The TikTok pixel is not actually a pixel like in the old days. It is not a 1x1 transparent image loaded from their servers. It is executable javascript code. All you have to do to stop 99% of the corporate spying is disable unsafe remote code execution.
It's hard to believe I have to say that after the many decades of people getting it drilled into their heads "Do not open random email attachments" but here we are in a dark future where everyone is going to say not automatically running untrusted code is stupid and not a real option. It is. And it works.
I really really wish that I could convince Web Developers that not every website needs to be a web app.
I keep bringing up that I don't want JS to execute random code, even if it's sandboxed, it's mostly unnecessary, and I always get the same sort of replies.
Everyone calls me out of touch, I'm downvoted to oblivion, everyone suggests that I'm a unique case and everyone wants JS, they say that they don't want fragmentation and want life to be easier for them.
I get it, their pay check literally depends on them using JS, it adds a lot of flexibility.
I'm going to make the additional, controversial, guess that most web-developers don't really know what they're doing either; I would surmise that they lean on frameworks and if those frameworks are ever under threat (from people like me requesting progressive enhancement) then they need to defend the frameworks to defend themselves.
Of all things that can be complained about, JS sandboxing is actually really hardened. I think the issue is the cross site wild west we have today. Cookies, requests etc go all over the place, when it should be isolated to same origin unless specific interactions are needed (and then they should probably be user facing and blockable).
I think the real answer to why this hasn't been toothfully patched yet is ads and the billions of dollars behind it. Not JS developers.
I was talking on a podcast yesterday about a wiki project I’ve been involved in and one of the things that was eye opening for the audience was just how insane those requests can be. We literally pulled up a page that showed a single wiki page making >500 ad server requests.
CDNs were a huge mistake, they are the slow point of many websites and people don't even second guess importing fonts, images and libraries from half a dozen different providers. The pros are grossly overstated and the cons are many.
> Of all things that can be complained about, JS sandboxing is actually really hardened.
It's still very useful for people who want to run arbitrary code on your CPU. Both AMD and Intel have severe flaws, called "speculative execution CPU bugs", that can be exploited to extract credentials, encryption keys, session keys etc. from your computer - even information living in other applications or [hardware layer] VM's.
Sales and management aren't going anywhere though, so we can expect web apps to continue to be user-hostile and better off avoided by anyone who doesn't want their privacy and security compromised.
I agree with you. As a user, I want web developers to have as little freedom as possible. The freedom they enjoy today implies the potential for abuse and boy do they abuse it. Tracking and fingerprinting everywhere, anti-patterns everywhere, sites that are painful to use because they use javascript for everything and even the back button doesn't works properly, sites that don't even render at all without javascript enabled.
This actually pushed me to scrape some websites. I essentially reverse engineered the site and created my own custom client for them just to ensure only my code ever runs. I don't have time or energy to do this for every site though...
To be fair, users expect websites to do a lot now. That is because brands pushed so much for interactivity. I do agree with you, but if we take away JS we would still want to enhance the web with interactivity.
I do recall building completely JS free eCommerce applications and in all honesty they were lightening fast compared to todays SPAs and still just as complex as applications. But we can do much better for user experience of complex applications with a sprinkle of interactivity.
If web developers had freedom, there would be minimal amount of tracking, fingerprinting or anti-patterns. If you want to assign blame, you have to look higher in the food chain
I was thinking that you could embed the 3rd party code in your wasm file, but also you can do it in js, so I‘m also curious what was thinking GP, because everything goes through the browser then you would just block the request to certain domains as we do now.
> Everyone calls me out of touch, I'm downvoted to oblivion, everyone suggests that I'm a unique case and everyone wants JS, they say that they don't want fragmentation and want life to be easier for them.
If they sat down with real users, then they'd know that most people get very frustrated when web apps make their phones slow, which happens relatively often.
If they cared, they'd also be frustrated, because they have the background knowledge to understand just how unnecessary such poor user experiences are most of the time. I've seen simple mailing address forms slow phones down. That doesn't need to happen.
> I really really wish that I could convince Web Developers that not every website needs to be a web app.
I'd say it's more that not every website needs to be written in JavaScript from the bottom up. There are web apps that I use that are tasteful and reserved with their uses of JavaScript, if they even use it at all.
You don't need to make web apps using using dynamic code for every little thing, like even building static HTML elements with JavaScript.
And not everything needs to be a SPA, nor does everything need to be built using nine layers of frameworks and abstractions.
Blaming web developers for this is so out of touch.. since when are the developers in charge of product? It's like blaming a construction worker for the poor architecture of a building. Come on..
> I keep bringing up that I don't want JS to execute random code, even if it's sandboxed, it's mostly unnecessary, and I always get the same sort of replies.
I mean having done front-end and back-end. I gotta say, the way a SPA framework lets you re-use front-end code is probably why such frameworks are selling like hot cakes. I legit feel like someone needs to spec out a back-end layout that is generic and implementable in any language, but supports some of the concepts like containers and such.
What options will you suggest for web developers instead? How can you develop a convenient user experience without js? Even the most simple things require it, and will likely use a third party framework.
As someone who blocks JS by default, don't depend on remotely hosted JS. If I go to example.com and I think it seems truthworthy I might allow scripts to run from that domain and that domain only. If the site doesn't work after that, I'll just close the tab and move on. The simple stuff doesn't need bloated frameworks.
Don't obfuscate your JS either if you can help it. If I'm not sure if I should be trusting your site I'll be looking over your JS to see what's doing, but I'm not spending more time than it takes to glance over it either.
a convenient user experience to me, is one that fails gracefully without JS. Displaying text/images shouldn't need JS at all. I'll accept that it won't be as fancy without it, and I won't hold it against you for having JS as a fancy default, but a site should still be mostly functional without JS. Content at least should remain accessible.
Displaying pictures is one thing. But how are you going to create a dashboard that updates every short interval without JavaScript?
Let's say a website serves React from its own domain, so no 3rd party references are used (which in this case it'll be very easy for them to serve you a modified version of the framework), they'd rightfully want to save bandwidth and minimize it! Which means obfuscation as a byproduct.
I understand where you're coming from and I do a fair share of blocking myself, but I also see why things are the way they are if you want to develop an online product.
For somethings you really can't help but depend on javascript. I don't really mind it if it's something ambitious enough, it's the display of basic content breaking that bugs me most.
A dashboard may still work if you can just display the current data and add a note that because JS is disabled the page must be refreshed manually to pull updated values. You don't even have to throw in a refresh button since the browser's already got one. If I go to a website without JS enabled I expect things to take a bit more work on my part.
Minified JS is a problem I run into a lot. Most of the time though, I err on the side of caution and just move on. There's so many interesting things worthy of my attention that if the site full of inscrutable javascript is just a random article/blog post or something shared as a general "hey look at this cool/fun/impressive site" it can easily be abandoned for something less troublesome.
For sites I actually do need to access for some reason I can take the time to analyze it properly, but most of the time those kinds of sites are already familiar/trustworthy, and I've got other options too like firing up a less restricted browser in a VM.
I certainly don't expect developers to give up using JavaScript for the sake of the few users like me, but the better a site does at keeping content accessible without it the less likely I am to just move on to the next tab.
I was converted once I discovered that amazon.com still works with javascript disabled. You just do things the old fashioned way, form submissions that change the session state on the server and generate the html for the next page. I use "redmine" for project development / issue tracking and that works without javascript too.
The different form input elements do a lot of work for you, and are very platform-agnostic, unlike javascript, which will fail silently as soon as someone is on an out-of-date android/ios version.
We had lots of convenient user interfaces on the web without JS.
"The most simple things" absolutely do not require it. Simple things can be done in pure HTML. That's what the web has always fundamentally been about.
You should TRY building a site without JS. Just try it! You'll be amazed.
The “simple things” like displaying a document don’t need JS. Why does every knowledge base system is JS when they are literally just showing a document? Or discussion forums when you’re JS reading them?
I could have said chat clients, games, maps or other things that absolutely require JavaScript. I said upvote on HN to illustrate that even the most basic site still needs some JS to create a sane experience. Having the page reload every time you upvote a comment is not a good alternative.
It's been working for me for years just fine without JS. As for chat clients and games, those things absolutely do not belong in the slow pile of abstractions that is a web browser. They should be native applications and they are on my computers.
But you're right about maps. They're extremely well suited to being viewed in a browser with javascript.
What of the most simple of things require JavaScript or a third-party framework?
Modern CSS can handle a lot on the visual side, and modern HTML allows you to do form validation, dynamic lazy-loading and resizing of images, dialogs, collapsible elements, etc without JavaScript.
Look, I do run uBO. It doesn't even completely block JS, yet it still routinely breaks very basic pages, and I have to use a lot of webdev and industry knowledge to even try to unbreak them without entirely turning off blocking. So no, for most people who want to use mainstream websites, just turning off JS is not a real option. That this is a dystopic scenario does not change the practical reality.
I never have to turn off uBO to get pages to work. Am I just visiting really boring sites, or is there a default setting I should change to be more strict amd break more pages?
I don't know, I guess it could be that turning on the "I know what I'm doing" matrix features made it more strict? It seems like every e-commerce site and most blog/news sites want to host all their images offsite (mostly CDNs I assume) in some weird JS-mediated way. Anything with a captcha breaks. Any purchase checkout process that involves other domains, which is almost all of them, can be counted on to break. If someone can tell me I'm just misunderstanding what's going on, I'd love to spend less time messing with websites' guts and still be reasonably protected.
uBO can break sites, but in my experience doesn't to the degree that you're describing. Perhaps you should clear all settings and re-install the extension once and see if that helps?
Do you maybe have other content blocking extensions running at the same time as uBO that are causing 'clashes'?
For me uBO breaks 3D-secure, so it does in fact break every e-commerce checkout that uses it. I just disable the entire extension before I buy something, but it’s rather awkward.
That “enter just your web password here” thing? Don’t seem to for me. Amazon checkout seems to be breaking from something recently but likely not uBO filters.
I'll probably give this a shot. The only settings changes I can remember are allowing things, but I could be wrong. No other content-blocker extensions, I believe.
In that mode you can make it much more strict, such that it loads no js at all by default, and/or loads only first party scripts by default.
I think out of the box with the default blacklist mode very few things are broken, but the trade-off there is that you're running way more code. I do imagine the default list would block this specific nonsense from tiktok, although I haven't verified that assumption.
I block all scripts initially with ubo and slowly allow what I need to make a site function (or just close tab on sites I deem unworthy of the effort). This is certainly more than you could expect from a normal user.
this may be daydreaming too shallowly, but I wonder if basic Javascript UI patterns could be identified by some tool. Something along the lines of a new pane showing up in the Developer Tools that semantically identifies the roles of certain Javascript.
