So this, from Firefox, is fucking toxic: https://mstdn.social/@Lokjo/112772496939724214

You might be aware Chrome— a browser made by an ad company— has been trying to claw back the limitations recently placed on ad networks by the death of third-party cookies, and added new features that gather and report data directly to ad networks. You'd know this because Chrome displayed a popup.

If you're a Firefox user, what you probably don't know is Firefox added this feature and *has already turned it on without asking you*

Lokjo - EU's Gmaps replacement (@[email protected])

Firefox is just another US-corporate product with an 'open source' sticker on it. Their version 128 update has auto checked a new little privacy breach setting. If you still use a corporate browser, at least do some safety version! We mainly use @[email protected] based on firefox. (yes, we know, a stable european or even non-US browser is still considered 'futuristic' in europe) #eu #browser #firefox #meh


This is weird & bad for so many reasons. But what I focus on is:

1. I believe, morally if not practically, this tracking is *worse* than the old 3rd-party cookies. This is because 3rd-party cookies were a legitimately useful tech that could be misused for ads. This tech is *designed* to benefit advertisers from word go, yet is installed on *your* computer, like Malware.

2. Firefox is *worse than Chrome* in their implementation of ad snitching, because Chrome enables it only after user consent.

Now to be clear, the disclosure Chrome provides to users is not *adequate*. Their wording of the "Ad Privacy" feature popup is highly disingenuous and the process to disable once notification is given is too complex and must be performed on a per-profile basis. But at least they *do it*, and to my knowledge don't track/send the data until the popup is displayed. Whereas Firefox just snuck this in in a software update, checked by default and you're probably learning about it now, on social media.

Other, loose angles to consider this from:

- Google/Firefox claim their tracking features are not "tracking" because they use something called "differential privacy". I don't have room to explain this class of technology, but I sincerely consider it to be fake. Without getting into the details, they provide *less* information to the advertisers than a cookie would have. But I'd prefer they provide none. Steps are taken to anonymize the data, but what is anonymized can often be de-anonymized.

- The language Google/Firefox use to describe their ad snitching policies just makes my blood boil, an insult on top of the injury of the features themselves. Google uses the label "Ad Privacy" for a feature group that strictly decreases privacy over doing nothing. Firefox calls it "Privacy-preserving ad measurement". You know what would preserve my privacy more? *Not measuring*. I understand why Google is lying to me to protect their own business, but Firefox is supposed to be a nonprofit. WTF.

- Firefox's "Privacy-preserving" ad tracking has other interesting issues. In another way the new ad snitching is worse than the old tracker cookies, Firefox doesn't *tell* you what data it's collected or reported, and unlike with cookies doesn't give you the ability to delete recorded "impressions".

Also interestingly, the feature is not available to *all* advertisers currently, only a "small number" of partner sites. *Firefox doesn't disclose who they are*, again making this worse than $GOOG.

- This event seems to tie in with other confusing developments around Mozilla as a company/"Foundation". I do not know enough about these issues to comment on them intelligently. I know only that Mozilla has, inexplicably for a nominal nonprofit, recently bought an advertising firm: https://mastodon.social/@jwz/112650295543215212

and that I have seen… let's say "criticism" of recent changes to the board makeup: https://www.spiceworks.com/tech/tech-general/news/mozilla-cpo-sues-company-over-disability-discrimination/

Mozilla CPO Sues Company Over Cancer-Related Disability Discrimination

Mozilla’s product chief is suing the company over alleged discriminatory practices stemming from his cancer diagnosis.


Anyway, I guess that's a lot of typing. The TLDR is:

- There is now a feature labeled "Privacy-preserving ad measurement" near the bottom of your Firefox Privacy settings. I recommend turning it off, or switching to a more privacy-conscious browser such as Google Chrome.

- I have filed two bugs on Firefox about this, which I am choosing not to link to dissuade brigading. If I have not been banned from the bug tracker by next week I will file another bug about the ChatGPT integration in nightly

Two updates to this thread.

Update 1: In this thread I complain Mozilla does not provide specific technical details about this feature. It turns out there *is* a document with the technical details, on Github:

https://github.com/mozilla/explainers/tree/main/ppa-experiment

It also explains (https://wiki.mozilla.org/Origin_Trials) which sites are participating in the feature.

