1. 38
  1.  

  2. 13

    Probably a new method for fingerprinting your browser based on audio support?

    1. 4

      Got it in 1!

      1. 1

        whaaa?!

        1. 2

          The expression “got it in one” means that your first guess was the correct one.

          1. 1

            Hooray! Also, dammit.

    2. 16

      And this is why ad networks are a cancer and need to die in a fire.

      1. 4

        Too bad they’re literally the financial underpinning for the modern internet…

        1. 5

          Advertising was financially underpinning a lot of things long before the internet in the form of <img src="/ad.png"> or, on TV, as <video src="/ad.mp4"></video>. You don’t need all this tracking to display ads.

          1. 2

            There was tracking, in the form of “number of issues sold / subscribed”, and “number of viewers per show” (per outfits like Nielsen).

            As the old saying went: “Half of the money I spend on advertising is wasted, but I don’t know what half”. The internet promised to change that. You would only serve golf ads to middle-aged men in the Sunbelt, not vegan women in Portland[1]…

            The only thing stopping this stuff now is legislation. CPM almost always drops, more and more people are using adblock, ads are actively hurting the consumer by consuming power for no other reason than to enrich the advertiser, there’s rampant fraud… it’s a zero-sum race to the bottom where everyone is a loser, but no-one in the industry dares leave money on the table.

            [1] or to serve specifically to the few who also golfed

            1. 3

              There was tracking, in the form of “number of issues sold / subscribed”, and “number of viewers per show” (per outfits like Nielsen).

              This is very different. The Nielsen ratings were essentially an opt-in polling system: you could register to become a “Nielsen family” and then everything you watched was tracked, which works very differently from the current internet, which tracks everyone.

              The internet tracking is also much more intimate. Nielsen tracked whether you watched Star Trek, Magnum P.I., or The Bold and the Beautiful. The internet touches on practically every aspect of our lives.

              1. 2

                It’s a difference in degree, not in kind. But I agree with you, and so do many more people, that it’s gone too far.

                But legally it’s just the same as tracking ads in the “old” way.

                1. 1

                  Differences in degree can be so vast that they become differences in kind, IMO. Too, I think that there’s a self-defeating aspect to the race towards ever finer advertising discrimination – as the tools to measure get better, it is becoming more and more obvious that advertising doesn’t really work at all; and that is going to make it harder and harder to justify spending money, which will lead Faceboogle to become ever more intrusive chasing marginal returns. I think the attention economy is deep into its death spiral.

                  1. 2

                    I’d prefer to pull up before Western society collides with a mountain made of surveillance data.

                    What’s interesting to me is that the debate in the 1970s and 1980s in Sweden about the risks of government agencies knowing too much about citizens is almost entirely forgotten, now that it’s multinational corporations that know all about us.

                    1. 1

                      Oh, sure. And it’s not like Faceboogle is going to go quietly into that good night if their business model started to collapse.

                      1. 2

                        Nope. Expect intense lobbying to protect the revenue stream from any legislation threatening it…

            2. -1

              Same shit, different way.

              1. 1

                This is getting marked as incorrect, but the formula is surely obvious and unchanging.

                1. Release new API in Chrome representing static-per-machine, but dynamic-per-user devices (let’s be real, probably with Google’s intent)
                2. Leverage output from that API to (Serving an image, WebGL rendering, USB in your browser, MIDI, whatever)
                3. Identify and create a hash representation of individual characteristics and fingerprint.
                4. Link fingerprints together when they match by user profile, or leak content between each other.
                5. Repeat.

                Doing this with the audio API now? Same shit, different way. It’s just another characteristic to improve the individual fingerprinting of users.

            3. 1

              They don’t have to be, though. :)

              1. 1

                Nope! I’m happy to pay for services instead of the service provider relying on ads/selling my personal info.

            4. 3

              But more seriously, I am really disappointed in Stack Overflow, I thought they were better than this. They’re a high quality site visited by lots of great developers that companies should be willing to kill for to reach with ads, they should be able to set up a more premium and self-hosted ad service than those el cheapo user-hostile Google ads.

              1. 2

                Even if it were what they intended to do, SOF can’t perfectly police everything in a timely fashion, I’d wager.

                1. 4

                  I don’t see how they would need to police anything if their own ad platform did not run arbitrary JavaScript. Also, their terms of service could disallow certain things that are considered not okay and ban whoever violates the rules. Preferably forever. Now they’re just left to whatever rules Google has (if any).

                2. 1

                  They don’t choose their ads. Once they choose to go use ads in general, they throw a “slot” into their site, and some ad network analyzes their pages and publishes ads that are “relevant” to users who are “relevant” on pages that are “relevant”.

                  1. 1

                    Yeah but that’s kind of pointless considering the audience is more or less the same: we’re all developers. Besides, SO has more data to know what’s relevant to a user than some iframe does.

                    1. 1

                      Ad platforms target specific content on a per-page basis. StackExchange is a lot of sites, and isn’t only for developers.

              2. 8

                Don’t trust anyone: Firefox > uBlock Origin > uMatrix > anti-fingerprinting addons > disconnect from the internet forever > burn any electronic device > move into a cave

                I’m at the 4th stage right now.

                1. 4

                  Here’s some advice: Don’t try too hard. I burned myself out trying to “protect” myself from tracking and now can’t bring myself to care past using adblock.

                  1. 2

                    I go on and off on blocking Javascript. It’s a privacy and security apocalypse and you can’t responsibly run it, but blocking it breaks too much of the web, and even trying to do harm-reduction leaves stuff I really need to work broken. (I was trying to book hotel rooms in Europe and the standard payment form setup involved cross-origin iframes in such a way that having uMatrix installed caused it to silently fail. Toggling all the enforcement off wasn’t enough to make it work, but disabling it at the browser level did.)