* This block of code ensures these UI elements are synched among each other.
* This block of code sends this UI data to this server address.
Something that gives a rough & coarse data tracing dependency analysis of inputs and outputs. There may be techniques to defeat this but I think some general patterns would become established where web designs could begin to be shifted to compartmentalize different functionality to streamline such a tool being able to to pare off the insignificant and safe parts of JS and enable folks like yourself to zero in on the interesting and questionable parts.
Even without that tool, HTML continues to evolve and add common “components” that people have used JavaScript to create for decades, which work without (or with minimal) JS. For example, <details> and <summary>, <dialog>, <datalist>, and more.
That’s interesting so your saying when developers offload to the html standard typical UI workflows that have been baked into certain html tags then there’s less innocuous JS to have to wade through in the first place. That’s amazing actually and very welcomed.
I use uBO with JavaScript on and almost all the filter lists it ships with enabled. Never had any problems with web functionality.
I just tried adding tiktok.com to "My filters", but it seems like ads.tiktok.com is still accessible with that rule -- how can I block all tiktok subdomains simultaneously?
Seems like automatic loading of resources (hosted by third parties) by popular web browsers is beyond question.
I access the www everyday using a browser that does not auto-load resources. It would be dishonest to claim it is not useful.
I recall a brief period of time in the early www where web pages could contain "Java applets" and the browser would prompt the user if they wanted to run the code.
Web developers have become so dependent on all this control they have been given over unsuspecting computer users, how would they react to removing/reducing any of these "features".
The "modern" web browser feels like a Trojan Horse.
Is it really a good idea to automatically send resources to a client that has not explicitly requested them. It is behaviour that takes control away from the client. (Needless to say, this behaviour is open to tremendous abuse and can be wasteful.)
Auto-fetching took this to a new level. (I always disable this behaviour, either within the client or outside it.)
Going even further, HTTP/2 server push has IMO only highlighted the questionable nature of this behaviour. Its justification is "performance" but it still removes control from the client. Will push be removed from Chrome.
Not only that, but at least since 8 years ago give or take, your cookies/other identifying info can be matched to an offline traceable tender such as credit card / loyalty program.
8 years ago, I could very much target viewers (no click needed) who have bought XYZ using a credit card or on the attribution end, know you saw a specific ad and went into the store and bought it.
Javascript and browse behavior added much resolution to that.
Source: Am in the advertising industry and worked on accounts in the Fortune 5.
Yeah, but uMatrix still works. It's kind of a finished product. It still received a security update since support ended. I use it all the time and am fascinated at the amount of third party scripts so many websites use. I always appreciate a site that loads everything from their own domain, which is rare. As for social media tracking scripts, I block them all. Google/gstatic is the only one that gets a free pass, otherwise too many sites won't work.
> It's hard to believe I have to say that after the many decades of people getting it drilled into their heads "Do not open random email attachments" (...)
You need to take a step back and figure out what you're failing to understand before going into these "everyone is a fool" rants.
One of the reasons people don't understand the risks is the fact that, by design, these risks don't exist at the eye of the end user. No one knows, not even you, how many servers are being hit when you click on a link.
You're opening emails, you're clicking a link, and hundreds of requests are flying out of your browser right under your nose to God knows where. How many of them are requesting useless images you never saw? How many if them are reporting telemetry data on how you're using a website? You do not know. Why are you whining about other not knowing as well?
Privacy is a hard problem because everyone is using a system explicitly designed to transfer information around without any control or supervision. Up until now the best tool we have at our disposal is a set of laws that require companies to disclose and delete data they collect on us.
Blaming the end user for clicking links is victim blaming, and demonstrates a colossal amount of ignorance about the problem domain.
Shouldnt this have been rendered impossible with Apple and Google’s crackdown on third-party cookies? Whether it a 1x1 tracking pixel or a full-blown Javascript, Apple’s ITP protection would seem to render it unables to track people across websites.
The key word is SEEM. I have no idea regarding all the contradictory news coming out of all the camps. I posted a question on StackOverflow with a significant bounty that expires in 5 hours and so far no one has even showed up to answer it:
I can shed some light on this maybe, don't have a SO account. You're completely right about "SEEM". It does do enough that it significantly lowers the resolution of data and ability for systems to infer your behaviors / persona. It will force more of the ad ecosystem to server to server data pass through: https://developers.google.com/tag-platform/tag-manager/serve...
I mention it in a post above, but data brokers have existed for a decade, which don't really care about any of this. Your email/phone/credit card + purchase behavior for instance, is likely sent to 3rd parties (as md5/sha hashed values) It boils down to sample resolution and sample size. Javascript made it really easy for literally every website to collect browse behaviors. ITP makes the skill ceiling / investment to collect this data much higher.
ITP doesn't conceal the IP & user-agent, which is enough to track someone reliably since most connections still have a persistent-enough IP address. It only breaks down if you're behind NAT (sharing the public IP with lots of other people) and have a very common user-agent such as the one of the latest version of a mainstream browser.
The only way to defeat this is to 1) have all browsers standardize on a single user-agent that never changes going forwards and 2) per-origin VPNs so that the public IP seen by each origin is different.
ITP is with Safari, and most people using it will have the latest version, so will blend into the Apple user crowed that way. And private relay is pretty much a VPN.
First of all, the subdomain can redirect to google.com and back, loading it in a first-party context, and then redirect to your main domain page. I guess Google here would be a “second party”. https://learn.microsoft.com/en-us/azure/active-directory/dev...
Second way is that subdomain can load an iframe from google.com and the iframe will send a postMessage to the enclosing page, which will send a request to the server to set a cookie.
As long as you logged in ONCE in google (let’s say in a popup, or maybe using ITP’s click-to-login) then it will store the session cookie this way. And after that it can meep a cookie around for 10 years and track this guy across all the subdomains where he signed in once.
All you have to do to stop cross-site tracking is to disable third-party cookies in your browser. That's really it. This misfeature should've never been invented in the first place.
Yeah I had to implement this once because we ran a handful of ads on TikTok, so they wanted access to all of our traffic. I protested, saying they didn't need all traffic to do analytics for people who click through.. just tell me how to identify the traffic you need. This is fair, if somebody clicks on an ad then analytics would be expected.
Yeah no, they didn't allow their advertisers to do that. I ended up getting permission to remove from the site when their pixel was found to be causing a performance impact for users. But without good monitoring for that they would have still been running, possibly for forever. I'm sure this is basically how they get to be everywhere.
> You can’t stop data collection from the tech industry altogether, but with a few simple steps you can make a dent in the amount of information that’s being collected.
> Use privacy-protecting browser extensions. You can add extensions to your browser that will do a lot to protect your privacy. One is Disconnect, made by the company that performed our TikTok investigation. The Disconnect extension shows you how websites are trying to track you and blocks a lot of that data collection. Privacy experts often recommend uBlock Origin, as well.
> Change your browser’s privacy settings. A lot of browsers have built-in controls you can use to block trackers, including cookies, pixels, and other technologies. Open your browser’s preferences or settings, and you’ll usually find the controls in the privacy section.
> Try a more private browser. Google Chrome collects a lot of data on behalf of Google. The Consumer Reports Security Planner recommends Firefox and Brave as more privacy-focused options.
Case closed when you use uBlock Origin preferably with Brave or Firefox. As an extra measure I disable JS Unless it's really needed, and surf in a private/incognito session to stop cookies building up.
Shame uMatrix is dead, but I use it to allow javascript for the local domain, and disable for third-party domains by default. It allows me to use at least some websites without too much fiddling with the uMatrix settings.
I use all of them along with vimium-ff and midnightlizard, but uMatrix is by far the best idea for managing what is run for better privacy and performance of browsing.
I use it daily too and it's on my list of essential plugins, but gorhill archived the repo and development has halted as best as I can tell [0] which leads to complications [1].
I am also still using it and haven't run into any issues so far. But it is unmaintained for quite some time now last I checked so I assume that eventually it will just stop working.
It's quite nice though. I have it set to disable any and all third party resources by default and from there it's generally fairly easy to permit the necessary things the first time I visit a site. And if it proves to be difficult I generally just decline to use that website at all.
As long as firefox maintains the API it should work just fine. But the day the don't a lot of people will be unhappy. I always figured some bored javascript wizard would eventually pick it up since gorhill archived it, but I don't think anyone has
I so wish umatrix maintenance was restarted. Hopefully someone capable will. I'd donate money to that effort. While ublock origin is nice, umatrix is so much better.
I’m reading this using iCab Mobile on iOS, which is a browser apparently no-one on HN has ever heard of, as I need to mention it every time this tired old and inaccurate assertion is trotted-out again.
This browser allows you to define your own blocking lists, including filters for every conceivable combination of JS, CSS, cross-site, cookie-based and URL tracking.
AdGuard on iOS works in Safari and all in-app browsers that use Safari View Controllers (unfortunately a lot of malicious apps such as social networks don't use it for this exact reason).
It's not a perfect replacement for UBO as the underlying filtering API isn't as powerful but it does a good enough job most of the time. It still uses the same filter lists as UBO (though again it's not able to make all rules work, due to API limitations).
I'm not familiar enough with iOS, does Apple still allow apps to use a different web view that the filters do not apply to? If so is there any reason they shouldn't require Safari View Controllers for App Store submission?
> does Apple still allow apps to use a different web view that the filters do not apply to
The web views the filters don't apply to have different use-cases such as customizing/hiding the browser UI elements, injecting Javascript, etc. There are legitimate reasons to use it in some cases (in case you need to display server-side-rendered content as if it was native).
Of course, Apple could decide on a case-by-case basis and reject usages of the legacy web view when the new implementation is appropriate, but they won't just like they don't do anything for apps that lie on the "privacy nutrition labels" about the data they collect or various other breaches of the App Store guidelines.
> surf in a private/incognito session to stop cookies building up.
Rather than do this, you should install Cookie Autodelete. It simply clears all cookies when a site is closed, while incognito only clears when all incognito windows are closed.
This is mostly true however Brave Shields do not support the $removeparam operator so it is unable to remove url based tracking. You still need uBO or the ClearURLs extension to do that. https://github.com/brave/adblock-rust/issues/166)
When you share a video link on TikTok, it’ll append a bunch of tracking data to know who opened it and notify you. That’s not really a surprise, but what’s more sneaky is they shorten the “shared” video links into a few unique characters without visible tracking data and parameters in the URL (AFAIK they used to visibly expose tracking data on the URL a few years ago but recently started using a URL shortener).
What seems like an inconspicuous and universal URL for a video actually sends a lot of advertising and tracing data back to TikTok’s servers about your friend/you.
