duckduckgo / tracker-surrogates

💉 Surrogates are small scripts that our apps and extensions serve in place of trackers that cause site breakage when blocked.

A new surrogate for Taboola.com #39

Closed oryaniv closed 7 months ago

oryaniv commented 9 months ago

Hello,

Recently we have seen a rising trend of our scripts (Taboola.com) being blocked on private browsing mode in Safari. After contacting Apple, they pointed us to your block-lists, and we saw that we are being tightly blocked as a tracker.

To remedy that, we'd like to create a surrogate for Taboola to prevent sites using us as a 3rd party from breaking on high privacy settings.

Could you provide us with what's needed to be done as part of the process?

Looking forward to hearing from you.

deoxykev commented 9 months ago

+1 for this as well

dharb commented 9 months ago

Hi @oryaniv,

Thanks for filing this issue. Could you please provide a few example urls that are breaking due to request blocking, along with some details about what's breaking and which blocked requests are responsible for the breakage? I'm happy to take a look to see if this type of breakage could be mitigated with a surrogate. Thanks!

oryaniv commented 9 months ago

Hello @dharb,

Thank you for your response.

Here are some resource URLs of ours that are being blocked by private browsing in Safari 17:

https://cdn.taboola.com/libtrc/globesil/loader.js (our main loader file on a website called globes)

https://cdn.taboola.com/libtrc/impl.20240114-2-RELEASE.js (our implementation file on the site le-figaro)

In fact, the above files (loader.js, impl.{version}.js) are being blocked on many of our publisher sites. The result of this is our widgets not being rendered on many publisher sites, leading to viewership and revenue loss.

After some research, I've found these files to be marked with a high fingerprinting score on the tracker-radar file for Taboola: (found here: https://raw.githubusercontent.com/duckduckgo/tracker-radar/main/domains/US/taboola.com.json). This is very likely due to usage of native APIs such as sessionStorage, cookies, etc. in different modules/functions.

We would love to have you look into it, and if possible, provide us with the instructions and guidelines for writing a surrogate to be added to your repositories.

Thanks for your cooperation.

omriariav commented 9 months ago

Hi - I am working with @oryaniv in Taboola as the relevant product manager - adding to what Or added - Our JavaScript SDK is running on more than 9000 leading publishers worldwide and has been certified to be aligned with global legal and privacy regulations and guidelines. We don't engage in fingerprinting, and use these native APIs for rendering and contextual needs only. We believe that nullifying the values via a surrogate can restore the functionality and preserve the tracking blocking.

omriariav commented 8 months ago

@dharb thank you for looking into this. Can you please help us find a way to add a surrogate that would enable Taboola to display its content while still maintaining tracking protection?

dharb commented 7 months ago

Hi @oryaniv @omriariav,

Thank you for your patience here. After reviewing the examples provided above, I'm afraid that there is a misunderstanding around what a surrogate does, and creating a surrogate will not achieve the outcome you desire. Our tracker list is produced by crawling the web and applying objective criteria to identify third parties that appear to be exhibiting tracking behavior. In some cases when we find that simply blocking a request to a third-party script interferes with core website functionality (e.g., if every click handler on a website first calls a method from a third-party analytics script before completing the expected action), we will create a surrogate script, which is essentially a no-op shim, and it will be served in place of the third-party script to ensure the site functions as expected. The limited exceptions we make are to maintain browser and search functionality for our users.

We understand that this is not the answer you were looking for and this may impact your company, but that impact does not affect our objective criteria, which focus on protecting user privacy. These criteria may be revised over time as the landscape of third-party tracking on the web changes, which leads to additions or removals from our tracker list. In such a case, if the content Taboola serves in a third-party context no longer meets the tracker criteria, it will be removed from the list.
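
The no-op shim described in the final comment, as an added example that is not part of the thread and not code from the tracker-surrogates repository: it simulates the click-handler case under three policies (script allowed, script blocked, surrogate served). The names `exampleAnalytics`, `track`, `tracker.example` and the simulated `win` object are hypothetical.

```javascript
// Added illustration; `exampleAnalytics`, `track` and the page code are hypothetical.

// First-party page code: the click handler calls the third-party analytics
// API first and only navigates from the callback it passes in.
function makeClickHandler(win, href) {
  return function onClick() {
    win.exampleAnalytics.track('outbound-click', { href }, () => {
      win.location = href;
    });
  };
}

// Simulated real third-party script: sends a beacon, then calls back.
function loadRealScript(win) {
  win.exampleAnalytics = {
    track(name, props, done) {
      win.requests.push(`https://tracker.example/collect?e=${name}`);
      if (typeof done === 'function') done();
    },
  };
}

// Surrogate: same API surface, but no network, storage or identifiers.
// It still invokes callbacks so first-party logic keeps working.
function loadSurrogate(win) {
  const noop = () => {};
  win.exampleAnalytics = {
    track(name, props, done) {
      if (typeof done === 'function') done();
    },
    identify: noop,
    page: noop,
  };
}

// Run one click under a given policy and report what happened.
function simulate(policy) {
  const win = { requests: [], location: '/home' }; // constructed stand-in for window
  if (policy === 'allow') loadRealScript(win);
  if (policy === 'surrogate') loadSurrogate(win);
  // policy === 'block': the request is dropped and the global is never defined
  let error = null;
  try {
    makeClickHandler(win, '/article')();
  } catch (e) {
    error = e.constructor.name;
  }
  return { location: win.location, requests: win.requests.length, error };
}
```

Only the blocked case breaks the page; the surrogate restores navigation without issuing the third-party request, and it renders nothing on the third party's behalf.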