Firefox, one of the first “Do Not Track” supporters, no longer offers it

idspispopd

Ars Scholae Palatinae
884
Until someone figures out a way to filter out the poisoned traffic noise and isolate the signal again. The countermeasures only work when a minority of people use them. Once it becomes a “problem” for the trackers they will find a way around it.

It will always be an arms race. The incentive to track isn’t going away as long as the web is primarily advertising funded. So long as that incentive is there companies will fund brilliant people to come up with workarounds to all of your countermeasures.

The only way I see to conquer tracking is to change the rules of the game. Make it illegal so the major players aren’t willing to risk it, or figure out a way to change the business model of the internet.

I’m not going to hold my breath for either one.

Yes, real legislation is the ideal answer. But with the US actively changing back to feudalism, I don't see much hope for legislation that doesn't benefit the nobility.

What I like about data poisoning is it changes the arms race so that it harms both sides. When trying to avoid tracking their data stays safe, it is only if the users are being violated or not. With sending bad data their data set takes damage too while they try to find new ways to violate the user's privacy.
 
Upvote
17 (19 / -2)

foofoo22

Ars Tribunus Militum
1,921
Subscriptor
Recommend Cookie Autodelete extension over incognito/private mode web browsing.

Fully configurable to keep or delete cookies based on criteria you define (and automatically delete cookies after leaving a web site).

Otherwise, private mode gets annoying with having to re-login to sites all the time on your private computer.
 
Upvote
17 (17 / 0)
Every time I see one of those popups with a "legitimate interest" option that I can turn off I know for a fact they don't give a crap about the law. If you have a legitimate interest then, under the GDPR, you don't even need to give an option to decline consent. The only "legitimate interest" is what's strictly needed to provide the service, anything else is not.

Quite recently I visited a new website and when the GDPR popup appeared, it mentioned sharing data with over 800 "legitimate interest" partners. I decided I could probably find the same information elsewhere, and left.
 
Upvote
27 (27 / 0)

jdale

Ars Legatus Legionis
17,218
Subscriptor
I use Privacy Badger and uBlock Origin. I don't know how all these people who claim they use NoScript to block javascript actually have a functional internet because every single website uses it now and will break if you block javascript completely. Other than that, the only thing that would really fix the situation is for the US to pass comprehensive privacy legislation which...

...haha, yeah, the US of A do something pro-consumer? That interferes with our precious corporate profits. That will never, ever happen, especially under the incoming dictatorship.
NoScript is a pain for sure. It would be nice if you could default to trust for first-party scripts.

I occasionally fall back on a different browser. But I accept that as a cost of having most of this garbage blocked. Still, I would not recommend NoScript to the average user.
 
Upvote
6 (6 / 0)

Eurynom0s

Ars Tribunus Angusticlavius
7,523
Apparently the DNT request was itself a data point companies were using to fingerprint browsers. Using a combo of privacy extensions might too, since unless they're 100% effective, rare combos of extensions is a great fingerprint data point.

Also, how is the system level DNT on iOS different, if at all? I know the prompt says "ask not to track" not "block tracking" but unclear if it being at the OS level means Apple is able to enforce it any better than a browser can.
 
Upvote
3 (3 / 0)
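A worked illustration of the fingerprinting point in the post above, added here and not part of the original thread: each observable attribute contributes "bits" according to how rare its value is, so an uncommon DNT setting or an unusual mix of blocked content shrinks the set of visitors you blend in with. The population, attribute names and proportions are constructed for the example.

```javascript
// Constructed population of 16 visitors; attribute values and proportions are
// invented for illustration, not measured data.
function repeat(n, visitor) {
  return Array.from({ length: n }, () => ({ ...visitor }));
}

const population = [
  ...repeat(8, { ua: "A", dnt: null, blocked: "none" }),
  ...repeat(4, { ua: "B", dnt: null, blocked: "none" }),
  ...repeat(2, { ua: "A", dnt: null, blocked: "ads" }),
  ...repeat(1, { ua: "A", dnt: "1", blocked: "ads" }),
  ...repeat(1, { ua: "A", dnt: "1", blocked: "ads+scripts+fonts" }),
];

// Number of visitors indistinguishable from `target` on the given attributes.
function anonymitySet(pop, attrs, target) {
  return pop.filter((v) => attrs.every((a) => v[a] === target[a])).length;
}

// Self-information, in bits, of observing target's values for `attrs`.
function surprisalBits(pop, attrs, target) {
  return -Math.log2(anonymitySet(pop, attrs, target) / pop.length);
}

// Bits each attribute adds when attributes are observed in the given order,
// plus the size of the anonymity set that remains after each one.
function marginalBits(pop, attrs, target) {
  let previous = 0;
  return attrs.map((attr, i) => {
    const seen = attrs.slice(0, i + 1);
    const total = surprisalBits(pop, seen, target);
    const added = total - previous;
    previous = total;
    return { attr, added, anonymitySet: anonymitySet(pop, seen, target) };
  });
}

// The visitor with DNT on and the rarest blocking profile.
const privacyUser = population[population.length - 1];
for (const row of marginalBits(population, ["ua", "dnt", "blocked"], privacyUser)) {
  console.log(`${row.attr}: +${row.added.toFixed(2)} bits, anonymity set ${row.anonymitySet}`);
}
```

In this constructed population the DNT value alone separates the visitor from all but one other person, and the blocking profile then makes them unique.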

Coriolanus

Ars Praefectus
5,949
Subscriptor
Recommend Cookie Autodelete extension over incognito/private mode web browsing.

Fully configurable to keep or delete cookies based on criteria you define (and automatically delete cookies after leaving a web site).

Otherwise, private mode gets annoying with having to re-login to sites all the time on your private computer.
The problem is that cookies aren't the only thing that tracks you. A 3rd party marketing company can put a 1x1 pixel on a page with a script. If your browser goes to a page and the browser downloads the pixel, now the marketing company knows which page you went to, where you may have come from, what your IP is, and a whole bunch of other data.

Cookies, especially 3rd party cookies, haven't been super relevant for a long time, so only addressing cookies doesn't reduce your risk that much.
 
Upvote
28 (29 / -1)

caelia

Smack-Fu Master, in training
50
Subscriptor++
Ventured over to Tumblr in-browser once, and when attempting to Reject All I followed the link to their legitimate interest list. I fell down that rabbit hole and really wished I hadn't afterwards. You could turn the allegedly legit interests off, but there was no select all option—each one had to be toggled off individually. There were 1400 "legitimate interests."
 
Upvote
20 (20 / 0)

foofoo22

Ars Tribunus Militum
1,921
Subscriptor
The problem is that cookies aren't the only thing that tracks you. A 3rd party marketing company can put a 1x1 pixel on a page with a script. If your browser goes to a page and the browser downloads the pixel, now the marketing company knows which page you went to, where you may have come from, what your IP is, and a whole bunch of other data.

Cookies, especially 3rd party cookies, haven't been super relevant for a long time, so only addressing cookies doesn't reduce your risk that much.
Yes. Incognito mode doesn't correct any of that either. I was just suggesting an alternative to incognito mode cookie protection.
 
Upvote
6 (6 / 0)

equals42

Ars Scholae Palatinae
1,103
Subscriptor++
There is no fix as long as there is a profitable market for your personal data. GDPR helps greatly for EU folks but the US is the obvious problem. If we’d follow their lead, there would be no viable market for this data aggregation and the issue would be greatly mitigated. The odds that the US Congress will do anything is laughable though.
 
Upvote
12 (12 / 0)

Fatesrider

Ars Legatus Legionis
22,646
Subscriptor
"From the people that brought you mandatory cookie pop-ups..."

Disabling third-party cookies is the only marginally useful option.
And some plugins like consent-o-matic

Other than that, not sure what can be done
In my case, I have the browser clear all cookies before closing - except for specific sites. THOSE sites can track me. But other than those sites, they get dumped and a new cookie has to be sent to be tracked.

That means I have to sign into most sites I visit except for a mostly trusted few. And when its window gets closed, the cookies it sent are deleted.

Like most folks here, I've known the "do not track" setting was aspirational more than real. But if one regularly purges the cookies of untrusted sites (which are most of them), the new ones should only record a first arrival. It's still tracking, but it's following a very, very broken trail.
 
Upvote
3 (3 / 0)

DeeplyUnconcerned

Ars Scholae Palatinae
679
Subscriptor++
"Reject All" should include submenus, otherwise this would be a dark pattern and a violation of your rights under GDPR - similar to those fortunately dwindling number of websites that do not even have a Reject All button to begin with.

The thing about Legitimate Interest is that a data processor is required by law to explain in detail why their interest in collecting this data is legitimate, otherwise data subjects have the right to object and to have their records deleted.

This is most likely why you'll see some websites having checkboxes for Legitimate Interest whilst others do not: we can assume that those sites who don't offer the option are confident in their processing actually being within the confines of the law, whereas those that allow you to opt out simply count on users being too lazy or ignorant to do so.
Another example of dark patterns, considering they are not even supposed to be opt-out but opt-in to begin with. Report them to your Member State's national privacy protection watchdog and hopefully, the violator will amend their ways once they get slapped with a warning or a fine.

On a sidenote, Consent-o-Matic also works on submenus; assuming you configured it accordingly, it basically sets everything to "Reject" that a website's consent menu offers a button/toggle/checkbox for.

Disclaimer: I am not a lawyer, just worked for a few years as GDPR POC for CS in my previous company (gaming multinational)
Assumption: most sites are using one of a limited number of "GDPR privacy popup" providers, and those providers are all incentivized to push tracking as far as they can get away with, likely with at least implicit pressure from Google.

Observed pattern over the course of "early GDPR": most sites have all the consent options on by default with a way to turn them off -> some sites start having a specific "Google" section of the privacy popup with everything marked as "legitimate interest" -> most sites have all the consent options off by default but a less-easy-to-find "legitimate interest" section with everything on by default. Assumption: they are getting the tracking they want from things they believe they are allowed to claim as "legitimate interest", so they're toggling consent off by default because they no longer think they need it, and they think it makes them look more privacy-friendly.

What exactly "reject all" does is not entirely clear in most cases. In some cases, that button is explicitly marked something like "I do not consent". You will note the standard wording is "withdraw consent" for the normal setting and "object to legitimate interests" for the LI settings. This makes me assume that "I do not consent" does not "object to legitimate interests", which on the assumption that all the various popup providers are reading from the same playbook (which may or may not have been written by Google...), suggests that "reject all" generally only covers consent, not legitimate interest.

My rough, very-not-a-lawyer, very-haven't-actually-read-it understanding of GDPR is that this should all be illegal under the intent of the law, but my assumption is that Google think they have a firm enough case that they're acting in good faith that they can get away with doing it this way until a court tells them to knock it off.

My assumption for why some sites don't have "legitimate interest" options is that those sites don't make enough from ads (it usually seems to be smaller sites) that it's not worth their upgrading the popup to the latest "claim legitimate interests and capture everything" version. I don't think I've ever seen a large, ad-supported site (but I repeat myself) without LI buried in there somewhere (and on-by-default). My assumption is that, one way or another, Google pays more if you're willing to take the Legitimate Interests Pledge and send them all the data, and because "everyone else is doing it" and "Google says it's legal", all the big sites take the Pledge.

Final note, for people saying "remove legitimate interests completely", there is a need for it for certain things. Like, if you offer a service that users have to sign up for, but they opt out of all GDPR data collection... how do you create an account for them? There's a point at which you need to be able to - particularly for users of intermediate technical savvy - rely on the implicit consent that they're proactively signing up for your service and therefore probably are OK with you storing their account details.

It's just that Google et al have - probably illegally - trojan-horsed that into full tracking on the basis of "well they're using the site and the site is supported by ads and the ads only make money if they're tracking everything all the time so really, when you think about it, they are implicitly consenting to us tracking everything just by visiting the site so it is a legitimate interest". And it's bullshit, and they know it's bullshit, but they can (following Facebook's recent playbook) make a few billion doing something obviously illegal while they fight it out in court, and then switch to another obviously-illegal approach, spend a few more years fighting that out too, make another few billion in the meantime, rinse and repeat.
 
Upvote
15 (15 / 0)

gosand

Ars Scholae Palatinae
1,289
I think Ars has covered browser fingerprinting before, though it's not mentioned in this article. EFF has a great page called Cover Your Tracks explaining how difficult it is to achieve any sort of privacy on your browser. Worth checking out and seeing how identifiable you really are.
Great, thanks for this! My desktop, Firefox on Linux w/ubo and blocking hosts file, has partial protection. Although one of the criteria noted around video card was incorrect. DuckDuckGo on my mobile has strong protection. Might need to look into the unique fingerprinting though.
 
Upvote
2 (2 / 0)

hel1kx

Ars Scholae Palatinae
1,445
I mostly browse Internet in Private mode and click "accept all" on everything.
For the sites I use on regular basis I have, the mentioned, NoScript.
Privacy/Incognito browsing doesn't protect you from tracking, it mostly just doesn't save browsing history/data to your device. From Google:

What Incognito mode doesn’t do

  • Prevent you from telling a website who you are. If you sign in to any website in Incognito mode, that site will know that you’re the one browsing and can keep track of your activities from that moment on.
  • Prevent your activity or location from being visible to websites you visit and the services they use, your school, employer, or your Internet Service Provider.
  • Prevent the websites you visit from serving ads based on your activity during an Incognito session. After you close all Incognito windows, websites won’t be able to serve ads to you based on your signed-out activity during that closed session.

How Chrome Incognito keeps your browsing private
 
Upvote
9 (9 / 0)

starglider

Ars Scholae Palatinae
970
Subscriptor++
NoScript is a pain for sure. It would be nice if you could default to trust for first-party scripts.

I occasionally fall back on a different browser. But I accept that as a cost of having most of this garbage blocked. Still, I would not recommend NoScript to the average user.
It actually does have that option! I agree, though, that it's definitely for more advanced users. One thing I haven't heard mentioned, though, is how incredibly fast NoScript makes the web. Most sites load in literally <1 second. If you're an Ars reader, you definitely have the knowledge to use it. Give it a try for a week, and I bet most people won't go back.
 

Upvote
16 (16 / 0)
I hit a website recently that included the EU-required "here are all the permissions we are requesting" banner. Said banner prominently included a statement touting the site's support for my privacy and how the site would respect my choices. The options presented were "accept all cookies". There was only that one button.

It's a site I need to access for work. I was not impressed.
 
Upvote
19 (19 / 0)
Or just browse in incognito mode - and all records of the site are wiped when closing the tab, as they are specific to each tab.
Incognito modes are usually per session, not per tab. All tabs across all incognito windows share a session, which doesn't end until all are closed. So to prevent cross-site cookie tracking you'd need to close all incognito windows before going to the next site.
 
Upvote
6 (7 / -1)

niwax

Ars Praefectus
3,269
Subscriptor
I'm in this boat. uBlock Origin, NoScript, Privacy Badger and also Decentraleyes and a PiHole on the network. It may not be perfect, but I have to think it puts data tracking back to the 90s, just HTTP headers to the primary domain and IP address.

NoScript is definitely hard mode internet browsing, at least at first. Once you have your whitelist built out, it's much less of a big deal. It's also illuminating, especially as a developer, how many websites depend on JS for things simple markup can handle, and how many websites try to load a small mountain of script from 36 domains. Looking at you, local news sites.

What ads I do see, mainly through smartphone apps--and yes, I know--are untargeted or so poorly targeted that it doesn't matter. Think retailers from another region entirely.

Those are the same that us with tracking also see... There is practically no reliable evidence that extreme targeting and ad auction do anything other than increase profits for advertising middlemen and provide shiny presentations as to why websites should stay inside those networks. The real solution here is economical, not technological.
 
Upvote
6 (6 / 0)
uBlock Origin with the appropriate lists gets rid of the "Accept all" annoyances but the tracking would happen anyway as many (most?) sites save a cookie before you get to click anything. The effectiveness of that "Reject All" is dubious at best on the large scale.
There is no such thing as “Reject All” if you read the fine print (at least in the EU). That option always enables what are considered “essential cookies”, which include unique identifiers that can be used for tracking.
 
Upvote
4 (4 / 0)

close

Ars Tribunus Militum
2,041
There is no such thing as “Reject All” if you read the fine print (at least in the EU). That option always enables what are considered “essential cookies”, which include unique identifiers that can be used for tracking.
Of course the Reject All simply refers to anything that can be rejected. That's not even hidden in the law. What's more, the site saving unique identifiers in first party cookies is also not a problem, staying logged in for example relies on a cookie and it's basic site functionality. But many sites go way further than that and simply save the cookies the moment you visit the site.
 
Upvote
4 (4 / 0)
Disabling third-party cookies is the only marginally useful option.
And some plugins like consent-o-matic
Third party cookies is the only way for publishers to track someone across multiple websites. So removing them does what "Do not track" was supposed to achieve.

Another approach is to disable cookies entirely, or browse in private mode - which lets you keep the session cookie and delete it as soon as you quit.

The problem is, there are other ways to track users, known as fingerprinting, which is harder if not impossible to fight.
 
Upvote
6 (6 / 0)

The_Motarp

Ars Scholae Palatinae
1,041
Advertising is a structural problem that needs a structural solution. IMO the best solution would be to recognize that excess advertising is fundamentally harmful to society and slap it with a “sin tax,” similar to what you often see on things like alcohol or tobacco. Non targeted advertising that supports content creation, like radio, television, and magazine ads, and YouTube sponsors could be taxed at a lower rate. Billboards, targeted advertising that uses collected personal information, and things like paid product placement that try and hide that they are advertising would all be taxed at higher rates.

Also, the companies that buy advertising need to be educated about the fact that they are in a Red Queen’s Race. No matter how much money they spend on advertising, they will never actually increase the amount of money consumers have to spend. As a result, spending ever increasing amounts of money on ever more privacy violating forms of advertising just shrinks their profits ever smaller as it swells the profits of the advertising companies.

If the companies who make actual useful products had any sense at all they would be screaming at the government to regulate advertising down to the bare minimum practical. Unfortunately almost all those companies are run by MBAs who are dumber than a bag of rocks and will sacrifice anything for one more quarter of increased profits.
 
Upvote
9 (10 / -1)

Telco

Seniorius Lurkius
6
I outright block most JavaScript on the Internet with NoScript and I do also have Ublock Origin and Privacy Badger running. Alas, I'm under no delusion that any of that makes me untrackable. At best it makes me a little less easily trackable. I do sometimes wonder if blocking tracking cookies, domains and services is even worth it and not just a fool's errand...
I agree, I use most of these tools and also expect that the tracking is still very effective by non-relevant companies paying the site authors. In addition, with reCaptcha introduction, they are not disclosing to these tools, so I have been locked out of companies who use reCaptcha. I am back to paper/snailmail with the vendors. The most unusual release of privacy on a site I was excited to use yesterday revealed 353 linked partners in Privacy Badger which was a rude reminder.

I respect in USA that Broadband is less expensive because not all of the content providers are direct connect to ISP where they would be required to have a subscription fee to defer the costs so they can pay the ISP for transport. Honestly, if we cannot afford broadband without tracking, should it really be a requirement that we have broadband resulting in non-relevant companies can track us?
 
Upvote
2 (3 / -1)
I have done a lot of research and found a three part plan to avoid being tracked:

1. Only use library computers, loudly, and by watching inappropriate content
2. Lose your phone frequently, or go through a series of burner phones
3. Embrace a shaggy, filthy appearance so facial recognition trackers are foiled

You also need a car at least ten years old, and nothing with any kind of IOT or AI in your house. In short, you have to either opt-out of modern society or act like one of the disoriented people at the library downtown if you want to avoid being tracked.
I should be good to go, then!
 
Upvote
4 (4 / 0)

uesc_marathon

Ars Scholae Palatinae
833
Many have replied with using Privacy Badger, but does anyone actually know and can explain how it is effective? I've been using it for a few years, but have to disable it quite often because of broken sites. I can't rely on "well it breaks sites so it must be doing something".
Link: https://privacybadger.org/#How-does-Privacy-Badger-work

The short version is that Privacy Badger attempts to work similarly to antivirus software that does heuristic behavior scans. It looks for sites that appear to be using known tracking techniques on you like tracking pixels and also are not from the same domain as the site you are visiting, and blocks any more communication from those sites when it identifies them.
 
Upvote
10 (10 / 0)
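A simplified sketch of the heuristic described in the post above, added here as an illustration and not Privacy Badger's own code: a third-party domain is blocked once it has shown tracking-like behaviour on enough distinct first-party sites. The threshold of three sites, the two signal checks (an identifier-like cookie, a 1x1 image), the two-label domain approximation and all hostnames are assumptions of this example.

```javascript
// Approximation of the registrable domain: the last two labels.
// Real tools consult the Public Suffix List instead.
function baseDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Assumed signals for this sketch: a cookie whose value looks like a
// unique identifier, or a 1x1 image response (a tracking pixel).
function looksLikeTracking(req) {
  const firstPair = (req.setCookie || "").split(";")[0];
  const value = firstPair.split("=").slice(1).join("=");
  const idCookie = /^[A-Za-z0-9_-]{16,}$/.test(value);
  const pixel = (req.contentType || "").startsWith("image/") &&
    req.width === 1 && req.height === 1;
  return idCookie || pixel;
}

class HeuristicBlocker {
  constructor(threshold = 3) {
    this.threshold = threshold; // assumed value for this example
    this.seenOn = new Map();    // third-party domain -> Set of first-party sites
  }

  // Decide on one request, then learn from it for future decisions.
  handle(req) {
    const page = baseDomain(req.pageHost);
    const dest = baseDomain(req.requestHost);
    if (page === dest) return "allow"; // first-party traffic is never counted
    const sites = this.seenOn.get(dest) || new Set();
    if (sites.size >= this.threshold) return "block";
    if (looksLikeTracking(req)) {
      sites.add(page); // repeat sightings on the same site do not add up
      this.seenOn.set(dest, sites);
    }
    return "allow";
  }
}

function replay(requests, threshold = 3) {
  const blocker = new HeuristicBlocker(threshold);
  return requests.map((r) => blocker.handle(r));
}

// Constructed request log (hostnames and values are made up).
const pixel = { contentType: "image/gif", width: 1, height: 1 };
const sampleLog = [
  { pageHost: "www.news.example", requestHost: "cdn.news.example", ...pixel },
  { pageHost: "www.news.example", requestHost: "px.tracker.test", ...pixel },
  { pageHost: "shop.example", requestHost: "px.tracker.test",
    setCookie: "uid=Zx81Qm4TtLp09aBcD3f; Path=/" },
  { pageHost: "blog.example", requestHost: "px.tracker.test", ...pixel },
  { pageHost: "forum.example", requestHost: "px.tracker.test", ...pixel },
  { pageHost: "forum.example", requestHost: "fonts.static.test",
    contentType: "font/woff2" },
];

console.log(replay(sampleLog));
```

The tracker is only blocked on the fourth site because the heuristic has to observe the behaviour before it can act, and the third-party font host stays allowed because it never shows a tracking signal.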

AreWeThereYeti

Ars Praefectus
4,479
Subscriptor
Just remember this. When you click one of those "reject all" buttons or whatever it is to say you don't want to be tracked, you have absolutely no way of verifying whether they've actually honored your request, or if the button is just a placebo that actually does nothing at all. All of the "privacy policies" in the world don't change that fact; plenty of companies have been outed for ignoring their own privacy policies without consequence.

Use a VPN to look like you're in the EU. There they have actual consequences for the website lying. Funny how consequences are the only thing that works.
 
Upvote
3 (4 / -1)

Maarc

Seniorius Lurkius
31
Other than clicking “reject all” every 4 seconds, is there anything else that works? Are privacy badger/ghostery/etc still relevant these days?
Definitely relevant to me.

I use a combination of Privacy Badger + uBlock Origin on Edge - it seems to get rid of a lot of cruft. Notably, for sites like Ars and what not, I ensure that uBlock Origin is turned off - they're regular sites, they deserve the ad impressions I serve.

Notably, with Ars and only Privacy Badger, I still get occasional popups when accessing articles stating I have an Ad Blocker in place - which isn't true? But hey ho.
 
Upvote
0 (0 / 0)
Apparently the DNT request was itself a data point companies were using to fingerprint browsers. Using a combo of privacy extensions might too, since unless they're 100% effective, rare combos of extensions is a great fingerprint data point.
The only problem is it's called "do not track", not "track me more". If some website or ad network uses DNT as a fingerprinting data point and it ever came out in a court case within the EU, it would lead to an instafine, as the GDPR says someone "may exercise his or her right to object by automated means using technical specifications", i.e. the DNT header.
 
Upvote
2 (2 / 0)
Do Not Track seemed like a good idea at the time, but so did Java and the DMCA. Ad trackers immediately figured how to circumvent DNT and with no enforcement there we are. Now if web tracking protections were like the Fair Debt Collection Practices Act and violations cost money things would be different. As it is ads have become so intrusive and affect site usability so much I run Blokada on my phone and uBlock Origin on all my computers.
 
Upvote
-2 (0 / -2)