I’ve been wondering how TikTok knows to suggest me friends of friends of friends with me having the most basic profile with no connections and my friends not actually having Tik Tok. But now it makes sense, and apart from evil, it’s brilliant.
I did check to see if that resulting URL after the first redirect is also a redirect. It is not, but also returned an HTTP 403 response ('Forbidden'), when submitted without cookies that had been added.
When you run that curl command, TikTok already knows your IP, which is a very valuable piece of information. Unless you maintain a server that has its own IP and does nothing except de-personalizing TikTok links, and always visit the tracking-free URL from another computer with a different IP, something like that. While it is possible, I am pretty sure most people, including most people here, don't want to do that.
Sounds like a new SaaS to remove TikTok tracking. Some way to redirect any TikTok link w/o the tracking. You could then do the most SV thing to offer it for free and store the same tracking info yourself and/or deliver ads from your accounts
On the other hand, I don't think most people consider a public IP address to be private or protected information. If you're interested in finding the "root" content URL, which lives on a TikTok domain, then you've already implicitly signaled that you accept them knowing your public IP address.
You can disable the link tracking thing in settings, bit buried but settings > privacy > suggest your account to others > people who open or send links to you
Even then, you can never be certain that a service isn't providing you with a URL for something that is unique to you. For example, if HN wanted to go evil there's no reason it couldn't hand out a unique URL to every single visitor for every single page visited and invisibly map them to the appropriate resource on the backend. And they could even perform a redirect to a different unique URL each time one was loaded to reduce overlap between different parties (since most people wouldn't bother to counteract the redirect when resharing something).
And it's not even resource intensive to do something like this. It can all be done in a purely stateless manner by concatenating an internal ID with a counter and encrypting it to derive the URL that gets served to the user.
The moral of the story is, you should really download and share things yourself.
Just use NoScript, uBlock and/or a VPN with a PiHole server as a primary DNS and stop whining.
Of course I do hate it that the only way to make money on the web today is though ads and trackers. Of course I hate it to be monitored by sneaky pixels, even if I don't use the app. But the solution to the problem is quite simple: does my browser actually render and run the Javascript? If the answer is no (because the tracking script is either stopped by NoScript, or by uBlock, or by the DNS itself that resolves the tracking domain to 127.0.0.1), then I have no problem.
Let's stop whining of IT products tracking every single aspect of our digital lives: almost 30 years down the line, and the Internet hasn't yet figured out a way to make money other than ads and trackers, and it's not going to change any time soon. Instead, let's just make sure that the change happens faster: let's educate people to block all the trackers on all of their devices, so these companies are FORCED to come up with better ways of making money, or they just go burst.
That's harder to do on mobile devices. Good system-wide, every-network adblocking on Android requires root. It's hard to obtain root on some devices, and Google is actively aiding app makers to block rooted devices with SafetyNet. I lack experience with iOS, but I assume the situation is worse there.
As a practical matter, this means that while I can tell my mother to install uBlock Origin on her desktop browser, it isn't practical for me to tell her to root her phone and run Adaway on it.
Of course, most people use smartphones much more than they do PCs lately.
It's doable when without root. In my case I simply run PiHole on a server and use it as the default DNS for my VPN. Install Wireguard on the phone, connect to the VPN, and there you go - all of your DNS requests now go through PiHole.
iOS is better than you think. allows limited adblocking in Safari, think of it as 'uBlock lite'. Due to limitations regarding size, etc, not everything can be blocked, however, do not track provides a bit more in this sense. Beyond that? Yattee blocks 100% of Youtube ads + sponsorships (I personally do not have an issue with sponsorships, but YouTube can eat it with their ads), Apollo does not show ads for Reddit, etc. (Note that Apollo is the absolute best way to view Reddit on the internet. period.)
I suspect Apple will improve things in the future. Media/News companies have attempted to vilify Apple by saying they are 'getting into the ad business', however I suspect that Apple will (as usual) take a user centric approach with expanding their ad business. I am absolutely not the person to defend Apple 24/7, however their privacy practices have been great.
I have a VPS with a Wireguard VPN that runs a PiHole DNS on it. Just toggling the VPN switch on Android is sufficient to get all the DNS requests to tracking domains flushed down the sinkhole - no root required.
Granted, it takes some technical skills to set up, but once it's set up other people can easily connect to the same VPN and have the same level of protection - my wife's and my mother's phones are also connected to the same VPN.
> I lack experience with iOS, but I assume the situation is worse there.
I use NextDNS (sort of "Pi-hole-as-a-Service"), which provides a "configuration profile […] that will make your device use NextDNS natively using the Encrypted DNS feature". I can't imagine it being any easier, really.
You don't need to root your device to set the DNS. MiUI does hide the setting, but stock android has it in the settings. You can then set your DNS to dns.adguard.com or create a nextDns account. Then you can block ads system wide.
No surprise. Every company with an ad platform uses a pixel. Meta, Google, Reddit, Microsoft. Advertisers add it to their site to get access to things like tracking of performance if their ads, and custom audiences for retargeting or look-alike audiences. In exchange, that ad platform gets your browsing data.
It's not great, but everyone is doing it so I wouldn't consider the fact that TikTok, one of the biggest social media platforms, does it too as news.
I basically want a browser list that bans specific 'big providers' systematically and then access those providers via a provider specific sandbox limited to just them. Kind of like firefox account containers, with a premade set, without the bad perf / bugs of firefox.
Apple News and Stocks: The topics and categories of the stories you read and the publications you follow, subscribe to, or turn on notifications from.
Advertising: Your interactions with ads delivered by Apple’s advertising platform.
Apple’s advertising platform does not track you, meaning that it does not link user or device data collected from our apps with user or device data collected from third parties for targeted advertising or advertising measurement purposes, and does not share user or device data with data brokers.
If this were the case, it would be a huge lawsuit, given they state the opposite:
You can turn off Personalized Ads on your iOS or iPadOS device by going to Settings > Privacy & Security > Apple Advertising and tapping to turn off Personalized Ads. On Mac, go to System Settings > Privacy & Security > Privacy, click Apple Advertising, and deselect Personalized Ads. The Personalized Ads option may be unavailable if you are a minor, have a managed account, or are in a location where Apple does not deliver advertising to its apps.
Do all the ad companies require this pixel on every page of your site? In other words, could you not have an ad platform specific page that embeds the pixel and acts as the landing page for any of your ads?
If so, I don't see any problem with that. The only customers accessing that page would be incoming ad clicks.
No. They don't even require it at all, but they encourage you to do so to get access to certain things.
Without the pixel, the platform sees a click on their side. But if you wanted to pay for other conversions, eg a purchase, you'd need to send an event back (either via pixel or via API).
As an other example, if you wanted to retarget, you'd also need the pixel. Let's say you wanted to target users who added an item to their cart but never purchased, the pixel would fire a "added to cart" event.
Finally, if you want look-alike audiences, you'd want to pixel as many users as broadly across your site as possible. As an example of this last one, you might want to tell the ad platform to show your ad to people who seem to resemble people who have made purchases on your site. Having the pixel let's them build that list of users who purchased on your site, then try to target users who seem to have similar interests/location/browsing habits. The funny part about this is the platform might implicit learn to target your ad to people who have visited a competitor. But since you add the pixel too, they show the competitor ad to people who visit you. So the ad platform is really a weapons dealer here.
So Yea, you could decide to only use the pixel in a limited way, or not use it at all, but you'd miss out on better targeting, optimization, and reporting.
TFA:"Consumer Reports found that the company uses some of the same techniques as Google, Meta, and other companies to collect personal data" It's even the article byline!
So I have a pi hole for my home network, and a wireguard connection back to it when I'm out and about. I run ublock on everything, block all the javascript, all the stuff.
But I do it because ads are annoying -- I don't like how they look and I don't like how they slow down every experience. I...don't really care about the tracking aspect? As far as I can tell, nothing bad happens to people because some faceless entity is tracking all your browser history.
Is there some secret malice that I'm not aware of that I should be more concerned about? Near as I can tell all this vast tracking infrastructure is really only there to more precisely target me with ads and doesn't really do anything else.
As far as privacy goes, I'm much more weirded out by the fact that my property tax records are public. Or that cell providers have the ability to fairly accurately track my location if they want to. Facebook seems pretty benign compared against that.
The argument goes, that if they can target you for ads they can also correlate this with political beliefs, your ethnicity, your financial situation and so one.
If you want a credit and you are friends with people who don't pay back their debts you are also a risk for the bank and get a higher rate.
If you want an insurance and you are a extrem cyclists you won't get one.
If you open a shopping side and they know you can afford it, they mark up the price. (Udemy is ridiculously doing this)
Yes, this is death by a thousand paper cuts.
What could the Chinese Government do with the data? Lower or rise your social credit score? Stop you from visiting China. Throw you in Jail for watching Winnie Poo?
All the other tech giants were in the US and so we didn’t have to worried about this. At least if you weren't a terrorist or behaved like one. Now China has a totally different agenda.
Is it okay to be LGBTQ in China? What happeneds if you watch a TikTok with this theme?
Yes, I am very aware of all the potential dangers, which contributes to my blocking everything in the first place. I am curious if, in the United States, there are any realized dangers to these privacy violations.
The Udemy thing is interesting, but it's also (as far as I can tell) just doing stuff with first party cookies and region lookups. Nothing at all the level of sophistication that is being observed from Meta or Tiktok.
I'd love to hear stories of people who got screwed because of facebook or Google's broad web of surveillance, but as near as I can tell, nobody is actually being harmed.
Google and Facebook coin it as violation of their terms. Just watch HN and you will get the next story every other month.
But the most chilling quote is "we kill people based on metadata":
As NSA General Counsel Stewart Baker has said, “metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.” When I quoted Baker at a recent debate at Johns Hopkins University, my opponent, General Michael Hayden, former director of the NSA and the CIA, called Baker’s comment “absolutely correct,” and raised him one, asserting, “We kill people based on metadata.”
I'm not entirely sure what you're hinting at. Are you saying that the US military and intelligence agencies use metadata to track down and kill people that they deem as enemies? And that Meta/Google/etc. are in cahoots with them to do this?
Can you link me example of this happening? Is there credible evidence that an ordinary citizen (like myself) is in more danger from state actors because of the information harvesting that large corporations engage in? I feel like if the government wants to track down and kill me they already have my address, cell phone records, etc. No need to contact Meta or Tiktok.
If they had no need for contacting Meta and Microsoft and Google, why did they do so?
How could would this put an ordinary citizen at risk? I don't know. All the data is run through an AI and if it labels you terrorist, who is to question it?
They sure kill a lot of people in Pakistan based on this data:
If your goal is to limit tracking, this does help, however it won't stop any server to server (versus client browser to server) data pass through. Any events the advertiser/publisher deems important, they can first-party collect the relevant tracking data and pass it from their server to the ad server (i.e. TikTok, Google, MS, FB etc.)
