Block adblocker blocking

[jibe-b]

Some mechanisms exist which block access to a page if an adblock is active, such as https://blockadblock.com/ (only reason for citing this one is that I encountered it today).

There may be a need for a sandboxing mechanism, so that anti-blocking scripts be not aware of the blocking of API calls.

Otherwise, hiding a part of the browser fingerprint (in particular addons list) may help.

[ghostwords]

Related: #1444 (Washington Post), #804 (Wired).

I'm not sure we can solve this in an automated way. Making site-specific exceptions (don't block the following domains on wired.com to avoid the adblocking message) would work though.

However, Privacy Badger is not an ad blocker. Privacy Badger is an non-consensual tracking blocker. I would like to get the sites to work with us somehow, rather than play cat-and-mouse with their adblocker detectors.

[ghostwords]

We're thinking about the best approach for this internally at the EFF. Silently removing the message may not be the most effective course of action for Privacy Badger to take.

[bcyphers]

Another one I encountered today is Admiral. The site I found it on let me choose "continue without supporting," so it wasn't a big deal, but I still had to go through a guilt-tripping splash page.

Interestingly, they even have a form on their website where you can indicate that you're an aggrieved adblock user, and another GDPR-related survey where you can answer a few multiple-choice questions about how much you like being tracked. They list several ad blockers by name in the first form, but there's no mention of Privacy Badger.

[deisi]

@ghostwords you think there is any way of getting in touch with all these newspages? I fear it will get more and more quickly, since this is how they earn money. Also, from there point of view PrivacyBadger is an adblocker because it blocks their adds.

[ghostwords]

@deisi Yes! We were considering creating a call-to-action UI to make it easy for Privacy Badger users to contact the papers, and also tweeting (maybe) at the papers to point out that Privacy Badger is not an ad blocker (it's a non-consensual tracking blocker, privacy-respecting ads should be fine). @alanton @andresbase

[AramZS]

Hey @ghostwords I'd be interested in at least understanding if there's a balance between some of the blocking Privacy Badger does vs the requirements of publishers. Not speaking in any official capacity, but blocking-by-default the basic calls to the world's most popular ad server (pubads.g.doubleclick.net and securepubads.g.doubleclick.net) is basically an ad block. You can block a lot of the tracking tools and not block the calls to doubleclick and protect users from pretty much all tracking while still allowing publishers to make basic ad calls. Those URLs shouldn't be doing a ton of user tracking in and of themselves (if at all), they are mostly vectors to transmit such data, but if the 3rd party user tracking is blocked they will still call ads, just without the user data that would normally be attached.

Why not have them unblocked by default? I feel like this would effectively protect users while allowing ad calls so publishers can continue to make money and create the content that brought people there in the first place. If users disagree, they can always switch blocking those URLs on?

[ghostwords]

Hi @AramZS! We don't compile lists of domains for Privacy Badger to block; Privacy Badger learns to block by observing which domains appear to track you as you browse the Web. If the world's most popular ad server fails to respect your privacy, Privacy Badger should indeed block it.

I think you see the status quo as a necessary evil (?), while Privacy Badger sees it as something amenable to change. (Publishers ultimately don't have to use invasive ads/ad networks to make money.)

Am I missing your point though? How can we allow DoubleClick (a disturbingly prevalent third-party tracker) to function while disallowing third-party tracking?

[ghostwords]

A related thread: #1686.

[AramZS]

@ghostwords Here's the thing though, those particular DoubleClick URLs do not always themselves do tracking. Those requests are not just trackers but scripts and delivery mechanisms for ads that can carry trackers or tracker data. For example, in/for the EU many publishers switch Google to setRequestNonPersonalizedAds mode (see: https://support.google.com/admanager/answer/7678538?hl=en ), in which case DFP does no meaningful user tracking itself with requests coming from those URLs.

I agree, the direction of the web needs to move to eliminate unasked-for tracking, and I think tools like Privacy Badger are good for pushing publishers and advertisers towards a less-tracked environment on the web. I don't think the status quo need continue the way it is (I suspect we'll see regulatory action to force the situation in the US anyway), but at the same time: if Google turned off all tracking tomorrow (unlikely I know!), or if the the publisher has their system configured to not use tracking, Privacy Badger will still block completely non-invasive ad calls.

There are sites that actually do the work to turn off user tracking and they are being penalized for using particular software, which is non-optimal. If the goal is to incentivize sites to become more private, I'm not sure this helps.

I don't know what the options are here because I'm not familiar enough with your code, perhaps you could unblock the call to the gpt.js from this URL, or filter the requests to block out the elements that contain tracking data, or set the system to default to block cookies instead of the complete request, or otherwise detect tracking behavior outside of just a call to the URL. That said, if you're not even allowing the request to the core ad-call script (the gpt.js script) you aren't giving sites the opportunity to even decide if they want to respect DNT or user privacy, which is a shame.

