Alert: Using a web ad blocker may identify you – to advertisers

The recent explosion in people installing ad blockers for their browsers may have an ironic side effect: identifying them to advertisers. French researchers digging into online privacy issues have built on a 2010 study by the EFF that used people's browser configurations to identify individuals. The researchers account for the …


  1. Andy Non Silver badge
    Facepalm

    Duh

    So people using ad-blockers who don't see online ads are vulnerable to advertisers tracking you and putting targeted ads on websites you visit that you still won't see as you are using an ad-blocker. And this is a bonus to advertisers how?

    1. Charles 9

      Re: Duh

      If they know you're using an ad-blocker, they'll profile you as a leech and perhaps start using ad-gates. Either that or they'll see that as a cue to get more aggressive with the ads by triggering the original website to insert inline same-domain ads, which will be tougher to block without collateral damage. Plus since they'll be able to track you across websites, they can wait for other opportunities to bombard you which you may not always be able to block. Heck, if they can tie you to a social account or e-mail address, they can probably use them to get to you as well.

      1. Anonymous Coward

        Re: Duh

        There is nothing the client can't ignore.

        It can disable scripts, css, images, cookies, all 3rd party content, or simply copy blocks of text from either HTML, or the modified DOM.

        Sites going down that route will look scummy, and alienate legitimate readers.

      2. Andy Non Silver badge

        Re: Duh

        @ Charles 9. If people are using ad-blockers in the first place it likely indicates they are not receptive to internet adverts anyway, so using alternate means to shove them in your face is likely to have a negative brand image effect for the product and website rather than induce a sale. If websites block me for using an ad-blocker I go elsewhere, there are very few sites that have exclusive content that I absolutely must see. Similarly, if adverts manage to sneak past my ad-blocker and make a site too annoying, then I'll simply stop visiting that site.

        Note: I also use No-Script too and block third party cookies etc so have even less exposure to advertisers and trackers. I also use a throwaway email address on social media.

        1. Charles 9

          Re: Duh

          What about a manufacturer's website for drivers? You can't trust anyone else to not insert malware/adware and the only other alternative would involve plunking down money (maybe A LOT of money).

          1. JulieM Silver badge
            Linux

            Re: Duh

            You can get device drivers from your kernel distributor. No need to go near the manufacturer's site.

            Besides, the manufacturers' drivers may contain proprietary "enhancements" over the GPL ones in the kernel.

          2. Doctor Syntax Silver badge

            Re: Duh

            "What about a manufacturer's website for drivers?"

            You keep raising that. Let's look at it.

            Where do these manufacturers make their money?

            By selling the H/W that their drivers support.

            What would happen if they poisoned their drivers?

            They'd burn their main business. (Remember how quickly HP had to row back after the shit-storm they raised by playing silly buggers with their ink cartridges.)

            Why would they want to do that?

            1. Charles 9

              Re: Duh

              Why wouldn't they? Plus I'm not talking the drivers themselves but the sites on which they're hosted: packed full of mandatory scripts and so on ripe to be drive-by'ed with no viable alternatives if they don't provide high performance drivers to kernels (kernel can't do that themselves many times due to patent-based black-boxing, and as for Windows...).

              1. Danny 14

                Re: Duh

                I wish them the best of luck. I block ads at my gateway. EVERYTHING behind my gateway is served adless pages on their browsers (that may or may not have addons).

              2. Doctor Syntax Silver badge

                Re: Duh

                "Why wouldn't they [want to burn their business]?"

                For investors, an aversion to losing their investment. For the executives an aversion to being sacked by the investors.

    2. An nonymous Cowerd

      Re: Duh, well they could charge you more for holidays/hotels

      so only 48 others are using the single extension Privacy Badger on a locked-down chrome?

      >PB logo.gif identified in only 49/~6000 Browser tests,

      >whilst on FF 52 there were around 2000 Privacy Badger blocker users, so a bit more dilution

      >Safari - a locked down Ghostery (without Evidon direct tracking) seemed OK - but I don't really trust it

      however the standard fingerprinting, OS, resolution, fonts canvas etc individualised me in all cases.

      then there's server side cookies, evercookies, telemetry [Apple still get a packet with your UUID every time you query "About this Mac" on your own desktop/laptop!]

      1. John Brown (no body) Silver badge

        Re: Duh, well they could charge you more for holidays/hotels

        "however the standard fingerprinting, OS, resolution, fonts canvas etc individualised me in all cases."

        Not sure why you got down voted. I found the same, even after making sure I wasn't logged into anything, changed the browser's id string to remove all reference to X, FreeBSD and AMD, ie plain old Firefox ID string, remove all add-ons and yet it still identified me as unique. I'm betting it's my font list.

        On the other hand, the test only runs if I whitelist scripting for the testsite domain.

    3. Stuart 22

      Blow 'em a Raspberry!

      As it hasn't been mentioned and almost everybody here will have an old redundant 1st generation RaspberryPi gathering dust in their drawer - You can give it a great second life using https://pi-hole.net/ on it to replace your network DNS. Works a treat for all connected devices. No need for browser add-ons and works within your smartphone apps (when using wi-fi).

      I've found it the most effective way of blocking all ads - and if any ad does show up it will be the most obvious product/service to avoid purely on being so subversive.

      The only issue so far was the TfL website would omit tube/trains from its journey planner. But by checking the easily viewable blocking log, whitelisting solved that problem immediately.

      1. Gotno iShit Wantno iShit
        Pint

        Re: Blow 'em a Raspberry! @Stuart 22

        Cheers for the tip, pi-hole added to my to do list.

      2. Charles 9

        Re: Blow 'em a Raspberry!

        "I've found it the most effective way of blocking all ads - and if any ad does show up it will be the most obvious product/service to avoid purely on being so subversive."

        Even if it's the ONLY source of something? And yes, there ARE sole sources on the Internet?

  2. Anonymous Coward

    So, uhm...

    "The researchers account for the 2017 internet: they look at what browser extensions people have and what social media services they are logged into."

    This seems more like a (well known) social media issue than something related to ad blockers. I'd thought it was common knowledge by now that if you visit a website you're often also downloading 3rd party contents, which allows said 3rd party to perform a bit of tracking. Especially when it's being used on multiple places (such as social media like buttons, Google Analytics javascript, etc.).

    It's for that reason why I use both an Ad blocker but also the StopSocial plugin; a small plugin which prevents my browser from contacting any social media website whenever I'm on a website other than the social media site itself. Next using a reference blocker (NoRef) also does miracles.

    The only risk is that some websites might break (sometimes they rely on references) but that's easily fixed with setting up a (small) whitelist.

    Happy tracking that :)

    1. Black Rat

      Re: Happy Tracking

      Never hurts to check your browser fingerprint with a visit to https://panopticlick.eff.org/

      as many machines running Adblock & NoScript can still be uniquely identified. Even with 3rd party plugins, Cookies, Javascript & Flash disabled it's fascinating how much data can be gleaned.

  3. AegisPrime
    Meh

    That's the trade-off for ad-blocking/privacy - running your connection through a VPN, using an 'exotic' browser (Vivaldi in my case), using uBlock or similar (TunnelBear Blocker's nice by the way) all give you a relatively unique fingerprint in comparison to the proles - given that my ISP has no clue what websites I'm looking at and that I'm ad/malware free whilst I do it, I think that's a worthwhile trade*

    Of course, if you're doing something naughty and you get tracked down as a consequence of trying to be anonymous you may consider otherwise.

    *That doesn't mean I wouldn't be keen to adopt anti-fingerprinting though - I'm hopeful that's coming in the next round of the privacy wars.

  4. lordphil

    Test

    Just tried the test - it showed I was unique to 4403 so far tested. HOWEVER, it did say that I appeared to be logged in to LinkedIn (never had an account - ever) and logged into Forbes (whomever they may be). So, the question is: As I did try to find someone through LinkedIn - quite some time ago - has it left a marker somewhere on my laptop and how do I get rid of it?

    And what about Forbes - I've never heard of them let alone knowingly been there. I don't 'do' any social media.

    Running Firefox with AdBlockerPlus.

    An inquiring mind would like to know.

    Phil

    1. Doctor Syntax Silver badge

      Re: Test

      "As I did try to find someone through LinkedIn - quite some time ago - has it left a marker somewhere on my laptop and how do I get rid of it?"

      Why would you want to? It's disinformation.

    2. ShortStuff

      Re: Test

      Install 'Self-Destructing Cookies' ... one of the greatest add-ons ever, next to No-Script, Ghostery, and AdBlockerPlus

    3. tiggity Silver badge

      Re: Test

      @Phil - Forbes do news (FSVO news), you may have picked up a cookie from there by following a news story from somewhere

      I never bother with Forbes as they have served malware via ads on their site in the past yet have the temerity to tell you to disable ad blockers!

      Like most people main role of ad blocker is as part of a series of measures (e.g. scripts run from sites on whitelists only) to reduce malware risk, loss of in your face / page rearranging ads is just a bonus side effect

      1. Charles 9

        Re: Test

        I've never been able to use Forbes because of an ad-blocker-blocker. And they're becoming distressingly more common.

  5. Mage Silver badge

    Rage!

    WHY does my Browser tell the website what fonts I have?

    How can I block that on Firefox?

    1. TaabuTheCat

      Re: Rage!

      http://www.ghacks.net/2016/12/28/firefox-52-better-font-fingerprinting-protection/

      Kind of an ugly solution, but it works.

      1. Mage Silver badge

        Re: Rage!

        "Kind of an ugly solution, but it works."

        I'll try that.

        I have a HUGE number of fonts, to duplicate fonts to replicate vintage packaging / labels.

        Also for other graphic design tasks.

        I also use NoScript, not an ad blocker, as I'm more concerned about security & privacy, so 3rd party cookies are blocked, I log out of evil tracking orgs, and I only white list enough to make a site work. Some sites, even though used regularly, are only getting scripts Temporarily allowed.

        1. Mage Silver badge

          Re: Rage! Fonts

          Rats!

          Courier, Helvetica, Times New Roman, Verdana, MONO

          Unique out of 7501 browsers that were tested so far!

          Maybe install User Agent and pretend I'm on Windows and not Linux. I needed that on last PC to download Kindle Reader for Wine, but I decided it's spyware, so I convert Kindle to ePub with Calibre now. (a plug in uses my real Kindle's serial number).

          1. Mage Silver badge

            Re: Rage! Fonts

            What I need is to add the default list of Linux or Windows fonts, depending on if pretending I'm on Linux or Windows.

            However since I never enable 3rd party javascript, not needed to work a site, I doubt many ad agencies can track me.

          2. RegGuy1 Silver badge

            Re: Rage! Fonts

            Nope, user-agent makes no difference. Info is still leaked via the plugins. So I pretend to be anything but Unix, but the plugin descriptions tell another story. :(

          3. MondoMan
            Trollface

            Re: Rage! Fonts

            Mage Against The Machine? :)

          4. Mage Silver badge
            Unhappy

            Re: Rage! Fonts

            Whitelisting feature in Firefox 52 and later is no use to limit Browser Fingerprinting:

            1) It's whitelisting the fonts the browser uses, which only incidentally affects reporting of fonts to a website.

            2) Whitelisting ALSO blocks fonts loaded from websites (I think this is the reason for the feature, if so it's a broken idea, whitelisting/blocking the domain providing makes more sense?)

            3) Makes too many websites look rubbish that use "wingding"/"symbol" fonts as Icons

            4) I already downloaded and installed lots of commonly used 3rd party on the fly fonts on websites to reduce tracking via font providers. There is a website for them. This also speeds up page loading.

            My conclusion is that currently this is a lost cause. Browsers should only report current browser window size and perhaps resolution (though physical DPI is more useful than X by Y screen pixels, it's the window X by Y needed for "responsive" sites / served image sizes etc.). Browsers are simply reporting too much. It was good that Mozilla backtracked and removed the battery state.

            For now the best solution against tracking is:

            1: Block all 3rd party cookies always (Default sadly is allow on Firefox).

            2: Install Noscript and only whitelist enough to make a site work. Some sites best only temporarily whitelist, such as Twitter, Facebook, Google applications.

            3: Always log out of social media and Google. Sometimes restart the browser so as to lose the temporary whitelistings that Social Media icons use on other sites.

            4: If maintaining a website, DO NOT copy/paste "code" offered for icons and widgets. Download image of icon/widget, upload to your site and put a simple HTML link (maybe set to open in new window/tab). These 3rd party icons/widgets (with javascript) may even be illegal for you to put on your site if you are in EU.

            5: If building / maintaining a website, put copies of all fonts, images, javascript etc in your own domain (or ideally same site) to make whitelisting easier for users, make your site self contained and avoid leaking the user's history / browser to 3rd parties.

            6: Install your own analytics on your own site. Google's Analytics are a privacy slurp. They can't be trusted.

            7: Only implement cookies for users that login. Do not use 3rd party log in APIs such as Facebook or Google.

            8: If the site captures unique user data or has a login, then use HTTPS.

            9: Use a Mozilla based browser, such as Firefox, Seamonkey etc. Not Edge, Safari, IE, Chrome or Opera. I don't know what the story is on Chromium. Not ideal, but better than some of the spyware.

            10: Change firefox setting so URL bar fails if you mistype, no search or autocorrect. Don't use a browser without a separate search box and url bar.

            11: Do not install toolbars.
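
A way for a site maintainer to check points 4 and 5 of the list above (added example, not part of the original comment; the hosts and the sample page are constructed placeholders): list every resource that a page's markup makes the browser fetch from a host other than the site's own.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes the browser fetches automatically on page load.
FETCH_ATTRS = {
    "script": ("src",), "img": ("src",), "iframe": ("src",),
    "embed": ("src",), "source": ("src",), "audio": ("src",),
    "video": ("src", "poster"), "object": ("data",), "link": ("href",),
}
# <link> only triggers a fetch for these rel values; rel=canonical does not.
FETCH_RELS = {"stylesheet", "icon", "preload", "prefetch",
              "preconnect", "dns-prefetch", "modulepreload"}


class _Audit(HTMLParser):
    def __init__(self, page_url, own_hosts):
        super().__init__()
        self.page_url = page_url
        self.own_hosts = own_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCH_RELS:
                return
        for name in FETCH_ATTRS.get(tag, ()):
            if not attrs.get(name):
                continue
            url = urljoin(self.page_url, attrs[name])  # resolves /x, x, //host/x
            parts = urlsplit(url)
            if parts.scheme not in ("http", "https"):
                continue  # data:, blob:, about: never leave the browser
            if parts.hostname not in self.own_hosts:
                self.findings.append((tag, parts.hostname, url))


def third_party_loads(html, page_url, extra_own_hosts=()):
    """Return (tag, host, url) for every auto-fetched off-site resource."""
    own = {urlsplit(page_url).hostname, *extra_own_hosts}
    parser = _Audit(page_url, own)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page; every host below is a placeholder.
PAGE_URL = "https://www.example.test/article"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="//fonts.example.net/css?family=Foo">
<link rel="canonical" href="https://other.example.org/page">
<script src="https://analytics.example.com/a.js"></script>
<script src="js/app.js"></script>
</head><body>
<img src="https://static.example.test/hero.jpg">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<iframe src="https://social.example.com/like?u=x"></iframe>
<a href="https://social.example.com/profile"><img src="/img/social-icon.png"></a>
</body></html>
"""

if __name__ == "__main__":
    for tag, host, url in third_party_loads(SAMPLE_HTML, PAGE_URL):
        print(f"{host:24} <{tag}> {url}")
```

The last line of the sample is the pattern point 4 recommends (a locally hosted icon inside a plain link), and it produces no finding. Only static markup is inspected: resources pulled in by CSS `url()`/`@import` or injected by scripts at runtime need a browser-level check.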

            1. Anonymous Coward

              Re: Rage! Fonts

              1. Because more and more sites won't work AT ALL without cookies. More and more sites won't let you get past the front page, and that includes sites I used to frequent.

              2. More sites tie basic site function to those scripts. No scripts, no content. And other sites like Forbes use ad-blocker-blockers that deny you access. If they're the ONLY source of something (like a manufacturer's website that protects its property, so no internal drivers for you), God help you.

              4. Those widgets are often copyrighted and impose terms on their use, meaning NOT copying/pasting them is in violation. It's THEIR way (copy/paste) or NO way.

              5. Same problem. Some fonts, etc. ONLY allow you to source them from the official source.

              9. Mozilla captures user data, too. So do IE, Edge, and Opera. Last I heard, Vivaldi also records stuff. Basically, unless you can roll your own from scratch or use a pre-commercialization browser like NetSurf, don't trust the browser.

              10. ISPs tend to screw up this solution these days, and some of them are bold enough to intercept requests to third-party resolvers (easy enough to do, as DNS uses a fixed port number). And let's not get started with resolutions hard-coded into the clients.

          5. Jonathan 27

            Re: Rage! Fonts

            Great, now they can track you uniquely. You know that's even worse than them being able to ID your OS right?

    2. An nonymous Cowerd

      Re: Rage!

      Yep, a neat font trick, by adding just a handful of fonts and by setting my FF52 to this user agent

      Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0

      I was finally able to get 2 similar users, so three of us in total, that's a bit better than unique

      1. TaabuTheCat

        Re: Rage!

        Well, now I'm not so sure this new FF whitelist setting fully works. EFF's Panopticlick is still able to enumerate fonts (unless it's just guessing?), although the site referenced in this article now only sees what's in the whitelist. Not quite sure what Panopticlick is doing to get around the whitelisting - assuming it really is.

  6. Martin an gof Silver badge

    Noscript...

    I, too, just tried the test and... nowt. nada, zero, dim byd o gwbl. The button, she no work.

    No Javascript, courtesy of Noscript.

    Temporarily enable script and... the browser's fingerprint is unique among 4,473. Ho hum.

    M.

    1. Brian Miller

      Re: Noscript...

      That's what happened to me, too! And I have Exploding Cookies, too. So: no cookies, no JavaScript, and thus certainly not much of a trackable foot print. If a website that I don't need to use doesn't work, I don't care.

      1. VinceH

        Re: Noscript...

        Ditto - NoScript meant NoTest until I allowed it.

        Having done so, unique amongst 6114 so far. However, my extensions came up N/A and I got a 'no' for being identifiable by logins (this will be because cookies don't survive a browsing session, and I've only visited three sites this morning since switching on - including El Reg and the test). It's my browser fingerprint that gets a yes - but that's all.

        (Okay, the combination of all three gets a yes as well, but that's as much because of the browser fingerprint as anything else!)

        With such a small number of people having run the test, this is not that much of a surprise. So meh.

        1. Anonymous Coward

          I've only visited three sites this morning since switching on

          Get back to work!

  7. Shadow Systems

    Dear Advertisers, here's my fingerprint...

    *A double handed TheFinger*

    Signed, Me.

    1. Anonymous Coward

      Re: Dear Advertisers, here's my fingerprint...

      Agreed.

      And to those sites that serve ads that autoplay sound very loudly, a massive f**k you.

      (el Reg, I'm looking at you - you were part of the reason I installed an ad blocker in the first damn place.)

  8. Kapudan-i Derya

    Tor on GNU/Linux with systemwide trusted VPN

    Can it protect us? At least from tracking of advertisers?

    1. katrinab Silver badge

      Re: Tor on GNU/Linux with systemwide trusted VPN

      Not really. It will stop them knowing which country you are browsing from and which ISP you use, but other than that, no.

    2. red03golf

      Re: Tor on GNU/Linux with systemwide trusted VPN

      Don't use TOR - TOR isn't safe.

  9. Anonymous Coward

    Why should a browser report extensions in use?

    When I tried it, it couldn't detect them. Apparently only Google is stupid enough to allow that, since it said it only works in Chrome.

    In the login leak, I was one of 1532 collisions among 4650 browsers, so hardly unique there.

    In the standard fingerprint I was unique as I guessed I would be - I'm running Firefox on Linux! But that's easily fixed by changing my user agent string, if I cared to bother.

    1. inmypjs Silver badge

      Re: Why should a browser report extensions in use?

      "since it said it only works in Chrome"

      But using Chrome means you don't care about privacy anyway.

      The logins and extensions usages is irrelevant anyway, their browser fingerprinting is completely rubbish.

      It told me I was the same as about 680 among 5200 while this https://panopticlick.eff.org tells me my browser is unique among 213k.

  10. Wensleydale Cheese

    Blocking at the firewall, then?

    Shiny new firewall winging its way to me after Easter.

    1. Charles 9

      Re: Blocking at the firewall, then?

      Doesn't it use an encrypted connection?

  11. Anonymous Coward

    Doesn't really surprise me that Chrome is so 'chatty', it is a Google spyware product after all...

  12. Anonymous Coward

    LOL - I get unsupported Browser :-D

    I guess that makes me a shadowy character ... what's wrong with Chromium, anyway ??