I am linking this document because I believe the first five words do more to discredit what Mozilla is doing here than anything I could say:

"Mozilla is working with Meta"


Update 2: I didn't know this, but it turns out Apple Safari is *also* spying on what ads you view and click on, and sending that info (with some anonymization) directly to advertisers via a backchannel?

https://www.apple.com/legal/privacy/data/en/safari/#:~:text=You%20can%20disable%20Privacy%20Preserving,off%20Privacy%20Preserving%20Ad%20Measurement.&text=When%20you%20are%20in%20an,Pay%20enabled%20on%20that%20device.

It's worse documented than the Firefox/Chrome versions, and like Firefox (unlike Chrome) there is no clickthrough consent. I don't expect better of Apple, but this *grates* given they're running big "A browser that's actually private." billboard ads in my neighborhood.

Above I object to Firefox and Apple's labeling of ad snitching features as "Privacy-Preserving Ad Measurement" on framing grounds. But what I've since discovered is people are being *actively misled* by this wording. I keep speaking to people who believe, or are concerned, that disabling "Privacy-Preserving Ad Measurement" will have the effect of, rather than disabling measurement, disabling *privacy preservation*. I'm told the French & Dutch translations of Apple's UI are even more misleading.

@mcc It is the "new normal":

https://www.deceptive.design/

They AB test everything to find the best way of tricking you into doing whatever is the opposite of your best interest/wishes.

If tech companies could be more evil, they would already be doing it.

Deceptive Patterns (aka Dark Patterns) - spreading awareness since 2010

The original website about deceptive patterns (also known as “dark patterns”) - tricks used in websites and apps that make you do things that you didn't mean to, like buying or signing up for something.

@mcc Well it is privately spying on you. The others do it publicly. Or something like that. I would like to have a law that makes tracking illegal.
@prefec2 Unlike Chrome it doesn't disclose to you that it's spying on you, so that makes it "private".
@mcc private as in "privately owned"
@prefec2

@mcc lol I just checked on Apple Safari and it turns out you have to go to Settings, Safari, then scroll all the way down to "Advanced" to find and turn off "Privacy Preserving Ad Measurement"

(TIL participating in a market economy without leaking an information advantage to counterparties is considered "Advanced" now)

(edit: it's a little different on Apple iOS and Mac OS -- https://blog.zgp.org/turn-off-advertising-measurement-in-apple-safari/ )


@dmarti @mcc I think "advanced" is just another name for "don't you worry your pretty little head over it, darling".
@darkling @dmarti @mcc
I'll let "The Tallest" explain this one.
https://www.youtube.com/watch?v=inR02pEesCQ
Invader Zim-Gir is "Advanced"

@dmarti @mcc Jesus tap dancing Perez! I had no idea. Thanks for sharing all of this.
@dmarti I hadn’t noticed that anti-feature. Hiding it like that is ridiculously trashy behavior on the part of Apple and the Safari team.
@dmarti @mcc If I turn that off, does Safari send more or less data out?
@JetForMe @dmarti My read is that unchecking it will cause safari to send less data, and leaving it checked will cause safari to send more.
@dmarti @mcc In French, the setting is phrased in a misleading way. It basically translates to “protect privacy during ads measurement”, which I initially understood as a privacy prevention feature that I kept enabled.
What should I do if I think that my personal data protection rights haven’t been respected?

Actions you can take if your data protection rights under EU law haven’t been respected, including involving the national Data Protection Authority.

@dmarti @mcc does this turn off the “ad measurement” part or the “privacy preserving” part?
@emilsit @dmarti It turns off the ad measurement.

@dmarti

"But look, you found the notice, didn't you?" "Yes," said Arthur, "yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying Beware of the Leopard."

@mcc

@mcc @hub All the better to preserve your privacy with, my dear.
@mcc the same ads in the entrance of a lot of subway in paris. :(
@gkrnours @mcc The French version of the name of this feature (“Protection de la confidentialité lors des mesures publicitaires”) is horribly misleading since it appears to mean that turning it off will disable the privacy preservation rather than the ad measurements!
@badibulgator @gkrnours yes, I have seen people struggling with the English text in the same way
@mcc @gkrnours Oh ok. But imagine instead of “Privacy Preserving Ad Measurement” it said “Preserving the privacy of ad measurements”. That’s what the French version is like… 😕

@mcc @gkrnours Yup. 🤷‍♂️

Anyway, I’ve now disabled that thing. Thanks for the heads up!

