NoScript doesn't mess around, it is hardcore and paranoid. I run it with the non-recommended "Temporarily allow top-level sites by default"/"Base 2nd level Domains" option in order to ease the pain a little bit. Still, sometimes I can't figure out how to watch a video, or leave a comment, or some other interaction. But I will suffer the pain, for the web is a brutal, unforgiving no-man's land. I think NoScript has saved me from some spear-phishing attacks. I hope. You just can't let strangers run code on your machine, no matter the sandbox. It's the reality that we live in.
It's a damn shame that it's not available for Chrome. There are various rip-offs, with confusingly similar names, but the real deal is not available. Last I checked Chrome doesn't have sufficient hooks to block scripts early enough.
The opt-in could be more transparent. I just installed Ghostery and the option says[1]:
> Help Support Ghostery by sending anonymous statistical data back to Ghostery HQ.
It is only when you click more information that you find out this information can be sent to other companies "Ghostery community..", and then only when you click on the FAQ and read the section about Ghostrank is it clearer how this information is being shared [2] and with whom.
No mention of ad networks as clients. No mention of helping ad networks better target ads, in fact their FAQ explicitly states:
> Evidon doesn’t work to allow advertisers to be more invasive.
Ghostery market to the privacy community. Their Twitter account[3] has been on top of the recent NSA story and other privacy stories and they promote their product as a solution for the privacy conscious. The way they have co-opted the community, funneling new users into their product via user ad tracking fears, while at the same time selling the data via a vague opt-in feels disingenuous to me.
I think the 'fix' here could be as simple as acknowledging third-party sharing in that initial opt-in screen, and then updating the language in the FAQ to include clarification on how it is shared.
I don't remember where I read about it, but I've known about it for a while. I was never particularly upset - I understood it to be aiding ad networks in targeting, which I think is a good thing.
You seem to think this line implies they are not improving targeting:
> Evidon doesn’t work to allow advertisers to be more invasive.
But this says to me they don't help advertisers shoehorn ads in more places, not anything about targeting.
I'm indifferent to it, I knew they were collecting data, I didn't know where it was going from there.
I have never used or recommended Ghostery because I don't believe blacklisting tracking targets is the solution.
The 'more invasive' line isn't clear - it isn't a term that you find in other privacy policies. It would be difficult to be 'more invasive' than tracking with third-parties on the web the way it is today.
I think they may be forced into expanding and clarifying that line and parts of the FAQ if this becomes a popular issue.
I read that entire section and can't figure out what they do or don't do ..
Ghostery claims 8 million users are opted in to "share" their data. From the informal polling I've done of Ghostery users (I work on an anti-tracking alternative called Disconnect), I believe less than 1 in 10 of those users know Ghostery is selling their browsing data to advertisers.
If Ghostery cared about being more transparent than the ad industry, they'd have to do a lot more than fix their FAQs. They should opt out all of the 8 million users who opted in without being told their data would be sold. Then Ghostery should re-onboard these users with accurate messaging. Quite frankly, Ghostery should also send checks to the 8 million users for all the money Ghostery made off their data.
Unless I am mistaken, saying that "Ghostery is selling their browsing data to advertisers" is wrong, at least to common understanding of those terms.
I have Ghostery installed and I do knowingly opt in to the anonymous data sharing. From their FAQ (http://www.ghostery.com/faq#q16) my understanding is that there is nothing personally identifiable about this data, they are just using my interaction with the web to say "Tracker X appeared on website Y". I see nothing wrong with this.
I'm happy to let them gather this information and profit from it - they are providing me with a useful service and selling that aggregate, anonymous data lets them stay in business and continue to provide me with their service. If I am misunderstanding something, and this data can be used to identify me as an individual, I would welcome an explanation.
Nick, this isn't something new that Ghostery started doing; this has been in the addon since day 1, even before Evidon purchased Ghostery. There are multiple articles "exposing" this find, and it's not something we've been hiding. The feature is opt-in.
As far as the use of data, some of the products Evidon is now making are so new that the GhostRank information panel has not needed an update. We'll be modifying the wording to be clearer, but just to make sure, we never collect or use PII info, just the trackers information to use in products such as this: http://www.evidon.com/trackermap
Ghostery does other shady stuff. I have to frequently go to my settings page to disable tracking of all trackers because every time it updates its list, it won't automatically block the new trackers. As far as I know, it doesn't have an option to enable this, nor does it notify me that the list has been updated and several trackers are still unblocked.