You're right most are doing the simplest things as most marketers do not have tech experience to understand the advanced methods. As more people try to prevent Javascript, you'll start to see more and more companies adopt these methods.
Yes, if you’re lazy or you want to quickly switch some services on/off, I suggest you the great app: Pi-Hole Remote (https://rocketscience-it.nl), there's a handy list with all of the privacy intrusive services (regex) that you can turn on/off with a switch (screenshot https://ibb.co/fNDyq36)
That's ok, DoH firewall rules to the rescue! You can get lists of all known DoH servers and just load them up on a router, drop anything going there, and you're done.
If you don't use TikTok, and you happen to live in the EU, UK, California or Brazil, send them a data deletion request. Here's an easy way: https://yourdigitalrights.org/d/tiktok.com
Plenty of comments here talking about using uBlock [Origin], piHole, disabling JS, and so on, but it doesn't look like anybody has bothered to ask specifically how TikTok is actually doing the tracking. And TFA doesn't explain the method(s) in any technical detail.
I visited several of the sites mentioned in TFA, and uBlock didn't show any connection requests being made to any tiktok-related URLs. Nor were there any unfamiliar websites commonly shared amongst these sites in case TikTok was using a proxy service to hide behind.
I just tried the United Methodist Church website [1] after disabling UBo and accepting cookies. It then GETs an events JS file from tiktok.com, which runs and GETs a main JS file from tiktok.com that then makes a POST request to tiktok.com containing my device, page url, referrer, session ID, useragent and timestamp.
If you are running uBlock then you are probably blocking google tag manager that initiates these calls.
Thanks for this. I hadn't considered googletagmanager.com but that appears to be the likely culprit as it is the common denominator between these sites.
Apart from being a disgustingly deadly teenage trap it is a privacy leech at the same time. It's time people realized how useless and distracting these social media apps are, and that they are not really necessary for any functioning of the society. Real knowledge could come from reading books and sites like Wikipedia. Tiktok is good for nothing other than trapping tennagers to make them get viral by doing some really nasty/dangerous stuff.
I would say fuck ad-supported social media. TikTok is no different than Facebook, Twitter, etc besides some China-related fear-mongering (which may be true or not, but the point is, nobody should be stalking people on the internet, regardless of whether the stalker is American or Chinese).
analytics.tiktok.com. googletagmanager.com has a script that gets the analytics JS from tiktok, so if you're blocking Google Tag Manager, then you'll never even see an attempt at loading from tiktok.
somewhat related, one time someone mentioned that reddit’s analytics runs off the main domain such that one wouldn’t be able to block analytics without blocking the site and its content itself.
does anyone remember the comment or article that mentioned it? it seems like this tactic will be increasingly useful for companies whose revenue is entirely ad dependent. somewhat related, do any ad blocker extensions block POST/PUT but not GET?
I have js disabled by default on my PC's and laptops. If I need (or want) to use a site that require js, I do so in a VM, and I use that VM only for one or a few related sites (like Hacker News and Slashdot). Each VM has different screen sizes and operating systems / Linux distributions. If I research a subject that is even slightly controversial, I use the Tor browser from a VM or Tails.
But mostly, I just ignore companies and organizations that don't know how to make a website work without js.
That sounds like a lot of work for what could be covered by self-destructing cookies, spoofing your user-agent, and in the worst case using Tor (which for me is a keyboard shortcut in Brave). I really don't think the extra hassle of VMs is worth it -- these are ad companies trying to fingerprint you, not state actors using zero-days on you.
Personally, I dream of a future where 90% of content is delivered over RSS or similar and the middle man (bloated web pages) are cut out entirely.
This is the same technology used by Google, Facebook, Linkedin, Pinterest, Snapchat, and Twitter. There are other services like Clearbit that offer just the data part of this, without the social media network attached. Every major ad network does this.
There is nothing unique about TikTok's tracking implementations other than how much data they attempt to take in.
Yes, since its a JS script that will get blocked automatically.
And you don't need UBlock with Brave, Nrave shields do the same thing while being faster(rust and integrated in the browser itself) and not being dependent on any extension updates.
There is a noticeable performance hit when using uBlock + shields.
It depends what you're trying to solve. I would say it will lower the resolution of any "profiles" built on you in aggregate, but it does not stop a profile being built.
Thanks for posting this! Ok as a web dev who actively cares about user privacy—- can these things accidentally sneak onto my page through npm deps? Or would I need to install them deliberately? If so —— how are they on gov websites??
Wild guess: they're part of a default "share buttons" repository that includes the "Share on Twitter, Facebook, Google+" buttons for the page, or something very similar to that.
Couldn't you just try out your webpage in your browser and see what network calls are being made? That way you can see if you're calling Tiktok or not.
I just wrote the most scathing review I could, and ads pop up for the product. Gee. Thanks. So Every time, I click through and minimize. I know its junk.
That's not the point. No one said other companies didn't do similar things. I assume they all want to get as much info as possible without breaking the law. I think the elephant in the room however is that they also send a copy to the Chinese Communist Party databases as well.
It can be worded so that collecting any specific information pre and post-processed (to cover ML) about a person who is not a consenting user of your service allows individuals to sue for punitive damages and in exteme cases make it a felony.Any information, even anonymized information about individuals will be prohibited. However, if you use Google for example and agree to their ToS they can do whatever they want within reason, so long as the activity being tracked is related to the user explicitly interacting with a google service. So tracking cookies and all the weird shit they do is fine for their users, they just can't track users if the user visited hn.com and they did not explicitly consent to being tracked by google analytics, the hn.com admin can let you know it wants to allow the 3rd party service google to track you and get your consent.
This stuff is possible, I despise all the fatalism. Us, the people that understand this at any depth just need to agree on it and speak very loudly and convince our peers, being defeated and hoping politicians figure out tech some day is silly. That's why I am trying to discuss this here.
The TikTok pixel is not actually a pixel like in the old days. It is not a 1x1 transparent image loaded from their servers. It is executable javascript code. All you have to do to stop 99% of the corporate spying is disable unsafe remote code execution.
It's hard to believe I have to say that after the many decades of people getting it drilled into their heads "Do not open random email attachments" but here we are in a dark future where everyone is going to say not automatically running untrusted code is stupid and not a real option. It is. And it works.
I really really wish that I could convince Web Developers that not every website needs to be a web app.
I keep bringing up that I don't want JS to execute random code, even if it's sandboxed, it's mostly unnecessary, and I always get the same sort of replies.
Everyone calls me out of touch, I'm downvoted to oblivion, everyone suggests that I'm a unique case and everyone wants JS, they say that they don't want fragmentation and want life to be easier for them.
I get it, their pay check literally depends on them using JS, it adds a lot of flexibility.
I'm going to make the additional, controversial, guess that most web-developers don't really know what they're doing either; I would surmise that they lean on frameworks and if those frameworks are ever under threat (from people like me requesting progressive enhancement) then they need to defend the frameworks to defend themselves.
Of all things that can be complained about, JS sandboxing is actually really hardened. I think the issue is the cross site wild west we have today. Cookies, requests etc go all over the place, when it should be isolated to same origin unless specific interactions are needed (and then they should probably be user facing and blockable).
I think the real answer to why this hasn't been toothfully patched yet is ads and the billions of dollars behind it. Not JS developers.
I was talking on a podcast yesterday about a wiki project I’ve been involved in and one of the things that was eye opening for the audience was just how insane those requests can be. We literally pulled up a page that showed a single wiki page making >500 ad server requests.
https://pagexray.fouanalytics.com/q/pathofexile.fandom.com%2...
What in the actual f, that is an insane amount, and really well visualized too! Why? What was the podcast?
It’s all about the history of the wiki and how we went about forking it from Fandom.
https://m.youtube.com/watch?v=kqENNDKd2nw
CDNs were a huge mistake, they are the slow point of many websites and people don't even second guess importing fonts, images and libraries from half a dozen different providers. The pros are grossly overstated and the cons are many.
> Of all things that can be complained about, JS sandboxing is actually really hardened.
It's still very useful for people who want to run arbitrary code on your CPU. Both AMD and Intel have severe flaws, called "speculative execution CPU bugs", that can be exploited to extract credentials, encryption keys, session keys etc. from your computer - even information living in other applications or [hardware layer] VM's.
"toothfully patched"?
A "web app" can be a web app without including crap like this. Policies like these are usually set by sales and management.
Sales and management aren't going anywhere though, so we can expect web apps to continue to be user-hostile and better off avoided by anyone who doesn't want their privacy and security compromised.
I agree with you. As a user, I want web developers to have as little freedom as possible. The freedom they enjoy today implies the potential for abuse and boy do they abuse it. Tracking and fingerprinting everywhere, anti-patterns everywhere, sites that are painful to use because they use javascript for everything and even the back button doesn't works properly, sites that don't even render at all without javascript enabled.
This actually pushed me to scrape some websites. I essentially reverse engineered the site and created my own custom client for them just to ensure only my code ever runs. I don't have time or energy to do this for every site though...
To be fair, users expect websites to do a lot now. That is because brands pushed so much for interactivity. I do agree with you, but if we take away JS we would still want to enhance the web with interactivity.
I do recall building completely JS free eCommerce applications and in all honesty they were lightening fast compared to todays SPAs and still just as complex as applications. But we can do much better for user experience of complex applications with a sprinkle of interactivity.
If web developers had freedom, there would be minimal amount of tracking, fingerprinting or anti-patterns. If you want to assign blame, you have to look higher in the food chain
And it’ll get worse with wasm.
Why will wasm make 'it' (security?) worse?
I was thinking that you could embed the 3rd party code in your wasm file, but also you can do it in js, so I‘m also curious what was thinking GP, because everything goes through the browser then you would just block the request to certain domains as we do now.
> Everyone calls me out of touch, I'm downvoted to oblivion, everyone suggests that I'm a unique case and everyone wants JS, they say that they don't want fragmentation and want life to be easier for them.
If they sat down with real users, then they'd know that most people get very frustrated when web apps make their phones slow, which happens relatively often.
If they cared, they'd also be frustrated, because they have the background knowledge to understand just how unnecessary such poor user experiences are most of the time. I've seen simple mailing address forms slow phones down. That doesn't need to happen.
> I really really wish that I could convince Web Developers that not every website needs to be a web app.
I'd say it's more that not every website needs to be written in JavaScript from the bottom up. There are web apps that I use that are tasteful and reserved with their uses of JavaScript, if they even use it at all.
You don't need to make web apps using using dynamic code for every little thing, like even building static HTML elements with JavaScript.
And not everything needs to be a SPA, nor does everything need to be built using nine layers of frameworks and abstractions.
