and Mozilla got together, both companies believe in user privacy and could complement each other in getting things down

IMO DuckDuckGo is the obvious choice of who to partner with. DDG already focuses on privacy as a defining feature, its why I use then as my primary search engine.

Seems like a win win for both Mozilla and DDG.

Mozilla needs the money, DDG doesn't have it

Rev share on searches that come through Firefox?

I think they already do. I know they rev share with distros that ship it as the default search engine in their browser packages.

Unfortunately they lack a lot of the features that make Google useful.

Like limiting by when the page appeared.

Almost nobody uses those features, useful though they may be.

Do you know that for sure?

It seems like an essential feature to use for software developers, since you can sidestep irrelevant posts.

I use that feature almost every day.

Apple believes in user privacy.

Your naïveté is touching.

Well, Apple makes most money with hardware. Unlike Google who makes most money with ads. So at least in theory Apple can more easily invest in privacy.

EDIT: Check their last quarter's results, Apple makes only 6% of their revenue with online services: https://www.apple.com/pr/pdf/q1fy15datasum.pdf

There was a reddit post where OP works for a third party company that Apple send Siri voice to. People complained that users didn't read the EULA or whatever. Anyway OP said it was very specific too and crazy. So it doesn't sound like Apple being the champion of privacy.

This is the thread: http://www.reddit.com/r/technology/comments/2wzmmr/everythin...

Apple is using third parties to help make Siri better not to make money.

And let's be clear we don't know the contract between Apple and these companies. Given Apple's track record it should have numerous privacy conditions.

>Given Apple's track record

Well Apple collaborate with the NSA, so that immediately disqualifies them from giving the slightest shit about privacy.

The government sets the rules, companies just play the game. Changing the laws an tax rules are the most direct way to influence the behaviour of businesses.

What's the alternative for any company? Leaving the US?

Challenge the law, like Microsoft does.

I think they actually get most of their revenue from the App store and iTunes--and in neither of those cases is privacy good for business.

> Huberty said that Apple's online services are underappreciated by investors because they accounted for less than 6 percent of the company's revenue over the last 12 months.


Revenue is a useless metric when comparing across markets. Hardware and software are different. What are the profit margins?

Ah, interesting.

Instead of condescension, please provide some sources and state your beliefs in a productive way.

I think that was more or less the point of the GP minus the condescension bit. Making unqualified statements about what you believe about a large corporation is roughly on par with contesting that particular belief.

Then again Apple has a track record and APIs to put forward. Just about every API in iOS puts privacy first. If you want e.g. location data, the API asks the user's permission -- including with Apple's own apps.

That's no different from every other major mobile platform. The other ones do one better and build their own apps entirely using the same APIs that third parties have access to, which is why Firefox exists on those other platforms.

iOS permissions give users far more control than Android. Internet Advertising now an unrvokable permission on android.

You must be confused. There is no "Internet Advertising" permission on any mobile platform.

How do I install any API from apple without providing Apple (and whoever else) with my credit card?

The OsX machine at my office is mystifying, am I supposed to provide my personal credit card to apple to get security updates? That is more secure and insures more of my privacy than not entering my credit card into a system I don't trust?

I view Apple as insulting my intelligence with promises of "convenience" that amount to being able to give them money on impulse.

"Create an iTunes Store, App Store, or iBooks Store account without a credit card or other payment method" https://support.apple.com/en-us/HT204034

Which leads to: https://support.apple.com/en-us/HT203905 " If you're using the iTunes Store or App Store for the first time If you're using the store for the first time with an existing Apple ID, you must provide a payment method. After you create the account, you can change your payment information to None."

I've always end up back in UX loops wanting my credit card since I seem to need a new version that is free but in the app store to get security updates..

Its a weird secret option, but here's how you do it (I used to work for them.)

Make an account - does not require payment option

Buy a FREE app in the store

None will be a payment option as one of the possible credit cards (as you dont have to pay for a free thing)

You don't need to use the App Store to get security updates.

They have been always been available for download from the Apple site:


Apple accounts are free. You can't use iTunes with a free account or get the premium developer offerings (i.e. iOS developer certs) but you don't need to pay to use the OS or get updates.

You seem to be under the impression that you can create one of those "free accounts" without apple tracking those activities. Privacy is not having anybody be able to log your activity, not "everybody but one company I like".