This doesn't look good for Ghostery but hypothetically both of these statements can be true.
They may be referring to the idea that they don't sell an individual's data, only massed results, so no one can be singled out. This is how census data is used, the data itself is never sold but companies can ask for certain queries to be done on the data which are then performed by the census bureau and returned to the client.
Companies don't keep promises. No company that buys another is going to be bound by something some developer said three years prior.
I wonder if small startups doing popular things for geeks are heading towards a similar backlash against "selling out" that the alternative music scene had in the 80's and 90's.
I think this is a good analogy. I was involved with indie bands in the 90s and startups now (disclosure: I work on Disconnect, a Ghostery alternative) and have been saying how much the scenes are alike.
But the band - I mean, startup - has to take some responsibility. In this case, I think they have to take a lot of the responsibility. When you sell your startup to a company called Better Advertising (Evidon's name before switching), can you really be surprised when the company starts selling your users' data to advertisers?
As the author of that post 3 years ago, nothing has changed:
- Ghostery does not collect user info, just tracker info.
- Evidon sells reports like this: http://evidon.com/trackermap and not actual data sets.
Ad blocking is already beneficial for the ad industry. The sort of people who install ad blocking are also the type who never interact with ads. The net result is an improved CTR/CPA because ad impressions are not being wasted on someone who would not convert in the first place.
Brand awareness campaigns and media buys would be the sort of exception you're talking about and you're absolutely right. Or if you're a company who buys a ton of fraudulent traffic in order to inflate your Alexa/Quantcast/Hitwise/etc rankings, then every impression counts as well.
However, if the advertiser is like the bulk of online advertising (e.g. one of the many for-profit online-degree-mills or someone pushing the latest weight loss pills) they tend to very aggressively optimize towards a desired CPA and eliminating non-converting traffic is always the goal. A better CVR creates happier advertisers which leads to higher bids & budgets and then higher publisher payouts.
It's possible for advertising to have negative value.
There are brands / stores / products I've avoided specifically because of the advertising, whether it was annoying, disgusting, insulting, belittling, bigoted, or whatever. I've got several examples in mind as I speak.
They do only have value when somebody pays attention to them and I am not ever going to buy a no-operation solution for my non-existent male pattern baldness, nor am I interested in "losing weight using $N weird tips discovered by a serial rapist victim".
The truth is ads mostly don't have value -- but the worse your product is the more you need ads.
I have always wanted to make an extension which would use a random cookie (from any of the users) instead of just blocking ads. This would totally mess up their targeting and reports. It would not help the ad industry at all.
Given that I have spent years working in the ad industry and writing ad servers, this is somewhat ironic.
That's already been implemented. With the shift to CPC, there are people who write that kind of software and sell to sleazy publishers. On the other side, ad servers have a fraud detection module that looks for those random clicks.
You assume that everybody stores the visitor data in the cookie. Nowadays only the visitor ids are stored there, identification is made also by all the info you and your browser provides and the rest of the data which actually contains the user's interests and visited sites is in distributed NoSQL/SQL replicated databases.
I work in the ad industry, specifically real time bidding and I am thinking it would be kind of pointless.
While browser/device fingerprinting has made great strides, if this was really pointless, you wouldn't see so much of a hue and cry over some of Mozilla's decisions to block third party cookies. (http://www.iab.net/mozilla).
Flashcookie and localstorage based techniques are hardly legal. Store user profiles server side, but you will still be fooled by a different visitor id in the cookie (and fingerprint for that matter), won't you?
Yup. So many workarounds. Simply the IP+UA alone contains enough entropy to uniquely detect the majority of users already, you don't need to store anything at all.
ETag cookies work quite well too and don't require any additional software or "hacking"-esque approaches.
You just totally blew my mind. I had never considered that blocking ads could ever be beneficial for an ad network. Are there any numbers of this sort published by the industry?
If your CTR is twice what it would have been you can command half the eCPM but as you also have twice the inventory it all just factors out... like, if this matters, then the math is broken somewhere. Even more clearly, in the usual CPC case, anyone not clicking on the ads is effectively irrelevant.
It's weird that nobody mentioned Disconnect[1], which is an open source alternative to Ghostery. I've used it in the past, but shifted back to Ghostery because it was buggy.