Blaming web developers for this is so out of touch.. since when are the developers in charge of product? It's like blaming a construction worker for the poor architecture of a building. Come on..
If you are asked to make a news website, and you reach for multiple JS frameworks and heavy analytics engines.
That is not products fault. Take some responsibility.
Terrible argument. You're talking about marginal behavior, not average. Sure, there's a % that will do that, but that applies to everything.
> I keep bringing up that I don't want JS to execute random code, even if it's sandboxed, it's mostly unnecessary, and I always get the same sort of replies.
I mean having done front-end and back-end. I gotta say, the way a SPA framework lets you re-use front-end code is probably why such frameworks are selling like hot cakes. I legit feel like someone needs to spec out a back-end layout that is generic and implementable in any language, but supports some of the concepts like containers and such.
What options will you suggest for web developers instead? How can you develop a convenient user experience without js? Even the most simple things require it, and will likely use a third party framework.
As someone who blocks JS by default, don't depend on remotely hosted JS. If I go to example.com and I think it seems truthworthy I might allow scripts to run from that domain and that domain only. If the site doesn't work after that, I'll just close the tab and move on. The simple stuff doesn't need bloated frameworks.
Don't obfuscate your JS either if you can help it. If I'm not sure if I should be trusting your site I'll be looking over your JS to see what's doing, but I'm not spending more time than it takes to glance over it either.
a convenient user experience to me, is one that fails gracefully without JS. Displaying text/images shouldn't need JS at all. I'll accept that it won't be as fancy without it, and I won't hold it against you for having JS as a fancy default, but a site should still be mostly functional without JS. Content at least should remain accessible.
Displaying pictures is one thing. But how are you going to create a dashboard that updates every short interval without JavaScript?
Let's say a website serves React from its own domain, so no 3rd party references are used (which in this case it'll be very easy for them to serve you a modified version of the framework), they'd rightfully want to save bandwidth and minimize it! Which means obfuscation as a byproduct.
I understand where you're coming from and I do a fair share of blocking myself, but I also see why things are the way they are if you want to develop an online product.
For somethings you really can't help but depend on javascript. I don't really mind it if it's something ambitious enough, it's the display of basic content breaking that bugs me most.
A dashboard may still work if you can just display the current data and add a note that because JS is disabled the page must be refreshed manually to pull updated values. You don't even have to throw in a refresh button since the browser's already got one. If I go to a website without JS enabled I expect things to take a bit more work on my part.
Minified JS is a problem I run into a lot. Most of the time though, I err on the side of caution and just move on. There's so many interesting things worthy of my attention that if the site full of inscrutable javascript is just a random article/blog post or something shared as a general "hey look at this cool/fun/impressive site" it can easily be abandoned for something less troublesome.
For sites I actually do need to access for some reason I can take the time to analyze it properly, but most of the time those kinds of sites are already familiar/trustworthy, and I've got other options too like firing up a less restricted browser in a VM.
I certainly don't expect developers to give up using JavaScript for the sake of the few users like me, but the better a site does at keeping content accessible without it the less likely I am to just move on to the next tab.
I was converted once I discovered that amazon.com still works with javascript disabled. You just do things the old fashioned way, form submissions that change the session state on the server and generate the html for the next page. I use "redmine" for project development / issue tracking and that works without javascript too.
The different form input elements do a lot of work for you, and are very platform-agnostic, unlike javascript, which will fail silently as soon as someone is on an out-of-date android/ios version.
We had lots of convenient user interfaces on the web without JS.
"The most simple things" absolutely do not require it. Simple things can be done in pure HTML. That's what the web has always fundamentally been about.
You should TRY building a site without JS. Just try it! You'll be amazed.
> Even the most simple things require it
The “simple things” like displaying a document don’t need JS. Why does every knowledge base system is JS when they are literally just showing a document? Or discussion forums when you’re JS reading them?
CSS works just fine without any javascript at all.
Here's a really obvious example: https://nextspaceflight.com/
Every single link on this page requires javascript to work, when they could be actually just proper href links.
Do you have some examples of things that require JS to do?
Upvoting a comment on Hacker News.
actually that doesn't require javascript.
Up voting is done via a link.
https://news.ycombinator.com/vote?id={id}&how=up&auth={auth}
https://news.ycombinator.com/item?id=11307758
While true you can use HN just fine with JS disabled.
I could have said chat clients, games, maps or other things that absolutely require JavaScript. I said upvote on HN to illustrate that even the most basic site still needs some JS to create a sane experience. Having the page reload every time you upvote a comment is not a good alternative.
It's been working for me for years just fine without JS. As for chat clients and games, those things absolutely do not belong in the slow pile of abstractions that is a web browser. They should be native applications and they are on my computers.
But you're right about maps. They're extremely well suited to being viewed in a browser with javascript.
What of the most simple of things require JavaScript or a third-party framework?
Modern CSS can handle a lot on the visual side, and modern HTML allows you to do form validation, dynamic lazy-loading and resizing of images, dialogs, collapsible elements, etc without JavaScript.
When I typed that I didn't mean showing a picture or serving a text file. Anything that's not a static page will probably require JavaScript.
I’m upvoting you. Congrats.
Look, I do run uBO. It doesn't even completely block JS, yet it still routinely breaks very basic pages, and I have to use a lot of webdev and industry knowledge to even try to unbreak them without entirely turning off blocking. So no, for most people who want to use mainstream websites, just turning off JS is not a real option. That this is a dystopic scenario does not change the practical reality.
I never have to turn off uBO to get pages to work. Am I just visiting really boring sites, or is there a default setting I should change to be more strict amd break more pages?
I don't know, I guess it could be that turning on the "I know what I'm doing" matrix features made it more strict? It seems like every e-commerce site and most blog/news sites want to host all their images offsite (mostly CDNs I assume) in some weird JS-mediated way. Anything with a captcha breaks. Any purchase checkout process that involves other domains, which is almost all of them, can be counted on to break. If someone can tell me I'm just misunderstanding what's going on, I'd love to spend less time messing with websites' guts and still be reasonably protected.
uBO can break sites, but in my experience doesn't to the degree that you're describing. Perhaps you should clear all settings and re-install the extension once and see if that helps?
Do you maybe have other content blocking extensions running at the same time as uBO that are causing 'clashes'?
For me uBO breaks 3D-secure, so it does in fact break every e-commerce checkout that uses it. I just disable the entire extension before I buy something, but it’s rather awkward.
That “enter just your web password here” thing? Don’t seem to for me. Amazon checkout seems to be breaking from something recently but likely not uBO filters.
I'll probably give this a shot. The only settings changes I can remember are allowing things, but I could be wrong. No other content-blocker extensions, I believe.
Sometimes 'Enhanced Tracking Protection' built into Firefox can break sites too. Click on the shield in the URL bar to toggle.
In that mode you can make it much more strict, such that it loads no js at all by default, and/or loads only first party scripts by default.
I think out of the box with the default blacklist mode very few things are broken, but the trade-off there is that you're running way more code. I do imagine the default list would block this specific nonsense from tiktok, although I haven't verified that assumption.
I block all scripts initially with ubo and slowly allow what I need to make a site function (or just close tab on sites I deem unworthy of the effort). This is certainly more than you could expect from a normal user.
I just had this problem today when trying to book a flight at American Airlines. The purchase button would simply not work when uBO was on.
this may be daydreaming too shallowly, but I wonder if basic Javascript UI patterns could be identified by some tool. Something along the lines of a new pane showing up in the Developer Tools that semantically identifies the roles of certain Javascript.
* This block of code ensures these UI elements are synched among each other. * This block of code sends this UI data to this server address.
Something that gives a rough & coarse data tracing dependency analysis of inputs and outputs. There may be techniques to defeat this but I think some general patterns would become established where web designs could begin to be shifted to compartmentalize different functionality to streamline such a tool being able to to pare off the insignificant and safe parts of JS and enable folks like yourself to zero in on the interesting and questionable parts.
Even without that tool, HTML continues to evolve and add common “components” that people have used JavaScript to create for decades, which work without (or with minimal) JS. For example, <details> and <summary>, <dialog>, <datalist>, and more.
That’s interesting so your saying when developers offload to the html standard typical UI workflows that have been baked into certain html tags then there’s less innocuous JS to have to wade through in the first place. That’s amazing actually and very welcomed.
That's what LibreJS does.
https://www.gnu.org/software/librejs/
It is not terribly useful.
That is behavior based malware analysis.
I use uBO with JavaScript on and almost all the filter lists it ships with enabled. Never had any problems with web functionality.
I just tried adding tiktok.com to "My filters", but it seems like ads.tiktok.com is still accessible with that rule -- how can I block all tiktok subdomains simultaneously?
Seems like automatic loading of resources (hosted by third parties) by popular web browsers is beyond question.
I access the www everyday using a browser that does not auto-load resources. It would be dishonest to claim it is not useful.
I recall a brief period of time in the early www where web pages could contain "Java applets" and the browser would prompt the user if they wanted to run the code.
Web developers have become so dependent on all this control they have been given over unsuspecting computer users, how would they react to removing/reducing any of these "features".
The "modern" web browser feels like a Trojan Horse.
Is it really a good idea to automatically send resources to a client that has not explicitly requested them. It is behaviour that takes control away from the client. (Needless to say, this behaviour is open to tremendous abuse and can be wasteful.)
Auto-fetching took this to a new level. (I always disable this behaviour, either within the client or outside it.)
Going even further, HTTP/2 server push has IMO only highlighted the questionable nature of this behaviour. Its justification is "performance" but it still removes control from the client. Will push be removed from Chrome.
https://groups.google.com/a/chromium.org/g/blink-dev/c/K3rYL...
More than feels -- it is a Trojan horse.
More and more of our lives are conducted interacting through the web. The vast majority of the tooling is focused on eye candy.
What is given up completely if we leave javascript? Or, how can we lock down browsers to stop this nonsense without completely disabling it?
Not only that, but at least since 8 years ago give or take, your cookies/other identifying info can be matched to an offline traceable tender such as credit card / loyalty program.
8 years ago, I could very much target viewers (no click needed) who have bought XYZ using a credit card or on the attribution end, know you saw a specific ad and went into the store and bought it.
Javascript and browse behavior added much resolution to that.
Source: Am in the advertising industry and worked on accounts in the Fortune 5.
It's a shame uMatrix is no longer actively supported because it was the silver bullet for this kind of shit.
I think uBlock Origin can do the same things with uMatrix.
Yeah, but uMatrix still works. It's kind of a finished product. It still received a security update since support ended. I use it all the time and am fascinated at the amount of third party scripts so many websites use. I always appreciate a site that loads everything from their own domain, which is rare. As for social media tracking scripts, I block them all. Google/gstatic is the only one that gets a free pass, otherwise too many sites won't work.
uBlock has all the functionality of uMatrix and more, FYI.
