[ADDITION] solicitation for a method to de-bork the modern web

[atomGit]

Location

Web Browsing

Addition

it is the opinion of myself, and many whom are far more knowledgeable than i, including some front-end web developers, that the web has become a ... a shit-hole, to put it bluntly

with wide-spread dependencies on 3rd party frameworks, CDN's, fonts, analytics, CAPTCHA's, unnecessary usage of JS, etc., the modern web has undergone a transformation that is antithetical to the ideals of privacy and security minded people - part of that of course is what we call "surveillance capitalism"

the problem is exacerbated by those who "have nothing to hide" or are simply unaware of the implications and thus take no action

is it possible to have a substantial impact on the course the modern web has taken for the benefit of both camps? that is the question and i'd like to hear any proposals in that regard

...

one 'revelation' i came up with, though perhaps ambitious (a day or 3 of coding?), may have the potential to make a substantial impact and it doesn't necessarily require wide adoption to be effective

basically a browser extension is used to send mail to offending websites upon visiting them - what follows is how that might work...

• an 'offending' website is determined by comparing the 3rd party resources (domains) it uses to a 'blacklist' hosted on some git platform - the blacklist thus can be updated without having to update the extension
• if the user lands on a blacklisted site, they are non-intrusively prompted to send a pre-filled mail to the site owner/admin/contact/author/etc. which contains concerns with the site (privacy, security, etc.) and information as to possible solutions (a list of email address for websites may be needed - easy enough - or, failing that, a mail is sent to 'support@')
• a list of domains which were contacted is retained (locally in browser storage) so that only 1 mail is ever sent, or perhaps additional mails are sent upon revisiting the site after 'x' amount of time has passed (weeks/months?)
• ???

so for example if 20 people all visit x.com on the same day, the contact(s) there receive 20 mails from 20 different addresses and 20 different people - this could be much more effective than what the LibreJS project is/was doing where a single mail was sent from a common mailer

the browser ext. does 3 things: it uses the browser add-ons site to help market itself; it makes the whole process extremely simple and virtually transparent to the user; it brings the process to an individual level which could be more effective for reasons stated

potential caveats...

• blacklisted mail addresses/servers - avoiding excess mail per-user may be enough to prevent this, however it may still be wise for peeps to use a disposable address hosted by a disposable provider
• ???

[Lissy93]

, that the web has become a ... a shit-hole, to put it bluntly

Couldn't have put it better 🤣

As a developer myself, JavaScript is Devil's Spawn. Almost all modern web "apps" run the majority of their logic client-side (on the users browser), this has increased overtime, due to client devices becoming more powerful, and the improved user experience you get from not having to re-render each page.

All this logic is written in JavaScript (or a subset which transpiles into JavaScript). Yet JS is not particulaly secure by default - it's messy, bloated, not type safe, behaves differently on different engines / browsers, can be insecure, etc, etc.

There are a bunch of proposed solutions to the issue in the works, e.g. WASM, which is pretty cool.

That said, you can still build frontend apps, using modern frameworks that are not privacy-invasive. Here's the Privacy Docs for one of my apps, it doesn't make any external requests, unless you specifically enable a feature (like weather, uptime monitoring, etc), and everything that is stored is transparently documented to the user.

The privacy issues mostly come from either sloppy developers, or data-greedy companies, combined with a poorly configured user environment.

[Lissy93]

In terms of your idea...

It doesn't need to be a browser extension (and probably shouldn't be), and obviously the mail sending component wouldn't be possible from an extension alone. Instead, you could just have a serverless function, which accepts a URL, scans the site, generates a report, scrapes a contact address, then sends off the message. The function could then be initiated manually with a web address passed in, or you could use it to crawl top sites within certain categories.

As for the effectiveness, although a nice idea, I honestly don't think any companies would give a shit. To them, the data they are collecting, is far more valuable to them than a few users threatening to boycott their service.

Furthermore, web administrators get A TON of mostly automated messages every day. They don't read any of them. Even developers of small sites, like myself get so many automated messages that it's not practical to even open them any more.

Also, nothing you tell them would be news. The developers who built the site would already be aware of the issues, and would have made those decisions based on things like cost, complexity, time-constraints, business requirements..

You could still try building it, not sure of your skill level, but this should be a very easy starter project. Most of the logic is already out there, so just a case of putting the parts together, maybe just a serverless function written in Go, and a simple UI to invoke it.

[atomGit]

Instead, you could just have a serverless function, which accepts a URL, scans the site, generates a report, scrapes a contact address, then sends off the message. The function could then be initiated manually with a web address passed in, or you could use it to crawl top sites within certain categories.

interesting idea for sure!

the problem is, all the mails would be coming from the same mailer, no? this wouldn't be as effective as mails originating from many individuals - any idea on how that could be overcome? i suspect passing a mail address as a param to the ... script(?) wouldn't really work (mails would still originate from a single server)

also, wouldn't a browser ext. act as a compliment to this so users can feed the script the params without having to do anything? i'm thinking about keeping this as dirt simple as possible for users

what about a very simple ext. that interacts with the script? so the script then checks the site (url param sent to the script) against a db and opens a pre-filled mail for the user to manually send - this avoids ext. updates when the db is updated (db = a text file, not an actual db)

As for the effectiveness ... I honestly don't think any companies would give a shit. To them, the data they are collecting, is far more valuable to them than a few users threatening to boycott their service.

i dunno - maybe it depends on who is contacted? - site owner vs. article author, the "contact" address, etc. - i think this might get some noticeable attention over time - the "few users" is a hurdle to overcome, but that's where a browser ext. might help and maybe some advertising

not sure of your skill level...