@badibulgator @gkrnours @mcc same in the Dutch translation. It literally translates to “protect privacy in ads”. That’s misleading enough it looks like a data protection law violation to me.
@mcc I have seen a similar billboard many times. Alas as I’m driving didn’t get a shot. It replaced the one about their camera….
@hub i mean, as far as i know they actually do have good cameras. that advertisement was probably accurate.
@mcc this is a great time to remind folks that if this is an issue that bothers them, they should consider contributing code or funds to @servo according to their ability to do so :)
@jszym oh yeah. thanks for reminding me, i was gonna boost today https://ordinary.cafe/@technobaboo/112781970993978577
Nova🐧✨ (@[email protected])

Given the Firefox stuff that's happening and the announcement of ladybird, I think it's a good idea to mention a browser project that's got no controversy I can see but could use time and money, @[email protected]. Servo is a browser engine made in Rust, it was made to be an experimental engine by Mozilla but the Linux Foundation is hosting it now. What I especially like is how modular it is, compared to other engines I feel I can make a better browser with it and its components help other projects too! If you want to see a browser that can be maintained in pieces instead of monolithically it's worth checking out! they need serious CSS/flexbox help to get up to par with other browsers but the webGL and WASM is top notch. #servo #ladybird #firefox #chrome #privacy #safari #browser #foss


@mcc I've seen your tirades about the ad handling in the different browsers. I totally agree that the way Firefox is phasing in this experimental stuff is awful and dishonest.
But have you actually looked at what Firefox (and ISRG, the non-profit who brought&bring us letsencrypt) is trying?

It *does not* enable sites to do behaviour tracking so they can personalize ads.
It does relay *aggregate* info about which ads lead to site visits ("conversions" in web marketing speak). 1/x @koehntopp

@KarlE I've written a response but the 1/x makes me think I should wait for you to finish lol
@mcc (thanks for your patience) thing is, due to privacy mechanisms (that we want), the info chain which ad led to a site visit no longer works. but the site that had the ad wants to get paid for annoying their readers with it. just displaying it pays nothing, the only reliable measure for its success and worth paying is conversions, i.e. the reader then clicked it to come to advertiser's site and read marketing blurb, do some shopping or whatever. 2/x
@koehntopp

@mcc we like the web to have content, preferably well researched information and not garbage, that costs effort. we don't want to pay with our data, we don't want to be tracked. we don't want to pay money for a subscription (which also implies giving our data, as by proving we have paid we must identify and are also trackable). so how should the site cover their costs? context based, non personalized ads - but advertiser must find it worth paying, by seeing conversions. 3/x

@koehntopp

@mcc I think what ISRG have come up with is worth looking at critically but constructively. they need to reveal what sites displayed the ad leading to visits, without enabling them to learn about the behaviour of their individual visitors. they also need to prove, or at least make it plausible to visitors that they do not perform profiling themselves, as being a central agency would make them ideally positioned to do so. That's where this splitting of information comes in. 4/x

@koehntopp

@mcc now, I'm not a protocol expert to tell whether the half here half there submission of data is suitable to ensure privacy, and in any case we have to trust the agency to only recombine after aggregation and without keeping tabs on identifiable user info. But I think the bigger hurdle will be to convince the advertising industry that the mechanism and they as an agency are trustworthy to base their ad payments on. 5/x

@koehntopp

@mcc fact is, getting revenue from ads had become very difficult. I am a member of a nonprofit society that runs a special interest web community (now 28k YAU, peaked at 130k years ago), we used to pay servers and a fraction of staff salary with ad revenue a decade ago. now we decided to scrap them because the payout is negligible. we can do this because we are funded by membership fees and donations and no longer have paid staff, only volunteers.
A business would go bust. 6/x
@koehntopp

@mcc so I think, of the various ill-conceived things Firefox has been doing and said they are planning (I could rant at length about that - why not stick to providing a decent piece of software, rather than operating cloud services, buying companies etc.), here they botched the way of introducing this privacy ad thingy, but the mechanism itself deserves some credit (unless someone takes it apart and shows that it is flawed), and is far better than what the others are doing. 7/7

@koehntopp

@KarlE @koehntopp I have some (limited) infosec background and I would put math-inflected infosec into two categories. Category one would be something like PKI encryption, where you can prove the math can't be broken in the lifetime of the universe, and finding a shortcut would require solving a Millennium Prize problem.

Category two is stuff like Tor and DRM: An arms race. You have an adversary, and the winner is *whoever is better at math*. I would place differential privacy in category two.

