You're paying AI companies a monthly subscription fee to be fingerprinted like a parolee.

I got bored and ran uBlock across Claude, ChatGPT, and Gemini simultaneously.

Claude:

  • Six parallel telemetry pipelines.
  • A tracking GIF with 40 browser fingerprint data points baked into the URL, routed through a CDN proxy alias specifically to make it harder to block.
  • Intercom running a persistent WebSocket whether you use it or not.
  • Honeycomb distributed tracing on a chat UI because apparently your conversation needs the same observability stack as a payments microservice.

ChatGPT:

  • Proxies telemetry through their own backend to hide the Datadog destination URL from blockers.
  • uBlock had to deploy scriptlet injection — actual JS injected into the page to intercept fetch() at the API level — because a network rule wasn't enough.
  • Also ships your usage data to Google Analytics. OpenAI. To Google. You cannot make this up.
  • Also runs a proof-of-work challenge before you're allowed to type anything.

Gemini:

  • play.google.com/log getting hammered with your full session behavior, authenticated with three SAPISIDHASH token variants, piped directly into the Google identity supergraph that correlates everything you've ever done across every Google product since 2004.
  • Also creates a Web App Activity record in your Google account timeline. Also has "ads" in one of the telemetry endpoint subdomains.

When uBlock blocks Gemini's requests, the JS exceptions bubble up and Gemini dutifully tries to POST the error details back to Google. uBlock blocks that too. The error messages contain the internal codenames for every upsell popup that failed to load.

KETCHUP_DISCOVERY_CARD.
MUSTARD_DISCOVERY_CARD.
MAYO_DISCOVERY_CARD.

Google named their subscription upsell popups after condiments and I found out because their error handler snitched on them.

All three of these products cost money.
One of them is also running ad infrastructure.

Touch grass. Install @ublockorigin

#infosec #privacy #selfhosted #foss #surveillance

@k3ym0 @ublockorigin And how do you block all that in uBlock? Thanks.
@dancingtreefrog @ublockorigin download the browser extension! it will work with the default config :)
@k3ym0 @ublockorigin I have uBlock Origin, been using it for many years. I didn't know it blocked all that LLM stuff. Thanks.
GitHub - laylavish/uBlockOrigin-HUGE-AI-Blocklist: A huge blocklist of manually curated sites that contain AI generated imagery for uBlock Origin & uBlacklist.

@dancingtreefrog @ublockorigin so long as you're using the LLM stuff within a browser, it's all the same ;)
@k3ym0
Well, I don't use LLM stuff anyway... So I guess I never met it.
@ublockorigin
@k3ym0 @ublockorigin What about Mistral ? This is the one I use.

@OlivierBurnier @ublockorigin

Mistral: two blocked requests.

Cloudflare Insights ("is the site up") and a single Intercom beacon POST that didn't even retry.

that's it. no Statsig. no tracking GIFs. no Google Analytics. no distributed tracing. no proof-of-work challenge. no KETCHUP_DISCOVERY_CARD. nothing.

a French AI company nobody talks about is running the cleanest frontend in the entire field by a factor of roughly 150x and we're all sleeping on it

the French have figured it all out

#mistral #privacy #infosec

@k3ym0 @OlivierBurnier @ublockorigin they also have a better data handling policy because they are based in the EU, iirc they don't share your chats with third parties under any circumstances (well, police and government, you know how they work) and if they identify any personal information in your chats they don't process it for training
@k3ym0 @OlivierBurnier @ublockorigin that's because they have to comply with EU laws. I use LLMs very rarely but when I do I use Mistral.
Claude, Gemini and all the other US-American AI services have to comply with GDPR too, since they are offering services to European citizens. They just don't give a shit about it, and EU law is not yet enforced.
@Fokeu @k3ym0 @OlivierBurnier @ublockorigin

@kirschwipfel
there were already some penalties handed out which the US government labelled as censorship.

@Fokeu @k3ym0 @OlivierBurnier @ublockorigin

@[email protected]#duckhange @OlivierBurnier @ublockorigin What is your take on duck.ai?
Further limiting user profiling by using the Tor Browser?

#chat #privacy #tor #duckduckgo

@k3ym0 I get no trackers and no fees with KoboldCPP. 🤪
@k3ym0 oh man, is all of this just in the js console? i wanna see :D
@Viss ask and you shall receive.
@k3ym0 oh i was looking in the wrong place. i was swimming around in the inspector, not ublock. eeeeeeeenteresting!

> You’re paying AI companies a monthly subscription fee to be fingerprinted like a parolee.

No, I’m not.

@RodgeGrabTheCat @k3ym0
Same. You would not catch me dead using any of those theft and fascist supporting slop machines.

@k3ym0

I use Claude Code, which runs outside the browser. Do you think pihole can block disproportionate requests as well as uBlock blocks browser requests?

@siklist pihole can block requests by fqdn, but as you’ll notice, a lot of the third-party tracking infra was being proxied through other non-tracking infra to get around this. If Claude Code is somehow loading in JS artifacts (idk if it can or not) it could bypass pihole.
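
Added example, not part of the original thread: a small model of the point in the reply above, comparing what a hostname-only DNS sinkhole can decide with what a URL-aware in-browser filter can decide when telemetry is proxied through first-party hosts. All hostnames, paths and rules are constructed for illustration, and the parent-domain matching is an assumed, generous model of a sinkhole rather than any tool's actual matcher.

```javascript
// Added illustration. Every hostname and path here is constructed (.example is reserved).
const HOST_BLOCKLIST = new Set(["rum.vendor.example", "analytics.vendor.example"]);

// URL-aware rules of the kind a browser content blocker can apply: host suffix + path prefix.
const URL_RULES = [
  { hostSuffix: "vendor.example", pathPrefix: "/" },
  { hostSuffix: "chat.example", pathPrefix: "/telemetry/" },
];

const SAMPLE_REQUESTS = [
  "https://rum.vendor.example/v1/collect?sid=abc",                   // direct third party
  "https://chat.example/telemetry/v1/rum",                           // proxied via first party
  "https://cdn-alias.chat.example/telemetry/px.gif?tz=UTC&sw=1920",  // proxied via CDN alias
  "https://chat.example/api/conversation",                           // the product itself
];

// A DNS sinkhole sees only the queried name. Generous model: match the name or any parent.
function dnsSinkholeBlocks(url, blocklist = HOST_BLOCKLIST) {
  const labels = new URL(url).hostname.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (blocklist.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// An in-browser filter sees the full URL, so it can separate paths on the same host.
function urlFilterBlocks(url, rules = URL_RULES) {
  const { hostname, pathname } = new URL(url);
  return rules.some((r) =>
    (hostname === r.hostSuffix || hostname.endsWith("." + r.hostSuffix)) &&
    pathname.startsWith(r.pathPrefix));
}

function compare(requests) {
  return requests.map((url) => ({
    url, dns: dnsSinkholeBlocks(url), urlFilter: urlFilterBlocks(url),
  }));
}

// Requests that only the URL-aware filter stops.
function missedByDns(requests) {
  return compare(requests).filter((r) => r.urlFilter && !r.dns).map((r) => r.url);
}

console.table(compare(SAMPLE_REQUESTS));
```

Adding the first-party name to the sinkhole list does stop the proxied telemetry, but it also blocks the conversation endpoint on the same host, which is why path-level filtering matters here.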

@k3ym0 @ublockorigin
> Also ships your usage data to Google Analytics. OpenAI. To Google. You cannot make this up.

I was working on an internal analytics dashboard at some other Very Large Company What Competes With Google and someone pushed a change to fetch and run an analytics package directly from Google servers. I had to spend almost a week ripping out their changes and redoing the analytics using a lib that wasn't directly sourced from our primary competition (also I'm pretty sure the way it was used violated its license).

So yea my lack of surprise is palpable.

@k3ym0 can you translate for us older genx non computer folks? thanks

@sergiodomeyko every time you open one of these AI chat websites, before you type a single word, the website is secretly making hundreds of connections to other companies’ servers in the background.

those connections are sending those companies information about you — what browser you use, what computer you have, your screen size, your timezone, sometimes a unique digital fingerprint that can identify you specifically.

you’re paying a monthly subscription for these AI tools, and they’re ALSO selling information about how you use them to analytics companies, ad companies, and in Google’s case, adding it to the giant file they already have on you from Gmail, Search, Maps, and everything else.

uBlock Origin is a free browser extension that blocks all of this. it’s like a bouncer for your browser. Lmk if you want some help installing it :)

hope that helps. welcome to the modern internet - it’s a mess out here.

@k3ym0 thank you for your explanation. I will look into it.
@k3ym0 @sergiodomeyko
🙏
Your simplified explanation is a godsend, thank you!🏆
Did I understand this thread correctly that Mistral also does the same "bouncer" function as uBlock Origin, but with the added advantage of EU ethos?

@joseph11lim @sergiodomeyko

> Did I understand this thread correctly that Mistral also does the same "bouncer" function as uBlock Origin, but with the added advantage of EU ethos?

Not quite - it's not that Mistral is doing the same "bouncer" function as uBlock, it's that Mistral is built differently than the other AI websites in that it doesn't discreetly spy on you.

In essence, there's very little (or nothing) for the bouncer (i.e. uBlock) to do when you're using Mistral.

either way I highly encourage everyone to use uBlock :)

@k3ym0 @sergiodomeyko
Thank you so much, it's crystal clear now!🙏🙏
#instantfollow 😊
@k3ym0 @ublockorigin lowkey curious about lumo ai by proton

@CandlesARG @ublockorigin just checked - lumo comes back clean - 0 blocked requests.

in case you want to check it out for yourself, here are the docs: https://github.com/gorhill/uBlock/wiki/The-logger

@k3ym0 @ublockorigin Fascinating and worrisome. For the less technically adept, would uMatrix be as effective? Or are these specific capabilities of uBO?

@QuercusMacrocarpa @ublockorigin uMatrix is unfortunately abandoned — development ended in 2021, same developer as uBlock Origin, he just stopped. there's also an unpatched vulnerability in it so I'd avoid it at this point.

uBlock Origin in medium mode covers most of what uMatrix used to do for this specific threat — it blocks third party scripts and XHR requests by default which is exactly what catches the telemetry pipelines I documented.

one important caveat though: if you're on Chrome, uBlock Origin was gutted by Google in late 2024 as part of their Manifest V3 changes. the full version no longer works on Chrome. for real protection you need Firefox or Brave with uBlock Origin installed. which, honestly, is probably worth a separate post.

@k3ym0 @QuercusMacrocarpa @ublockorigin

> one important caveat though: if you're on Chrome, uBlock Origin was gutted by Google in late 2024 as part of their Manifest V3 changes. the full version no longer works on Chrome. for real protection you need Firefox or Brave

OR UngoogledChromium uBlock from
https://github.com/gorhill/uBlock/releases

Add localcdn or privacy Badger.

Do not use Google's store, it is a pernicious tracker... and


@Kerplunk @k3ym0 @QuercusMacrocarpa @ublockorigin

We're building an open-source, system-wide ad-blocker called Zen.

It sits outside the browser, so it's unaffected by the artificial limitations of Manifest V3 (among other benefits), so I'd recommend it to anyone still using Chrome.

We're aiming for 100% feature parity with uBO and other ad-blockers (already 90% there). Check it out if you're interested: https://github.com/ZenPrivacy/zen-desktop


@anfragment @Kerplunk @QuercusMacrocarpa @ublockorigin this actually looks pretty interesting.

Looks like it’s essentially a local-run explicit web proxy doing MiTM/TLSI?

@k3ym0 @Kerplunk @QuercusMacrocarpa @ublockorigin

Exactly. It sets up a local MITM proxy, inspects the request/response flow, blocks or modifies requests, and also injects custom CSS and JS into pages to emulate features that would normally require browser extension APIs.

To preempt the question - all proxying is local. The app has to install a root CA, but it's generated on-device and doesn't leave it.

@anfragment @Kerplunk @QuercusMacrocarpa @ublockorigin looks like you’re allow-listing OpenAI in zen-https-exclusions/common.txt (line 117/118)?

Wouldn’t that mean that it wouldn’t provide protection while using ChatGPT via browser?

Don’t get me wrong, I think it’s a wonderful idea, and your implementation actually looks very solid, but it doesn’t look like it would protect privacy within the context of my original post (unless I’m misunderstanding something, in which case please do correct me and tell me to RTFM or GTFO).

@k3ym0 @anfragment @QuercusMacrocarpa @ublockorigin

> Wouldn’t that mean that it wouldn’t provide protection while using ChatGPT via browser?

Thank you for the heads up. Will look into the allow listings and have added

https://github.com/Stevoisiak/Stevos-GenAI-Blocklist/

I have
0.0.0.0 chat.openai.com

in etc/hosts as a belt and braces approach.


@k3ym0 @Kerplunk @QuercusMacrocarpa @ublockorigin

We added those exclusions because the desktop ChatGPT app complains loudly about MITM, and we'd rather avoid people disabling Zen completely out of frustration.

On the telemetry endpoints: thank you for flagging ab.chatgpt.com - I've added a scriptlet similar to uBO's to our filter list and the requests are now blocked: https://github.com/ZenPrivacy/filter-lists/commit/1a1b3c045138abc66d0b47a900f9ed071461d244

Requests to GA were blocked already. Going through other ones in the original post as well.

@k3ym0 @Kerplunk @QuercusMacrocarpa @ublockorigin

Also, just to clarify - the exceptions control hosts traffic TO which gets allowlisted. Outbound requests FROM an allowlisted host still get filtered through Zen.

@anfragment @Kerplunk @QuercusMacrocarpa @ublockorigin I saw your PR! Thanks so much for tagging me - you're a legend :)

Honestly I stumbled across it by mistake bc I was curious how you handle exemptions.

At this point I just want to know how I can help support what you're doing :)

@k3ym0 @Kerplunk @QuercusMacrocarpa @ublockorigin

Thank you! Dropped you a message on Signal.

@anfragment @k3ym0 @QuercusMacrocarpa @ublockorigin

Zen, looks good, working on the same principle as NetGuard on Android which is very effective, not always easy to set up though.

I will be testing Zen on antiX 26 Multi Init beta.
Will also put an info post on antiX forum sometime soon.

@k3ym0 @ublockorigin

This is really helpful information - thank you!

From Firefox + uMatrix on Windows, currently in the process of becoming a Windows refugee on macOS; had started with Safari, but leaning toward shifting to Firefox (more privacy protections?) and apparently with uBlock Origin based on what you mention.

Might also be worth a separate post to explore the “why” of the devious telemetry obfuscation - e.g. no ads for ChatGPT Plus, so why hide Datadog etc.?

@QuercusMacrocarpa @k3ym0 @ublockorigin

> but leaning toward shifting to Firefox (more privacy protections?)

No, pls consider LibreWolf, it is the latest Firefox but does not fleece the user.

Use a privacy respecting DNS provider, never cloudflare or google 8.8.8.8 that signifies Heil h twice for nazis.

@Kerplunk @k3ym0 @ublockorigin

Thank you for mentioning LibreWolf, had not been on my radar. Took a look and it is appealing that it apparently has uBO bundled in!

The only downside of uBO I’ve run across since installing is that something (am presuming blocking of Google Fonts) causes odd characters in the menuing for some sites (like Google Maps but also non-google sites that must use their fonts).

And thanks for the reminder about DNS, have been meaning to switch to Quad9


I only use the free models on offer by duck.ai, and do it sparingly and in a self-contained manner. I decided that if those models are not enough for a problem, then I would probably be better off seeking a source with real authority and intelligence. They can track my anonymous private (network and browser) sessions all they want 😎, if they wish to.

(And that annoying non-cross-poster can go fuck itself. I’m deliberately posting this here because of it. So, Mission Accomplished!)

@k3ym0 @ublockorigin What about Lumo from Proton?