Except the easy GUI UX
> It's hard to believe I have to say that after the many decades of people getting it drilled into their heads "Do not open random email attachments" (...)
You need to take a step back and figure out what you're failing to understand before going into these "everyone is a fool" rants.
One of the reasons people don't understand the risks is the fact that, by design, these risks don't exist at the eye of the end user. No one knows, not even you, how many servers are being hit when you click on a link.
You're opening emails, you're clicking a link, and hundreds of requests are flying out of your browser right under your nose to God knows where. How many of them are requesting useless images you never saw? How many if them are reporting telemetry data on how you're using a website? You do not know. Why are you whining about other not knowing as well?
Privacy is a hard problem because everyone is using a system explicitly designed to transfer information around without any control or supervision. Up until now the best tool we have at our disposal is a set of laws that require companies to disclose and delete data they collect on us.
Blaming the end user for clicking links is victim blaming, and demonstrates a colossal amount of ignorance about the problem domain.
Shouldnt this have been rendered impossible with Apple and Google’s crackdown on third-party cookies? Whether it a 1x1 tracking pixel or a full-blown Javascript, Apple’s ITP protection would seem to render it unables to track people across websites.
The key word is SEEM. I have no idea regarding all the contradictory news coming out of all the camps. I posted a question on StackOverflow with a significant bounty that expires in 5 hours and so far no one has even showed up to answer it:
https://stackoverflow.com/questions/73794780/what-exactly-do...
I can shed some light on this maybe, don't have a SO account. You're completely right about "SEEM". It does do enough that it significantly lowers the resolution of data and ability for systems to infer your behaviors / persona. It will force more of the ad ecosystem to server to server data pass through: https://developers.google.com/tag-platform/tag-manager/serve...
I mention it in a post above, but data brokers have existed for a decade, which don't really care about any of this. Your email/phone/credit card + purchase behavior for instance, is likely sent to 3rd parties (as md5/sha hashed values) It boils down to sample resolution and sample size. Javascript made it really easy for literally every website to collect browse behaviors. ITP makes the skill ceiling / investment to collect this data much higher.
How would third parties track you across websites now? Given any skill level?
I can think of only one: convincing websites to add a CNAME to point subdomains to their servers.
I don't work in the ad space, but it's my understanding that that's where things are going.
See here for Facebook, but I'd expect other providers to do the same.
https://developers.facebook.com/docs/marketing-api/conversio...
ITP doesn't conceal the IP & user-agent, which is enough to track someone reliably since most connections still have a persistent-enough IP address. It only breaks down if you're behind NAT (sharing the public IP with lots of other people) and have a very common user-agent such as the one of the latest version of a mainstream browser.
The only way to defeat this is to 1) have all browsers standardize on a single user-agent that never changes going forwards and 2) per-origin VPNs so that the public IP seen by each origin is different.
ITP is with Safari, and most people using it will have the latest version, so will blend into the Apple user crowed that way. And private relay is pretty much a VPN.
CNAME wouldn’t work because then the cookie is bound to that domain. So the identity doesn’t travel from website to website.
Well, yes and no
First of all, the subdomain can redirect to google.com and back, loading it in a first-party context, and then redirect to your main domain page. I guess Google here would be a “second party”. https://learn.microsoft.com/en-us/azure/active-directory/dev...
Second way is that subdomain can load an iframe from google.com and the iframe will send a postMessage to the enclosing page, which will send a request to the server to set a cookie.
As long as you logged in ONCE in google (let’s say in a popup, or maybe using ITP’s click-to-login) then it will store the session cookie this way. And after that it can meep a cookie around for 10 years and track this guy across all the subdomains where he signed in once.
All you have to do to stop cross-site tracking is to disable third-party cookies in your browser. That's really it. This misfeature should've never been invented in the first place.
> disable unsafe remote code execution
... cue the WHATWG cronies shreiking "but but but but you will BREAK THE WEB"
Non techie here. Can you explain the difference please?
A web browser is an application that safely executes untrusted remote code. It sounds like you don’t want to use a web browser.
Is it really safe when a company - such as TikTok - is executing arbitrary code on properties they don’t own or operate, without user consent?
That doesn’t seem safe to me.
Then I'm sure you wouldn't mind running this cryptominer in your browser for me. It's safe.
Yeah I had to implement this once because we ran a handful of ads on TikTok, so they wanted access to all of our traffic. I protested, saying they didn't need all traffic to do analytics for people who click through.. just tell me how to identify the traffic you need. This is fair, if somebody clicks on an ad then analytics would be expected.
Yeah no, they didn't allow their advertisers to do that. I ended up getting permission to remove from the site when their pixel was found to be causing a performance impact for users. But without good monitoring for that they would have still been running, possibly for forever. I'm sure this is basically how they get to be everywhere.
Why not use the "server to server" api for conversion events?
Egress and runtime restrictions made that difficult at scale, just didn't have extra time.
> You can’t stop data collection from the tech industry altogether, but with a few simple steps you can make a dent in the amount of information that’s being collected.
> Use privacy-protecting browser extensions. You can add extensions to your browser that will do a lot to protect your privacy. One is Disconnect, made by the company that performed our TikTok investigation. The Disconnect extension shows you how websites are trying to track you and blocks a lot of that data collection. Privacy experts often recommend uBlock Origin, as well.
> Change your browser’s privacy settings. A lot of browsers have built-in controls you can use to block trackers, including cookies, pixels, and other technologies. Open your browser’s preferences or settings, and you’ll usually find the controls in the privacy section.
> Try a more private browser. Google Chrome collects a lot of data on behalf of Google. The Consumer Reports Security Planner recommends Firefox and Brave as more privacy-focused options.
Case closed when you use uBlock Origin preferably with Brave or Firefox. As an extra measure I disable JS Unless it's really needed, and surf in a private/incognito session to stop cookies building up.
Shame uMatrix is dead, but I use it to allow javascript for the local domain, and disable for third-party domains by default. It allows me to use at least some websites without too much fiddling with the uMatrix settings.
Ublock origin advanced mode with some other setting I can't remember can get you filtering similar to (but not quite as advanced as) umatrix.
Edit: After setting advanced mode, hit ctrl twice in the popup to get the green/gray/red filtering. https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-qu...
What do you mean umatrix is dead?
I'm using it now, and it's IMO hands down *the absolute best extension I have ever used*.
uMatrix >> (uBO | noScript | privacy badger | cookie ninja | cookie autodelete | etc)
I use all of them along with vimium-ff and midnightlizard, but uMatrix is by far the best idea for managing what is run for better privacy and performance of browsing.
I use it daily too and it's on my list of essential plugins, but gorhill archived the repo and development has halted as best as I can tell [0] which leads to complications [1].
[0] https://www.ghacks.net/2020/09/20/umatrix-development-has-en...
[1] https://www.ghacks.net/2021/07/15/umatrix-has-an-unfixed-vul...
I am also still using it and haven't run into any issues so far. But it is unmaintained for quite some time now last I checked so I assume that eventually it will just stop working.
It's quite nice though. I have it set to disable any and all third party resources by default and from there it's generally fairly easy to permit the necessary things the first time I visit a site. And if it proves to be difficult I generally just decline to use that website at all.
As long as firefox maintains the API it should work just fine. But the day the don't a lot of people will be unhappy. I always figured some bored javascript wizard would eventually pick it up since gorhill archived it, but I don't think anyone has
I so wish umatrix maintenance was restarted. Hopefully someone capable will. I'd donate money to that effort. While ublock origin is nice, umatrix is so much better.
What improvements do you think should be made to it?
The github repository is archived, last update was June 20, 2021 https://github.com/gorhill/uMatrix
AFAIK uMatrix creator made uBlock origin. He hasn't worked on uMatrix for a while now. That's just something for you to look into.
The documentation of uBlock Origin is worth reading.
With iOS you’re SOL. No extensions. And they allow in-app browsers. I wish it would be banned.
> With iOS you’re SOL. No extensions
I’m reading this using iCab Mobile on iOS, which is a browser apparently no-one on HN has ever heard of, as I need to mention it every time this tired old and inaccurate assertion is trotted-out again.
This browser allows you to define your own blocking lists, including filters for every conceivable combination of JS, CSS, cross-site, cookie-based and URL tracking.
So which part do you want to ban exactly?
[0] https://apps.apple.com/us/app/icab-mobile-web-browser/id3081...
AdGuard on iOS works in Safari and all in-app browsers that use Safari View Controllers (unfortunately a lot of malicious apps such as social networks don't use it for this exact reason).
It's not a perfect replacement for UBO as the underlying filtering API isn't as powerful but it does a good enough job most of the time. It still uses the same filter lists as UBO (though again it's not able to make all rules work, due to API limitations).
I'm not familiar enough with iOS, does Apple still allow apps to use a different web view that the filters do not apply to? If so is there any reason they shouldn't require Safari View Controllers for App Store submission?
> does Apple still allow apps to use a different web view that the filters do not apply to
The web views the filters don't apply to have different use-cases such as customizing/hiding the browser UI elements, injecting Javascript, etc. There are legitimate reasons to use it in some cases (in case you need to display server-side-rendered content as if it was native).
Of course, Apple could decide on a case-by-case basis and reject usages of the legacy web view when the new implementation is appropriate, but they won't just like they don't do anything for apps that lie on the "privacy nutrition labels" about the data they collect or various other breaches of the App Store guidelines.
> surf in a private/incognito session to stop cookies building up.
Rather than do this, you should install Cookie Autodelete. It simply clears all cookies when a site is closed, while incognito only clears when all incognito windows are closed.
You dont need UBlock with Brave, brave Shields do what UBlock does while being faster(rust) and integrated in the browser.
This is mostly true however Brave Shields do not support the $removeparam operator so it is unable to remove url based tracking. You still need uBO or the ClearURLs extension to do that. https://github.com/brave/adblock-rust/issues/166)
Brave already removes tracking parameters from URLs
https://brave.com/privacy-updates/5-grab-bag/
When you share a video link on TikTok, it’ll append a bunch of tracking data to know who opened it and notify you. That’s not really a surprise, but what’s more sneaky is they shorten the “shared” video links into a few unique characters without visible tracking data and parameters in the URL (AFAIK they used to visibly expose tracking data on the URL a few years ago but recently started using a URL shortener).
ie. https://www.tiktok.com/t/ZTRmqkW4N
What seems like an inconspicuous and universal URL for a video actually sends a lot of advertising and tracing data back to TikTok’s servers about your friend/you.