well, if we start the scale at 0, i'm about a 0.2 (some bash, html, css, very limited success hacking other peoples JS/PHP) - given it's assumed simplicity however, this is not necessarily beyond my ability but i'll probably need help, perhaps mostly with getting the ext. to talk to the script (assuming an ext. is in order)

[Lissy93]

the problem is, all the mails would be coming from the same mailer, no? this wouldn't be as effective as mails originating from many individuals - any idea on how that could be overcome? i suspect passing a mail address as a param to the ... script(?) wouldn't really work (mails would still originate from a single server)

Ah yeah, I see what you mean, yeah you could have emails sent from the users address by using an ordinary anchor element. The mailto part within the href attribute can accept, the recipient, subject and body passed as GET params. So when you / the user open the link it'll open your default email client, and populate those fields, all you'll need to do is hit Send.

Then, like you say each mail comes from a real sender, which will be much more effective. Although would also mean sending the email from your real address. And it would might tedious to do each website one at a time.

That'd remove the need for any email sending capabilities. Setting up mail servers for sending, in a way that you can send out a lot of emails, without them landing in spam is surprisingly hard. That's one of the reasons why most apps with any mail sending functionality will outsource this to a third-party service, like mailchimp, sendgrid, mailgun...

---

i dunno - maybe it depends on who is contacted?

Ah yeah, very true. But also, any email address you can found online by a web scraper, will have already been found by a web scraper, and be getting a lot of emails. But if you can manually deduct an authors email address yourself (e.g. trying firstname.lastname@domain.com), then you'll probably have much better results.

[atomGit]

Although would also mean sending the email from your real address. And it would might tedious to do each website one at a time.

users would be (strongly) encouraged to set up a dedicated account somewhere (riseup, gmail <-- yes, i said that out loud, protonmail, etc.)

frequency of mails based on different domain visits could be handled by a preference, or done in a very unobtrusive way, such as a toolbar icon changing color with an optional notification

so i gather you think an ext. + a script makes sense? i'm open to any and all suggestions

ps - for anyone interested, i'm looking at the ClearURLs ext. because it fetches a file from a git repo and processes it - see line 262 in clearurls.js

[ltguillaume]

Also, nothing you tell them would be news. The developers who built the site would already be aware of the issues (...)

Not necessarily 😏 https://github.com/Lissy93/awesome-privacy/pull/65

[Lissy93]

Also, nothing you tell them would be news. The developers who built the site would already be aware of the issues (...)

Not necessarily 😏 https://github.com/Lissy93/awesome-privacy/pull/65

@ltGuillaume You got me there 😂

[unixdigest]

As for the effectiveness, although a nice idea, I honestly don't think any companies would give a shit. To them, the data they are collecting, is far more valuable to them than a few users threatening to boycott their service.

Furthermore, web administrators get A TON of mostly automated messages every day. They don't read any of them. Even developers of small sites, like myself get so many automated messages that it's not practical to even open them any more.

Also, nothing you tell them would be news. The developers who built the site would already be aware of the issues, and would have made those decisions based on things like cost, complexity, time-constraints, business requirements..

I agree 100% with @Lissy93 on this and for the reasons she has mentioned above, I don't think this would have any impact what so ever.

IMHO the entire industry is so hopelessly romanticized by hype that even when it is more costly in the long run, they still do the "wrong" thing just because that's what everyone else is doing.

[atomGit]

hiya @unixsheikh :)

i wouldn't necessarily disagree that effectiveness would be between 0 and near 0 if Big Tech were the target, but that's not really what i had in mind - i'm more interested in blogs, alternative social platforms, sites that focus on free software, personal site, wordpress sites, etc. - a lot of these kinds of sites aren't interested in monetizing data, but the admin, who could be a total novice, is just using whatever tools are popular (wordpress, shitty plugins, etc.) without being aware of the implications

i'd also mention again that i think the effort required to get something like this up and running as far as coding would be rather trivial - essentially a very simple browser ext. that grabs a remote file and prefills a ready-to-send mail

it could be an interesting experiment and, who knows, the result may be surprising

[unixdigest]

i wouldn't necessarily disagree that effectiveness would be between 0 and near 0 if Big Tech were the target, but that's not really what i had in mind - i'm more interested in blogs, alternative social platforms, sites that focus on free software, personal site, wordpress sites, etc. - a lot of these kinds of sites aren't interested in monetizing data, but the admin, who could be a total novice, is just using whatever tools are popular (wordpress, shitty plugins, etc.) without being aware of the implications

Hi @atomGit :)

The problem with those, i.e. private blogs, Wordpress, etc., is that the people using these wouldn't know what to do about it. Even when/if you suggest replacements, migrating a website from product A to product B for at non-tech person is often a daunting/time consuming task.

I personally know a lot of small business that just use Wordpress for blogging, and they know absolutely ZERO about any of this. They managed to get it installed and that's about it.

[atomGit]

I personally know a lot of small business that just use Wordpress for blogging, and they know absolutely ZERO about any of this.

that's where this part comes in...

if the user lands on a blacklisted site, they are non-intrusively prompted to send a pre-filled mail to the site owner/admin/contact/author/etc. which contains concerns with the site (privacy, security, etc.) and information as to possible solutions

i agree that a lot of these administrates are technically challenged (so am i) and i gave that a little bit of thought when i outlined all this - i think friendly, concise suggestions and a willingness to help could go a long way