Thursday, May 21, 2015

Tracking Protection for Firefox at Web 2.0 Security and Privacy 2015

Edited to add: I wrote a followup post to address comments here and elsewhere that advertising is working as intended. This paper has been reported incorrectly in several places as being about cookie blocking. Tracking protection blocks all traffic, not just cookies.

My paper with Georgios Kontaxis got best paper award at the Web 2.0 Security and Privacy workshop today! Georgios re-ran the performance evaluations on top news sites and the decrease in page load time with tracking protection enabled is even higher (44%!) than in our Air Mozilla talk last August, due to prevalence of embedded third party content on news sites. You can read the paper here.

This paper is the last artifact of my work at Mozilla, since I left employment there at the beginning of April. I believe that Mozilla can make progress in privacy, but leadership needs to recognize that current advertising practices that enable "free" content are in direct conflict with security, privacy, stability, and performance concerns -- and that Firefox is first and foremost a user-agent, not an industry-agent.

Advertising does not make content free. It merely externalizes the costs in a way that incentivizes malicious or incompetent players to build things like Superfish, infect 1 in 20 machines with ad injection malware, and create sites that require unsafe plugins and take twice as many resources to load, quite expensive in terms of bandwidth, power, and stability.

It will take a major force to disrupt this ecosystem and motivate alternative revenue models. I hope that Mozilla can be that force.

26 comments:

  1. Excellent post Monica, you are missed at Mozilla.

    Your point about advertising externalising costs (rather than making content entirely free) is a very good one. Alternatives to this model are much needed.

    I would add that I think advertising also helps aggregate a transfer of value, meaning that more people ultimately consume content.

    ReplyDelete
  2. If Mozilla really want to do something revolutionary, it should make micropayments possible.

    I'll gladly pay one cent per article I read if that makes the web a better place. And I think many with me.

    It's really sad that in 20 years web, it's still not possible.

    The best Mozilla can do is fight the status quo like banks, Visa and Mastercard. Found a new bank. Do lobbying. Anything. Please make it possible.

    ReplyDelete
  3. Thanks for a very interesting paper!

    Mozilla could probably use more people like you :/

    ReplyDelete
  4. I guess all I have to do is go to about:config and set privacy.trackingprotection.enabled to true.
    Is that right?

    ReplyDelete
  5. Thanks for highlighting such a critical issue. I wrote up something recently about these effects as well.

    https://medium.com/@InertialLemon/why-are-web-pages-so-slow-c2297c475358

    I've also been monitoring via my firewall how much ad-related traffic comes from my iOS devices. *Every* app is connecting to ad and tracking servers, regardless of whether any ads are present in the app itself.

    With the proliferation of web-based apps on both the dessktop and mobile, it may be time to start treating mitigation of this as an OS-level issue, not an app level one. Just fixing one browser and using that browser isn't going to block most of the tracking that occurs today.

    ReplyDelete
  6. Instead, Mozilla will sell ad space on the new-tab page.

    ReplyDelete
  7. Mozilla and FireFox is dead to me and for most GNU/Linux community. You guys have made the wrong choices over and over for the past year, and betrayed your promises of openness and protecting users freedom.

    ReplyDelete
  8. Advertising is the revenue model that publishers use to produce and publish their content.

    It's easy to make blanket statements that it doesn't make content free when you aren't in the space but lots of large publishers and the entire long-tail of the web wouldn't exist without advertising.

    Subscriptions are not the answer as people would rather have convenience of free content with ads than have to pay cash for content but disrupting that by just tampering with websites is just malice towards site operators.

    Of course loading less things will improve performance, that's just simple math but messing with the revenue streams (without offering an alternative) of the greater web will only end badly for consumers.

    ReplyDelete
  9. ublock+Ghostery>Block all

    Problem solved

    ReplyDelete
  10. Man, ads are great. They allow content to be targeted towards people that could potentially not afford the content and towards people that might not necessarily use the product normally. The world is already significantly divided by wealth. What if Google was behind a paywall. Assuming someone poor even has access to a service like Google, imagine if it was behind a paywall. Could they afford it? If not imagine how much of a life advantage someone wealthier has over those would can not afford it. Your idealistic 'superior' ad free world is as alienating and as segregated as Silicon Valley is...