I’ve been wondering how TikTok knows to suggest me friends of friends of friends with me having the most basic profile with no connections and my friends not actually having Tik Tok. But now it makes sense, and apart from evil, it’s brilliant.
It just like twitter, but even more sneaky.
Wow that’s scary. Is there a way to share a video without that?
It appears to just be an HTTP 301 redirect, so you could use something like curl to unroll it:
produces: Trim off the GET params (the bit after the ? in the URL) and you get <https://www.tiktok.com/@spencer.sebastian.yang/video/7149578...>. That appears to load in a browser for me.I did check to see if that resulting URL after the first redirect is also a redirect. It is not, but also returned an HTTP 403 response ('Forbidden'), when submitted without cookies that had been added.
When you run that curl command, TikTok already knows your IP, which is a very valuable piece of information. Unless you maintain a server that has its own IP and does nothing except de-personalizing TikTok links, and always visit the tracking-free URL from another computer with a different IP, something like that. While it is possible, I am pretty sure most people, including most people here, don't want to do that.
Sounds like a new SaaS to remove TikTok tracking. Some way to redirect any TikTok link w/o the tracking. You could then do the most SV thing to offer it for free and store the same tracking info yourself and/or deliver ads from your accounts
That's an excellent point.
On the other hand, I don't think most people consider a public IP address to be private or protected information. If you're interested in finding the "root" content URL, which lives on a TikTok domain, then you've already implicitly signaled that you accept them knowing your public IP address.
Of course nobody could consider an IP address private information, similar to how a license plate can be read by everyone wherever you go.
But that doesn't mean it's not protected by privacy legislation. Your plate or IP isn't secret, but tracking everywhere it goes still impacts privacy.
Maybe use a proxy/private frontend? Proxitok.
https://github.com/pablouser1/ProxiTok
Download the video and send it the old-fashioned way, is really the only option.
You can disable the link tracking thing in settings, bit buried but settings > privacy > suggest your account to others > people who open or send links to you
The fact that they let you disable it is a miracle
The miracle would be that disabling suggesting your account (as an account to follow) would disable the tracking. And I don't believe in miracles :p
Even then, you can never be certain that a service isn't providing you with a URL for something that is unique to you. For example, if HN wanted to go evil there's no reason it couldn't hand out a unique URL to every single visitor for every single page visited and invisibly map them to the appropriate resource on the backend. And they could even perform a redirect to a different unique URL each time one was loaded to reduce overlap between different parties (since most people wouldn't bother to counteract the redirect when resharing something).
And it's not even resource intensive to do something like this. It can all be done in a purely stateless manner by concatenating an internal ID with a counter and encrypting it to derive the URL that gets served to the user.
The moral of the story is, you should really download and share things yourself.
Just use NoScript, uBlock and/or a VPN with a PiHole server as a primary DNS and stop whining.
Of course I do hate it that the only way to make money on the web today is though ads and trackers. Of course I hate it to be monitored by sneaky pixels, even if I don't use the app. But the solution to the problem is quite simple: does my browser actually render and run the Javascript? If the answer is no (because the tracking script is either stopped by NoScript, or by uBlock, or by the DNS itself that resolves the tracking domain to 127.0.0.1), then I have no problem.
Let's stop whining of IT products tracking every single aspect of our digital lives: almost 30 years down the line, and the Internet hasn't yet figured out a way to make money other than ads and trackers, and it's not going to change any time soon. Instead, let's just make sure that the change happens faster: let's educate people to block all the trackers on all of their devices, so these companies are FORCED to come up with better ways of making money, or they just go burst.
That's harder to do on mobile devices. Good system-wide, every-network adblocking on Android requires root. It's hard to obtain root on some devices, and Google is actively aiding app makers to block rooted devices with SafetyNet. I lack experience with iOS, but I assume the situation is worse there.
As a practical matter, this means that while I can tell my mother to install uBlock Origin on her desktop browser, it isn't practical for me to tell her to root her phone and run Adaway on it.
Of course, most people use smartphones much more than they do PCs lately.
It's doable when without root. In my case I simply run PiHole on a server and use it as the default DNS for my VPN. Install Wireguard on the phone, connect to the VPN, and there you go - all of your DNS requests now go through PiHole.
iOS is better than you think. allows limited adblocking in Safari, think of it as 'uBlock lite'. Due to limitations regarding size, etc, not everything can be blocked, however, do not track provides a bit more in this sense. Beyond that? Yattee blocks 100% of Youtube ads + sponsorships (I personally do not have an issue with sponsorships, but YouTube can eat it with their ads), Apollo does not show ads for Reddit, etc. (Note that Apollo is the absolute best way to view Reddit on the internet. period.)
I suspect Apple will improve things in the future. Media/News companies have attempted to vilify Apple by saying they are 'getting into the ad business', however I suspect that Apple will (as usual) take a user centric approach with expanding their ad business. I am absolutely not the person to defend Apple 24/7, however their privacy practices have been great.
I have a VPS with a Wireguard VPN that runs a PiHole DNS on it. Just toggling the VPN switch on Android is sufficient to get all the DNS requests to tracking domains flushed down the sinkhole - no root required.
Granted, it takes some technical skills to set up, but once it's set up other people can easily connect to the same VPN and have the same level of protection - my wife's and my mother's phones are also connected to the same VPN.
> I lack experience with iOS, but I assume the situation is worse there.
I use NextDNS (sort of "Pi-hole-as-a-Service"), which provides a "configuration profile […] that will make your device use NextDNS natively using the Encrypted DNS feature". I can't imagine it being any easier, really.
https://apple.nextdns.io/
You don't need to root your device to set the DNS. MiUI does hide the setting, but stock android has it in the settings. You can then set your DNS to dns.adguard.com or create a nextDns account. Then you can block ads system wide.
Brave + a VPN with DNS block for ads get you pretty far.
On iOS VPNs are a joke, and everything is a limited WebKit reskin.
No surprise. Every company with an ad platform uses a pixel. Meta, Google, Reddit, Microsoft. Advertisers add it to their site to get access to things like tracking of performance if their ads, and custom audiences for retargeting or look-alike audiences. In exchange, that ad platform gets your browsing data.
It's not great, but everyone is doing it so I wouldn't consider the fact that TikTok, one of the biggest social media platforms, does it too as news.
I basically want a browser list that bans specific 'big providers' systematically and then access those providers via a provider specific sandbox limited to just them. Kind of like firefox account containers, with a premade set, without the bad perf / bugs of firefox.
Apple has an ad platform. Do they use this?
They don’t need to do this if they’re routing all your traffic through their servers
Apple's ad platform does not track users or their behavior.
Lol yes they do: https://www.apple.com/legal/privacy/data/en/apple-advertisin...
Here are a couple:
The be precise:
Apple’s advertising platform does not track you, meaning that it does not link user or device data collected from our apps with user or device data collected from third parties for targeted advertising or advertising measurement purposes, and does not share user or device data with data brokers.
They do and unlike a browser you have no control over it
If this were the case, it would be a huge lawsuit, given they state the opposite:
You can turn off Personalized Ads on your iOS or iPadOS device by going to Settings > Privacy & Security > Apple Advertising and tapping to turn off Personalized Ads. On Mac, go to System Settings > Privacy & Security > Privacy, click Apple Advertising, and deselect Personalized Ads. The Personalized Ads option may be unavailable if you are a minor, have a managed account, or are in a location where Apple does not deliver advertising to its apps.
That's up to you to believe that yeah (also the wording isn't very clear on what is still included either), I prefer just cutting off the data.
Do all the ad companies require this pixel on every page of your site? In other words, could you not have an ad platform specific page that embeds the pixel and acts as the landing page for any of your ads?
If so, I don't see any problem with that. The only customers accessing that page would be incoming ad clicks.
No. They don't even require it at all, but they encourage you to do so to get access to certain things.
Without the pixel, the platform sees a click on their side. But if you wanted to pay for other conversions, eg a purchase, you'd need to send an event back (either via pixel or via API).
As an other example, if you wanted to retarget, you'd also need the pixel. Let's say you wanted to target users who added an item to their cart but never purchased, the pixel would fire a "added to cart" event.
Finally, if you want look-alike audiences, you'd want to pixel as many users as broadly across your site as possible. As an example of this last one, you might want to tell the ad platform to show your ad to people who seem to resemble people who have made purchases on your site. Having the pixel let's them build that list of users who purchased on your site, then try to target users who seem to have similar interests/location/browsing habits. The funny part about this is the platform might implicit learn to target your ad to people who have visited a competitor. But since you add the pixel too, they show the competitor ad to people who visit you. So the ad platform is really a weapons dealer here.
So Yea, you could decide to only use the pixel in a limited way, or not use it at all, but you'd miss out on better targeting, optimization, and reporting.
If you put the pixel on a lan
Facebook and Google let marketers re-target audiences using on-site activity.
TFA:"Consumer Reports found that the company uses some of the same techniques as Google, Meta, and other companies to collect personal data" It's even the article byline!
So I have a pi hole for my home network, and a wireguard connection back to it when I'm out and about. I run ublock on everything, block all the javascript, all the stuff.
But I do it because ads are annoying -- I don't like how they look and I don't like how they slow down every experience. I...don't really care about the tracking aspect? As far as I can tell, nothing bad happens to people because some faceless entity is tracking all your browser history.
Is there some secret malice that I'm not aware of that I should be more concerned about? Near as I can tell all this vast tracking infrastructure is really only there to more precisely target me with ads and doesn't really do anything else.
As far as privacy goes, I'm much more weirded out by the fact that my property tax records are public. Or that cell providers have the ability to fairly accurately track my location if they want to. Facebook seems pretty benign compared against that.
The argument goes, that if they can target you for ads they can also correlate this with political beliefs, your ethnicity, your financial situation and so one.
If you want a credit and you are friends with people who don't pay back their debts you are also a risk for the bank and get a higher rate.
If you want an insurance and you are a extrem cyclists you won't get one.
If you open a shopping side and they know you can afford it, they mark up the price. (Udemy is ridiculously doing this)
Yes, this is death by a thousand paper cuts.
What could the Chinese Government do with the data? Lower or rise your social credit score? Stop you from visiting China. Throw you in Jail for watching Winnie Poo?
All the other tech giants were in the US and so we didn’t have to worried about this. At least if you weren't a terrorist or behaved like one. Now China has a totally different agenda.
Is it okay to be LGBTQ in China? What happeneds if you watch a TikTok with this theme?
Yes, I am very aware of all the potential dangers, which contributes to my blocking everything in the first place. I am curious if, in the United States, there are any realized dangers to these privacy violations.
The Udemy thing is interesting, but it's also (as far as I can tell) just doing stuff with first party cookies and region lookups. Nothing at all the level of sophistication that is being observed from Meta or Tiktok.