Apple's walled garden approach to everything makes apple one of the worst offenders with regards to not just privacy, but freedom as well.

That's a great area to discuss but not relevant to what we were talking about. The point I was referring to was the specific claim that you needed to give Apple a credit card to use OS X.

I'm not looking for free as in beer, I am looking to not share data that conveniently uniquely identifies the private me to random foreign 3rd parties like Apple just to do my job. Buying media via cash+reimburse or through company ordering is not my money and is often the solution for using commercial OSes with personal privacy outside my employer remaining similar to the unbanked. (But I can't tell if that is a waste of time with Apple, since I obviously need follow whatever procedures for security updates until the next purchasable media.)

From other comments, it sounds like I can dance around to make it possible on OsX, but every other OS (except ebooks?) that I have ever installed either makes opt out a transparent (though smaller button/font) process or has no registration process at all.

I don't like that the machine will be in a very small group of opt-out OsX systems compared to reasonable percentages of other Oses. By not sharing my personal details, I might be risking my coworkers having lower than normal privacy when using OsX machines.

And your condescension is irritating.

Apple seems pretty solid on the protection of users' privacy. Devices are encrypted by default, for example, and there are robust protections from rogue applications in place.

Is there are specific practice that Apple engage in that makes you think they are particularly reckless regarding users' privacy?

He's comparing Apple to Google. In that respect, Apple comes out looking pretty bad. Google's devices are also encrypted by default and have much more robust protections against rogue applications in place (both static and dynamic automated analysis of apps for malware, vs. just a human eyeballing it).

Android devices aren't encrypted by default, Google backtracked on that.


Google devices are, as I said. Mentioning that other Android devices aren't is like saying other Linux distros don't use RPM in response to a statement that Redhat does.

So are iOS devices that have a passcode and are running iOS 8, and with fingerprint scanning a lot more people have password locked devices. Good article on the subject is here:


New ones are, I think. The Nexus 6 is. Older devices don't necessarily get upgraded. It's a hardware/software issue, not a philosophical issue.

And yet, with all that wonderful "automated" malware checking Google is also now manually reviewing App.


How does the addition of manual checks against the distribution policies change the fact that Google's malware checking is better than Apple's?

I don't understand what makes you say that Google's malware checking system is superior to Apple's. Do you have a source for that? Do you have a source to the way Apple in general does their app vetting, or Google for that matter. At this point you are basically saying: "Google is better because I said so." Do you have evidence that Apple does NOT run an automated virus and malware scan, resource analysis, or any other automated malware detection on their apps before adding them to the queue to also be manually checked. Just because Apples does manual checking it does NOT mean that they completely forego automatic checking. Just like the fact that Google did automatic checking did not prevent them to also implement a manual checking system.

Nowadays both companies do a pretty good job vetting App submissions, though Apple also filters on quality (sometimes) where as Google does not, but that's within each companies respective philosophies, and can be considered a strength or a weakness, depending on your own philosophy.

Do you have evidence that Apple does? They have made no claims that they do, instead continuously pointing to human vetting as their filter on malware, which is laughable. We all know that unskilled contractors stepping through some policy checklist aren't a legitimate protection against malware, but it's enough to fool people like Gruber, many bloggers, and you 14 hours ago before I pointed out your mistake.

If the only thing Apple does is simply pay people to poke around the app on an iPhone for a few minutes, then by that assertion there should be a stunning amount of Malware on the AppStore. I mean, all you have to do is place a time delay code, or a server side activation procedure, and you would be able to bypass all manual checks. What on earth makes you think that Apple does NOT use malware scanning. I mean, it's easy to setup, easy to implement, and cheep. This is why Google went to manual scanning first, and only later on went to human and AI assisted checks, which are harder and more expensive to setup.

In any case, you made an assertion that Apple does NOT run automated scans, unlike Google. I asked for proof. Now you demand proof from me that they do. It doesn't work that way. You made an assertion first, you back it up.

My proof is in the result. AppStore has next to no malware on it. PlayStore (now) is also very clean and safe. Google achieved this through combination of automated and manual vetting. Apple is notoriously silent about their process, other than advertising their one USP, which is no longer unique, but given if we use logic, we must assume that both companies use similar tools to achieve similar results.