*Once again noting: not speaking in any official capacity here.

EDIT: Worth noting: I'm not trying to be critical of Privacy Badger here. I'm a fan. But DFP is pretty much the only option large swaths of the web have to serve ads, personalized or not. It would be great to have some sort of compromise here where sites can call ads but not track users using the software they have on hand and that for a lot of market-based reasons even outside of tracking it makes sense for them to use. Or a default option where users can block invasive trackers while still allowing basic ads from mainstream systems through.

Would be glad to go into more detail here if it helps.

[ghostwords]

There are sites that actually do the work to turn off user tracking and they are being penalized for using particular software, which is non-optimal.

Is this a continuation of your previous point (a tracker that amends its ways will remain blocked unless they put up the EFF DNT Policy; we're tracking this in #882)? Do you have any examples you could share?

[AramZS]

@ghostwords I mean specifically the activation of non-personalized ad mode in DFP's configuration script. Which doesn't implement any DNT policy transmission on behalf of Google's service, which is what I think would be needed under your current rules.

More an expansion on it. I think that there should be other ways than the DNT Policy from the EFF in theory to show compliance. Especially if the mechanism is mechanical.

As for examples, I can't think of any off the top of my head that don't require you to be coming off of an EU IP, but if you turn on something like Tunnel Bear and set yourself coming from an EU state you can see the tech in action on the NYT's site, for example. I'm sure there are a number of smaller sites out there that have it set, especially if they are based in the EU.

Also, I haven't tested it myself but I know @dmarti put together a plugin that tries to switch sites into the non-tracking mode that might be useful to look at as well - https://github.com/dmarti/trans-europa-express

I don't know what the best solution is here, but I do think it is worth noting that there's an option to call the DoubleClick URL and show ads without doing tracking that's being blocked. If it wasn't, perhaps it would encourage more sites to use that non-tracking mode.

[dmarti]

@AramZS So ideally you would want to be able to do something like this...

• if the page has Google Tag Manager, inject JS to put all the Google scripts on that page into no-tracking mode

• Google scripts cooperate and don't do anything that makes them look like a tracker to PB.

• PB doesn't block Google because it's not detected as a tracker.

It would be great to see that work, but it looks like Google scripts are still going to try to set a cookie that will get Privacy Badger to block them entirely.

"Although these ads don’t use cookies for ad personalization, they do use cookies to allow for frequency capping, aggregated ad reporting, and to combat fraud and abuse." -- https://support.google.com/admanager/answer/7678538

So if users can't get the ideal behavior because Google in "non-personalized" mode is still detected as a tracker, what about:

• If a page has Google Tag Manager, inject JS to try to put it into "non-personalized" mode

• If you can successfully switch on "non-personalized" mode then yellow-list Google for the site where it succeeded.

[AramZS]

@dmarti Yeah, I agree, the cookie-setting in non-personalized is perhaps more tracking than people would prefer and I understand that. I think that would be significantly more useful both as an incentive to sites to move more towards privacy and also match user expectations of a privacy tool.

Or, alternatively, if PrivacyBadger feels uncomfortable attempting to switch GTM to non-personalized mode from the browser, it should be detectable in the setup script on-page or in the googletag.cmd queue and if it is detecting non-personalized mode as active then yellow-list?

I think in either case it would be a nice alternative for those sites that are actually trying to respect user privacy out of interest in that cause or for cases like GDPR (arguably a stronger privacy setup than the standard DNT configuration) to have the opportunity to show ads when they are doing so. I think, especially from an incentive setting standpoint, it would be better than total blocking the basic ad call as right now Privacy Badger basically has shut down even the option for the many sites that use DFP.

Basically, the main thing here that I'm trying to get at is that if a site detects a privacy tool like Privacy Badger (which this ticket seems to be a clear indicator they are doing) or a DNT setting they should at least be given the option to both serve ads and respect that user preference, whereas the current default settings do not give them that option.

[dmarti]

@AramZS There's an item in the FAQ: I am an online advertising / tracking company. How do I stop Privacy Badger from blocking me?

Another question is: "I am using a 3rd party service that has both super-creepy and low-creepy modes. How do I get Privacy Badger to yellow-list that service on my site if I promise to only use them in low-creepy mode?"

[Mikaela]

Happening to visit The Windows Club from search results ( https://www.thewindowsclub.com/presentation-settings-in-windows-7 ), I was surprised by their prompt asking me to disable my adblocker and even more when it gave me instructions for many ad blockers including Firefox Tracking Protection and especially Privacy Badger.

Is this a common phenomenon or becoming more common?