I'd love to hear stories of people who got screwed because of facebook or Google's broad web of surveillance, but as near as I can tell, nobody is actually being harmed.
Google and Facebook coin it as violation of their terms. Just watch HN and you will get the next story every other month.
But the most chilling quote is "we kill people based on metadata":
As NSA General Counsel Stewart Baker has said, “metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.” When I quoted Baker at a recent debate at Johns Hopkins University, my opponent, General Michael Hayden, former director of the NSA and the CIA, called Baker’s comment “absolutely correct,” and raised him one, asserting, “We kill people based on metadata.”
I'm not entirely sure what you're hinting at. Are you saying that the US military and intelligence agencies use metadata to track down and kill people that they deem as enemies? And that Meta/Google/etc. are in cahoots with them to do this?
Can you link me example of this happening? Is there credible evidence that an ordinary citizen (like myself) is in more danger from state actors because of the information harvesting that large corporations engage in? I feel like if the government wants to track down and kill me they already have my address, cell phone records, etc. No need to contact Meta or Tiktok.
You write this as if this wasn't common knowledge: https://en.m.wikipedia.org/wiki/Global_surveillance_disclosu...
If they had no need for contacting Meta and Microsoft and Google, why did they do so?
How could would this put an ordinary citizen at risk? I don't know. All the data is run through an AI and if it labels you terrorist, who is to question it?
They sure kill a lot of people in Pakistan based on this data:
https://arstechnica.com/information-technology/2016/02/the-n...
> At least if you weren't a terrorist or behaved like one.
Though sadly there are plenty of false positives here too...
Block the domain analytics.tiktok.com
If your goal is to limit tracking, this does help, however it won't stop any server to server (versus client browser to server) data pass through. Any events the advertiser/publisher deems important, they can first-party collect the relevant tracking data and pass it from their server to the ad server (i.e. TikTok, Google, MS, FB etc.)
Is this actual or just theoretical? I think most sites are doing the simplest thing. https://ads.tiktok.com/help/article?aid=9663
Actual. Tiktok: https://ads.tiktok.com/help/article?aid=10003669 FB: https://developers.facebook.com/docs/marketing-api/conversio... Google: https://developers.google.com/tag-platform/tag-manager/serve...
You're right most are doing the simplest things as most marketers do not have tech experience to understand the advanced methods. As more people try to prevent Javascript, you'll start to see more and more companies adopt these methods.
Exactly, with a Pi-Hole.
Regex blacklist:
Yes, if you’re lazy or you want to quickly switch some services on/off, I suggest you the great app: Pi-Hole Remote (https://rocketscience-it.nl), there's a handy list with all of the privacy intrusive services (regex) that you can turn on/off with a switch (screenshot https://ibb.co/fNDyq36)
Unfortunately, the TikTok app falls back on DoH if it detects domain blocking.
https://www.reddit.com/r/AppSecurity/comments/f422f3/tiktok_...
At least it'll stop people who don't have the TikTok app being tracked though.
That's ok, DoH firewall rules to the rescue! You can get lists of all known DoH servers and just load them up on a router, drop anything going there, and you're done.
If you don't use TikTok, and you happen to live in the EU, UK, California or Brazil, send them a data deletion request. Here's an easy way: https://yourdigitalrights.org/d/tiktok.com
Plenty of comments here talking about using uBlock [Origin], piHole, disabling JS, and so on, but it doesn't look like anybody has bothered to ask specifically how TikTok is actually doing the tracking. And TFA doesn't explain the method(s) in any technical detail.
I visited several of the sites mentioned in TFA, and uBlock didn't show any connection requests being made to any tiktok-related URLs. Nor were there any unfamiliar websites commonly shared amongst these sites in case TikTok was using a proxy service to hide behind.
I just tried the United Methodist Church website [1] after disabling UBo and accepting cookies. It then GETs an events JS file from tiktok.com, which runs and GETs a main JS file from tiktok.com that then makes a POST request to tiktok.com containing my device, page url, referrer, session ID, useragent and timestamp.
If you are running uBlock then you are probably blocking google tag manager that initiates these calls.
1. https://www.umc.org/
Thanks for this. I hadn't considered googletagmanager.com but that appears to be the likely culprit as it is the common denominator between these sites.
Fuck Tiktok.
Apart from being a disgustingly deadly teenage trap it is a privacy leech at the same time. It's time people realized how useless and distracting these social media apps are, and that they are not really necessary for any functioning of the society. Real knowledge could come from reading books and sites like Wikipedia. Tiktok is good for nothing other than trapping tennagers to make them get viral by doing some really nasty/dangerous stuff.
I would say fuck ad-supported social media. TikTok is no different than Facebook, Twitter, etc besides some China-related fear-mongering (which may be true or not, but the point is, nobody should be stalking people on the internet, regardless of whether the stalker is American or Chinese).
What is the source of the tracker? It can't be tiktok.com.
They must be using a different name domain.
analytics.tiktok.com. googletagmanager.com has a script that gets the analytics JS from tiktok, so if you're blocking Google Tag Manager, then you'll never even see an attempt at loading from tiktok.
Thanks. For some reason, I never gray listed that site. Now I know better
somewhat related, one time someone mentioned that reddit’s analytics runs off the main domain such that one wouldn’t be able to block analytics without blocking the site and its content itself.
does anyone remember the comment or article that mentioned it? it seems like this tactic will be increasingly useful for companies whose revenue is entirely ad dependent. somewhat related, do any ad blocker extensions block POST/PUT but not GET?
> The Arizona Department of Economic Security tells TikTok when you view > pages concerned with domestic violence or food assistance.
I mean, I understand a random site doing this sh*t, but this is a gov agency, right? What the hell any ad tracking is doing there?
No, they don't track me across the web ;)
I have js disabled by default on my PC's and laptops. If I need (or want) to use a site that require js, I do so in a VM, and I use that VM only for one or a few related sites (like Hacker News and Slashdot). Each VM has different screen sizes and operating systems / Linux distributions. If I research a subject that is even slightly controversial, I use the Tor browser from a VM or Tails.
But mostly, I just ignore companies and organizations that don't know how to make a website work without js.
That sounds like a lot of work for what could be covered by self-destructing cookies, spoofing your user-agent, and in the worst case using Tor (which for me is a keyboard shortcut in Brave). I really don't think the extra hassle of VMs is worth it -- these are ad companies trying to fingerprint you, not state actors using zero-days on you.
Personally, I dream of a future where 90% of content is delivered over RSS or similar and the middle man (bloated web pages) are cut out entirely.
> That sounds like a lot of work
It's a matter of principle. And once the VM's are created, they don't add much overhead.
This is the same technology used by Google, Facebook, Linkedin, Pinterest, Snapchat, and Twitter. There are other services like Clearbit that offer just the data part of this, without the social media network attached. Every major ad network does this.
There is nothing unique about TikTok's tracking implementations other than how much data they attempt to take in.
The title should be TikTok (like Google, Meta and other ad companies) now too tracks you across the web.
Side question: uBlock Origin + Brave should be enough for this type of tracking, right?
Yes, since its a JS script that will get blocked automatically.
And you don't need UBlock with Brave, Nrave shields do the same thing while being faster(rust and integrated in the browser itself) and not being dependent on any extension updates.
There is a noticeable performance hit when using uBlock + shields.
Everyday that passes without banning TikTok is a wasted day. Everyone knows that’s a China sponsored spyware, but that’s ok because it’s entertaining!
Tech savvy folks, is it enough to run Privacy badger and uBlock origin (on Firefox)? I also let Firefox use its enhanced tracking protections.
It depends what you're trying to solve. I would say it will lower the resolution of any "profiles" built on you in aggregate, but it does not stop a profile being built.
+ uMatrix or NoScript and you have a top notch setup Edit: and maybe something for cookies / cookie banners
https://archive.ph/RTsuG
Thanks for posting this! Ok as a web dev who actively cares about user privacy—- can these things accidentally sneak onto my page through npm deps? Or would I need to install them deliberately? If so —— how are they on gov websites??
Wild guess: they're part of a default "share buttons" repository that includes the "Share on Twitter, Facebook, Google+" buttons for the page, or something very similar to that.
Couldn't you just try out your webpage in your browser and see what network calls are being made? That way you can see if you're calling Tiktok or not.
I just wrote the most scathing review I could, and ads pop up for the product. Gee. Thanks. So Every time, I click through and minimize. I know its junk.
TikTok proxy, no Javascript required
https://proxitok.pabloferreiro.es/
Article talking about how tracking pixels are bad. Has Facebook, Twitter and Pintrest tracking pixels front and center above the fold.
No they don’t because I have AdGuard und my local network and on my phone. And I don’t understand why someone would not install this
As opposed to Google and Facebook, two companies known for their zealous defense of privacy?
That's not the point. No one said other companies didn't do similar things. I assume they all want to get as much info as possible without breaking the law. I think the elephant in the room however is that they also send a copy to the Chinese Communist Party databases as well.
s/without breaking the law/without getting caught or punished for breaking the law/
There is plenty of room in my heart for hate for all of them!
Except in the EU, I suppose?
My guess would be you just get an annoying banner and click "agree to all" on it by habit, then it does the same thing.
Why would they, considering nobody gives a shit about punishing GDPR breaches? Google and Facebook are still around and do the same.
So does everyone else. The question is what are they doing with it.
Do you think their ties to China make them doing it any more nefarious or no?
As european I don't assume either US or china has my interests in mind when regulating privacy-invading activity.
I make the same assumption about Europe and China as well. You can't be too careful
Anything we can toss into the HOSTS file to address this?
Nice. Thanks!
Typical practice for any ads-based companies
Make shadow profiles illegal.
That is a very realistic vision of how things work in this world.
It sort of is... you convince your peers and vote.
Can be something like, companies can’t store PII without getting explicit user consent.
They will do it without PII.
It can be worded so that collecting any specific information pre and post-processed (to cover ML) about a person who is not a consenting user of your service allows individuals to sue for punitive damages and in exteme cases make it a felony.Any information, even anonymized information about individuals will be prohibited. However, if you use Google for example and agree to their ToS they can do whatever they want within reason, so long as the activity being tracked is related to the user explicitly interacting with a google service. So tracking cookies and all the weird shit they do is fine for their users, they just can't track users if the user visited hn.com and they did not explicitly consent to being tracked by google analytics, the hn.com admin can let you know it wants to allow the 3rd party service google to track you and get your consent.
This stuff is possible, I despise all the fatalism. Us, the people that understand this at any depth just need to agree on it and speak very loudly and convince our peers, being defeated and hoping politicians figure out tech some day is silly. That's why I am trying to discuss this here.
GDPR would already outlaw those - the problem is that nobody is interested in enforcing it sufficiently to actually deter such behaviour.