Your assertion that Apple is far less secure would suggest much more malware being live on the AppStore, and yet in my search on google I was only able to find a few older articles about researches being able to smuggle in custom written malicious code onto AppStore. Meanwhile, while searching for malware on iOS, google presented me this in a search result at some point:


That's just one example from 2015. I don't think it's fair to check back to 2014 and prior, as back than Google Play Store was basically Wiled Wiled West.

You've made so many mistakes of logic and fact, it's hard to figure out where I should begin. First, itself "wild" and not "wiled". Second, Apple doesn't allow "virus scanners," which is why you'll never hear companies like Sophos talking about malware on iOS -- they have nothing to gain. If you are in the right circles, you know there is plenty of malware on the App Store -- it's significantly easier to get it on the App Store than it is to get it on the Play Store. The main deterrent to malware on both platforms is the requirement that the app publisher have a credit card, which the stores both verify. If a publisher behaves badly, their identity is already known through their bank. Finally, you seem to be confusing manual scanning, static analysis, dynamic analysis, and human review to the point where it's hard to even figure out what you're claiming. Google implemented dynamic analysis long before 2014 (your "wiled west"), which Apple very clearly still hasn't done.

> First, itself "wild" and not "wiled".

Thank you for the correction, and I am guessing you mean "it is" rather than "itself" in the above correction of my spelling.

> Second, Apple doesn't allow "virus scanners," which is why you'll never hear companies like Sophos talking about malware on iOS -- they have nothing to gain.

1. Until recently Apple did allow virus scanners on iOS. However, those programs were largely useless for 2 reasons. First, because without a jailbreak you can not run unsigned code on iOS, unless you have found a jailbreak vulnerability that can be exploited directly on the device, but I haven't see those since iOS 3 or 4. Second, because iOS jails each app, so one app can not scan the file system or any of the other apps on the OS. Conversely, one app can not maliciously attack or install unsigned code on the OS without a jailbreak.

2. Sophos would have a lot to gain from exposing wide spread malware in the App Store. Such news would pressure Apple to reconsider their decision and allow virus scanners into the App Store, or at least clean up their act. One way or another, it would be a lot of GOOD pub for Sophos.

3. Given that there are many jailbroken iPhones, and that it's trivial to access app files on a jailbroken iPhone, it would be easy for Google to run their own Malware scanners on AppStore submissions. Considering that they would most certainly (according to you) find hundreds, if not hundreds of thousands, instances of Malware, it would be a wonderful PR story for Google, once and for all proving the undeniable superiority of the Android OS. And yet, I have yet to read that story. Forget Google, HTC, Sony, LG, and any number of other manufacturers would have direct pecuniary interest in discrediting Apple by proving to the world that the AppStore is teaming with Malware. I guess all of the above mentioned companies are operated by utter idiots, if we are to believe your assertions.

> If you are in the right circles, you know there is plenty of malware on the App Store -- it's significantly easier to get it on the App Store than it is to get it on the Play Store.

What are these "right circles?" Links, facts, anything to backup the above statement?

> The main deterrent to malware on both platforms is the requirement that the app publisher have a credit card, which the stores both verify.

Use a prepaid VISA card, put any name and address you like. Works like a charm, you can register an account like that on either store.

> Finally, you seem to be confusing manual scanning, static analysis, dynamic analysis, and human review to the point where it's hard to even figure out what you're claiming.

You are confusing the meaning of such terms as manual scanning, static analysis, dynamic analysis, and human review. There, we both made utterly unsubstantiated claims, now we are even!

> Google implemented dynamic analysis long before 2014 (your "wiled west"), which Apple very clearly still hasn't done.

1. Thank you yet again for pointing out the SAME typo in my previous post for the second time in your reply. To return the curtesy, I would also like to point out that "itself" and "it is" do not have the same meaning in the english language. I do understand that this page is frequented by many people from other countries, who may speak different languages. I, for instance, speak fluently 2 languages, in addition to English. So I do apologize ahead of time if you are indeed an ESL person, but to improve your knowledge of the English language I felt the need to point out your mistake yet again.

2. Could you please provide any proof what so ever to your claimed assertion that Apple does NOT conduct dynamic analysis.

3. Please refer to this article [0] which details utter inaptitude of PlayStore's dynamic analysis tools in 2014.

[0] http://www.syssec-project.eu/m/page-media/3/petsas_rage_%20a...

