Back

This is weird & bad for so many reasons. But what I focus on is:

1. I believe, morally if not practically, this tracking is *worse* than the old 3rd-party cookies. This is because 3rd-party cookies were a legitimately useful tech that could be misused for ads. This tech is *designed* to benefit advertisers from word go, yet is installed on *your* computer, like Malware.

2. Firefox is *worse than Chrome* in their implementation of ad snitching, because Chrome enables it only after user consent.

Now to be clear, the disclosure Chrome provides to users is not *adequate*. Their wording of the "Ad Privacy" feature popup is highly disingenuous and the process to disable once notification is given is too complex and must be performed on a per-profile basis. But at least they *do it*, and to my knowledge don't track/send the data until the popup is displayed. Whereas Firefox just snuck this in in a software update, checked by default and you're probably learning about it now, on social media.

Other, loose angles to consider this from:

- Google/Firefox claim their tracking features are not "tracking" because they use something called "differential privacy". I don't have room to explain this class of technology, but I sincerely consider it to be fake. Without getting into the details, they provide *less* information to the advertisers than a cookie would have. But I'd prefer they provide none. Steps are taken to anonymize the data, but what is anonymized can often be de-anonymized.

- The language Google/Firefox use to describe their ad snitching policies just makes my blood boil, an insult on top of the injury of the features themselves. Google uses the label "Ad Privacy" for a feature group that strictly decreases privacy over doing nothing. Firefox calls it "Privacy-preserving ad measurement". You know what would preserve my privacy more? *Not measuring*. I understand why Google is lying to me to protect their own business, but Firefox is supposed to be a nonprofit. WTF.

- Firefox's "Privacy-preserving" ad tracking has other interesting issues. In another way the new ad snitching is worse than the old tracker cookies, Firefox doesn't *tell* you what data it's collected or reported, and unlike with cookies doesn't give you the ability to delete recorded "impressions".

Also interestingly, the feature is not available to *all* advertisers currently, only a "small number" of partner sites. *Firefox doesn't disclose who they are*, again making this worse than $GOOG.

- This event seems to tie in with other confusing developments around Mozilla as a company/"Foundation". I do not know enough about these issues to comment on them intelligently. I know only that Mozilla has, inexplicably for a nominal nonprofit, recently bought an advertising firm: https://mastodon.social/@jwz/112650295543215212

and that I have seen… let's say "criticism" of recent changes to the board makeup: https://www.spiceworks.com/tech/tech-general/news/mozilla-cpo-sues-company-over-disability-discrimination/

Anyway, I guess that's a lot of typing. The TLDR is:

- There is now a feature labeled "Privacy-preserving ad measurement" near the bottom of your Firefox Privacy settings. I recommend turning it off, or switching to a more privacy-conscious browser such as Google Chrome.

- I have filed two bugs on Firefox about this, which I am choosing not to link to dissuade brigading. If I have not been banned from the bug tracker by next week I will file another bug about the ChatGPT integration in nightly

Update 2: I didn't know this, but it turns out Apple Safari is *also* spying on what ads you view and click on, and sending that info (with some anonymization) directly to advertisers via a backchannel?

https://www.apple.com/legal/privacy/data/en/safari/#:~:text=You%20can%20disable%20Privacy%20Preserving,off%20Privacy%20Preserving%20Ad%20Measurement.&text=When%20you%20are%20in%20an,Pay%20enabled%20on%20that%20device.

It's worse documented than the Firefox/Chrome versions, and like Firefox (unlike Chrome) there is no clickthrough consent. I don't expect better of Apple, but this *grates* given they're running big "A browser that's actually private." billboard ads in my neighborhood.

@dmarti @mcc I think "advanced" is just another name for "don't you worry your pretty little head over it, darling".

@darkling @dmarti @mcc
I'll let "The Tallest" explain this one.
https://www.youtube.com/watch?v=inR02pEesCQ

@JetForMe @dmarti My read is that unchecking it will cause safari to send less data, and leaving it checked will cause safari to send more.

@meduz @mcc wow, seems like you might be able to file a complaint
https://commission.europa.eu/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en

@emilsit @dmarti It turns off the ad measurement.

@hub i mean, as far as i know they actually do have good cameras. that advertisement was probably accurate.

@soypunk Saying something on a blog really has nothing to do with disclosing to users. Mozilla *also* mentioned "ad measurement" in a release notes post, but I did not see it, because I don't download my browser from a release notes page, it's automatically updated for me in the background by my OS. the same would be true for safari users.

@aardvark @soypunk it tracks browsing behavior and reports about it to advertisers without the user's knowledge

@mcc @soypunk I read it carefully and see that it does something pretty arm’s-length from the “tracks browsing behavior” characterization. So I’m seriously curious where folks find fault with what it does. Where does a person’s privacy come into play?