I just mentioned Disconnect, but I make Disconnect. :-)
You should try the new Disconnect (Disconnect 2) which has a lot more features than Ghostery and is even rated higher by users than Ghostery is. We just launched Safari and Opera versions today (and are also available on Chrome and Firefox).
Hello! Love the tool. Dropped Ghostery for it a while ago.
One criticism: It's not clear from the popup what the numbers mean. Are they counting scripts loaded, or scripts blocked? The same for the colouring. Are coloured icons blocked, and greyed ones allowed through, or vice-versa? And of course the tickboxes.
The numbers indicate requests (as in HTTP requests) attempted by the tracking companies. Green (or checked) indicates the requests were blocked. Gray (or unchecked) indicates they were allowed.
Ghostery has the option to block all trackers at once in a big list with 1490 trackers. Disconnect 2 doesn't provide this option, does that mean that all the known trackers are blocked by default?
Some pages I visit show 100+ requests but when I enter the add-on it only shows 2 advertising attempts and maybe 1 analytics request. Where do these other hundred requests come from and were they effectively blocked from communicating with its third-party provider?
Disconnect 2 basically replaces HTTPS Everywhere, which I find nice.
We saved you a click. :-) Disconnect blocks (2,000+ tracking sites) by default.
The number of requests in the dropdown menu should add up to the number of requests in the toolbar counter (we do group requests by company, which Ghostery doesn't do, so you will see less rows in Disconnect's UI if that's what you mean). Do you have a site where the two aren't equal?
The only thing I would like to do is block certain trackers manually. For example "geoplugin.com" is enabled by default in Disconnect while I can block it manually in Ghostery. And I became used to not seeing Google +1's and Tumblr share buttons etc. Isn't there the possibility to block them even before I visit a page? Right now I need to disable them via the Disconnect UI and the page needs to reload.
Yeah, I think later this week. (We actually had a Coinbase implementation before we launched, which we decided to pull last minute because we thought there was a little too much Bitcoin and Coinbase uncertainty at the time.)
And thanks for it! Its blocking is great and the interface is by far the most user-friendly of the bunch :) I switched to it when it was mentioned on HN a few months ago.
edit: Apparently it is free. Your website is incredibly confusing and misleading. I read through it, saw the "Pay what you want" bit. Entered 0$ but nothing happened, no new button or something. So I assumed it was not available for free. I also did not see what browsers were supported.
I only found out that it works for Firefox on Github. That is also where I saw the GPL. And then I got curious what the "Get Disconnect" button might have done so I returned and clicked. And to my surprise it gave me an extension installation prompt...
The UI of the extension is completely opaque to me. What is "secure Wi-Fi"? I am not using Wi-Fi. What does "secure search" mean? No mouseover tips and https://disconnect.me/d2/help does not help me at all. I am not even sure what the things are that page talks about.
What are the Facebook, Google+ and Twitter counters/buttons for? I am not using those sites and I thought your extension would block their tracking. Why does it reload the current page if I click on those buttons?
I loaded a random page. There is an 8 on the DM icon but if I extend the dropdown it just shows 1 Analytics item. In the list that item has a ticked checkmark. Does that mean it is allowed? I do not want that tracker allowed. I thought you blocked automatically?
Please consider having a feature stop and work on the UI next. Right now I could not recommend this to my most technically versed friends because I am not understanding it myself.
Agree. I've been using Ghostery for a couple of years.
I've installed Disconnect and tried to compare it with Ghostery.
Disconnect does not remove counters from the page. At least, it doesn't remove google-analytics scripts.
With Ghostery enabled (default settings) it disappeared from the source HTML code.
Also, Disconnect has a very confusing interface. There is a content section with a number which is constantly counting allowed requests to trackers, as I understood. Why? I installed this plugin to not be tracked or load any third-party scripts.
I was very excited about the new (for me) Disconnect plugin, but not now. Can't recommend as well.
> “Anything that gives people more transparency and control is good for the industry,” says Meyer, who says it’s fine with him that most Ghostery users opt not to share data with Evidon. Meyer points out that those who want to block online advertising are unlikely to respond to it, making Ghostery use good for both sides.
Can people really not tell the difference between 'my data is being sold' and 'an aggregate based on my data plus data from a million others is being sold'?