Well then be cynical, and let's say that Apple is greedy but believes user privacy is a selling point for its hardware products, just like its accessibility efforts. The result is the same. My iPhone randomises its MAC address when scanning for Wi-Fi, Apple's APIs to ask for user permissions are improving with every release, and iMessage is as secure as a closed-source IM platform can be.

I must have missed the HN discussion when Mozilla announced they plan to sell [ads based on] browsing history... I'm not sure how that fits in with putting privacy first.

It sounds like user info is the only things worth selling!

My understanding of how the ads work is that the browser downloads a list of ads tagged by category, and chooses one to display based on browsing history that never leaves your computer.

Huh? Mozilla has $307 million a year in revenu. Of that $300 million comes from Google in exchange for being the default search bar. So I'm not sure what you're talking about exactly.

Edit: ok, revenue is from Yahoo now. That doesn't make me any less confused as to what parent reply meant though.

That $300 million is coming from Yahoo now, actually.

Does it really take $300 million dollars per year to develop a browser? Ok, fine, a browser, an OS, and a programming language? I am more curious than anything, are there other things that Mozilla does that I am missing?

I've also struggled with understanding what Mozilla does with that much money. It's a staggering amount.

As for someone else's reply to you, same question. What in the world do they do with 1000 people?

And yet they can't develop something useful, like e.g. an improved alternative to Certificate Patrol? That way TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (first certificate in my browser) can't compromise my browsing in the USA. Fine to use them for someone browsing to a website in Elbonia, not so fine for anything that I would ever do.

Edit: just to be clear, Turktrust actually did abuse their privileged position, and Mozilla did get rid of them. But why were they there in the first place, and what about the 100 or 1000 other certificates that Firefox comes with?

They have over 1000 employees.

That deal is over. It's Yahoo! now.

This is no news to anybody that ever tried an ad blocker, a proxy/content filter or even a generic hosts file. The difference is very noticeable. In fact, it's the main reason I run such filters. The difference is not only in traffic saved/lower latency, but also much lower cpu usage.

However, this it would be a bit hypocritical for Mozilla (and probably the reason why the filter is off by default). Firefox is not much better than Chrome when it comes to phoning home and privacy invading features. Heck, on mobile it's even worse.

What about disabling by default "beacon.enabled" for a start? Contrarily to massive ad blocking, nobody would notice. Err, maybe these ad networks would? Oops.

At every new Firefox release I do a tour of new settings/flags and it's saddening how many times I have to switch something off.

Can you elaborate further on the various ways Firefox phones home? I'd like to take steps on my machine to disable if possible. Thanks.

I don’t have Firefox open now, but I remember there are three such options in Preferences > Advanced > the second tab from the left. I think two of them are checked by default – they involve sending anonymous usage information. You can uncheck the checkboxes to disable them.

On the second launch after a new install or new profile creation, Firefox shows a notification bar about these settings with a button to quickly change them. I don’t remember how long ago those settings were added, nor whether they showed the notification bar for those updates.

Google says that ad blockers make the websites slow, due to the way they interact with the DOM (and of course google doesn't provide more efficient APIs for ad blocking)

Been using Noscript in Firefox for years now.

Sometimes the number of domains that gets loaded in the background on certain sites is mind numbing.

Personally I use Ghostery on Chrome right now but with this development by Mozilla, I'm inclined to switch. Feels good to use a browser with no corporate interests, and a simple feature to stop abuse of cookies by ~70% is just crazy. Too crazy to not be a built-in browser feature. Maybe I'm disrupting how news sites intend to work, but they're disrupting how the web was intended to work.

Anyway, ... I got sidetracked. I meant to say that what's even "funnier" is that if I disable Ghostery for some domain temporarily, the number of trackers usually skyrocket even further, since now the scripts get to run more scripts.

Yes, it's insane and honestly out of control.

Yep, i have noticed those "matryoshka" scripts from time to time. Enabling one script domain in Noscript result in 2+ more waiting to be enabled after page reload.

And sometimes you have to dig 3+ layers into the nesting to get the site to function at all...

