EFForg / privacybadger

Privacy Badger is a browser extension that automatically learns to block invisible trackers.
https://privacybadger.org

Completely disable blocking on optout.aboutads.info #1606

Open strugee opened 7 years ago

strugee commented 7 years ago

I recently got linked to http://optout.aboutads.info/ from a Google opt-out page. Privacy Badger seems to have blocked 65 requests to advertisers participating in that page.

Obviously it's doing its job pretty well, but in this particular case we actually probably want to allow those requests through since for once requests to these domains are for a privacy-protecting purpose, not the other way around ;)

ghostwords commented 7 years ago

The problem may go deeper than just allowing third-parties on the advertising industry's opt-out page since even if we allowed the setting of opt-out cookies on that page, we would still block the sending of these opt-out cookies elsewhere.

As opt-out cookies are, at least in my view, an inferior alternative to Do Not Track (which Privacy Badger aims to promote), it doesn't seem to make sense for Privacy Badger to attempt to support opt-out cookies.

ghostwords commented 6 years ago

We may want to do something specifically on the optout.aboutads.info page though, like show a message about opt-out cookies and DNT. It looks like this situation happens regularly for Privacy Badger users:

+----------+---------+
| count(*) | ym      |
+----------+---------+
|        2 | 2018-02 |
|        2 | 2018-01 |
|        1 | 2017-11 |
|        1 | 2017-10 |
|        6 | 2017-09 |
|        1 | 2017-08 |
|        4 | 2017-07 |
|        4 | 2017-06 |
|        2 | 2017-05 |
|        2 | 2017-04 |
+----------+---------+

Targeting new domains in the manifest might be blocked by #1619.

ghostwords commented 6 years ago

Some error report messages:

> 131 out of 132 opt outs failed.

> half of advertising opt out requests not successful while badger working. opt outs successful if badger disabled.

> I can't opt out of ad tracking on DAA webchoices for some advertisers regardless of whether I disable this program for this page or not.

> privacy badger works, and therefore breaks this site

> This is an ad opt-out site, it is supposed to send around cookies to all the domains to cross check if that domain is tracking the current browser, hence

> Must be disabled for opting out to work

> I think Privacy Badger was blocking the addition of "opt out" cookies from the Digital Advertising Alliance website. Running their Opt Out failed with >half of the sites with Privacy Badger active, and succeeded on almost all of them with PB inactive.

> Trying to block advertiser cookies through DDA site so I think they should be allowed through (so the opt-out can be registered.

> Clearly, this cannot set the opt-out cookies if Privacy Badger is enabled.

> Stops DAA Webchoices from successfully completing opt-out requests.

> This site is for opting-out of online ad tracking. Privacy Badger appears to interfere with its operation.

> Default settings block third-party cookie check.

> Some ad preferences fail to load when Privacy Badger is enabled.

> Prevents some of the DAA WebChoices opt out cookies from being accepted

regier21 commented 3 years ago

I was looking into this. Would adding a red badge to the icon when visiting the site (see here) and some information in the popup be enough?

ghostwords commented 3 years ago

Hi @regier21!

I was looking for some good reference text to base our messaging on or an article to link to. Here are a few relevant paragraphs from a 2017 article about Twitter dropping support for Do Not Track:

> ...[The self-regulatory program of the Digital Advertising Alliance (DAA)] is toothless because the only choice it allows users is to opt out of “customizing ads,” when most people actually want to opt out of tracking. Many DAA participants, including Twitter, continue to collect your information even if you opt-out, but will hide that fact by only showing you untargeted ads. This is similar to asking someone to stop openly eavesdropping on your conversation, only to watch them hide behind a curtain and keep listening.

> ...[The DAA's "WebChoices" tool] is broken; it’s incompatible with other privacy tools, and it requires constant vigilance in order to use. It relies on setting a third-party opt-out cookie on 131 [as of 2017, more now?] different advertising sites. ... Even if you allow third party cookies, your opt-out only lasts until the next time you clear cookies, another common user strategy for protecting online privacy. And new advertising sites are created all the time. When the 132nd site is added to WebChoices, you need to go back and repeat your opt-out...

So, DAA's WebChoices:

ghostwords commented 3 years ago

We could style the badge to draw attention to the popup and then communicate the above points somewhere in the popup.

We could also add a dedicated page content script that constructs and injects an informational banner into optout.aboutads.info. The benefit to this approach is that it should be harder for users to miss.

I suggest making and sharing a mockup of whatever you'd like to try first, before spending too much time on it. Thanks for looking into this!
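
A sketch of the content-script banner proposed in the comment above, as an added example that is not part of the original thread and not Privacy Badger's code. The function names, the banner wording and the styling are hypothetical; only the host name comes from the issue. It builds the banner in a closed shadow root and sets text with `textContent`, so page CSS does not restyle it and the message is never parsed as HTML.

```javascript
// Added illustration, not Privacy Badger source. Assumes a manifest
// content_scripts entry whose "matches" covers *://optout.aboutads.info/*.
const OPT_OUT_HOST = "optout.aboutads.info";

// Exact host comparison: lookalikes such as
// optout.aboutads.info.example.com must not trigger the banner.
function shouldShowBanner(hostname) {
  return hostname.toLowerCase() === OPT_OUT_HOST;
}

// Build the banner inside a closed shadow root so page stylesheets do not
// apply to it and page scripts cannot reach it through host.shadowRoot.
function buildBanner(doc, message, onDismiss) {
  const host = doc.createElement("div");
  const root = host.attachShadow({ mode: "closed" });

  const box = doc.createElement("div");
  box.setAttribute("role", "alert");
  // "all: initial" first, so inherited page styles are reset before ours apply.
  box.style.cssText = "all: initial; position: fixed; top: 0; left: 0; right: 0;" +
    "z-index: 2147483647; padding: 12px; background: #fefefe; font: 14px sans-serif;";

  const text = doc.createElement("span");
  text.textContent = message; // plain text only, never innerHTML

  const close = doc.createElement("button");
  close.textContent = "Dismiss";
  close.addEventListener("click", () => { host.remove(); onDismiss(); });

  box.append(text, close);
  root.append(box);
  return host;
}

// Content-script entry point; skipped where there is no DOM (e.g. under Node).
if (typeof document !== "undefined" && shouldShowBanner(location.hostname)) {
  const banner = buildBanner(document,
    "Privacy Badger blocked some opt-out cookie requests on this page.", // placeholder wording
    () => {});
  document.documentElement.append(banner);
}
```

The page can still remove or cover the host element, so this isolates styling and content but does not by itself prove to the user that the message came from the extension.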

ghostwords commented 3 years ago

This is similar to #1596 where one idea is to detect anti-adblock messaging and then show our own messaging that explains that Privacy Badger is not an ad blocker and that you should consider getting in touch with the website to communicate your displeasure with its approach.

Both in #1596 and here, we want to communicate some information about the current website, whether in Privacy Badger's popup, directly within the page, or in both places. This notification is higher level than "Privacy Badger blocked X potential trackers"; it's also not routine/not applicable to the majority of visited websites.

regier21 commented 3 years ago

Okay here is a quick mockup:

image

Feedback is welcome!

strugee commented 3 years ago

@regier21 a couple problems with that prose that I notice off the top of my head:

ghostwords commented 3 years ago

Thanks for the mockup!

To add to the points above:

For an example of an existing modal dialog, inspect Privacy Badger's background page, set badger.criticalError to some string value, and open Privacy Badger's popup.

For an example of existing Privacy Badger UI that gets injected into pages, visit a page with embedded widgets (for example) that Privacy Badger can/does replace.

I think the hardest thing about injecting a message directly into pages is making it clear that the message came from Privacy Badger.

strugee commented 3 years ago

> I think the hardest thing about injecting a message directly into pages is making it clear that the message came from Privacy Badger.

Agreed. Perhaps we could style it like a popup dialog box, with the background semi-opaque? That would solve a few issues:

ghostwords commented 3 years ago

See below for a screenshot of the badger.criticalError modal dialog. Note the special "alert" badge styling.

Screenshot from 2021-04-23 15-40-52

We could take the in-popup modal + "alert" badge approach as was originally suggested, as that is simpler and may be good enough.

regier21 commented 3 years ago

Hmm one of my concerns about a pop up is that the site already generates a popup after it checks all the cookies, so it would be a popup on top of a popup. See the image below: image

I think doing what PB does with Disqus and just covering all of the content until you acknowledge it would be preferable as it would only be a single popup at a time.

Regarding the text: I copy-pasted what @ghostwords said in the thread as placeholder. I agree that just a few words and a link would be great. Do we have a site to link to in mind? Has the EFF written about the DAA that isn't just talking about Twitter?

ghostwords commented 3 years ago

To clarify, when I write "popup" above, I'm talking about Privacy Badger's extension popup.

ablanathtanalba commented 3 years ago

Just chiming in here with some thoughts about the proposed changes to showing messaging on the webpage and/or popup:

I definitely agree with @ghostwords that whatever text that shows up on the actual page should be as brief as possible. It might be worth just telling the user that there is some shady dark-pattern like behavior taking place on this particular site, and then linking to a lengthier description in the FAQ section of the Privacy Badger page.

Instead of using the critical error modal in the privacy badger popup, it might be worth adding a section like the ones proposed in #2748 — this could be especially useful if we decide down the road to use Privacy Badger to point out other dark pattern behaviors that sites do to trick users into consenting to being tracked.

As for the injected bit on the web page, maybe it ought to be similar to the widget replacement modal that Privacy Badger already does, at least in appearance. The "allow" buttons could be changed to some other text, with the option being to close the message or opt into higher privacy settings.

For reference, here is how the current widget replacement looks: Screen Shot 2021-04-26 at 10 26 36 AM

james234298 commented 2 years ago

The issue might go further than simply permitting outsiders on the publicizing business' quit page since regardless of whether we permitted the setting of quit treats on that page, we would in any case impede the sending of these quit treats elsewhere. As quit treats are, basically in my view, a substandard choice to Do Not Track (which Privacy Badger plans to advance), it doesn't appear to check out for Privacy Badger to endeavor to help quit treats.