A company that only collects data when the user opts-in and sells innocuous products like market-share information and tracking tag audits for individual sites hardly deserves the ire. It's not like it's the federal government.
Apparently not. All tracking of all kinds even when completely anonymized is evil and bad and you should feel ashamed of yourself for even thinking otherwise /s
I'm not too surprised to read this story. Ghostery seems to have redone their UI recently and it looks like one of those form-over-function redesigns that happen when a company comes into some money, decides to spend it on looking pretty but forgets to spend any of it on usability analysis. Since it sounds like their revenue does not come from the users, making it look pretty but less useful doesn't really hurt them as long as there are no competitors.
In case anyone cares, when I say less useful I mean that the new layout makes it harder to individually enable/disable specific trackers in the cases where a tracker provides functionality necessary for the website to operate. The new layout is much more mouse intensive for anything but the trivial case of minimal trackers on a page. It's unwieldy to selectively enable trackers on sites with more than roughly 5 trackers on them because of the manual scrolling-in-a-tiny-window layout and difficulty reading the list of trackers due to drawing lines through the text of their names.
I'm absolutely shocked that I don't seem to mind this or think that it's wrong. Turns out that my enemy isn't advertisers, it's being tracked all over the internet.
I wish there was a way to exclusively allow static, non-tracking ads that just rely on the content of the site to target, rather than the content of my life. It'd be just like magazines in ye olden dayes.
This is why I added an Adblock exception rule to allow ads from Project Wonderful. From what I can tell, PW's network only "targets" by matching sites to ads by category, which is decided by both the site and the advertiser.
Opt in for what? They say to "share" your data with Ghostery, but what they do is sell your data to advertisers. Shouldn't an anti-tracking solution be more transparent than the problem?
Brian, I understand that it's beneficial to you as a competitor to Ghostery to bash Ghostery at this point, but please, refrain from looking stupid.
Ghostery collects tracker information and not individual users' info. Ghostery requires an opt-in before any data is shared. Anyone wishing to dig deeper should read the source code since it's not obfuscated unlike some of your Disconnect's open sourced code. If you do however have ideas on how we should be more transparent, by all means, please share them.
Ghostery claims that 45% of their users (8 million out of 18 million) are opted in to send Ghostery their browsing data. I wonder if even 1% of those users know their data is being sold to advertisers by Ghostery. I have trouble believing the solution to online tracking is even less transparent than the problem.
I work on an anti-tracking alternative called Disconnect. We do this crazy thing where we ask our users to pay for our product. Oh, and lots of people also already happen to think Disconnect is better than Ghostery: http://lifehacker.com/the-best-browser-extensions-that-prote.... :-)
I like Disconnect (I only found it a few days ago), but I'm trying to find out more technical information about what it does without having to look through the code on GitHub. Basically, does it provide additional privacy features on top of ABP+Easylist+EasyPrivacy?
Also, why is it not listed on the Mozilla add-ons site? I barely found out about it. I think I was researching privacy extensions for Chrome and happened to click through to your website.
Thanks. Disconnect currently has the biggest list of tracking sites of any app (well over 2,000 sites). And our filtering engine is written differently than other apps (no slow regexes). In practice, we benchmarked the 1,000 most popular sites and found they loaded an average of 27% faster with Disconnect than without. I've also done some informal benchmarks of other apps (I should do a more formal study at some point) and can say Disconnect accelerates pages quite a bit more than them.
Mozilla's review process is too sluggish for us right now since we're still making changes to Disconnect 2 quickly. When things are more stable, we'll probably submit to AMO.
Disqus is in the Content category, which isn't blocked by default (reason: users seem unhappy when we block content-y things like videos, photos, and comments by default). But you can still check the adjacent box to block Disqus (your settings are remembered on a per-site basis).
OpenX, otoh, should be in the Advertising category and be blocked by default as far as I know. Is there a site where this isn't the case?
Ok, thanks. I prefer to block everything by default, so for me per-site basis is not very convenient. In the case of Disqus: on most websites I don't read the comments and I prefer to block all the requests (mostly 100+ if you include the gravatars).
With Ghostery I just block everything, but this is also not perfect because, as you mentioned, you sometimes don't see all the content. It would be nice if the ad blockers could block content in the way Chrome blocks plugins: everything is disabled, but you have a placeholder which informs you that something was blocked, and when you click on it, it loads the content.