I find the second part of the post especially interesting. Money makes the world go round. Mozilla as we all isn't immnune to this. The problem however is the huge amount of control the handfull of big global players have gained and still gain. Small local businesses have no chance. Top pick at Google wins. Trend scouting and more importantly trend creation get's customers. Advertising works through our unconcious mind. We can't decide to ignore ads, they will influence us. Also, Mozilla will or if the deals are signed has already lost it's independence irreversibly.

See also this small thread about the new advertising through suggested tabs.


If you want to turn on (enable) tracking protection in FF, hit the following link https://support.mozilla.org/en-US/kb/tracking-protection-fir...

Or do this:

1. in the address bar type about:config, press return

2. search for privacy.trackingprotection.enabled

3. change the value to true

4. all done

Thanks, this works on Mobile Firefox versions also!

In a not too distant future there will be a Mozilla browser with servo and a no tracking option. I'll leave chrome after several years and never look back.

I'm surprised that Mozilla didn't enable this feature by default. They're either serious about differentiating themselves on the privacy front, or not. It's the every day users who need this protection, not the more advanced users who probably already use an adblock extension.

They're very cautiously dipping their toe in the water given the holy shitstorm that happened a couple years ago when they announced they were going to block third party cookies by default. I imagine that doing it this way means they can show metrics that blocking in this way doesn't meaningfully affect bottom lines.

Still makes me wonder why Safari can block third party cookies by default, while Mozilla can't.

Safari doesn't. They advertise that they do but the policy is riddled with heuristic exemptions added in as they tried to fix broken websites. This (IMO dishonest) behaviour is what led to the Murdoch-driven blowup about Google and ad tracking a few years ago - Google was using one of these workarounds when the user had opted in to ad tracking and it ended up disabling more of the safari cookie blocking logic than they expected. This undocumented behaviour then became Google's fault somehow, although really Safari was just not doing what it claimed it would do.

Two reasons.

1. Because they always have. The precedence was set a long time ago.

2. Because Apple doesn't give a fuck what other people think.

Can anyone explain exactly what Firefox Tracking Protection does & doesn't do? The label "tracking protection" makes me think it might block analytics tools and retargeting/remarketing cookies, but this blog post seems to suggest that it might block advertising altogether.

Yes, it does block advertisements.

They just have a blacklist of sites that they block, it's not much more sophisticated than that from what I read. All of the localstorage, cookies, and other tracking across domains goes away if you filter requests like that. I'm sure they are doing more things, but they have to make sure it doesn't break a large number of sites, and if a site is broken it seems like an "all or nothing" allow/deny system, which is not ideal.

I use uMatrix and it defaults to blocking all 3rd party scripts unless they're globally trusted or have been trusted in the past. This creates lots of problems for many websites. Most new websites I visit I have to enable some 3rd party scripts, refresh, make sure there are not any critical javascript errors in the console, then I can properly use the site. Normal users cannot be expected to do this, they must have it work the first time or they will freak out.

Weird. If browsers can detect these trackers, could an alternative be to just de-prioritize the trackers, so they load last and won't slow down page load time (since I assume they're invisible anyway?)

This should be doable for well-written trackers like Google Analytics that use script tags with the "async" attribute. In fact, those are probably already likely to load after the main content.

For ads or trackers that are embedded as img or iframe elements, I think this is also viable and could speed up page load time.

For ads or trackers that use inline scripts or non-"async" script tags to load content, the web browser has to block while loading/running the script, or risk breaking the page. Otherwise things like document.write() would have incorrect results when the script runs later.

So does this FF mode that blocks them entirely also risk breaking the pages?

Yes, it does, though for slightly different reasons. Mainly, it can break pages with first-party scripts that depend on blocked third-party scripts. I've encountered and reported a few of these while testing the feature.

I wonder how difficult it would be to duplicate the Google Analytics object with blank functions for just such scenarios.

Rather than "ga is undefined" the ga.whatever function would just return without sending any data.

Do any third-party script blocking systems do this?

