
Summary:

Last week, the Electronic Frontier Foundation released Privacy Badger, an extension for Chrome and Firefox. It’s an important piece of software in the struggle for internet privacy from a group with different motivations than other ad-blocker makers.


It would be great if internet users could tell the websites they visit that they don’t want to be tracked by advertising groups unrelated to the webpage they’re viewing. In fact, in 2009, a group wrote a standard so that web browsers could do just that. But the standard was poorly adopted because many of the biggest advertising companies on the internet aren’t crazy about such an idea. There wasn’t a real enforcement mechanism — until the Electronic Frontier Foundation released Privacy Badger, which lets users opt out of tracking across the internet.

Privacy Badger, an extension for Firefox and Chrome, disallows cookies from certain third-party domains. When someone clicks on a site, they request information from domains that aren’t necessarily the site they asked to visit; that’s just the way hypertext — the “HT” in “HTTP” — works. For instance, if a blog has an embedded Facebook Like button, that widget makes it so you can easily like that page, but it’s also tracking your activity across the internet. That’s what privacy wonks like to call a “third-party request,” and it’s what Privacy Badger seeks to block.

Privacy Badger is different from other blockers, however, and not just because it’s developed by a nonprofit. Previously, blockers have used a centralized blacklist approach. Blockers download a list of bad domains from a remote location out of the box, which is the blacklist most users settle on. Privacy Badger’s blacklist is user-generated: instead of blocking sites, Privacy Badger blocks objectionable behaviors. As you browse, if it detects the same third-party domain tracking you across three different sites, it blocks it.

Aren’t there already several ad blocking extensions?

There are several companies and people actively developing privacy tools for web browsers. Some of these are called ad blockers, which is more of a marketing distinction than anything. The end user hears about the tangible benefit — they don’t have to look at annoying ads on the web – as opposed to the more nebulous concept of privacy protection. Because most invisible third-party scripts and cookies are from advertisers, many of these extensions effectively block most ads.

Ad blockers are widely downloaded. Adblock claims it is the most downloaded extension on the Chrome Web Store, and both it and Adblock Plus have millions of downloads.


From left to right: Privacy Badger, Disconnect, Adblock Pro, Adblock, HTTP Switchboard, Ghostery

Ghostery makes money by tracking the trackers while blocking them and selling data about third-party trackers, which it calls Ghostrank. Disconnect takes a pay-what-you-want approach, but it is still developed by a for-profit company founded by a former Google engineer. Adblock is donation-supported, but many users confuse it with Adblock Plus, which has generated controversy for having advertisers pay to land on a whitelist. While Adblock and Adblock Plus allow users to upload their own blacklists and whitelists, Ghostery and Disconnect do not even allow users to add new filters.

The salient difference between Privacy Badger and the other extensions is that Privacy Badger’s blacklist is generated through heuristic blocking, which means it gets better the longer it is used. Out of the box, Privacy Badger won’t block nearly as many third-party requests as the commercial options, but as you use it more, it will learn more and more hosts to block, although it does come with a built-in whitelist for things like Google Maps and Paypal, which are needed to browse the web normally. This approach is a major change.
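A sketch of the heuristic described above (a third-party domain is blocked once it is seen tracking across three different sites, unless it is on the built-in whitelist), added here as an illustration; it is not Privacy Badger's code. It assumes "tracking" means the request carries a cookie and uses a naive last-two-labels domain match; all hostnames and whitelist entries are constructed.

```javascript
// Illustration of heuristic third-party blocking; not Privacy Badger's code.
const THRESHOLD = 3; // distinct first-party sites, the figure the article gives
// Constructed stand-ins for the built-in whitelist of needed services.
const ALLOWLIST = new Set(["maps.example", "pay.example"]);

// Assumption: the last two labels identify the site. A real extension
// would use the Public Suffix List instead.
function baseDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

class HeuristicBlocker {
  constructor() {
    this.seenOn = new Map(); // third-party domain -> Set of first-party sites
  }

  // Decide one request made while the user is viewing pageHost.
  // carriesCookie is this sketch's (assumed) signal for "tracking".
  observe(pageHost, requestHost, carriesCookie) {
    const first = baseDomain(pageHost);
    const third = baseDomain(requestHost);
    if (first === third) return "allow";      // first-party request
    if (ALLOWLIST.has(third)) return "allow"; // needed to browse normally
    if (carriesCookie) {
      if (!this.seenOn.has(third)) this.seenOn.set(third, new Set());
      this.seenOn.get(third).add(first);
    }
    const sites = this.seenOn.get(third);
    return sites !== undefined && sites.size >= THRESHOLD ? "block" : "allow";
  }
}

// Constructed session: [page being viewed, host requested, carries a cookie]
function runSample() {
  const blocker = new HeuristicBlocker();
  const session = [
    ["news.site-a.example", "widgets.tracker.example", true],
    ["blog.site-a.example", "widgets.tracker.example", true], // same site again
    ["www.site-b.example", "widgets.tracker.example", true],
    ["www.site-c.example", "cdn.static.example", false],      // no cookie
    ["www.site-c.example", "widgets.tracker.example", true],  // third site
    ["www.site-d.example", "tiles.maps.example", true],       // whitelisted
    ["www.tracker.example", "widgets.tracker.example", true], // first party
    ["www.site-d.example", "px.tracker.example", false],      // already learned
  ];
  return session.map(([page, host, cookie]) => blocker.observe(page, host, cookie));
}

console.log(runSample().join(" "));
```

A fresh instance allows every request until it has seen the same domain on three sites, which is why a new installation blocks far less than one that has been used for a while.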

What’s the best blocker?

The difference between Privacy Badger and the other blocker extensions is not an issue of effectiveness. For the most part, all the blockers currently on the market do a pretty good job of blocking third-party requests. Developer Raymond Hill, who has been working on an excellent privacy-oriented developer extension called HTTP Switchboard, is able to run what he calls a “browser session benchmark,” checking to see how many requests get past the various blockers.

His methodology is to visit 15 well-trafficked sites several times, and average the number of requests that slip through.


As you can see, the Ghostery and Adblock numbers are very similar, with Disconnect trailing slightly behind. Privacy Badger is run on a fresh installation, and does not block nearly as many 3rd-party requests as the commercial extensions, but that’s by design. A benchmark run on a well-primed Privacy Badger should have significantly lower numbers.

It’s about the principle of the matter

The key to Privacy Badger is that it is run by the EFF, a well-funded non-profit dedicated to “defending civil liberties in the digital world.” Considering that blocking tracking cookies and third-party requests is as much about the principles at hand — your browsing history shouldn’t be collected by companies you’ve never heard of — as eliminating annoyances from the web, it’s unlikely that the EFF would ever reduce its effectiveness because of commercial considerations.

Adblock Plus has been accused of extortion-like practices because of its Acceptable Ads program, which reportedly has companies offer money in exchange for preferential whitelist treatment. According to the Guardian, Google pays for this treatment, and shortly after Twitter’s IPO, Adblock Plus posted an open letter to Twitter inviting the company to get in touch. And while Adblock Plus released an “Acceptable Ads Manifesto” earlier this month, it does not mention privacy or data leakage at all. This doesn’t necessarily mean Adblock Plus is a bad tool; Privacy Badger is based on the Adblock Plus source code.

Ads are the backbone of many digital business models, and if everyone blocked all third-party requests there would be a lot of sites in trouble. The EFF understands that there’s a balance to be struck, and they’ve made it clear to website publishers how to whitelist their ads: publishers must respect Do Not Track guidelines, effectively allowing Privacy Badger users to opt-out from tracking. It’s an enforcement mechanism for DNT, which is a great idea but has had significant difficulties with adoption.

An uncertain future for privacy blockers

It’s heartening to see the EFF produce its own privacy blocker, because it makes me hope they’ll tackle blocking on mobile devices, which faces several challenges. Considering the metadata transmitted from a phone could be more personal than that from a laptop, as the volume of mobile browsing overtakes browsing on the desktop, the inability of smartphone users to meaningfully block third-party requests will become even more glaring.

It’s difficult to imagine Apple allowing enough access to iOS to ever implement any kind of privacy blocking on the iPhone or iPad. But Google isn’t opening the floodgates either. Google removed Adblock Plus from the Google Play store last year, forcing users to sideload it. But this deters most users from considering installing it, and even after it is installed it is hamstrung by restrictions built into the Android APIs.

It’s understandable from a business standpoint that Google wants to restrict Adblock Plus on Android – it’s made by a for-profit company providing a way for users to evade Google’s primary business.  But to remove an ad blocking extension from a nonprofit, like EFF, would be a clear signal of hostility towards blockers in general. The lack of respected privacy blockers on Android has also led to a proliferation of low-rent alternatives, many of which do not work as promised, and may actually be compromising user privacy.

Privacy Badger isn’t perfect; it’s in beta, and it breaks a lot of websites, including some of the most popular news sites on the web. But its interface is very user-friendly, and it clearly lists all third-party requests — blocked or not. If you’d like to know more about a third-party tracker, its color-coded sliding bars make it easy to identify which domains are blocked, and even unblock them if desired.


Considering that using a blocker is somewhat of a political statement about privacy — users don’t opt in to third-party tracking, and by running Privacy Badger they can opt out — it’s more than good enough, and its relative “purity” compared to the others on the market should make it the cypherpunk’s choice.

Top image by Robert Nelson/Creative Commons

  1. Apple already blocks third-party cookies by default in iOS so it doesn’t really need these extensions.

  2. We run a much more comprehensive comparison on this site: http://www.areweprivateyet.com/

    Privacy Badger lands just slightly ahead of Disconnect, but obviously, it needs training to be effective.

    1. Thanks for sharing.

  3. The “Your Personalized List” feature of Internet Explorer’s Tracking Protection List capability provides a similar heuristic-based mechanism. Few know about it and fewer still turn it on.

    1. Who uses Internet Explorer?

      1. I’ve been using the blocker built into IE for years. It prompts you for each tracking cookie which can be a little annoying, especially at the start when any innocent looking web page has 10 tracking cookies on it. I have a list now of more than a thousand sites that are blocked that I can export and import into other computers. I think it is a good solution because it is personalized – we don’t all want to block or allow all the same sites for tracking, but it isn’t perfect because I sometimes block sites when I am getting a 3rd party cookie from them, but want to allow them as a 1st party cookie. Example is facebook. I don’t mind a facebook cookie when I am on facebook.com, but I don’t like facebook tracking me on thousands of other sites.

  4. So the EFF, who lives off sucking Google’s cash teat – with maybe other sucking involved – is going to protect us from the world’s largest third party tracking network which is… Google? (also the world’s largest abuser of third party cookies seeing how they rammed through Safari users’ privacy settings)

    That’s a great joke.

    You don’t have to be very cynical to see the motivation here: install this plugin to worsen the effectiveness of ad tracking networks who are not friends with the EFF (i.e. everyone except Google). This of course then benefits Google in the eyes of advertisers – and all done in the name of your privacy, so no pesky anti-trust issues.

    If someone (e.g. a ‘pesky’ regulator) does come looking under the cover there’s always the ‘heuristics’ excuse. Quite how ‘heuristics’ always seem to clear Google of any manipulation or wrong doing is another matter.

    I have to admit it’s a great plan, as usual from Google.

    1. Google is a contributor to EFF, but nowhere near one of the largest, and I’m not sure whether $10000 (Google’s official contribution in 2011) is enough to betray EFF’s mission and enter into a grand conspiracy.

      1. A quick search on the Web finds that Google paid over $1 million to EFF in 2011:

        “In fact, Google (GOOG) did transfer $1 million to the EFF last year, but the money did not have to be, and wasn’t, reported as a corporate donation.”

        Look for a CNN article titled “Google and Facebook’s new tactic in the tech wars”.

        I’m willing to bet the contributions in 2012 and 2013 were even higher. Those amici curiae don’t come free.

  5. Howard Lee Harkness Monday, May 12, 2014

    Did you realize that one of the ads in a widget in the right sidebar on your site is broken? It displays a bunch of improperly-formed HTML gibberish.

    My irony meter just pegged.

  6. What’s the effect of having multiple DNT tools operating? Is there any synergy or is it only as good as the best?

  7. Privacy badger breaks pages and makes it a lot harder to figure out how it broke them.