OpenX is indeed blocked (I checked it with the chrome dev tools), but it doesn't show up in the Advertising category, e.g. http://www.openx.com/.
Not that this really does this, but I would be all for a better adblocking tool that did communicate back to whatever adhosting company presented ads on a page.
If I opt in to allow my browsing behavior to help improve the sites I visit, I am presented the ads.
When I click to disable an ad, I am presented some options:
* The content is not relevant to me or the topic
* The ad is intrusive or hurts my experience on the site
Then let me decide to block all ads on the site, just this ad, or these types (e.g. popovers) on the site.
The data can then be relayed back (again, I opted in) to the ad company and the site's owners and they might even be allowed to see browsing behavior that shows how much time you spend on the site.
It could be a clear message to advertisers and content providers about the amount of revenue they are missing out on and why.
With the merger of Easylist and Fanboy's Adblock Plus List, using various combinations of subscriptions (adblock/privacy/social/annoyance) can make the need for something like Ghostery extension a thing of the past.
In general, I'd suggest you don't "out" people. First, they might not want to be thrust into the spotlight. Second, it doesn't really add anything to the conversation when you do it like this.
I don't think there's any harm done here though, since they have mentioned it themselves in comments.
That's Disconnect's master tracking list. I'd say it bears an uncanny resemblance to Ghostery's tracker library, but then I'd be breaking all sorts of laws tampering with encryption.[1]
Please feel free to browse Ghostery's source code. All our extensions[2] are zips of unobfuscated JavaScript.
--
[1] Nice take on the old "disable right-clicking on images". Not so nice to take tracker definitions from competitors and then brag about having the biggest library.
[2] IE is a bit special, as always, but that's out of our control for now (http://crossrider.com).
I installed Ghostery just a few days ago, and it is clearly indicated that it is opt-in. I don't see a problem here, looks to me a bit like an attack against Ghostery. But of course, an open-source alternative with the same functionality would be better...
I find Ghostery a good compromise for me; NoScript is too much hassle for day-to-day use, and I also don't like to use Adblock for "philosophical" reasons. Ghostery does exactly what I think should be done - remove the tracking, since I didn't give permission to anyone to track me.
Isn't there a big difference between asking users to opt in to "share" their data with Ghostery (which is what Ghostery says) and asking users to opt in to have their data (what data, btw?) "sold" to advertisers (which is what Ghostery does)?
This thread like a lot of topics in this space is full of misinformation so let me dispel some common myths:
1. "I never click on ads"
Irrelevant and, more often than not, a lie. But let's assume it's the truth. Search advertising is an example of intent-based advertising. It's why it works so well. If you're searching for camera then a site that sells cameras (via an ad in the search results) is likely relevant.
Display advertising (which encompasses things like ads on the NY Times etc) on the other hand is not there specifically to drive a particular action. Brand awareness is a common use case.
Search advertising is sold on a CPC basis because it is intent based. Display advertising is by and large sold on a CPM basis. You don't get the impression and the publisher doesn't get paid. Some will label this "theft". Personally I find this like many real world analogies to be inappropriate in the digital world. Pejorative aside, it is taking money from the publisher and users have largely shown an unwillingness to pay for the content they consume directly.
2. "I don't trust [ad company X]"
The privacy argument. As this post shows, the temptation to resell your information, particularly by small players, is alluring. Frankly I'm more inclined to trust the Googles of the world than I am some guy who writes an extension. Google, for example, give you several options here.
- You can go to the Ads Preference Manager [1] and tailor your privacy settings.
- You can simply delete your cookies every hour/day/week/month/whatever.
3. "My ad blocking improves ads"
I don't know where this sprang from other than ignorance of how advertising is bought and sold. No impression, no revenue. The marginal improvement in eCPC based on not showing you an ad is a) irrelevant because display advertising is often not action-based and b) no increase in revenue since it's a smaller pool of impressions.
Just today (still on the front page at the time of this post) is a submission about how people have a warped view of how much time others spend talking or thinking about them [2]. I believe the same distorted view of the world that most of us have also comes into play here.
As much hand-wringing as there is about privacy, when it comes to advertising, advertisers don't really care about you, the individual, as much as many seem to think. What advertisers care about is groups of people with a particular profile ("segment").