But it seems likes the data set used was that of top 200 news sites. Its my experience that media sites have around 60% of the http requests made to third parties and hence the reduction you see in load time

It will be interesting to run the same analysis on bank websites which typically have the least amount of third party

Is this more or is it less effective than a large /etc/hosts blacklist? It doesn't seem to be doing anything special like the Privacy Badger. The only relevant sections in the paper I saw were

  We implement an API based on Google Safe Browsing, a 
  mechanism for efficient URL-based blocklist updates and 
  lookups [9]. We use a subset of approximately 1500 domains 
  from Disconnect’s privacy-oriented blocklist to identify 
  these unsafe origins [10]. We update the blocklist every 45 
  minutes to minimize the effects of incorrect blocklist 

  Another open challenge is applying Tracking Protection only 
  to third-party content. We can avoiding cross-site tracking 
  by blocking content from high-volume sites such as 
  facebook.com without breaking them when visited directly. 
  Heuristics such as the Public Suffix List4 can help better 
  determine the set of domains that are considered first-
Would it hurt to copy their blacklist into /etc/hosts? I'd rather do it on the OS-level so I can use any browser I want, anyways.

I "did the /etc/hosts" thing for a long time. But it seemed like some things hung and tool longer sometimes. Overall /etc/hosts was a big improvement. Where are the good lists and what is the current thing you map all the bad hosts to (is it localhost, or something else?)?

It hangs because it waits to time out. It will fail faster if you set the IP to something impossible instead of merely unavailable. works well for that purpose since it's invalid as a remote address

This will generate a /etc/hosts or /etc/dnsmasq.conf from the two common lists: https://github.com/jakeogh/dnsmasq-blacklist

How does this compare to something like Privacy Badger[1]? I haven't done any benchmarking, but if it causes similar slowdowns, it isn't bothersome and the benefits are definitely worth it.

[1] https://www.eff.org/privacybadger

I'd also like a comparison with ublock and/or ghostery. It appears that this becomes enabled after the blocking plugins.

ublock is more about ads, and this is tracking.

While they usually come hand in hand, Facebook ads (eg: while on facebook) don't add additional tracking.

I specifically emphasize on the home page of the project [1]:

"uBlock Origin (or uBlock₀) is not an ad blocker; it's a general-purpose blocker."

It will report everything to the user -- including behind-the-scene network requests [2].


[1] https://github.com/gorhill/uBlock#philosophy

[2] https://github.com/gorhill/uBlock/wiki/Behind-the-scene-netw...

So this firefox feature is just a subset of what ublock does?

BTW, thanks for ublock.

If I remember correctly from the presentation (I was at W2SP where the associated talk was given) there were unspecified performance benefits over having this outsourced to the plugin architecture. I can't download the paper right now for some reason, but I'm sure it's detailed in there.

uBlock in 'Advanced User' mode[0] allows for significant, granular script and iframe blocking. 3rd-party default-deny mode, even in the absence of the EasyPrivacy list will give you a significant amount of control over external entities that are frequently used to track users across the web. It's also somewhat more intelligible than NoScript.

I would argue that with Dynamic filtering (enabled for advanced users) the goal of uBlock is not limited to ads, but to any undesired content on the internet. I guess you could say the same about Adblock, though, so I guess YMMV.

[0] https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-qu...

Depends on the list installed, If you have Easyprivacy installed then you're covering both sides.

So perhaps it's more like ghostery than an adblocker.

Ghostery does not report everything, only what is part of its internal database. uBlock does report everything -- and users can act on that information.

I tried Privacybadger for about 5 minutes: it was awful (significantly worse than ABP), - it's shameful that the EFF wasted donation money to finance a crap project like that, rather than support e.g. https://github.com/gorhill

Then you didn't read how PrivacyBadger works. PrivacyBadger is awesome. It doesn't work with fixed blocklists but with heuristics, and detects if you get tracked through different sites, subsequentially blocking this. It obviously doesn't work if you just visit one or a few sites with different trackers in 5 minutes.

https://www.eff.org/privacybadger#faq-How-does-Privacy-Badge...? Thanks for this EFF.

No, I only got to this part: Privacy Badger was born out of our desire to be able to recommend a single extension that would automatically analyze and block any tracker or ad that violated the principle of user consent; which could function well without any settings, knowledge or configuration by the user

And the part where I couldn't manually manipulate what was being blocked. Since apparently multiple pop-up adds on-click were not violating the user principle of consent...

You can measure the page load times on this webapp http://ba.net/util/ping/any1.html

Firefox: my new favorite browser.

I'm running noscript, ghostery, addblock, and a few others.

pages might load faster, but not every page loads. Ironically, the linked article is one of them.


> Advertising literally does make content "free", as in, you do not have to pay for it.

