Interview With Mozilla's Ryan Merkley: Tracking the Trackers
colinneagle writes "Among the eye-opening statements in his recent TED talk, Mozilla CEO Gary Kovacs said, 'Privacy is not an option, and it shouldn't be the price we accept for just getting on the Internet. Our voices matter and our actions matter even more.' After you download and install Collusion in Firefox, you can 'see who is tracking you across the Web and following you through the digital woods,' Kovacs stated. 'Going forward, all of our voices need to be heard. Because what we don't know can actually hurt us. Because the memory of the Internet is forever. We are being watched. It's now time for us to watch the watchers.' I've been using Collusion for some time now and it is jaw-dropping to watch all the sites that still stalk us across the web even with DNT and privacy add-ons. The Collusion page states: 'The Ford Foundation is supporting Mozilla to develop the Collusion add-on so it will enable users to not only see who is tracking them across the Web, but also to turn that tracking off when they want to.'"
Re: (Score:1)
And they'll only adhere once the settings are legally enforceable.
The trick to actually being the first post is to not spend any time being cute about it. FAIL.
I wouldn't be too sure of that. Look at that farce they named "Do Not Call". The teleslimeballs aren't afraid and the government doesn't even react to complaints. Government mandates about privacy are a farce.
Download/Demo here (Score:5, Informative)
Collusion Download/Demo [mozilla.org]. Looks like a pretty nifty tool. And completely without flash!
Re:Download/Demo here (Score:5, Interesting)
I'd been looking at having laser eye surgery for some time. Money was the only thing stopping me from doing real research.
There was an advert for an Optical Express laser clinic, with a competition for free treatment, so I clicked. It's probably the only time I've ever clicked, and this was at work with no Ad-block installed.
I went through the process of consultation, price negotiation and all that stuff. I was happy with everything offered, and went ahead with the surgery (two weeks ago, best thing I've ever done).
Top of Slashdot today? Adverts for laser eye surgery at Optical Express. In fact, every blinking website I visit at work is trying to show me adverts for Optical Express. This has been going on for nearly two months!
I'm sure it must happen to everyone, everywhere.
Re:Download/Demo here (Score:5, Funny)
Those ads have always been there - maybe you can only see them after you had the surgery!
Re: (Score:1)
Yeah, I ordered a pair of New Balance shoes off their website since most stores don't have the 13 4E size I wear and now I see ads for New Balance all day every day,
Re:Download/Demo here (Score:5, Informative)
There was an advert for an Optical Express laser clinic, with a competition for free treatment, so I clicked. It's probably the only time I've ever clicked, and this was at work with no Ad-block installed.
Here, you've admitted to two newbie mistakes that culminate in your tale of woe.
Top of Slashdot today? Adverts for laser eye surgery at Optical Express.
These ads (and the attack/tracking vector they signify) will persist until you properly secure your browser.
In fact, every blinking website I visit at work is trying to show me adverts for Optical Express.
In Firefox, open about:config [about] and set browser.blink_allowed to False. If the blinking continues, return to Optical Express and demand a refund.
I'm sure it must happen to everyone, everywhere.
I assure you, that is not the case.
How long until Google notices? (Score:5, Insightful)
The Mozilla Foundation reportedly receives ~$300 million annually from Google.
Google is certainly an interested party when it comes to tracking user behavior.
Is this really a good move for Mozilla strategically?
Re: (Score:3, Insightful)
Is this really a good move for Mozilla strategically?
Yes because the general public do value privacy, and being on the side of public opinion is priceless.
Re: (Score:2)
Is this really a good move for Mozilla strategically?
Yes because the general public do value privacy, and being on the side of public opinion is priceless.
Actually, the general public puts a very low value on privacy. If you ask "do you value your privacy?", they'll say "yes, of course." But if you ask them "do you want to save 5% by signing up for our club card?", they'll practically push each other out of the way to save $0.50.
Marketers today put the benefit on the billboard, but put the terms of consent to tracking in the fine print. It would be interesting to see what would happen if the marketing came with the same kinds of warnings and side effects we se
Re:How long until Google notices? (Score:4, Insightful)
Of course it is. Just because they're funded, doesn't mean they're controlled. And I don't think transparency is bad for Google's main business model. People more or less know what Google gets when it is used for searching. I predict they'll jump on board with this one and provide something similar in Chrome. It's the right kind of tool to win over the masses.
Re:How long until Google notices? (Score:5, Insightful)
The Mozilla Foundation reportedly receives ~$300 million annually from Google.
Google is certainly an interested party when it comes to tracking user behavior.
Is this really a good move for Mozilla strategically?
The key issue here is informed consent. The "Collusion add-on so it will enable users to not only see who is tracking them across the Web, but also to turn that tracking off when they want to."
I've no problem allowing cookies and scripts from sites I trust and who are providing me with a service I want. The problem is the number of "drive-by" cookies and scripts you can get hit with.
When I started using NoScript I was amazed at the amount of content I was being silently served from third-party sites without my knowledge or consent.
Re: (Score:1)
The problem is the number of "drive-by" cookies and scripts you can get hit with.
Re:How long until Google notices? (Score:5, Informative)
A nice trick is to set your browser to keep cookies only for the session, clear your cookies and then grab an extension like Cookie Monster [mozilla.org] or something similar to manage exceptions for the sites where you explicitly want permanent cookies.
Re: (Score:1)
Why do you need an extension for managing cookie policy exceptions? There is already a manager in Mozilla web browsers to manage those.
Re:How long until Google notices? (Score:5, Informative)
Those sort of extensions just provide a convenient way of interacting with Mozilla's mechanism. You get a statusbar icon which changes depending on if the site you're viewing has no cookies, blocked cookies, persistent cookies or session cookies. You can click on the icon to change the default action for that site or domain. It's so much simpler than opening the options and adding exceptions manually.
Re:How long until Google notices? (Score:4, Interesting)
And if Google withdraw their funding over this Collusion addon, how do you think that will look?
As far as I know, Google have been very upfront [google.com] about what they have on me and what they use that information for. Collusion doesn't change anything for Google, especially if they respect the DNT option. I think Google would be quite alright with this, as what it really does is reveal how much OTHER people are tracking about you, and not telling you about it. Especially if OTHER people are ignoring DNT.
Like it is said, if you have nothing to hide from Collusion, then you have nothing to fear.
Re: (Score:3, Interesting)
As far as I know
Which is only what Google tells you. You don't think they're tracking you by IP address too? You don't think they're using browser fingerprinting? Google's cookie is one tiny part of the problem.
Re:How long until Google notices? (Score:5, Informative)
As far as I know
Which is only what Google tells you. You don't think they're tracking you by IP address too? You don't think they're using browser fingerprinting? Google's cookie is one tiny part of the problem.
Google logs all IP addresses initially but after nine months zeros the bottom octet to anonymize them. Cookies are kept for 18 months, and many have noted that the cookies can be used to recover the full IP address going back 18 months, assuming you're always connecting from the same IP, but if you've opted out then there are no cookies stored to provide that linkage (I'm not sure if the opt-out cookie is itself anonymous, or if it's stripped before logging, or what, but it's something like that).
I don't know if browser information is anonymized; I'm sure at least enough is kept to identify the browser version.
Although you almost certainly won't believe me (since I work for Google), I'll tell you that Google tries very hard to honor tracking opt outs. If someone discovered a way that Google could recover individualized tracking about a user who had opted out, that would be considered a bug and it would get fixed. If it couldn't be fixed, controls would be put in place to ensure that the data is not used for tracking in any systematic way, and that individual employees can't access it without specific permissions, and the use of those who actually have a demonstrated need to use it would be audited.
The tinfoil hat crowd will simply dismiss this post, but the truth is that Google really doesn't want to track you if you don't want to be tracked. Google wants to convince you that you do want to be tracked, of course, that Google's services (including targeted advertising!) are actually sufficiently valuable to you that you want Google to have the data. But if you don't agree, Google provides the tools to allow you to opt out, and honors your choice.
This isn't to say that bad things will never happen, or that mistakes will never be made. Google is composed of people, and people screw up. Hence things like the Wifi packet capture, and Safari privacy workaround. But violations of the principles of user privacy are treated as errors to be corrected.
From an information-theoretic standpoint, the best way to be sure that Google never screws up with your privacy is to ensure it is impossible for Google to know anything about you, so opt out of tracking and avoid Google services, or even just block Google at your router. IMO, given its track record, trusting Google to behave responsibly isn't at all unreasonable, and I think Google offers good value in trade for your information (assuming that Google behaves responsibly). But it's your choice, and Google wants it to be possible for you to make that choice.
Re: (Score:2)
Google logs all IP addresses initially but after nine months zeros the bottom octet to anonymize them
That's not much privacy. If I watch your browsing habits for 9 months, I bet I could put together a signature that would let me identify your browsing from a group of 256 random individuals.
Re: (Score:2)
Google logs all IP addresses initially but after nine months zeros the bottom octet to anonymize them
That's not much privacy. If I watch your browsing habits for 9 months, I bet I could put together a signature that would let me identify your browsing from a group of 256 random individuals.
If that were the only privacy protection measure, sure.
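The retention scheme discussed in the comments above (bottom octet zeroed after nine months, cookies kept for 18 months) can be audited for exactly the linkage the thread describes. This is an added example, not Google's code and not part of any comment; the record layout, function names and sample addresses (from a documentation range) are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

def truncate_ipv4(addr: str) -> str:
    """Zero the bottom octet, i.e. keep only the /24 network part."""
    net = ipaddress.ip_network(f"{addr}/24", strict=False)
    return str(net.network_address)

def anonymity_set_size(prefix_len: int = 24) -> int:
    """How many addresses share one truncated value."""
    return 2 ** (32 - prefix_len)

# Constructed log records: (age_in_months, client_ip, cookie_id or None).
# A record with cookie_id None stands for a user who opted out.
LOG = [
    (12, "198.51.100.37", "c-alice"),
    (11, "198.51.100.200", "c-bob"),
    (10, "198.51.100.91", None),
    (3, "198.51.100.37", "c-alice"),
    (2, "198.51.100.200", "c-bob"),
    (1, "198.51.100.91", None),
]

def apply_retention(log, ip_months=9, cookie_months=18):
    """Apply the policy as stated in the thread to every record."""
    retained = []
    for age, ip, cookie in log:
        if age > ip_months:
            ip = truncate_ipv4(ip)
        if age > cookie_months:
            cookie = None
        retained.append((age, ip, cookie))
    return retained

def linkable_records(retained, ip_months=9):
    """Audit check: list truncated records that a retained cookie still
    ties to exactly one full address inside the same /24."""
    recent = defaultdict(set)
    for age, ip, cookie in retained:
        if cookie and age <= ip_months:
            recent[cookie].add(ip)
    findings = []
    for age, ip, cookie in retained:
        if age > ip_months and cookie:
            same_net = {r for r in recent[cookie] if truncate_ipv4(r) == ip}
            if len(same_net) == 1:
                findings.append((age, ip, cookie, same_net.pop()))
    return findings

if __name__ == "__main__":
    retained = apply_retention(LOG)
    print("anonymity set per truncated address:", anonymity_set_size())
    for finding in linkable_records(retained):
        print("still linkable:", finding)
```

Only the opted-out records, which carry no cookie, stay inside the 256-address set; the others are tied back to a single address for as long as the cookie is retained.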
Re: (Score:1)
The tinfoil hat crowd will simply dismiss this post, but the truth is that Google really doesn't want to track you if you don't want to be tracked.
Maybe it is just dog food you are eating, but you should go read your privacy policy sometime. All of your data, whether it be browsing history, location data, email, docs, pictures... Everything, can be shared with 3rd parties. For example:
We provide personal information to our affiliates or other trusted businesses or persons to process it for us, based on our instructions and in compliance with our Privacy Policy and any other appropriate confidentiality and security measures.
Thanks for providing us with those instructions Google, and since these 3rd parties follow the same privacy policy, they can go ahead and ship it on to their buddies for "processing" too. These terms are written in such a way that it allows them to get away with anyth
Re: (Score:2)
One of the founders wrote a book on how to do it despite the low-level obfuscating techniques that are being used. They are the equivalent of "adding bits" to crypto-keys. It may take more data to statistically correlate identities, but given enough data, Bayesian induction is almost certainly powerful enough to get the job done. 18 months of data is a long time
Re: (Score:2)
From previous experience my browser fingerprint from one fingerprint-info site, told me that my browser finger print was unique out of over 300K visitors to date. That's fairly specific.
If that's the same site I saw... I visited it twice and it told me my fingerprint was unique the second time, too. I think it's bogus.
Re: (Score:2)
Did you upgrade a plugin? That would make it different? Or was one of your plugins auto-upgraded as many users have it set for?
I went back immediately and was told I was 1 of 2 with my fingerprint...so I'm not so sure how bogus it was or if it was the same site.
Re: (Score:2)
Google provides the tools to allow you to opt out, and honors your choice.
BS - you have to be logged in to a Google account to be able to opt out.
No, you don't. If you opt out through the Google privacy pages, it installs a cookie which tells Google servers not to track you. There are two different opt-outs, one for ads and one for analytics. If you want to make sure that cookies don't get lost, Google provides plugins/extensions for IE, Firefox and Chrome which will reinstall them if they get deleted.
If you are logged in, there are some other options, many of which are off by default (i.e. opt-in). I think those are orthogonal to the ads and a
Re: (Score:2)
Can someone please explain to me in what way Hatta's comment constitutes trolling? Is expressing concern about the practices of the world's largest advertising conglomerate a new form of trolling I was previously unaware of, or is questioning our corporate betters now grounds for being silenced?
Google has pioneered these techniques... (Score:2)
Because some people either haven't read or don't understand chapters 13, 14, 15 and 20 in one of Google's founder's books, "Artificial Intelligence: A Modern Approach". (13:Uncertainty, 14:Probabilistic Reasoning, 15:Probabilistic Reasoning over Time, 20:Statistical Learning Methods).
New friends (Score:3, Insightful)
"Among the eye-opening statements in his recent TED talk, Mozilla CEO Gary Kovacs said, 'Privacy is not an option, and it shouldn't be the price we accept for just getting on the Internet.
Evidently, Gary has never met Mark Zuckerberg.
Go Ahead, Track Tor Exit Nodes! (Score:5, Interesting)
I'm just a random Tor exit node, up one day, down the next, replaced by another random exit node.
Use the Tor Browser Bundle:
- https://www.torproject.org/ [torproject.org]
Read the Tor OPSEC article:
- http://cryptome.org/0005/tor-opsec.htm [cryptome.org]
- https://www.schneier.com/blog/archives/2012/01/tor_opsec.html [schneier.com]
"HUGE Security Resource" - enjoy a smart selection of Security
Blogs and other security related information
- http://pastebin.com/Cm2ZHuz3 [pastebin.com]
Re: (Score:2, Informative)
Wikipedia bans offensive exit nodes from *editing*, not *viewing* their site.
Oh, and use bridges, always:
https://bridges.torproject.org/ [torproject.org]
for reasons mentioned in the Tor OPSEC document.
For sites which ban a lot of Tor exit nodes (like godlikeproductions), Startpage's free web proxy evades 99% of these bans, but you can't post with Startpage's proxy, just read.
Using Tor, you can also run through a lot of free web proxies to evade bans on Tor exit node IPs.
Some exit nodes remain for awhile (though your circuit
Re: (Score:1)
"I think the point is they just see all the traffic coming from the node, which can't be identified with you. "
The workings of Tor are documented on the official site, there's no need to reinterpret its function.
"Except since you have to allow javascript to get even minimal functionality on a huge number of websites now, it kind of defeats the purpose."
Most of the websites which require javascript in order to use are mostly stupid anyway, or exploit privacy/security.. just like...
"Facebook still tracks me
Re:Go Ahead, Track Tor Exit Nodes! (Score:5, Insightful)
Tor won't help you if the website puts a cookie in your browser (which this discussion is about). What you need is a selective cookie policy (like Ghostery [ghostery.com]) -- it makes my Collusion graph blank.
Re: (Score:1)
There's more about Ghostery you evidently aren't aware of http://yro.slashdot.org/comments.pl?sid=2931443&cid=40412193 [slashdot.org] and you may not like it. I didn't. I don't like 1/2 truths, and people pissing down my neck and telling me it's raining!
Neat... (Score:3, Informative)
Then you install ghostery if not already done, and you forget about trackers...
Re: (Score:1)
Truths about ghostery you evidently aren't aware of http://yro.slashdot.org/comments.pl?sid=2931443&cid=40412193 [slashdot.org] and you may not like it. I didn't. I don't like 1/2 truths, and people pissing down my neck and telling me it's raining either.
shouldn't be the price we accept (Score:2)
Who? (Score:2)
Re: (Score:1)
You obviously don't.
The original paragraph (extract from an article by Ms Smith) mentions the presentation (done by Gary Kovacs) and there is a video link of this. This is important if you want to get an idea of how Collusion works.
After this video, there is an Interview with Ryan Merkley: He speaks about his experience with Collusion and how it simply shows what is being tracked.
Re:Who? (Score:4, Funny)
Title says interview with Ryan Merkley, TFS says Gary Kovacs at TED talk. Maybe I'm just new here, but does anyone read anymore?
Merkley quotes Kovacs.
Now I can quote oodaloop quoting samzenpus quoting Merkley quoting Kovacs. You can quote me on that.
Who is (really) watching? (Score:3)
Okay we know that Google, Facebook and other companies have a tracking system in place. But who's really watching? Is it possible that Larry Page or Mark Zuckerberg is reading this post right now and will click his iAmWatchingU app to find out who typed these words? Or is some other sentient entity [slashdot.org] looking over me like the deity of some theistic religion.
Maybe the greater danger isn't that we are being watched, but that algorithms are now in control of our lives [bbc.co.uk], processing, analyzing, bankrupting us in a way where sometimes the only human intervention is someone clicking OK.
Re:Who is (really) watching? (Score:4, Funny)
(if) you use a (bunch) if (parenthesis) psudeo-randomly in your subject (and) u(ser)n(ame) you can fool the algorithms((!!!!))
Re: (Score:1)
(is i)t i(mpo(rtant th)at (the(y're a)ll closed)?
Re: (Score:2)
Stop The Machine! [youtube.com]
Overstatement alert maximum (Score:1)
Because the memory of the Internet is forever
Easy Solution To This (Score:1)
Provide a feature in Firefox to not request pages not on the current domain.
All those embeddable scripts are now useless and centralized tracking dies a horrible death. The overheads of doing this server-side would be crippling financially.
The idea is not to fight a losing battle, but to make it expensive and financially nonviable.
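What a cross-site tracking graph of the kind Collusion draws looks like, and what the "current domain only" policy proposed in the comment above would leave of it, as an added example (not Collusion's or Firefox's code). The request log is constructed, and `site_of` takes the last two host labels as the site, a simplifying assumption; a real implementation needs the Public Suffix List.

```python
from collections import defaultdict
from urllib.parse import urlsplit

def site_of(url: str) -> str:
    """Naive registrable domain: last two labels of the hostname.
    Assumption for this example; real browsers use the Public Suffix List."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

# Constructed sample: (page the user visited, resource that page requested).
REQUESTS = [
    ("https://news.example/story", "https://news.example/style.css"),
    ("https://news.example/story", "https://cdn.tracker-a.test/pixel.gif"),
    ("https://news.example/story", "https://ads.tracker-b.test/ad.js"),
    ("https://shop.example/cart", "https://static.shop.example/app.js"),
    ("https://shop.example/cart", "https://cdn.tracker-a.test/pixel.gif"),
    ("https://blog.example/post", "https://tracker-a.test/beacon"),
    ("https://blog.example/post", "https://widgets.social.test/like.js"),
]

def third_party_graph(requests):
    """Map each third-party site to the set of first-party sites it was loaded on."""
    graph = defaultdict(set)
    for page, resource in requests:
        first, other = site_of(page), site_of(resource)
        if other != first:
            graph[other].add(first)
    return dict(graph)

def cross_site_observers(graph, min_sites=2):
    """Third parties present on several sites can correlate visits across them."""
    return {tp: sorted(sites) for tp, sites in graph.items()
            if len(sites) >= min_sites}

def first_party_only(requests):
    """Apply the proposed policy: keep a request only if it stays on the page's site."""
    allowed = [(p, r) for p, r in requests if site_of(p) == site_of(r)]
    blocked = [(p, r) for p, r in requests if site_of(p) != site_of(r)]
    return allowed, blocked

if __name__ == "__main__":
    graph = third_party_graph(REQUESTS)
    print("observers across sites:", cross_site_observers(graph))
    allowed, blocked = first_party_only(REQUESTS)
    print(f"policy keeps {len(allowed)} requests, drops {len(blocked)}")
    print("graph after policy:", third_party_graph(allowed))
```

Subdomains such as `static.shop.example` still count as first party here, so the policy drops the embedded third-party resources without breaking a site's own asset hosts.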
Ghostery? (does the same thing?) (Score:5, Informative)
Re: (Score:1)
The hosts file can be shortened even more by appending blocked IPs, rather than a line for each. Like so,
0 badIP-1 badIP-2 badIP-3
And the localhost line can be shortened to,
127.1 localhost
Works in XP and 2003.
Re: (Score:2)
He's the Anonymous Coward with most negative karma.
Re: (Score:2)
I'm the last to suggest I know more than you about some of the subjects you rant about.
Send fake data (Score:1)
It is nice to see things like Collusion and Ghostery (will install when I get home), but I think power users of the internet and those of us that care about privacy and a free internet need to take it a step further. We need to not only stop tracking, but also figure out ways to mass spoof trackers and begin corrupting their data. If, on some mass scale, we can figure out how to report bad data to advertisers, they lose all power.
Mass advertising is the biggest scam of the last 30 years. These people pro
poison with false positives (Score:4, Insightful)
Does anyone know what ever happened to that project for salting the tracking data with false positives? I think it was called "Antiphormlite" and it had gotten up to version 1.3 I think.
I see it talked about on teh google but there doesn't seem to be any place it can be downloaded.
I love the idea of fouling tracking data. It's not enough to "track the trackers". I want to make sure they go away unless they reform themselves.
This is one of those areas where the "free market" is not going to come up with a solution. People say, "I want privacy" and the Free Market says, "Fuck you, pay me."
It's going to take vandalism on a massive scale to fix this one.
Re: (Score:2)
The other advantage of using that number is the look on the dumber cashiers' faces, since they think that's your real phone number.
Re: (Score:2)
I'd wager this will happen instead eventually:
People say, "I want privacy" and Government tells Free Market, "Fuck you, stop tracking."
Re: (Score:2)
I wish I had your optimism.
Because I fear what would happen then is the "Free Market" would say, "Fuck you, Government. We own you, thanks to Citizens' United."
And that would be the end of that. There was actually a time, you know, when the air in most major US cities was incredibly foul. The Great Lakes were literally dying and rivers were catching fire. The Government
Ghostery already knows who is tracking us... (Score:2)
Ghostery's true background (Score:3, Interesting)
Seems like a lot of people are praising Ghostery, which leads me to believe that you haven't heard the backstory.
Evidon, which makes Ghostery, is an advertising company. They were originally named Better Advertising, Inc., but changed their name for obvious PR reasons. Despite the name change, let's be clear on one thing: their goal still is building better advertising, not protecting consumer privacy. Evidon bought Ghostery, an independent privacy tool that had a good reputation. They took a tool that was originally for watching the trackers online, something people saw as a legitimate privacy tool, and users were understandably concerned. The company said they were just using Ghostery for research. Turns out they had relationships with a bunch of ad companies and were compiling data from which sites you visited when you were using Ghostery, what trackers were on those sites, what ads they were, etc., and building a database to monetize.
When confronted about it, they made their tracking opt-in and called it GhostRank, which is how it exists today. They took an open-source type tool, bought it, turned it from something that’s actually protecting people from the ad industry, to something where the users are actually providing data to the advertisers to make it easier to track them. This is a fundamental conflict of interest.
To sum up: Ghostery makes its money from selling supposedly de-identified user data about sites visited and ads encountered to marketers and advertisers. You get less privacy, they get more money. That's an inverse relationship. Better Advertising/Evidon continually plays up the story that people should just download Ghostery to help them hide from advertisers. Their motivation to promote it, however, isn't for better privacy; it's because they hope that you'll opt in to GhostRank and send you a bunch of information. They named their company Better Advertising for a reason: their incentive is better advertising, not better privacy.
Re: (Score:2)
No, he was downmodded because his post was cut and paste spam.
Even if it was worthwhile information, you don't post a comment of that length. Get your own goddamn blog if you want to write 5000 words.
Multifox+good cookie manager (Score:1)
I'm disappointed with Mozilla's approach to privacy (or lack of it). Currently the biggest danger for privacy is not tracking (your bank also tracks your transactions) but collecting all the available threads of information to build a fairly complete profile of the user. Yet Mozilla is pretty much ignoring the problem to the point it is difficult to differentiate Firefox from Google Chrome (a browser specifically designed for collecting information).
The only thing I ask for is a good identity manager (Mu
Common Service != Collusion (Score:1)
Mozilla is ignorant and late as usual (Score:2)
The more I listen to various mozilla reps, the more I am convinced that they are extremely distanced from reality, and firefox's reduction in market share is direct consequence of this ignorance.
The problems he's talking about have long been solved by "there is an add-on for that" in firefox. Use ghostery. It has a good list of pretty much all meaningful tracking services and offers to block them for you on per-site basis or globally, along with a nice list of all trackers currently tracking you and if they'
Re: (Score:2)
Just as well that computer of yours is off line.