So I respect the approach of being paranoid (or at least diligent/skeptical) when it comes to online privacy but, as far as advertising goes anyway, it's largely theater.
I question the ethics of shifting the cost burden of the Internet onto others (ie tragedy of the commons) just because an image of a pair of shoes offends your delicate sensibilities is an interesting choice. I don't really click on ads either but I don't really care that ads for the Westin follow me around after I've gone to their site either (that's called remarketing or retargeting BTW).
Whatever the case I'd rather Google have my browsing history than Ghostery any day of the week.
I should note that I strongly believe in blocking obnoxious advertising. This includes, but is not limited to:
- popups (actual browser windows or just HTML elements that block content until dismissed)
- any video on a Web page that auto-plays
- any sound on a Web page that auto-plays
- most if not all interstitials
- anything Flash based just because I don't want anything Flash based running on my computer
It tends to be the sleazier side of the Internet that employ bad advertising practices like this but not entirely. Auto-playing media is particularly bad.
Disclaimer: I'm a Google engineer in display advertising.
> just because an image of a pair of shoes offends your delicate sensibilities
I added an ad blocker because the ads I was served were all ugly pictures of old faces. It was ads for some regenerating skin snake oil. It was physically disgusting me.
I have no time to spare tweaking the filters, so I just block everything and all is well.
This is to show that the bad practices taint the less bad ones. If ads were only small text, not served more than once a week, neutral, never served to kids or other sensible segment, I'd say it could be ok. Until then I prefer no ads. (I don't watch tv for this reason)
> Search advertising is sold on a CPC basis because it is intent based. Display advertising is by and large sold on a CPM basis. You don't get the impression and the publisher doesn't get paid. Some will label this "theft".
Actually Google is the thief here. Advertising and JS/Client Side analytics/scripts suck up my CPU time and use up my bandwidth that I pay for. All the ad-block user does is block bits from showing up on his/her own personal machine. Blocking external data from unknown/untrusted sources is theft now? Also, since we already know that compromised ad servers contribute to the proliferation of malware, it's also a good security practice. (Okay maybe not static image ads, but definitely Flash ads)
> Frankly I'm more inclined to trust the Googles of the world than I am some guy who writes an extension.
That is true in the general case, but there are several opensource extensions. And people can find out what exactly happens with their data unlike Google.
This right here, this is the argument I simply cannot understand.
A business is offering a service in exchange for advertising to visitors.
You do not like the terms of that deal.
The _only correct_ action after this is: Do Not Use The Service. Don't reward a business practice you view as illegitimate. Just walk away. Boycott advertising-supported business models.
--
PS: the entitlement in this viewpoint is simply astonishing. "I don't like advertising, so the entire internet should change to accommodate me!"
There is no "deal." I'm not signing a contract or agreeing to an EULA to read a website.
My browser is requesting a website and choosing parts of it to display. Where is the problem? Is it a moral issue when people on phones browse with images turned off? It's how the internet was designed to work.
If the content is worthwhile, people will pay for it directly.
There was no advertising on the internet when I started using it. Then the entire internet changed to accommodate people who wanted ads.
Entitlement? Yes it's entitlement. If you're going to configure your server so that it will send me data when I ask for it, then I will ask for it if I want it. I am under no obligation to additionally request extra data you might hope I'd take, even if that's the default behavior of an unmodified web browser.
Adblock Plus already handles ads. Ghostery is for TRACKING. Your focus here is misguided. The whole point about Ghostery is: they want to collect data about the whole industry, which industry people want. So they design Ghostery to collect that data and have an opt-in anonymous feedback to them.
You can see that they are not trying to block the ads because the ability to block new trackers by default is absent from the setup wizard. You have to go to the advanced settings via the separate plugin settings to get that.
Again, Ghostery doesn't collect your personal browsing history unless you opt-in. The fact that it is proprietary means we can't absolutely verify this, which is a concern. But assuming it is as they say, it is much less an issue than you make it out to be.
And again TRACKING is a different beast than what the form of the ad we see is.
Can someone tldr this article? I tried to read it on my phone but the "view this on mobile" not only blocked all content but had an unreachable close button.
I use Ghostery to see what is being tracked rather than block it outright. Call me foolish but I never realised that blocking ads was the primary intended purpose of the tool, I've always just used it to check for missing analytics tags and so forth.