@aardvark @mcc Your are right that if PCM works as designed then the user details _are not leaked_ to the advertiser because of how it strips out identifiers and randomly delays the relaying of the click tracking to further prevent the advertiser from aligning the click tracking info to their own internal data. On paper it should work but it has to be out in the wild to determine if the spec is actually doing what it is designed to do.

@aardvark @mcc The issue up for discussion is how Apple communicated PCM to end-users and whether it should have been made opt-in. The sad reality is making it opt-in would have made advertisers “opt-out" and we are back to the same place we were before - playing whack-a-mole with advertisers over privacy. PCM was a bargain that if advertisers could get some data to measure effectiveness of ad campaigns then maybe we could find a balance. (I loathe ads as much anyone but here we are.)

@soypunk @aardvark I'm gonna object to the framing there: It's not a "bargain" if you make it on someone's behalf without telling them. That's just theft.

And it looks to me like the advertisers have kept playing whack-a-mole anyway, so apparently nothing was achieved. Fingerprinting tech for example didn't stop just because Apple started snitching on its customers directly

@mcc @aardvark 100% - just so we are clear I totally get where you are coming from.

My ideal world is one in which advertisers get 0 data from me and ideally don't even exist. I don't get the concept of ads at all, they don't appeal to me, and I don't want to help them.

Sometimes things come into existence as an iterative step to a better place. If the ad world rejects or works around things like PCM then implementers can tell the ad world they've violated it and can further restrict access.

@aardvark @soypunk I believe that learning a piece of information about my browsing sessions— which ads I saw— actually is a concrete privacy impact whether or not that information is specifically correlated with me as a person. There is more than one problem here.

@jszym oh yeah. thanks for reminding me, i was gonna boost today https://ordinary.cafe/@technobaboo/112781970993978577

@KarlE I've written a response but the 1/x makes me think I should wait for you to finish lol

@mcc we like the web to have content, preferably well researched information and not garbage, that costs effort. we don't want to pay with our data, we don't want to be tracked. we don't want to pay money for a subscription (which also implies giving our data, as by proving we have paid we must identify and are also trackable). so how should the site cover their costs? context based, non personalized ads - but advertizer must find it worth paying, by seeing conversions. 3/x

@koehntopp

@mcc I think what ISRG have come up with is worth looking at critically but constructively. they need to reveal what sites displayed the ad leading to visits, without enabling them to learn about the behaviour of their individual visitors. they also need to prove, or at least make it plausible to visitors that they do not perform profiling themselves, as being a central agency would make them ideally positioned to do so. That's where this splitting of information comes in. 4/x

@koehntopp

@mcc now, I'm not a protocol expert to tell whether the half here half there submittion of data is suitable to ensure privacy, and in any case we have to trust the agency to only recombine after aggregation and without keeping tabs on identifiable user info. But I think the bigger hurdle will be to convince the advertizing industry that the mechanism and they as an agency are trustworthy to base their ad payments on. 5/x

@koehntopp

@mcc fact is, getting revenue from ads had become very difficult. I am member of a nonprofit society that runs a special interest web community (now 28k YAU, peeked at 130k years ago), we used to pay servers and a fraction of staff salary with ad revenue a decade ago. now we decided to scrap them because the payout is negligible. we can do this because we are funded by membership fees and donations and no longer have paid staff, only volunteers.
A business would go bust. 6/x
@koehntopp

@mcc so I think, of the various ill-conceived things Firefox has been doing and said they are planning (I could rant at length about that - why not stick to providing a decent piece of software, rather than operating cloud services, buying companies etc.), here they botched the way of introducing this privacy ad thingy, but the mechanism itself deserves some credit (unless someone takes it apart and shows that it is flawed), and is far better than what the others are doing. 7/7

@koehntopp

@KarlE @koehntopp Category Two tech is sometimes *worth using*. Tor is worth using. There is differential privacy tech I personally use (in one of my web browsers, no less). But I don't see it as the kind of tech that can make hard, 100% promises. It's a technology that lowers risk— lowers, not eliminates. I see no reason to accept *any* risk just because ad companies wish they could track on which websites their ads are being seen. That is not my problem.

@KarlE @koehntopp I do not accept your premise that if ad-supported content corporations can get paid more for ads, that they will put that money into content. Rather, I think they will fire the writers making the content, replace them with "AI", and simply keep the additional ad revenue. This seems to be the space the writers I know are in (sometimes the corp skips the "AI" step and just fires people).

@KarlE @koehntopp You mention donation/"Patreon" style funding models. The writers I know meeting with success seem to largely be moving to this model. I'm not convinced ad-funded content has a place in the future of the Internet, and if we get an opportunity to intentionally exclude it from that future — for example, by making the advertising less profitable — I think that opportunity is at least worth exploring.