@KarlE @koehntopp Category Two tech is sometimes *worth using*. Tor is worth using. There is differential privacy tech I personally use (in one of my web browsers, no less). But I don't see it as the kind of tech that can make hard, 100% promises. It's a technology that lowers risk— lowers, not eliminates. I see no reason to accept *any* risk just because ad companies wish they could track on which websites their ads are being seen. That is not my problem.
@KarlE @mcc @koehntopp I used to work for a company that made conversion tracking software, and the metaphor was a department store measuring which door customers used, if poster A at door B increased sales, how many window shoppers bought something on a return visit, and so on. Individuals were uninteresting, so no actual personal data was wanted. We didn't want the liability. That was the mentality.

@KarlE @mcc @koehntopp The claim is that this doesn’t enable personalised ads, but what it’s looking to do is extremely fine-grain automatic market segmentation, which is damn near personalised.

Advertisers could just target based on content, like they do with print and TV. Sure, personalised ads are more effective, and sure, they want to use them, they want higher conversion rates, but wanting a thing does not entitle you to that thing.

@KarlE @koehntopp Addressing this point separately because it really is separate from the fact I simply *do not consent to Firefox doing this*:

If you tell me that an adtech company or advertising network wants thing X, my reaction to that news is, *I want to do whatever I can to keep them from getting thing X*. Even if X itself is not very important to me. The fact ad co's want the thing, is enough by itself to make me want them to not get it. This is what I choose to do with my free will.

@KarlE @koehntopp I do not accept your premise that if ad-supported content corporations can get paid more for ads, that they will put that money into content. Rather, I think they will fire the writers making the content, replace them with "AI", and simply keep the additional ad revenue. This seems to be the space the writers I know are in (sometimes the corp skips the "AI" step and just fires people).
@KarlE @koehntopp You mention donation/"Patreon" style funding models. The writers I know meeting with success seem to largely be moving to this model. I'm not convinced ad-funded content has a place in the future of the Internet, and if we get an opportunity to intentionally exclude it from that future — for example, by making the advertising less profitable — I think that opportunity is at least worth exploring.
@KarlE @mcc @koehntopp did the Referer header stop working?

@KarlE @koehntopp Okay. So. First off:

Hi, yes, they're quite clear about that. I understand there is technology in place to inhibit reconstructing the behavior of an individual user.

What I do not understand is (post continues):

@KarlE @koehntopp

- Why I should believe that the math they're using to obfuscate things is better than the math that marketing firms (or nation-states), will be using to de-obfuscate it?

- Why this is the point I should be caring about? They tracked what I was doing on my own computer. They relayed information about it to advertisers without my knowledge. That's unacceptable by itself. They then tell me they relayed *less* information than they *could* have. Literally, so what?

@KarlE @koehntopp The violation was that Firefox surveilled me and relayed information from that surveillance to a third party. My objection did not concern *what* the information was or *how much*. My objection was that they did it.

As far as the involvement of the ISRG goes— yes, I did see that, I find it alarming and disappointing, and I think they should face hard questions about why they're collaborating with the infosphere equivalent of industrial polluters (advertisers)

@mcc
@bert_hubert

Yeah, I went through a giant Singapore mrt station full of those ads.

@mcc I never understood how Apple managed to convince people who know nothing about privacy so badly that I at some point just gave up fighting with Apple fans about that! Every single one of their "privacy" moves was a shitty lie and the biggest of them was straight up abusing their monopoly to give their own ad network an unfair advantage and convince people it's good for them at the same time!

@gamey "Every single one of their "privacy" moves was a shitty lie"

I mean, I don't think I'd say "every". But I do think a lot of their privacy moves are more motivated by personal interest (for example anticompetitive desire to deny revenues to their business rivals) than they are by a principle-based interest in privacy. It's just some of those moves *also* in practice provide concrete benefit to the user. That is how I would frame it.

@mcc I didn’t even know about that Safari setting (shame on me) but it’s set to On for me across my devices. Maybe I turned it on years ago and it’s synced everywhere?
@chrisgervais As far as I can tell from my research it is on by default. There was a small disclosure added to Apple's privacy policy in 2021 recording this, which I guess is how you were supposed to know.
@chrisgervais You reread the privacy policy and T&Cs cover to cover every time they update, right?
@mcc 🤦🏻‍♂️ did not. That's extremely stupid