Advertising only makes content free monetarily; there's no money exchanged with the viewer. It instead costs you time, attention, memory. And sanity.

> $1000 per year seems like a reasonable charge for being able to search the web with the power of Google's search.

This shows the power of advertising in abusing our brain's ability to put realistic costs on our time and attention. Google has $50 billion in revenue minus profit, and there's a billion people in just the US and Europe, so more like $50 per year for everything Google does, not just search. If you are only using search and not Android or gmail or youtube or docs the cost would be far less.

Advertising is so insidious because its entire purpose is to prey on our foibles and weaknesses, and convincing us that our time is worth less... and that cigarettes are cool. Smoking pollutes your lungs with toxins, advertising pollutes your mind with jingles.

There are times and places where advertising is necessary, but it's never free.

Advertising is a tool which, like any other, can be used for good or evil. But it's a good point that it's not free to the consumer.

what's good in this case? enriching someone?

I justed visited https://www.mozilla.org/en-US/ and browsed the source, and they still have the Google Analytics tracking crap on their website. Strange for a company that claims to be "committed to your privacy."

Mozilla has an enterprise agreement with Google that limits what data is collected through GA and how it can be used. Quote:

    Our Google Analytics premium account is set to opt-out on all of 3rd party
    uses of the data and the only people who have access to the anonymous
    aggregated data is Mozilla Employees. This is not the normal Google
    Analytics setup that most people use on other websites.

    Also, to increase privacy we flipped the anonymize flag in the Google
    Analytics request [...] and don't do any cross-domain cookies within Google

If it's on Google's servers, then clearly Mozilla employees aren't the only ones with access to it, and the anonymization he's referring to is mere IP address anonymization, where the last octet of an IPv4 address is zeroed. The viability of browser fingerprinting as demonstrated by the EFF's Panopticlick shows cookies, cross-domain or otherwise, are no longer the only viable means to persistently tracking users.

Google obviously have systems in place to allow employee access for absolute emergencies - but alarmed in case of unauthorised access.

in any case, the analytics data is anonymised and as such cannot be used to identify you. google goes to huge lengths anonymising data to aggregate you as a user into groups of millions for advertisers to bid on, you are simply not a big enough fish for special treatment.

edit: an explanation for downvoting is customary.

I didn't downvote you, but...

> google goes to huge lengths anonymising data to aggregate you as a user into groups of millions for advertisers to bid on, you are simply not a big enough fish for special treatment

You're mixing different products and people here. That may be true of Google Analytics data (I don't know either way), but it's not true for their advertising services. Google purposely tracks individual people in a non-anonymous way in order to sell remarketing products, to e.g. show a banner of items currently in your Amazon shopping cart alongside an article you're reading at CNN through their AdSense/DoubleClick platforms.

is that not amazon sending cookies?


i don't how that is google tracking you individually. can you please elaborate?

And in case anyone is wondering, turning on Firefox's experimental Tracking Protection feature does block Google Analytics on Mozilla's own web site.

This again..

It's a valid objection. GA at this point is on most websites you visit. The data is forwarded to Google where it's processed and stored forever. GA is one of the biggest threats to privacy on the web, and any company claiming to care about your privacy should not be using it.

I agree with you that it's a valid objection. I disagree however, when you say " any company claiming to care about your privacy should not be using it." That's an easy accusation to throw around, but what is hard to is come up with a better alternative.

What is your suggestion, that they should abandon all analytics, or that they should build their own, or do you not have one? Are you willing to acknowledge that GA solves a real problem and provides valuable information?

In my judgement, it makes a lot of sense that Mozilla would use GA. I want them to use it because I believe in their mission, and I'm sure in the balance of things, it helps them maintain a stronger position as an organization.

>What is your suggestion, that they should abandon all analytics

Ideally, yes. Or at the very least don't use Google for it. Use something like Pwiki instead. Or perhaps try actually allowing your users to decide what if any information they feel comfortable sharing with you.

There are other non-profits like the Wikimedia Foundation and the Internet Archive whose websites still somehow manage to function despite not triggering any of the multitude of filter rules that plugins like uBlock ship with.

uBlock blocks Piwik, self-hosted or not.

Yep, and the easiest way to fix this is something like: @@||piwik-domain.tld^

One obvious and easy alternative to Google Analytics is Piwik. You host it yourself.


