Mozilla officially started supporting Tracking Protection in Private Browsing mode with Firefox 42, which launched a couple of weeks ago. Congratulations to everyone who worked on the launch! The onboarding looks awesome and the unified UI is a nice touch, although I have to admit a preference for the original, engineer-designed marketing aesthetics pictured below.
Even outside of Private Browsing mode, you can still take advantage of Tracking Protection by going to about:config and turning on privacy.trackingprotection.enabled. This behavior has been supported for over a year since Firefox 34, so it's great to see Mozilla making this more usable by turning it on in Private Browsing mode.
I hope that Mozilla continues to use its products to challenge the notion that we owe our eyeballs, our computing resources and our entire browsing history to the ad industry, with no questions asked.
Thursday, November 19, 2015
Thursday, May 28, 2015
Advertising: a sustainable utopia?
Advertising generates $50 billion annually in the US alone, but how much of that figure reflects real value? Approximately ⅓ of click traffic is fraudulent, leading to $10 billion in wasted spending annually. Counting revenue due to fraud towards the value of advertising is like counting money spent on diabetes treatments as part of the GDP -- if those figures went to zero, it would reflect a healthier ecosystem, or healthier people in the diabetes case. For people making money on advertising, it is difficult to accept that a reduction in annual revenue can mean that things are better for everyone else.
Even when ads are displayed to real people, they often create little to no value for the ad creator. According to Google, half of ads are never viewable, not even for a second. In addition, adblocking usage grew by 70% last year, and 41% of people between 18-29 use an adblocker. The advertising industry responds to these trends by making ads increasingly distracting (requiring large amounts of resources and unsafe plugins to run), collecting increasingly large amounts of data, and creating more opportunities for abuse by government agencies and other malicious actors. As Mitchell Baker put it, do we want to live in a house or a fish bowl?
There has to be a better way. Why can’t a person buy and blank out all of the ad space on sites they visit at a deep discount, since targeting machinery would no longer be relevant? Why aren’t subscriptions available as bundle deals, like in streaming video? Solutions like these are hypothetical and will remain so as long as we maintain the fiction that the current advertising revenue model is a sustainable utopia.
Thursday, May 21, 2015
Tracking Protection for Firefox at Web 2.0 Security and Privacy 2015
Edited to add: I wrote a followup post to address comments here and elsewhere that advertising is working as intended. This paper has been reported incorrectly in several places as being about cookie blocking. Tracking protection blocks all traffic, not just cookies.
My paper with Georgios Kontaxis got the best paper award at the Web 2.0 Security and Privacy workshop today! Georgios re-ran the performance evaluations on top news sites and the decrease in page load time with tracking protection enabled is even higher (44%!) than in our Air Mozilla talk last August, due to the prevalence of embedded third party content on news sites. You can read the paper here.
This paper is the last artifact of my work at Mozilla, since I left employment there at the beginning of April. I believe that Mozilla can make progress in privacy, but leadership needs to recognize that current advertising practices that enable "free" content are in direct conflict with security, privacy, stability, and performance concerns -- and that Firefox is first and foremost a user-agent, not an industry-agent.
Advertising does not make content free. It merely externalizes the costs in a way that incentivizes malicious or incompetent players to build things like Superfish, infect 1 in 20 machines with ad injection malware, and create sites that require unsafe plugins and take twice as many resources to load, quite expensive in terms of bandwidth, power, and stability.
It will take a major force to disrupt this ecosystem and motivate alternative revenue models. I hope that Mozilla can be that force.
Thursday, April 2, 2015
Some links about tracking and security
A roundup of links on tracking, advertising and security. These are not complete or even representative, but may be useful to somebody.
Attitudes towards tracking and surveillance
- 91% of adults in the survey “agree” or “strongly agree” that consumers have lost control over how personal information is collected and used by companies (http://www.pewinternet.org/2014/11/12/public-privacy-perceptions/)
- 64% believe the government should do more to regulate advertisers, compared with 34% who think the government should not get more involved (ibid)
- 40% of teen social media users say they are “very” or “somewhat” concerned that some of the information they share on social networking sites might be accessed by third parties like advertisers or businesses without their knowledge (http://www.pewinternet.org/2013/05/21/teens-social-media-and-privacy/)
- 81% of parents report being “very” or “somewhat” concerned about how much information advertisers can learn about their child’s online behavior (ibid)
- 17% of the adults who have heard about the government surveillance programs say they have changed their privacy settings on social media in an effort to hide their information from the government (http://www.pewinternet.org/2015/03/16/how-people-are-changing-their-own-behavior/)
- Smart, Useful, Scary, Creepy: Perceptions of Online Behavioral Advertising (https://www.andrew.cmu.edu/user/pgl/soups2012.pdf)
Advertising and fraud
- Malvertising abuses RTB, using fingerprinting and microtargeting to do things like spearphish (https://threatpost.com/ad-networks-ripe-for-abuse-via-malvertising/111840)
- Doubleclick used to spread malware (https://blog.malwarebytes.org/malvertising-2/2014/09/googles-doubleclick-ad-network-abused-once-again-in-malvertising-attacks/)
- Doubleclick and Zedo used to spread malware (https://blog.malwarebytes.org/malvertising-2/2014/09/large-malvertising-campaign-under-way-involving-doubleclick-and-zedo/)
- Too many to count: https://blog.malwarebytes.org/?s=advertising
- Malvertising doubles every year since 2011 (http://money.cnn.com/2014/10/15/technology/security/malvertising/)
- 67% of bot traffic comes from residential IPs. Bot traffickers remotely control home computers to generate ad fraud profits. 19% of retargeted ads are consumed by bots, and even higher in video (http://www.whiteops.com/botfraud, well worth downloading)
- 56% of ad impressions are never seen, not even for a second (http://think.storage.googleapis.com/docs/the-importance-of-being-seen_study.pdf)
Bugs
- Facebook personal information leak from shadow profiles (https://www.facebook.com/notes/facebook-security/important-message-from-facebooks-white-hat-program/10151437074840766, http://packetstormsecurity.com/news/view/22713/Facebook-Where-Your-Friends-Are-Your-Worst-Enemies.html)
- Google accidentally collects data from unencrypted WiFi (http://www.pcworld.com/article/2048541/google-loses-appeal-in-street-view-privacy-lawsuit.html, http://googleblog.blogspot.com/2010/05/wifi-data-collection-update.html)
- Apple keeps 3G location log (http://blog.chron.com//techblog/2011/04/why-is-apples-ios-logging-location-information-updated/)
Tracking
- NSA uses Google cookies to pinpoint targets for hacking (http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/10/nsa-uses-google-cookies-to-pinpoint-targets-for-hacking/)
- Facebook cookies and EU law, similar to Facebook Beacon complaints (http://www.theguardian.com/technology/2015/mar/31/facebook-tracks-all-visitors-breaching-eu-law-report)
- How Target figured out a teen girl was pregnant before her father did (http://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/)
- Acxiom: the company that knows if you own a cat or if you're right-handed (http://www.telegraph.co.uk/finance/newsbysector/retailandconsumer/5231752/Acxiom-the-company-that-knows-if-you-own-a-cat-or-if-youre-right-handed.html)
Some privacy litigation
- Google broke Canada’s privacy laws with targeted health ads according to The Office of the Privacy Commissioner of Canada (http://www.theglobeandmail.com/technology/tech-news/google-broke-canadas-privacy-laws-with-targeted-ads-regulator-says/article16343346/)
- Google loses Safari cookie tracking case and also loses on appeal (http://appleinsider.com/articles/15/03/27/google-loses-uk-appeal-in-safari-cookie-tracking-case-could-face-trial)
- Facebook Beacon lets third party sites publish events to people's feeds (http://www.pcworld.com/article/184029/facebook_halts_beacon_gives_9_5_million_to_settle_lawsuit.html)
- Google Buzz privacy lawsuit (http://mashable.com/2010/09/03/google-buzz-lawsuit-settlement/)
- Suit dismissed against Jetblue and Acxiom for using customer data without their knowledge (http://www.aviationpros.com/news/10433407/ny-federal-judge-dismisses-lawsuit-against-jetblue-acxiom)
- Suit against Acxiom for buying driver data from Arkansas DMV (http://ivebeenmugged.typepad.com/my_weblog/2010/01/dppa-class-actions.html)
Tuesday, March 31, 2015
Two Short Stories about Tracking Protection
Here are two slide decks I made about why online tracking is a privacy concern, and a metaphor for how tracking works.
Thursday, March 19, 2015
How do I turn on Tracking Protection? Let me count the ways.
I get this question a lot from various people, so it deserves its own post. Here's how to turn on Tracking Protection in Firefox to avoid connecting to known tracking domains from Disconnect's blocklist:
- Visit about:config and turn on privacy.trackingprotection.enabled. Because this works in Firefox 35 or later, this is my favorite method. In Firefox 37 and later, it also works on Fennec.
- On Fennec Nightly, visit Settings > Privacy and select the checkbox "Tracking Protection".
- Install Lightbeam and toggle the "Tracking Protection" button in the top-right corner. Check out the difference in visiting only 2 sites with Tracking Protection on and off!
- On Firefox Nightly, visit about:config and turn on browser.polaris.enabled. This will enable privacy.trackingprotection.enabled and also show the checkbox for it in about:preferences#privacy, similar to the Fennec screenshot above. Because this only works in Nightly and also requires visiting about:config, it's my least favorite option.
- Do any of the above and sign into Firefox Sync. Tracking Protection will be enabled on all of your desktop profiles!
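To confirm which of these settings actually took effect in a profile, the preference files can be checked directly. The following is an added example, not code from the original post or from Mozilla: it parses the text of a profile's prefs.js and optional user.js and reports the state of the two preferences named above. The function names and the sample file contents are constructed for illustration.

```python
import re

# One line of a Firefox prefs.js / user.js file looks like:
#   user_pref("privacy.trackingprotection.enabled", true);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

TP_PREF = "privacy.trackingprotection.enabled"   # pref named in the post
POLARIS_PREF = "browser.polaris.enabled"         # Nightly-only pref named in the post

def parse_prefs(text):
    """Return {name: value} for user_pref lines; a later line overrides an earlier one."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref call
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def tracking_protection_state(prefs_js, user_js=""):
    """Classify a profile. user.js is applied over prefs.js at startup, so it wins."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    if merged.get(TP_PREF) is True:
        return "enabled"
    if merged.get(TP_PREF) is False:
        return "disabled"
    if merged.get(POLARIS_PREF) is True:
        return "polaris-only"   # Nightly switch set, TP pref itself not recorded
    return "not-set"            # user never changed it; the build's default applies

# Constructed sample file contents (not taken from a real profile).
SAMPLE_PREFS_JS = '''\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("privacy.trackingprotection.enabled", false);
'''
SAMPLE_USER_JS = 'user_pref("privacy.trackingprotection.enabled", true);\n'

if __name__ == "__main__":
    print(tracking_protection_state(SAMPLE_PREFS_JS))                  # prefs.js alone
    print(tracking_protection_state(SAMPLE_PREFS_JS, SAMPLE_USER_JS))  # with user.js override
```

To run it against a real profile, pass in the text of that profile's prefs.js (and user.js, if one exists).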
Wednesday, March 18, 2015
Tracking Protection talk on Air Mozilla
In August 2014, Georgios Kontaxis and I gave a talk on the implementation status of tracking protection in Firefox. At the time the talk was Mozillians only, but now it is public! Please visit Air Mozilla to view the talk, or see the slides below.
The implementation status has not changed very much since last August, so most of the information is still pretty accurate.