    ReplyDelete
  11. lol, ads are not great. ads are the ruination of mankind, as is this corporate takeover of pratically everything in existence down to the building blocks of life itself. when the hedge funds are your landlord and you can vote for monsanto, im sure you will be happy. its quite upsetting tbh to see someone who has embraced this programming so. ads are great. wow. go watch bill hicks or something.

    ReplyDelete
  12. Ok, this should be illegal.

    As a content provider I'm not agree my visitors to disable ads.

    So I have to ban usage of Mozilla by user-agent?

    ReplyDelete
    Replies
    1. User-agents already make all sorts of decisions to mitigate risk on behalf of the user, such as refusing to display phishing pages or download malware. If someone wants to opt-out of tracking, why shouldn't the user-agent help them accomplish that?

      Delete
  13. Imagine cable operators to disable ads between programs they stream?

    ReplyDelete
  14. I have not seen this mentioned before so i will state it outright.

    The Apple and google mobile browsers are forcing 44% more copntent down the throats of Mobile users-and in turn are causing mobile volumes to spike.


    these ads being forced on mobile users are causing them to purchase higher "volume packages" for data thoughoput.


    A class action suit needs to be started against advertisers for causing all rates to rise.


    I will even go so far as to say its not 44%, but more like 70% of all redirects are eating up bandwidth that is of NO use to the end user.

    Its a malicious cash cow.

    ReplyDelete
  15. Cool, so when are you guys making StartPage the default search engine instead of being funded by Yahoo so they can deliver targeted ads? Or was this just more political posturing?

    ReplyDelete
  16. Bizarre to post that on blogger who track people with cookie...

    ReplyDelete
  17. cheap birthday flowers @ http://inonlineshop.co.uk/birthday-flowers.html

    Cheap Sympathy Flowers @ http://www.inonlineshop.co.uk/Sympathy-Flowers.html

    Cheap New Baby Flowers @ http://www.inonlineshop.co.uk/New-Baby-Flowers.html

    Cheap Anniversary Flowers @ http://www.inonlineshop.co.uk/Anniversary-Flowers.html

    Cheap Romantic Flowers @ http://www.inonlineshop.co.uk/Romantic-Flowers.html

    ReplyDelete
    Replies
    1. I forgot to mention the link between advertising and spam. Thank you for pointing it out.

      Delete
  18. It's cute that all these Anonymous users think that ads are ruining mankind. While they use the internet to complain. Like the internet just exists, free for everyone involved and network/server infrastructure, and content creation/ownership and distribution is free.

    So cute.

    I want to live in your utopia where stuff just exists and you get to use it for nothing

    ReplyDelete
  19. Please ignore the troll above. They are clearly shills for the IAB or associated groups. Also they are clearly someone who has never read the HTML spec regarding priority of the constituencies.

    My actual reason for posting though was what you're saying is very interesting and you've put some great thought behind it. But I'm curious how you balance that with rather privacy invasive tech being built inside the walls of the Mozilla complex:

    http://techcrunch.com/2015/05/21/mozilla-will-soon-launch-sponsored-suggested-tiles-based-on-your-browsing-history/

    Seems like there needs to be some fierce conversations happening that either aren't, or aren't having a meaningful impact.

    ReplyDelete
  20. http://techcrunch.com/2015/05/21/mozilla-will-soon-launch-sponsored-suggested-tiles-based-on-your-browsing-history/

    Basicly, Mozilla want to block Ads on pages, and display ads before that.

    People who create content, recieve no money, but Mozilla takes it all.

    So nice.

    ReplyDelete
    Replies
    1. actually Tiles do not track you, all resolution is done client-side.

      the tracking protection blocks trackers/etc not ads per se. that most ads track you is a side effect....

      Delete
  21. "Imagine cable operators to disable ads between programs they stream?"

    Where do I sign up?

    ReplyDelete
  22. Dear Monica, we sure miss you at Mozilla!

    If more executives were thinking this way, we'd certainly make users happier.

    ReplyDelete
  23. 44% , that's huge gain on page speed :)

    ReplyDelete

Note: Only a member of this blog may post a comment.