- Nick Craver, Architecture Lead at Stack Overflow
It's ridiculous. It's a text-based ad. At worst, it's a clickable image. At what point did it become okay in your minds to let advertisers run arbitrary code?
I've left ads turned on specifically on StackOverflow because 1) I want to support StackOverflow, and 2) I trust them not to run malicious ads.
I don't even care that they're running ads network-wide. But if they're going to be running these kinds of ads anywhere on the site, they're going right on the ad block list along with everyone else.
> To the people confused why ads need to run their own Javascript (even ones that are just static images): The short answer is that Ad Networks do not and cannot trust website operators. They need to run their own JavaScript served from their own servers in order to verify that a real user saw the ad and for how long, and they can't trust the website operator to tell them. And these pieces of JavaScript tend to be more invasive and privacy-destroying than the website's JS because they care, far more than the actual website does, that the "user" is not a bank of iphones in a sweatshop in China.
[1]: https://meta.stackoverflow.com/questions/386487/why-is-stack...
Could we require advertisers to sign their ad code to have a trail of where it came from, prevent tampering, and make it easier to pull the plug on bad actors?
The people bearing the costs of the internet ad economy aren’t the people in any position to do anything about it. So there’s very little pressure to fix anything.
Maybe if the US government started threatening to enact something like GDPR unless the a democratic industry gets its shit together.
https://feature-policy-demos.appspot.com/
https://developers.google.com/web/updates/2018/06/feature-po...
"The ad is attempting to use the Audio API as one of literally hundreds of pieces of data it is collecting about your browser in an attempt to "fingerprint" it... Your browser may be blocking this particular API, but it's not blocking most of the data."
Seems like killing the audio is the metaphorical putting a finger in the dyke of serving arbitrary JavaScript to your users.
Are you really aware of the issue? The issue people have here is not the fact that the ad is trying to access the audio api per se but that it is trying to fingerprint the users.
This is not just ads, but about fingerprinting and tracking users somehow or the other by third parties. It's plain evil, and not a decent thing to continue foisting on your unsuspecting users after you've known it. Tell management to take an ethical stance and preserve the reputation of SO.
The only time they'd do that is if the marketing team decided that the value-add from taking ads off cancelled out the profit loss from taking the ads off.
- Stack Overflow makes a blog post about not using dynamic ads.
- Dynamic ads found on Stack Overflow, with aggressive fingerprinting.
- Architecture Lead doesn't know how this happened and is getting serious.
I have so many questions. I hope this gets a post-mortem.
Perhaps you should stop doing that.
If you're serious about this, I've built tools for the publisher side for stopping exactly this.
My email address is in my profile.
It's hard to read the obfuscated code and be sure what's being done with the browser environment information. This script seems to generate some hash and put in some global variables, presumably for some other script to consume. I don't know whether such scripts send it to a server, compare it locally to a previously-known value, or ignore it.
This library is very popular.
https://github.com/Valve/fingerprintjs2/blob/master/fingerpr...
Google is currently as far away from their previous world-famous "don't be evil" corporate culture.
Other examples are AMP where Google wants to make it harder to de-individualise URLs. This is being driven to an extent where Chrome on Android makes it harder to edit the URL.
Or games like Egress or PokemonGo, which in my opinion help Google constantly update their WiFi SSIDs-To-GPS-location database. This database is then furthermore being used to track users' location through a little permission called "WiFi Control", which also cannot be found in the regular App Permissions settings entry.
To me WiFi-Control sounds nothing like location tracking. But I have to admit, I am not a native speaker. Therefore I might be misunderstanding something.
It would be interesting to see where we are in ten years.
There is some discussion of the technical cat-and-mouse game he has to play as advertisers try to make their content avoid detection and blend in with the regular programming. In this version of the future, the ad blockers eventually win and network television is destroyed. (The book also features networked computers and email ("telefax"), but the concept of ads appearing on them was still too futuristic for 1985.)
https://books.google.com/books?id=Q6o51-W_z8MC&lpg=PP1&dq=go...
Adnix and Preachnix were the essence of capitalist entrepreneurship, he argued repeatedly. The point of capitalism was supposed to be providing people with alternatives.
"Well, the _absence_ of advertising is an alternative, I told them. There are huge advertising budgets only when there's no difference between the products. If the products really were different, people would buy the one that's better. Advertising teaches people not to trust their judgment. Advertising teaches people to be stupid. A strong country needs smart people. So Adnix is patriotic. The manufacturers can use some of their advertising budgets to improve their products. The consumer will benefit. Magazines and newspapers and direct mail business will boom, and that'll ease the pain in the ad agencies. I don't see what the problem is."
Adnix, much more than the innumerable libel suits against the original commercial networks, led directly to their demise. For a while there was a small army of unemployed advertising executives...
I love utopian visions of the future.
Personal opinion: Laws are needed to make what advertisers are doing illegal. Advertisers are spying on people to the extent where if the government did it they'd need a warrant.
Kind of like how https://old.reddit.com/r/gaming/ is just a sequence of ads being flawlessly delivered to an ad-averse demographic that eats the ads up.
Savvy users will continue to block on machines that aren’t walled gardens and through pi-hole style blocking.
I think the cat and mouse aspect will be completely overshadowed by tech giants continually neutering their users' ability to block ads.
Safari on iOS allows for content blocking, and Firefox for Android allows users to install extensions.
At the very least, though, eventually advertising agencies will hopefully figure out that this sort of tracking is pointless; "newspaper-style" ads are more likely to actually engage with the people encountering those ads (since said ads would be selected based on the page content rather than the person reading that content). This is how DuckDuckGo's ads work; the sponsored results are selected entirely by the actual search query. If content-driven ads (plus affiliate links, but I somehow doubt that's enough of DDG's traffic to be a deciding factor here) are enough to pay for enough computational power (and the development team to run it) to serve up 30+ million queries a day, then there's no reason it can't be enough for any other site.
Security-wise, I think the best we can hope for is more and more OS-like sandboxing and isolation, capability-based security, and other defense-in-depth measures.
Privacy-wise, for defeating tracking and the like, ideally I'd hope for technical countermeasures to win the battle, but if we do end up having to rely on legal measures, they have my full support, GDPR and CCPA included.
(Random idea for a technical countermeasure against fingerprinting: have you heard of those projects trying to defeat behavioral tracking where, whenever you visit a page, it simultaneously opens a bunch of other random pages in the background, hidden from you, and simulates activity on them, the idea being that Facebook has no idea what actual websites you like to visit because it's lost in the noise? What if instead, whenever you visit a page, your browser or a plugin or a proxy or whatever opened the same page simultaneously in a bunch of hidden background windows, with a random configuration of audio enabled/disabled, user agent, screen resolution etc fingerprinted characteristics?)
You can't build apps without Turing-complete code. We would be back to downloading and executing applications/programs.
They've already won.
This issue is cross domain tracking like we see with ad networks that profile you over many different sites.
[0] https://arxiv.org/abs/1412.1897 [1] https://arxiv.org/abs/1710.08864
This encapsulates the entire problem with the current state of digital advertising in 1 simple sentence.
I've been playing around with ideas about more ethical analytics and advertising, and I think they're pretty easily built platforms. But the question is are they marketable? Would GloboCorp and MarketingCo give up the ability to track consumers so closely in favor of a more ethical approach, or has it been too valuable for them to give up?
I'm not fully up to date with how these things are usually set up - is there anything in the web security model that prevents "ads" from exfiltrating arbitrary information from any page that they're on? Could an ad read my keystrokes, or scrape private messages?
I run NoScript with all JS blocked by default and only whitelist the domains I want. On most sites you can get by with no JS or just scripts from the same domain whitelisted. Maybe a CDN from time to time.
And they certainly do contribute a massive amount of value to our community -- and as far as I can tell, they've always tried their very best to be good folks.
I'm not going to tell you how to think, but they have built up a lot of trust and goodwill in my book over the past decade.
I believe them when they say they'll work hard to do the right thing.
Considering the alternatives, that sounds really appealing for me. I'd also buy it for my less tech-literate parents.
Besides disabling JavaScript you can put hosts file blocklists.
Simple corporation block list (e.g. Facebook, Google) https://github.com/jmdugan/blocklists/tree/master/corporatio...
"Someone Who Cares" list http://someonewhocares.org/hosts/
Ultimate Hosts Blacklist: 1 million blocked domains (once in a while you might need to unblock something) and also a bonus known hacking IP blocklist. https://github.com/mitchellkrogza/Ultimate.Hosts.Blacklist
It’s not harmful, as long as you’re not one of the people who gets tricked. But it does indicate that they want to do you harm, and try to. That they failed doesn’t make it all better.
That's why I think the idea of running each site in a container is so effective.
And while we're at it the container should just spit out random shit like different resolution, audio api, user agent, once in a while (unless the user turns it off) to thwart such attempts.
Unfortunately when the creator and maintainer of 67% of all browsers is an ad company who is exploiting this in the first place, then there is no chance that this could happen.
Wouldn't that break the legitimate feature-detection uses for these APIs? Asking the user to identify and whitelist each call is impractical, especially since the fail-case in this scenario would be subtle (you'd still see the page but it might randomly be in the wrong mode, or images might be scaled incorrectly, etc). At that point you might as well just turn Javascript off.
That way, the page displays correctly for you, but the server has no idea your actual fingerprint.
There's some trickiness to get this to work right; the collection of fake fingerprints would have to have a certain amount of persistence, because if it was regenerated every pageload, the server could probably tell that only one fingerprint kept showing up repeatedly. Maybe each fake fingerprint should have a completely realistic-seeming browsing session, happening in parallel with your real one, with half the collection continuing on browsing even after you're done? Except wait, ads could just separately target every fingerprint, and it doesn't matter if 99% of them are fake as long as its accuracy for your real one is still good. To defeat that you need the randomized activity using your real fingerprint.
The ideal would be if this was done through a proxy server, which would then know every fingerprint ever sent to a website. It could then provide you with a random collection of past fingerprints that have actually visited the same website, so every visitor gets a collection of fingerprints randomly drawn from the same "bag", rendering visitors indistinguishable.
that sure would keep me up at night.
obviously, i know google does more, but it seems like a large chunk of their revenue must be dependent on shady technical tricks like these working.
[1] https://en.m.wikipedia.org/wiki/Usage_share_of_web_browsers#...
Other options would be that if you are a content distribution company, e.g. youtube, google, facebook, twitter, instagram, etc. then you cannot have any control of the client side applications that consume the content. Trustbusting would come into play here.
Or legal obligations to follow a user's desire not to be tracked with real criminal fines and jail time applied to executives, managers, and developers who failed to follow the law.
If you want to buy advertising online you're probably gonna end up dealing with them either directly or indirectly.
How We Make Money at Stack Overflow: 2019 Edition: Taking money from Microsoft and Google fingerprinting our users 100+ ways
source: https://stackoverflow.blog/2016/11/15/how-we-make-money-at-s...
1. Text based ads only (no third party js)
2. HTML based ads but no js (run it through DOMPurify https://github.com/cure53/DOMPurify)
3. Look for a js sandbox -- this _will_ break arbitrary js, will not be supported in all browsers, and will require dev work on your side:
* Google Caja https://github.com/google/caja
* MentalJS https://github.com/hackvertor/MentalJS
other options are available as well, in varying levels of maturity and support. I think using a sandbox iframe is not going to be able to defeat browser fingerprinting, because the sandbox control options are not rich enough. You would need to block all JS.
Or use iframe.sandbox, which was designed for it. https://www.w3schools.com/tags/att_iframe_sandbox.asp
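An added example, not taken from the thread or from any commenter's code: a publisher-side wrapper for the "HTML but no JS" and `iframe.sandbox` options listed above. It renders a creative through `srcdoc` with no `allow-scripts` token and refuses sandbox policies that would let script run. The function names, the constructed sample creative, and the `advertiser.example` URLs are assumptions.

```javascript
// Added example (hypothetical helper names): wrap an untrusted ad creative in a
// sandboxed iframe that cannot run script, so fingerprinting code in it is inert.

// Tokens a click-through banner needs; anything else must be justified.
const SAFE_TOKENS = ["allow-popups", "allow-popups-to-escape-sandbox"];

// Escape text for use inside a double-quoted HTML attribute (here: srcdoc).
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Return the reasons a proposed sandbox token list is unsafe for ad markup.
function auditSandboxTokens(tokens) {
  const set = new Set(tokens);
  const problems = [];
  if (set.has("allow-scripts")) {
    problems.push("allow-scripts: creative can run JavaScript and probe browser APIs");
  }
  if (set.has("allow-scripts") && set.has("allow-same-origin")) {
    problems.push("allow-scripts + allow-same-origin: a srcdoc frame can reach the parent page and drop its sandbox");
  }
  for (const t of set) {
    if (t !== "allow-scripts" && !SAFE_TOKENS.includes(t)) {
      problems.push(`unreviewed token: ${t}`);
    }
  }
  return problems;
}

// Build the iframe markup. The creative is data: it is only ever placed inside
// an escaped srcdoc attribute, never concatenated into the host page's HTML.
function buildAdFrame(creativeHtml, { width = 728, height = 90, tokens = SAFE_TOKENS } = {}) {
  const problems = auditSandboxTokens(tokens);
  if (problems.length > 0) {
    throw new Error("refusing sandbox policy: " + problems.join("; "));
  }
  // Defense in depth inside the frame: only HTTPS images and inline styles load.
  const doc =
    "<!doctype html>" +
    "<meta http-equiv=\"Content-Security-Policy\" " +
    "content=\"default-src 'none'; img-src https:; style-src 'unsafe-inline'\">" +
    "<base target=\"_blank\">" +
    creativeHtml;
  const w = parseInt(width, 10) || 0;
  const h = parseInt(height, 10) || 0;
  return `<iframe sandbox="${tokens.join(" ")}" width="${w}" height="${h}" ` +
         `referrerpolicy="no-referrer" srcdoc="${escapeAttr(doc)}"></iframe>`;
}

// Constructed sample creative: a linked image plus a script that the sandbox
// prevents from executing.
const SAMPLE_CREATIVE =
  '<a href="https://advertiser.example/landing">' +
  '<img src="https://cdn.advertiser.example/banner.png" alt="ad"></a>' +
  "<script>new AudioContext()</script>";

console.log(buildAdFrame(SAMPLE_CREATIVE));
```

The image fetch still exposes the visitor's IP address and request headers to the ad server; the sandbox only removes script-based probing.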
Audio feature detection isn't even a novel technique.
I've seen trackers look at download stream patterns to detect whether or not BBR congestion control is used, I have seen mouse latency based on the difference between mouse ups and downs in double clicks and I have seen speed-of-interaction checks in mouse movements.
Just checking for the constructor of something an ad might legitimately use (like audio) is relatively benign, to be honest, and it is naive to expect ads to not do this, and it is why I use an ad blocker even on sites without annoying ads.
See also the recent decision to allow animated banner ads on various Stack Exchange network sites.
[1]: https://meta.stackexchange.com/questions/329763/were-testing...
https://meta.stackexchange.com/questions/329763/were-testing...
which is being prominently announced in a yellow "featured on Meta" box you can read:
"If you see any ads that are inappropriate or have any questions about this experiment, please let me know by starting a new question and tagging it with advertising"
and
"If you wish to report an advertisement, please take a screenshot of the ad and paste the URL (if possible) along with the site where you saw it to a comment or answer. I'll report it to the ads team and we can track it down to investigate."
Screenshots? Start a new question with a tag? Track it down? Shouldn't you cut to the chase and have a "report this ad" button built-in so you can immediately be alerted to malware/abusive/inappropriate ads? Perhaps it's not moderators who have the power here. As a non-moderator/employee I couldn't care less what you call the people who do it; it seems entirely inadequate. Run the ads now and if enough people complain or it gets embarrassing - like google and/or microsoft spying on users - then publish a theatrical apology. No, that doesn't work for me.
No, my ad-blocker is never coming off.
It's not ironic at all if you think about it a bit.
>>annoyingly aggressive,
Volunteer labor from nerds who expect you to match their idea of perfection
>> ad moderation is annoyingly permissive
Done by employees so it costs SO money.
The most likely use-case here is ad fraud detection anyway.
I'm not so sure. There's a lot of market value in knowing that User 2341423 went to Site A, then Site B, then bought this item, etc.
I don't have enough info to quantify the amount of data blocked though.
I have a tweet in my timeline which illustrates this: https://twitter.com/gorhill/status/934474012377444352
This would get rid of the greasy ads, and Google could focus on making tools that allow site owners to filter by "features used in ad", and ad developers could actually return to delivering ads, rather than collecting fingerprints?
They already invented that: https://github.com/google/caja
"Caja uses an object-capability security model to allow for a wide range of flexible security policies, so that your website can effectively control what embedded third party code can do with user data."
Eh, that's like 10x average CPM nowadays. And advertisers usually are paying per click, not impression.
1) Measured by analyzing the traffic I got from Google Ads 2) That's what I get from Google ads as a publisher, but you used to get a lot more in the epoch, like $5-10 CPM
integralads is guilty of developing and selling this technology. Microsoft is guilty of buying it and using it. Google is guilty of serving it. And why not also StackOverflow is guilty of offering that space to advertisers without enough vetoing of their ads.
After reading about integralads I'm not even sure if the purpose is to fingerprint, it seems to be more targeted towards detecting fraud, which does not require fingerprinting necessarily.
My point is that it's not as easy as pointing to one company and blaming them. This is a problem that concerns anyone on the Ad space.
Kind of makes sense why companies like Google and Facebook have invested so much in creating open-source front-end frameworks. The ROI is probably phenomenal.
I get that stackoverflow isn't an SPA, it just made me think of this point.
Side-note: you can block JS on stackoverflow and still view answers. That works for 98% of my usecase for the site.
... Then I move on. Those dorky little crapware widgets are basically never worth looking at in any case, and I do take that sort of strategic tooling decision as a signal that I probably don't want to accept the 'bargain' being offered.
They can track me through websites and I don't want that. Already using ublock origin.
I know Mozilla made an anti-fingerprinting announcement recently but IIRC all it does is check scripts against a blacklist: https://blog.mozilla.org/futurereleases/2019/04/09/protectio...
The fact that even people of a big site like stack overflow don’t know where it comes from instantly, is only further proof that using an adblocker is a reasonable decision.
Maybe it is naive, but all ads should be in my eyes is a picture and something that counts the page views. And when you are a site that has ads as its main income you should have at minimum one employee who knows and tests each ad before it gets accepted and put onto your server.
Only then your customers will trust the ads you use and only then any reasonable person can even consider deactivating the adblocker for your site.
I am pretty sure somebody explored this idea before me, why doesn’t it work?
Ad URL: https://static.adsafeprotected.com/sca.17.4.95.js
JS Domain: adsafeprotected.com
Domain Owner: Integral Ad Science, Inc[0]
Google's recent stance on the matter of fingerprinting[2]:
>Chrome also announced that it will more aggressively restrict fingerprinting across the web. When a user opts out of third-party tracking, that choice is not an invitation for companies to work around this preference using methods like fingerprinting, which is an opaque tracking technique. Google doesn’t use fingerprinting for ads personalization because it doesn't allow reasonable user control and transparency. Nor do we let others bring fingerprinting data into our advertising products.
The important part being: _Nor do we let others bring fingerprinting data into our advertising products._
The same company advertises their fingerprinting capabilities:
>Browser and Device Analysis: We analyze the technological fingerprints of browsers and devices in order to uncover bots fraudulently posing as human users. We can validate what type of mobile or desktop device a browser is running on, providing additional context with which to identify fraud.
And it is this fingerprinting that gets them selected as a Google Brand Safety and Viewability Preferred Measurement Partner[1]
>New York, NY – Integral Ad Science (IAS) has been selected as a preferred partner in Google’s Measurement Program for both brand safety and viewability. Partners were selected after meeting rigorous standards for accuracy and using reliable methodologies to measure KPIs that matter for marketers. The program is designed to make it easier for advertisers to source trusted, third-party measurement providers.
The gist of it being that Google has heavy cognitive dissonance, with their advertising wing rewarding partners that fingerprint users (against their own policies), and the Chrome team barely managing to introduce some anti-fingerprint measures, which are clearly not enough.
[0]: https://integralads.com/capabilities/ad-fraud/
[1]: https://integralads.com/news/google-selects-ias-brand-safety...
[2]: https://blog.google/products/ads/transparency-choice-and-con...
Perhaps, but I think some of that behavior only appears dissonant. Like the NSA, Google often uses carefully constructed language that is designed to sound like a statement about a topic of concern without saying anything actually useful. For example:
> Google doesn’t use fingerprinting for ads personalization
The only reason to add "...for ads personalization" is if they are using fingerprinting for other purposes. This could include other ad-related purposes like attribution.
Google's claims about not using specific data for a specific purpose are probably true. They simply fingerprint (and probably correlate) everything else.
If you don’t use an ad blocker you should consider your computer compromised.
Honestly, how are ads still allowed to execute javascript at all?! I get it if the ad-manager still executed javascript, but how is it okay to let random 3rd parties run js on your website?
This practice could stop tomorrow if the best and brightest of us decided so.
I'm not so sure that education would help either, it's my impression that ethics is just individually set. Of the people that understand Kant's categorical imperative, some will act accordingly and others will ignore their knowledge because doing so gets them more money.
Anything involving javascript will do shenanigans for various reasons. Fingerprinting via any means possible is industry standard ad-network behavior at this point. No one in the industry could imagine doing any less - it's impractical, it's absurd. But targeting! But fraud! But the only fix is to just give it all up, go back to how it was done in the 90s.
There is no reason these ads should be anything other than a linked image.
e.g. Browsing to an arstechnica.com article, with speakers on but nothing else playing.
If so, what kind of rates can I get?
We need a real alternative - without stupid ads and master-slave karma-based community relations.