                    What I want—which I don’t think exists—is not to block loading from certain origins, but to block features globally. No timing more accurate than a second. No timeouts. No keyboard, mousemove, or scroll events. Throttle to 1% of available CPU capacity after the first second. Basically prevent it from fucking things up while still allowing it to run so it can load and render page content. Browsers used to provide configuration for some of that (I remember going into Opera’s settings and unchecking all the “allow scripts to” options), which mostly seems to have gone away, and I haven’t seen any extensions offer anything similar (and I’m not sure they even could technically).

                    1. 1

                      I use Safari with tons of stuff disabled as my browser, and Chromium in private mode for e.g. logging into Amazon or visiting sites I’m not familiar with. It’s a pain, but honestly, making the shitshow that is the modern web harder to use has benefits. It’s a harm reduction strategy because I’m too chicken to pull the plug entirely.

                    2. 1

                      Well, I’m not that easy to give up.

                      uMatrix is already in my workflow for visiting pages and if websites really don’t want to cooperate with Firefox (more than you’d imagine), I just use Chrome on a similar setup.

                      But if I’m avoiding the bad stuff in my day to day routine and “allow” less protection in some rare circumstances, I’m kind of ok with it.

                      1. 1

                        I haven’t used Chrome in over a year. Where do you go that doesn’t support Firefox? I wonder if it’s just an addon making things less functional.

                        1. 1

                          As someone who hasn’t invested the time and energy into anonymizing my browser, I’m curious how much the effort pays off. Would you indulge my curiosity to see what your fingerprinting score / percentages are on AmIUnique? https://amiunique.org/fp

                          1. 2

                            I think the purpose of the fingerprinting techniques is to randomise the values, so your fingerprints will still be unique but not traceable?

                      2. 2

                        Add a stage of “exclusively use gopher rather than the web” in between anti-fingerprinting addons and disconnect from the internet.

                        1. 1

                          I think you only need uMatrix if you are trying to block specific cookies on some sites. If you are just blocking JavaScript uBlock Origin can do that, and Firefox itself can do cookie bans by domain.

                          1. 2

                            uMatrix gives you a full picture of how each page behaves and works, to me that’s invaluable. I can decide if I want the captcha to load, the video to be fetched or anything else.

                            To me that’s better than a mysterious addon which does everything automatically but I don’t know what it’s letting through.

                            With uMatrix I know a page doesn’t do anything bad unless I trust it sufficiently enough to enable its core components, one by one.

                        2. 5

                          Initially, the main point of Google Adwords was that they were against banners (commonly with gif or Flash animation), popups and similar traditional web advertising forms at that time. They’ve been promoting unobtrusive text-only ads tightly related to page content.

                          Now they show mostly JavaScript ads, with the level of annoyingness of Java applets. Text ads are completely gone, I can’t remember seeing any recently. I can’t remember when this change happened and don’t understand why silly flashy banners won again.

                          1. 4

                            Response from Stack Overflow’s Architecture Lead: https://meta.stackoverflow.com/a/386499/459877

                            We are aware of it. We are not okay with it.

                            1. 1

                              And think of all the sites that are either not aware of it or completely okay with it. StackOverflow serves programmers, a group that is much more likely than the regular population to care or even just know about tracking. I doubt Facebook gives a damn about Google’s ads fingerprinting users–or even a small site like Bulbapedia (to pick a random example, no offense Bulbapedia.)

                            2. 2

                              If someone was trying to sneak in audio detection for fingerprinting purposes, allowing it to be run on ads from Microsoft on StackOverflow was incredibly dumb. If there’s one area of the net where this would be a) detected and b) discussed, it’s there.

                              No doubt this has been implemented widely already and this is the first time anyone has noticed at all. Scary.

                              1. 1

                                Personally, I don’t really care much about “tracking” per se. I don’t like it very much, but it seems like a reasonable compromise with getting easy-to-access content on the cheap, it’s not like humans are looking at most of the data they gather anyway, and most of the big problems are present in other cases. I’d be more worried about someone looking at my email inbox than I would at the ad profile.

                                What pisses me off about online ad networks is the lack of accountability or security. You get ads that pretend to be operating system dialogs, ads that are simply dishonest about where they lead, ads that integrate Monero miners, ads that include zero-day exploits, ads that ship PUPs, and ads that simply break the page they’re in. Even if I was actually interested in something that was advertised, I’d never actually click it anyway, because I’d be scared it would lead to a Vsearch install or worse.

                                The kind of crap that ad networks carry would never be tolerated if they weren’t getting money in exchange for running them. Online adverts should not be able to include anything that wouldn’t be allowed by GitHub-Flavored Markdown. There are ad networks that work like this, such as the Hiveworks banners (pure images), the older version of AdWords, and sponsored posts on The Orange Site.

                                More than that, ad servers need quality control. In a simple, ideal, case, sites that serve false or malicious ads should suffer legal consequences.

                                1. 2

                                  I disagree with it being a reasonable compromise. In most other business transactions, we’re aware of what we’re paying for the service or product and what we get in return.

                                  The transaction, in this nature, is so heavily skewed towards the advertisers and consumers of that data it’s grossly unfair.

                                  We are not aware of what they are collecting, as this post itself indicates in the identification process alone, nor the true cost of it.

                                  Whenever we give up data we pass the rights of disclosure, along with the data, to whatever company collected it. It’s not just that small amount of data, it’s the right to share it with whoever they choose.

                                  What they collect, how they collect, and who they share it with (the cost) is largely hidden from one side of the transaction. This is intentional and not representative of how most fair transactions occur.