I'm sorry, "we need analytics therefore it's fine to violate privacy" is not good reasoning!

But Mozilla doesn't appear to have done that. "We need analytics, and we respect privacy, so we've come up with something that's better than most companies but still not good enough for some of our users".

It's easy to bash someone for hypocrisy when they're trying trying to do the right thing. It's a bit weird seeing this consternation at Mozilla considering just how scummy the other companies are.

They are definitely helping, but I do wish there was wider awareness of the implications of G-A everywhere.

I find it very, very hard to get outraged over analytics code on a web browser site. And as previously mentioned every time someone brings up this idiotic factoid, Mozilla's use of GA isn't exactly standard.

You find it very, very hard to get outraged because you either use GA yourself and do not wish to acknowledge your complicity in the matter or you've simply failed to make the obvious leap from analytics to clickstream data.

Google wants to know what web pages you visit, when, and how often, and a GA beacon that phones home that information placed on every web page is the easiest way for them to do it.

EDIT: there are either a lot of angry GA users in this thread or Google apologists. Either was, I do believe Google is now or will soon use GA for clickstream tracking. I also believe this is why they offer to host frequently requested assets like JQuery.

> why they offer to host frequently requested assets like JQuery

Let's not forget the Google Fonts, which exist to "make web beautiful". How adorable and altruistic. Yay! /throws-confetti

Yes, let's not forget the fonts and js libraries served on cookie-less domains for speed. Surely, these are part of a plan to create a New World Order. https://developers.google.com/fonts/faq#Privacy

Cookies don't matter when browser fingerprinting accomplishes the same task. Read the page you linked to:

"We do log records of the CSS and the font file requests, and access to this data is on a need-to-know basis and kept secure."

Just like every other Google Privacy Policy, it's insultingly disingenuous, couched in terms of protecting your privacy while actually reserving for themselves the right to violate it by collecting enough information on you for you to be uniquely identified and storing that information indefinitely.

Okay, WTF? Name a web server out there that doesnt keep logs.

Your constant projecting of ulterior motives, absent any evidence, on a throwaway account, is the very definition of worthless, gratuitously negative content. The guy upthread is complaining that requests are cached for a day.

I'm sorry, would y'all prefer that they not be cached?

Google's motive is to make money, and they do that largely through advertising. There's nothing ulterior about the motive I'm suggesting. More information on you means they can charge a higher price for the privilege of advertising certain products or services to you. Of course, the fact that the same information they sell to advertisers is also easily accessible by the government with a mere subpoena, if even that, is of little concern to Google, Eric Schmidt, or remarkably even to many HN posters in this thread.

I'm sorry, can you present a plausible scenario in which the government (or any other entity for that matter) cares which web browser I download?

And as to this: it's insultingly disingenuous - no, it really isn't. Every piece of web server software in the world keeps logs. Would you prefer they lied?

You seem hell-bent on damning Google for not doing anything particularly evil in this case. And it doesn't look like you're willing to have your mind changed, either.

From your link.

> Requests for CSS assets are cached for 1 day

Tracking font request "only" once per day is still spying.

Also, regarding your jump from Google's attack on our privacy to a larger to that "New World Order" reference is highly offensive. You're building a straw-man that was not stated, and perpetuating the belief that someone who complains about their privacy being attack must be some sort of "conspiracy theory nutter".

There are no cookies. Claiming that Google is "tracking" users for some nefarious "attack on privacy" with these properties is "highly offensive" to my bullshit detector.

It is very well known that cookies are not the only way to track activity. You insistence that Google somehow doesn't do the trivial step of JOINing a few tables together with any of the many possible candidate keys that browsers leak is laughable. Even plain apache logs have the IP address, which is all the "cookie" they need for those of us that have static IP addresses. Even with DHCP, Google only needs to do an INNER JOIN style query to associate that IP with any of the other requests made in the same time period to their servers such as google-analytics.

And all that doesn't even begin to touch "panopticlick" style entropy gathering.

In case you are interested in learning what how Google works, instead only looking at the facade they show you, I suggest watching the presentation[1] Aral Balkan gave at the same event that hosted djb's recent talk (which is also recommended). You won't like it - possibly violently - but maybe you can learn a bit about how the world actually works..

[1] https://projectbullrun.org/surveillance/2015/video-2015.html...

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact